WINDOWS PROCESSES
Understanding operating system basics is one of the key areas to focus on when starting out in the general Information Technology (IT) field. It gives you a solid basis for error handling and troubleshooting. For incident responders and digital forensics analysts, it expands your ability to differentiate between a normal and an infected Windows system. The Windows operating system is huge and complex, but no worries: I will break it down across several articles, so stay tuned!
In this article, we will look at Windows system processes, breaking each one down in detail: the user responsible for running the process, its child processes (if any), its default executable location and the role it plays during a Windows boot.
Adversaries have been known to use techniques such as process injection (executing malicious code in the memory space of another, already running process) and mimicking Windows system process names (e.g. lsasss.exe, lsas.exe) in order to evade detection.
Below is a diagram that illustrates the process family tree for windows
1. System
- Has a Process ID (PID) of 4
- Initiates smss.exe
- Only has 1 instance
2. Smss.exe <Session Manager Subsystem or Windows Session Manager>
Smss.exe is stored in %SystemRoot%\System32\smss.exe and is responsible for creating and managing sessions. It starts immediately after boot and involves 2 sessions (the master and the child). The master, aka Session 0, is responsible for initializing the csrss.exe and wininit.exe processes, while the child, aka Session 1 or higher, is responsible for initializing winlogon.exe. We say "Session 1 or higher" because the number depends on how many users are logged on to that host.
Once the child process (Session 1) has completed the initialization of the user session, i.e. winlogon.exe, it exits, which is why only 1 smss.exe is visible in the screenshot above and on all Windows systems.
User responsible for starting this process is NT AUTHORITY\SYSTEM
3. Csrss.exe <Client/Server Run-Time Subsystem>
Csrss.exe is stored in %SystemRoot%\System32\csrss.exe and is responsible for creating and deleting processes and threads, temporary files, etc.
Its parent process is smss.exe, and only 1 instance should be running per session.
User responsible for starting this process is NT AUTHORITY\SYSTEM
4. Wininit.exe <Windows Initialization Process>
Wininit.exe is stored in %SystemRoot%\System32\wininit.exe and is responsible for initializing program tasks in user mode. Through wininit.exe, programs are able to start running during boot.
It is the parent process of lsass.exe, services.exe and lsaiso.exe, and there should ONLY be 1 instance of wininit.exe running.
User responsible is NT AUTHORITY\SYSTEM
5. Winlogon.exe <Windows Logon Process>
Winlogon.exe is stored in %SystemRoot%\System32\winlogon.exe and is responsible for user logons and logoffs on Windows. Using the value stored in the Winlogon registry key, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, it launches userinit.exe.
Only 1 instance should be running
User responsible is NT AUTHORITY\SYSTEM
6. Lsass.exe <Local Security Authority SubSystem>
Lsass.exe is stored under %SystemRoot%\System32\lsass.exe and is responsible for enforcing the local security policy on a Windows system. The local security policy includes managing which users are allowed access, enforcing password policies, creating access tokens, verifying user credentials and managing user password changes, just to mention a few.
Only 1 instance should be running, and it has NO child process.
User responsible is NT AUTHORITY\SYSTEM
7. Services.exe <Service Control Manager>
Services.exe is stored under %SystemRoot%\System32\services.exe and is responsible for starting and stopping services. It starts the drivers or services that have been set to auto-start, together with their dependencies.
Parent process of svchost.exe, dllhost.exe, spoolsv.exe and taskhostw.exe; child process of wininit.exe.
Services set to auto-start and their dependencies are stored under the registry key HKLM\SYSTEM\CurrentControlSet\Services
Only 1 instance should be running.
User responsible is NT AUTHORITY\SYSTEM
8. Userinit.exe <User Initialization Process>
Userinit.exe is stored under %SystemRoot%\System32\userinit.exe and is responsible for initializing the user environment, including applying GPOs (Group Policy Objects) and running logon scripts that may be configured in an organizational setting.
Once the initialization of the user environment has completed, userinit.exe exits. This is why it is not visible in the screenshot above.
Parent process of explorer.exe.
9. Svchost.exe <Service Host Process>
Svchost.exe is stored under %SystemRoot%\System32\svchost.exe and is responsible for launching and hosting multiple DLL-based services, i.e. it allows Windows to group similar services together. This in turn reduces resource consumption during boot.
Expect to see more than 1 instance of svchost.exe running on a host.
During execution, svchost.exe queries the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, where each registry value defines a service group to launch. For example, Windows can create a service group for network-related or firewall-related services.
Command-line argument: svchost.exe -k <service group name>
Users responsible are NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM or NT AUTHORITY\LOCAL SERVICE
10. Taskhostw.exe
Taskhostw.exe (also seen as taskhostex.exe or taskhost.exe) is stored under %SystemRoot%\System32\taskhostw.exe and is responsible for hosting processes that run DLLs.
Multiple instances should be running.
11. Explorer.exe <Windows Explorer>
Explorer.exe is stored under %SystemRoot%\Explorer.exe and is responsible for launching and managing the Windows Graphical User Interface (GUI): the Start menu, the taskbar, File Explorer and the files it displays, etc.
The registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell points to explorer.exe.
User responsible is the logged-on user
Has multiple child processes.
IMPORTANT THINGS TO LOOK OUT FOR WHEN PERFORMING AN INVESTIGATION
- Parent process
- Child process
- Command-line arguments, for example svchost.exe running without the -k option is suspicious, and winword.exe starting powershell.exe is very suspicious.
- Spelling errors in process names e.g. svch0st.exe, scvhost.exe, svvhost.exe, lsasss.exe, lsas.exe
- User responsible for running the process
- Process executable location, i.e. where was the process executed from? Is it the correct folder?
- Registry values: have any of the values mentioned above been modified? If yes, by whom, and at what time?
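To show how the baseline from the process descriptions above and this checklist combine into a repeatable triage step, here is an added example (mine, not code from the article or from Microsoft). It encodes the expected parent, executable path, user and instance count per process as the article states them and runs the checklist over a process listing. The listing is constructed to look like a `Get-CimInstance Win32_Process` export and is not a capture from a real host; the 0.8 name-similarity threshold, the `EXITED` handling (csrss.exe, wininit.exe, winlogon.exe and explorer.exe legitimately have a parent that has already exited, because the child smss.exe and userinit.exe exit once their job is done), and the extension of the winword.exe/powershell.exe rule to other Office applications and cmd.exe are my assumptions, not statements from the article.

```python
"""Baseline checks for Windows system processes (added example, not from the article).

The expected parent / path / user / instance values are the ones listed in the article.
SAMPLE_LISTING is CONSTRUCTED to resemble a Get-CimInstance Win32_Process export.
"""
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher

SYS32 = r"C:\Windows\System32"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SVC_USERS = {SYSTEM, r"NT AUTHORITY\NETWORK SERVICE", r"NT AUTHORITY\LOCAL SERVICE"}
EXITED = "<exited>"  # parent PID no longer in the listing (smss.exe / userinit.exe exit after their work)

# name -> (allowed parents, expected path, allowed users, max live instances).
# None means the article does not constrain it (e.g. "the logged-on user", "multiple instances").
BASELINE = {
    "smss.exe":      ({"system"},                 rf"{SYS32}\smss.exe",       {SYSTEM},  1),
    "csrss.exe":     ({"smss.exe", EXITED},       rf"{SYS32}\csrss.exe",      {SYSTEM},  None),
    "wininit.exe":   ({"smss.exe", EXITED},       rf"{SYS32}\wininit.exe",    {SYSTEM},  1),
    "winlogon.exe":  ({"smss.exe", EXITED},       rf"{SYS32}\winlogon.exe",   {SYSTEM},  1),
    "lsass.exe":     ({"wininit.exe"},            rf"{SYS32}\lsass.exe",      {SYSTEM},  1),
    "services.exe":  ({"wininit.exe"},            rf"{SYS32}\services.exe",   {SYSTEM},  1),
    "svchost.exe":   ({"services.exe"},           rf"{SYS32}\svchost.exe",    SVC_USERS, None),
    "taskhostw.exe": ({"services.exe"},           rf"{SYS32}\taskhostw.exe",  None,      None),
    "explorer.exe":  ({"userinit.exe", EXITED},   r"C:\Windows\explorer.exe", None,      None),
}
# Other names the article lists as legitimate; excluded from the look-alike check.
KNOWN_OK = {"system", "userinit.exe", "lsaiso.exe", "dllhost.exe", "spoolsv.exe",
            "taskhost.exe", "taskhostex.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumption: generalised from winword.exe
SHELLS = {"powershell.exe", "cmd.exe"}                               # assumption: generalised from powershell.exe
LOOKALIKE_THRESHOLD = 0.8                                             # assumption


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    user: str
    cmdline: str


def audit(listing):
    """Run the article's checklist over a listing; return (pid, name, reason) findings."""
    procs = {p.pid: p for p in listing}
    counts = Counter(p.name.lower() for p in listing)
    findings = []
    for p in listing:
        name = p.name.lower()
        parent = procs.get(p.ppid)
        pname = parent.name.lower() if parent else EXITED
        if name in BASELINE:
            parents, path, users, max_inst = BASELINE[name]
            if pname not in parents:
                findings.append((p.pid, p.name, f"unexpected parent {pname}"))
            if p.path.lower() != path.lower():
                findings.append((p.pid, p.name, f"unexpected path {p.path}"))
            if users is not None and p.user not in users:
                findings.append((p.pid, p.name, f"unexpected user {p.user}"))
            if max_inst is not None and counts[name] > max_inst:
                findings.append((p.pid, p.name, f"{counts[name]} instances, expected at most {max_inst}"))
        elif name not in KNOWN_OK:
            # Spelling-error check: closest system process name by sequence similarity.
            best = max(BASELINE, key=lambda legit: SequenceMatcher(None, name, legit).ratio())
            if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD:
                findings.append((p.pid, p.name, f"name resembles {best}"))
        if name == "svchost.exe" and "-k" not in p.cmdline.split():
            findings.append((p.pid, p.name, "svchost.exe without -k service group"))
        if pname == "lsass.exe":
            findings.append((p.pid, p.name, "child of lsass.exe (should have none)"))
        if pname in OFFICE and name in SHELLS:
            findings.append((p.pid, p.name, f"{pname} spawned {name}"))
    return findings


ALICE = r"DESKTOP-1\alice"  # constructed logged-on user
SAMPLE_LISTING = [  # constructed listing; PIDs 460, 552 and 1396 have already exited
    Proc(4,    0,    "System",       "",                              SYSTEM, ""),
    Proc(368,  4,    "smss.exe",     rf"{SYS32}\smss.exe",            SYSTEM, "smss.exe"),
    Proc(484,  460,  "csrss.exe",    rf"{SYS32}\csrss.exe",           SYSTEM, "csrss.exe"),
    Proc(560,  460,  "wininit.exe",  rf"{SYS32}\wininit.exe",         SYSTEM, "wininit.exe"),
    Proc(568,  552,  "winlogon.exe", rf"{SYS32}\winlogon.exe",        SYSTEM, "winlogon.exe"),
    Proc(656,  560,  "services.exe", rf"{SYS32}\services.exe",        SYSTEM, "services.exe"),
    Proc(672,  560,  "lsass.exe",    rf"{SYS32}\lsass.exe",           SYSTEM, "lsass.exe"),
    Proc(820,  656,  "svchost.exe",  rf"{SYS32}\svchost.exe",         r"NT AUTHORITY\NETWORK SERVICE", "svchost.exe -k NetworkService"),
    Proc(900,  656,  "svchost.exe",  rf"{SYS32}\svchost.exe",         SYSTEM, "svchost.exe -k DcomLaunch -p"),
    Proc(1337, 656,  "svchost.exe",  r"C:\Users\Public\svchost.exe",  ALICE,  "svchost.exe"),
    Proc(1400, 1396, "explorer.exe", r"C:\Windows\explorer.exe",      ALICE,  "explorer.exe"),
    Proc(2100, 1400, "winword.exe",  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", ALICE, "winword.exe"),
    Proc(2200, 2100, "powershell.exe", rf"{SYS32}\WindowsPowerShell\v1.0\powershell.exe", ALICE, "powershell.exe"),
    Proc(2300, 1400, "lsasss.exe",   r"C:\Users\alice\AppData\Local\Temp\lsasss.exe", ALICE, "lsasss.exe"),
    Proc(2400, 672,  "cmd.exe",      rf"{SYS32}\cmd.exe",             SYSTEM, "cmd.exe"),
    Proc(2500, 1400, "lsass.exe",    r"C:\Users\alice\AppData\Local\Temp\lsass.exe", ALICE, "lsass.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in audit(SAMPLE_LISTING):
        print(f"PID {pid:>5}  {name:<16} {reason}")
```

Note that the instance-count rule flags both lsass.exe entries, the genuine one included: the checker cannot know which copy is real, so the analyst uses the parent, path and user findings on PID 2500 to decide. On a real host you would feed the function the fields of a `Get-CimInstance Win32_Process` export (ProcessId, ParentProcessId, Name, ExecutablePath, the owner from GetOwner(), CommandLine) rather than the constructed listing.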
Thank you for engaging with me. Remember to leave a clap or comment. See you next time!