Core Windows Processes 1677920846

The document discusses several core Windows processes including Task Manager, System, smss.exe, csrss.exe, wininit.exe, and services.exe. It describes what each process does, normal behaviors, and signs of unusual activity for each process.

Uploaded by

Grass Hiroshi

Core Windows Processes

Task Manager
Task Manager is a built-in GUI-based Windows utility that allows users to see
what is running on the Windows system. It also provides information on resource
usage, such as how much each process utilizes CPU and memory. When a
program is not responding, Task Manager is used to end (kill) the process.

To open Task Manager, right-click the Taskbar. When the new window appears,
select Task Manager (as shown below).

Type - Each process falls into 1 of 3 categories (Apps, Background process, or
Windows process).



Publisher - Think of this column as the name of the author of the program/file.

PID - This is known as the process identifier number. Windows assigns a unique
process identifier each time a program starts. If the same program has multiple
running processes, each will have its unique process identifier (PID).

Process name - This is the file name of the process. In the above image, the file
name for Task Manager is Taskmgr.exe.

Command line - The full command used to launch the process.

CPU - The amount of CPU (processing power) the process uses.

Memory - The amount of physical working memory utilized by the process.

Let's move to the Details tab. This view provides some core processes that will be
discussed in this room. Sort the PID column so that the PIDs are in ascending order.

Add some additional columns to see more information about these processes. Good
columns to add are Image path name and Command line.

Process Hacker



Process Explorer

Moving forward, we'll use Process Hacker and Process Explorer instead of Task
Manager to obtain information about each Windows process.

System
The first Windows process on the list is System. It was mentioned in a previous
section that a PID for any given process is assigned at random, but that is not
the case for the System process. The PID for System is always 4. What does
this process do exactly?

The official definition from Windows Internals 6th Edition:

💡 "The System process (process ID 4) is the home for a special kind of
thread that runs only in kernel mode: a kernel-mode system thread.
System threads have all the attributes and contexts of regular user-mode
threads (such as a hardware context, priority, and so on) but are different
in that they run only in kernel-mode executing code loaded in system
space, whether that is in Ntoskrnl.exe or in any other loaded device driver.
In addition, system threads don't have a user process address space and
hence must allocate any dynamic storage from operating system memory
heaps, such as a paged or nonpaged pool."



What is user mode? Kernel-mode? Visit the following link to understand each of
these.

Now, what is normal behaviour for this process? Let's use Process Explorer and
view the properties of the System.

Image Path: C:\Windows\system32\ntoskrnl.exe (NT OS Kernel)

Parent Process: System Idle Process (0)

Number of Instances: One

User Account: Local System

Start Time: At boot time

What is unusual behaviour for this process?


• A parent process (aside from System Idle Process (0))



• Multiple instances of System. (Should only be one instance)

• A different PID. (Remember that the PID will always be PID 4)


• Not running in Session 0

System > smss.exe


The next process is smss.exe (Session Manager Subsystem). This process,
also known as the Windows Session Manager, is responsible for creating new
sessions. It is the first user-mode process started by the kernel.

This process starts the kernel and user modes of the Windows subsystem (you
can read more about the NT Architecture here). This subsystem includes
win32k.sys (kernel mode), winsrv.dll (user mode), and csrss.exe (user mode).

Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0,
an isolated Windows session for the operating system, and csrss.exe and
winlogon.exe for Session 1, which is the user session. The first child instance
creates child instances in new sessions, done by smss.exe copying itself into the
new session and self-terminating. You can read more about this process here.

Session 0 (csrss.exe & wininit.exe)

Session 1 (csrss.exe & winlogon.exe)



What is normal?

Image Path: %SystemRoot%\System32\smss.exe

Parent Process: System

Number of Instances: One master instance and child instance per session. The
child instance exits after creating the session.

User Account: Local System

Start Time: Within seconds of boot time for the master instance



What is unusual?

• A different parent process other than System (4)

• The image path is different from C:\Windows\System32

• More than one running process. (children self-terminate and exit after each new
session)

• The running User is not the SYSTEM user

• Unexpected registry entries for Subsystem

csrss.exe
As mentioned in the previous section, csrss.exe (Client Server Runtime
Process) is the user-mode side of the Windows subsystem. This process is
always running and is critical to system operation. If this process is terminated
by chance, it will result in system failure. This process is responsible for the
Win32 console window and process thread creation and deletion. For each
instance, csrsrv.dll, basesrv.dll, and winsrv.dll are loaded (along with others).

This process is also responsible for making the Windows API available to other
processes, mapping drive letters, and handling the Windows shutdown
process. You can read more about this process here.

Note: Recall that csrss.exe and winlogon.exe are called from smss.exe at startup for
Session 1.

What is normal?
Session 0 (PID 392)



Session 1 (PID 512)

Image Path: %SystemRoot%\System32\csrss.exe


Parent Process: Created by an instance of smss.exe



Number of Instances: Two or more

User Account: Local System


Start Time: Within seconds of boot time for the first two instances (for Session 0
and 1). Start times for additional instances occur as new sessions are created,
although often only Sessions 0 and 1 are created.

What is unusual?

• An actual parent process. (smss.exe calls this process and self-terminates)

• Image file path other than C:\Windows\System32

• Subtle misspellings to hide rogue processes masquerading as csrss.exe in plain
sight

• The user is not the SYSTEM user.

wininit.exe
The Windows Initialization Process, wininit.exe, is responsible for launching
services.exe (Service Control Manager), lsass.exe (Local Security Authority), and
lsaiso.exe within Session 0. It is another critical Windows process that runs in the
background, along with its child processes.

Note: lsaiso.exe is a process associated with Credential Guard and KeyGuard.
You will only see this process if Credential Guard is enabled.

What is normal?



Image Path: %SystemRoot%\System32\wininit.exe
Parent Process: Created by an instance of smss.exe

Number of Instances: One


User Account: Local System

Start Time: Within seconds of boot time

What is unusual?

• An actual parent process. (smss.exe calls this process and self-terminates)

• Image file path other than C:\Windows\System32

• Subtle misspellings to hide rogue processes in plain sight

• Multiple running instances

• Not running as SYSTEM

wininit.exe > services.exe



The next process is the Service Control Manager (SCM) or services.exe. Its
primary responsibility is to handle system services: loading services, interacting with
services and starting or ending services. It maintains a database that can be queried
using a Windows built-in utility, sc.exe.

This process is the parent to several other key processes: svchost.exe, spoolsv.exe,
msmpeng.exe, and dllhost.exe, to name a few. You can read more about this
process here.

What is normal?



Image Path: %SystemRoot%\System32\services.exe

Parent Process: wininit.exe


Number of Instances: One
User Account: Local System

Start Time: Within seconds of boot time

What is unusual?

• A parent process other than wininit.exe

• Image file path other than C:\Windows\System32

• Subtle misspellings to hide rogue processes in plain sight

• Multiple running instances

• Not running as SYSTEM

wininit.exe > services.exe > svchost.exe


The Service Host (Host Process for Windows Services), or svchost.exe, is
responsible for hosting and managing Windows services.

What is normal?



Image Path: %SystemRoot%\System32\svchost.exe

Parent Process: services.exe


Number of Instances: Many
User Account: Varies (SYSTEM, Network Service, Local Service) depending on the
svchost.exe instance. In Windows 10, some instances run as the logged-in user.
Start Time: Typically within seconds of boot time. Other instances of svchost.exe
can be started after boot.

What is unusual?

• A parent process other than services.exe

• Image file path other than C:\Windows\System32

• Subtle misspellings to hide rogue processes in plain sight

• The absence of the -k parameter



lsass.exe

winlogon.exe
The Windows Logon, winlogon.exe, is responsible for handling the Secure
Attention Sequence (SAS). It is the ALT+CTRL+DELETE key combination users
press to enter their username & password.
It is also responsible for locking the screen and running the user's screensaver,
among other functions. You can read more about this process here.
Remember from earlier sections, smss.exe launches this process along with a copy
of csrss.exe within Session 1.

What is normal?



Image Path: %SystemRoot%\System32\winlogon.exe
Parent Process: Created by an instance of smss.exe that exits, so analysis tools
usually do not provide the parent process name.

Number of Instances: One or more


User Account: Local System
Start Time: Within seconds of boot time for the first instance (for Session 1).
Additional instances occur as new sessions are created, typically through Remote
Desktop or Fast User Switching logons.

What is unusual?

• An actual parent process. (smss.exe calls this process and self-terminates)

• Image file path other than C:\Windows\System32

• Subtle misspellings to hide rogue processes in plain sight

• Not running as SYSTEM

• Shell value in the registry other than explorer.exe

explorer.exe
The last process we'll look at is Windows Explorer, explorer.exe. This process
gives the user access to their folders and files. It also provides functionality for other
features, such as the Start Menu and Taskbar.
There will be many child processes for explorer.exe.



What is normal?

Image Path: %SystemRoot%\explorer.exe


Parent Process: Created by userinit.exe and exits
Number of Instances: One or more per interactively logged-in user

User Account: Logged-in user(s)


Start Time: First instance when the first interactive user logon session begins



What is unusual?

• An actual parent process. (userinit.exe calls this process and exits)

• Image file path other than C:\Windows

• Running as an unknown user

• Subtle misspellings to hide rogue processes in plain sight

• Outbound TCP/IP connections

Note: The above image is the explorer.exe properties view from Process Explorer.
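The "What is normal?" and "What is unusual?" lists above for System, smss.exe, csrss.exe, wininit.exe, services.exe, svchost.exe, winlogon.exe and explorer.exe can be turned into a single baseline check. The script below is an added example written for these notes, not part of the original room or of any Microsoft tool: it encodes the documented image path, parent, user account and instance count for each process, then walks a constructed process snapshot (the PIDs, users and command lines are made up for illustration) and reports every deviation, including near-miss spellings of a core process name and an svchost.exe started without -k.

```python
"""Check a process snapshot against the documented baseline for core Windows
processes. Added example for these notes; the snapshot is constructed."""
import difflib
from collections import Counter
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str       # image name as shown by Task Manager / Process Explorer
    path: str       # full image path
    user: str       # account the process runs as
    session: int    # Windows session id
    cmdline: str    # command line used to launch the process


SYSTEM32 = r"c:\windows\system32"

# Expected values from the "What is normal?" lists (lower-cased).
# parent="exited": the creator (smss.exe or userinit.exe) exits, so a *live*
# parent is itself unusual. users=None: the account varies and is not checked.
BASELINE = {
    "system":       dict(path=SYSTEM32 + r"\ntoskrnl.exe", parent="system idle process", users={"system"}, single=True),
    "smss.exe":     dict(path=SYSTEM32 + r"\smss.exe",     parent="system",       users={"system"}, single=True),
    "csrss.exe":    dict(path=SYSTEM32 + r"\csrss.exe",    parent="exited",       users={"system"}, single=False),
    "wininit.exe":  dict(path=SYSTEM32 + r"\wininit.exe",  parent="exited",       users={"system"}, single=True),
    "services.exe": dict(path=SYSTEM32 + r"\services.exe", parent="wininit.exe",  users={"system"}, single=True),
    "svchost.exe":  dict(path=SYSTEM32 + r"\svchost.exe",  parent="services.exe", users=None,       single=False),
    "winlogon.exe": dict(path=SYSTEM32 + r"\winlogon.exe", parent="exited",       users={"system"}, single=False),
    "explorer.exe": dict(path=r"c:\windows\explorer.exe",  parent="exited",       users=None,       single=False),
}


def check_snapshot(procs):
    """Return a list of (pid, name, finding) tuples, one per deviation found."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    findings = []
    for p in procs:
        name = p.name.lower()
        rule = BASELINE.get(name)
        if rule is None:
            # Not a core process name: is it a near-miss spelling of one?
            close = difflib.get_close_matches(name, list(BASELINE), n=1, cutoff=0.85)
            if close:
                findings.append((p.pid, p.name, f"name resembles {close[0]}: possible masquerade"))
            continue
        if p.path.lower() != rule["path"]:
            findings.append((p.pid, p.name, f"unexpected image path {p.path}"))
        if rule["users"] is not None and p.user.lower() not in rule["users"]:
            findings.append((p.pid, p.name, f"unexpected user {p.user}"))
        if rule["single"] and counts[name] > 1:
            findings.append((p.pid, p.name, f"{counts[name]} instances, expected one"))
        parent = by_pid.get(p.ppid)
        if rule["parent"] == "exited":
            if parent is not None:
                findings.append((p.pid, p.name, f"live parent {parent.name} ({parent.pid}); creator should have exited"))
        elif parent is None or parent.name.lower() != rule["parent"]:
            findings.append((p.pid, p.name, f"parent is not {rule['parent']}"))
        if name == "system" and (p.pid != 4 or p.session != 0):
            findings.append((p.pid, p.name, "System must be PID 4 in Session 0"))
        if name == "svchost.exe" and "-k" not in p.cmdline.split():
            findings.append((p.pid, p.name, "svchost.exe launched without -k"))
    return findings


# Constructed snapshot: a normal boot chain plus three deliberately odd entries.
SNAPSHOT = [
    Proc(0, 0, "System Idle Process", "", "SYSTEM", 0, ""),
    Proc(4, 0, "System", r"C:\Windows\system32\ntoskrnl.exe", "SYSTEM", 0, ""),
    Proc(368, 4, "smss.exe", r"C:\Windows\System32\smss.exe", "SYSTEM", 0, r"\SystemRoot\System32\smss.exe"),
    Proc(392, 360, "csrss.exe", r"C:\Windows\System32\csrss.exe", "SYSTEM", 0, r"%SystemRoot%\system32\csrss.exe"),
    Proc(512, 500, "csrss.exe", r"C:\Windows\System32\csrss.exe", "SYSTEM", 1, r"%SystemRoot%\system32\csrss.exe"),
    Proc(448, 360, "wininit.exe", r"C:\Windows\System32\wininit.exe", "SYSTEM", 0, "wininit.exe"),
    Proc(556, 448, "services.exe", r"C:\Windows\System32\services.exe", "SYSTEM", 0, r"C:\Windows\system32\services.exe"),
    Proc(640, 448, "lsass.exe", r"C:\Windows\System32\lsass.exe", "SYSTEM", 0, r"C:\Windows\system32\lsass.exe"),
    Proc(720, 556, "svchost.exe", r"C:\Windows\System32\svchost.exe", "SYSTEM", 0, r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"),
    Proc(812, 556, "svchost.exe", r"C:\Windows\System32\svchost.exe", "NETWORK SERVICE", 0, r"C:\Windows\system32\svchost.exe -k RPCSS -p"),
    Proc(588, 500, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", "SYSTEM", 1, "winlogon.exe"),
    Proc(2040, 1980, "explorer.exe", r"C:\Windows\explorer.exe", r"DESKTOP\alice", 1, r"C:\Windows\Explorer.EXE"),
    # Odd entries (constructed): wrong path/parent and no -k; a misspelled name;
    # a second wininit.exe whose parent is still alive.
    Proc(3100, 2040, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", r"DESKTOP\alice", 1, r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    Proc(3212, 556, "scvhost.exe", r"C:\Windows\System32\scvhost.exe", "SYSTEM", 0, "scvhost.exe -k netsvcs"),
    Proc(3300, 3100, "wininit.exe", r"C:\Windows\System32\wininit.exe", "SYSTEM", 0, "wininit.exe"),
]

if __name__ == "__main__":
    for pid, name, finding in check_snapshot(SNAPSHOT):
        print(f"PID {pid:<5} {name:<14} {finding}")
```

Only the PID-4 and session-0 rules are hard facts; the "exited parent" rule relies on the parent PID no longer being present in the snapshot, and Windows reuses PIDs, so on a live system confirm a surprising parent by its start time before treating it as a finding. The `-k` check matches the note for svchost.exe above; explorer.exe's "unknown user" and "outbound connections" points need a list of expected interactive users and network data that a process list alone does not carry, so they are left out.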
