Core Windows Process
smss.exe (Session Manager):-
- Responsible for creating sessions.
- Session 0 creates the OS services and starts csrss.exe and wininit.exe.
- Session 1 creates the user session and starts csrss.exe and winlogon.exe.
- Loads (its location is ) in shared memory and Locations.
- Executable Path: %SystemRoot%\System32\smss.exe
- Parent Process: System
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 11
- Time of Execution: For Session 0, within seconds of boot time
Sessions 0 and 1 are normal, and only 1 instance of smss.exe should be running.
csrss.exe (Client/Server Runtime Subsystem Process):-
- Responsible for managing processes and threads and for providing the Windows API to user-mode processes.
- Responsible for mapping drive letters, creating temp files, and handling the shutdown process.
- Executable Path: %SystemRoot%\System32\csrss.exe
- Parent Process: Created by a child instance of SMSS.EXE, but that process won’t exist, so it will appear to have no parent.
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 13
- Time of Execution: For Sessions 0 & 1, within seconds of boot time
Typically you will see 2 instances of csrss.exe.
winlogon.exe (Windows Logon Process):-
- Responsible for user logons/logoffs. It launches LogonUI.exe to collect the username and password and passes the credentials to LSASS.exe, which verifies them against AD or the local SAM.
- Loads Userinit.exe as specified under Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Loads NTUSER.DAT into HKCU and starts the user’s shell via Userinit.exe.
- Userinit initializes the user environment and runs logon scripts and GPOs.
- Executable Path: %SystemRoot%\System32\winlogon.exe
- Parent Process: Created by a child instance of SMSS.EXE, but that process won’t exist, so it will appear to have no parent.
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 13
- Time of Execution: For Session 1, within seconds of boot time. Other instances may start later.
- Abuse of this process usually comes through the different components of the logon process. Malware sometimes abuses the Shell registry value; this value should be explorer.exe.
- Another registry value abused by malware that works in conjunction with winlogon.exe is Userinit.
wininit.exe (Windows Initialization Process):-
- Responsible for launching services.exe, lsass.exe, and lsm.exe in Session 0.
- Executable Path: %SystemRoot%\System32\wininit.exe
- Parent Process: Created by a child instance of SMSS.EXE, but that process won’t exist, so it will appear to have no parent.
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 13
- Time of Execution: Within seconds of boot time
You should only see 1 instance of wininit.exe.
lsm.exe (Local Session Manager):-
- Responsible for working with smss.exe to create, destroy, or manipulate user sessions.
- Responsible for logon/logoff, shell start/end, and lock/unlock desktop, to name a few.
- Note: After Windows 7, lsm.exe no longer exists; it is now a service hosted in lsm.dll.
- Executable Path: %SystemRoot%\System32\lsm.exe
- Parent Process: wininit.exe
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 8
- Time of Execution: Within seconds of boot time
You should only see 1 instance of lsm.exe on Windows 7 machines. You should NOT be seeing this on Windows 8 and beyond. It will be running as a service DLL instead, lsm.dll.
services.exe (Service Control Manager):-
- Responsible for loading services (auto-start) and device drivers into memory.
- Parent to svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.
- Services are defined in HKLM\SYSTEM\CurrentControlSet\Services.
- Maintains an in-memory database of service information, which can be queried using the built-in Windows tool sc.exe.
- After a successful interactive logon, services.exe backs up a copy of the registry keys into HKLM\SYSTEM\Select\LastKnownGood, known as the Last Known Good Configuration.
- Executable Path: %SystemRoot%\System32\services.exe
- Parent Process: wininit.exe
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 9
- Time of Execution: Within seconds of boot time
You should only see 1 instance of services.exe. This is a protected process which makes it difficult to tamper with.
lsass.exe (Local Security Authority Subsystem):-
- Responsible for user authentication and for generating access tokens that specify the security policies and/or restrictions for the user and for the processes spawned in the user session.
- Uses the authentication packages registered under HKLM\System\CurrentControlSet\Control\Lsa to authenticate users.
- Creates security tokens for SAM, AD, and NetLogon.
- Writes to the Security event log.
- Executable Path: %SystemRoot%\System32\lsass.exe
- Parent Process: wininit.exe
- Username: NT AUTHORITY\SYSTEM (S-1-5-18)
- Base Priority: 9
- Time of Execution: Within seconds of boot time
You should only see 1 instance of lsass.exe. This process is commonly attacked and abused by hackers and malware. It is targeted to dump password hashes, and its name is often used to hide in plain sight. You might see different spellings of this process (lass.exe or lsasss.exe), and might even see multiple instances of it, as with the Stuxnet malware.
svchost.exe (Generic Service Host Process):-
- Responsible for hosting multiple service DLLs inside a generic shared service process.
- Each service will have registry entries that include ServiceDll. This instructs svchost.exe which DLL to load. The entry will also include svchost.exe -k <name>.
- Multiple instances of svchost.exe will be running.
- All DLL-based services with the same <name> will share the same svchost.exe process.
- <name> values are found in the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key.
- Each svchost.exe process will run with a unique -k <name>.
- Executable Path: %SystemRoot%\System32\svchost.exe
- Parent Process: services.exe
- Username: NT AUTHORITY\SYSTEM (S-1-5-18), LOCAL SERVICE (S-1-5-19), or NETWORK SERVICE (S-1-5-20) *
- Base Priority: 8
- Time of Execution: Varies
- *In Windows 10, an instance will start as user upon logon (-k UnistackSvcGroup).
This process is another that is heavily abused. It can be used to launch malicious services (malware installed as a service); when this is done, the -k argument will not be present. Its name is often misspelled to hide in plain sight. Another technique is to place a copy in a different directory, but note that services.exe will not be the parent in that case.
When it comes to services, extra steps are needed to determine whether the service/DLL being loaded by svchost.exe is legitimate or not.
It’s more than just checking for misspellings of svchost.exe, because techniques such as Process Injection and Process Hollowing can target legitimate services. In those cases, advanced techniques such as memory analysis are required.
taskhost.exe (Generic Host Process):-
- Acts as a host for processes that run from DLLs rather than EXEs. At startup, TASKHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them.
- In Windows 8, this process was renamed to taskhostex.exe.
- In Windows 10, this process was renamed to taskhostw.exe.
- Executable Path: %SystemRoot%\System32\taskhost.exe
- Parent Process: services.exe
- Username: Varies
- Base Priority: 8
- Time of Execution: Varies
explorer.exe (Windows Explorer):-
- Responsible for the user’s desktop and everything that comes with it, including access to files (file browser) and launching files via their file extensions.
- Even if multiple Windows Explorer windows are open, only 1 process will be spawned per logged-on user.
- Executable Path: %SystemRoot%\explorer.exe
- Parent Process: Created by USERINIT.EXE, but that process won’t exist, so it will appear to have no parent.
- Username: The logged-on user
- Base Priority: 8
- Time of Execution: Varies
This process is targeted by malware as well. Different techniques, like the ones already mentioned, will be used against this process: injecting into it, spawning malware named explorer.exe from a different folder, or misspelling it and running it from the actual folder. Look for instances where explorer.exe has CMD hanging off it or is listening/connected on a network port.
Core Windows processes shouldn’t run from Windows temp locations or the Recycle Bin, and none of them should be communicating with outbound IPs.
Check for digital signatures (all Microsoft artifacts should be digitally signed).
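As an added example (not part of the original notes), the following Python script applies the baselines collected above to an exported process listing: expected path, parent and instance count per core process, the -k <name> argument on svchost.exe, and look-alike names such as lsasss.exe. The listing is constructed; the record layout (pid, name, path, parent, cmdline) is an assumption for whatever tool exported it.

```python
from collections import Counter
from difflib import SequenceMatcher

# Expected parent, path and instance count per core process, as listed in the notes above.
# parent None: the creator (smss.exe child instance or userinit.exe) has exited, so no parent is shown.
BASELINE = {
    "smss.exe":     {"parent": "system",       "path": r"c:\windows\system32\smss.exe",     "max": 1},
    "csrss.exe":    {"parent": None,           "path": r"c:\windows\system32\csrss.exe",    "max": 2},
    "wininit.exe":  {"parent": None,           "path": r"c:\windows\system32\wininit.exe",  "max": 1},
    "winlogon.exe": {"parent": None,           "path": r"c:\windows\system32\winlogon.exe", "max": None},
    "services.exe": {"parent": "wininit.exe",  "path": r"c:\windows\system32\services.exe", "max": 1},
    "lsass.exe":    {"parent": "wininit.exe",  "path": r"c:\windows\system32\lsass.exe",    "max": 1},
    "svchost.exe":  {"parent": "services.exe", "path": r"c:\windows\system32\svchost.exe",  "max": None},
    "explorer.exe": {"parent": None,           "path": r"c:\windows\explorer.exe",          "max": None},
}

def audit(processes):
    """Return a list of findings for records that deviate from BASELINE."""
    findings = []
    counts = Counter(p["name"].lower() for p in processes)
    for name, rule in BASELINE.items():
        if rule["max"] is not None and counts[name] > rule["max"]:
            findings.append(f"{name}: {counts[name]} instances, expected at most {rule['max']}")
    for p in processes:
        name, path, parent = p["name"].lower(), p["path"].lower(), (p["parent"] or "").lower()
        rule = BASELINE.get(name)
        if rule is None:
            # Unknown name: flag look-alikes of a core process name (lsasss.exe, scvhost.exe, ...)
            for core in BASELINE:
                if SequenceMatcher(None, name, core).ratio() >= 0.8:
                    findings.append(f"{name} (pid {p['pid']}): look-alike of {core}")
            continue
        if path != rule["path"]:
            findings.append(f"{name} (pid {p['pid']}): unexpected path {p['path']}")
        if rule["parent"] is not None and parent != rule["parent"]:
            findings.append(f"{name} (pid {p['pid']}): parent {parent or 'none'}, expected {rule['parent']}")
        if name == "svchost.exe" and "-k " not in p["cmdline"].lower():
            findings.append(f"svchost.exe (pid {p['pid']}): no -k <name> on the command line")
    return findings

# Constructed listing (not from a real host): the last two records are the suspicious ones.
SAMPLE = [
    {"pid": 368, "name": "smss.exe", "path": r"C:\Windows\System32\smss.exe", "parent": "System", "cmdline": ""},
    {"pid": 500, "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe", "parent": None, "cmdline": ""},
    {"pid": 620, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe", "parent": None, "cmdline": ""},
    {"pid": 700, "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "parent": "wininit.exe", "cmdline": ""},
    {"pid": 712, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe", "parent": "wininit.exe", "cmdline": ""},
    {"pid": 880, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 3120, "name": "svchost.exe", "path": r"C:\Windows\Temp\svchost.exe", "parent": "explorer.exe", "cmdline": "svchost.exe"},
    {"pid": 3300, "name": "lsasss.exe", "path": r"C:\Users\Public\lsasss.exe", "parent": "explorer.exe", "cmdline": "lsasss.exe"},
]
```

Running `audit(SAMPLE)` reports the svchost.exe copy in Temp three times (path, parent, missing -k) and flags lsasss.exe as a look-alike of lsass.exe; the six baseline records produce no findings.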