Windows System Processes — An Overview For Blue Teams

Windows Process — Mind Map

The Windows operating system contains a lot of system processes that are present every time we boot our machines. These processes are responsible for many things, from initialization and creating the user interface to loading the necessary drivers and DLLs.

It becomes a must for threat hunters to know the normal behavior of these processes, such as the parent-child relationships between them and the number of instances that should be present per machine or per user session.

Today we’ll discuss these processes and provide an overview that’ll help every threat hunter in his journey (hopefully).

Let’s get started.

System Idle Process

The system idle process (which is not an actual process) is the one responsible for accounting for IDLE time on the system.

System

The system “process” is a special kind of process that hosts threads that only run in kernel mode.

Memory Compression

It’s a minimal process that compresses the memory of processes in RAM instead of paging it out to disk, to improve performance and response time.

Registry

Similar to the memory compression “process” (again, not really a process by Windows standards), the Registry process was introduced to improve performance and reduce memory usage. It stores registry hive data such as HKLM and HKCU.

Session Manager Subsystem (SMSS.EXE)

The session manager process is the first user-mode process. It’s responsible for creating the list of environment variables, the security descriptors that will be used by the various system resources, initializing the rest of the registry (the HKLM Software hive and the SAM and Security hives) and a lot more. Refer to the Windows Internals, 7th edition book for a complete list.

The System process creates the first SMSS instance, known as the master SMSS.EXE process. It’s the only instance of SMSS.EXE that stays after Windows has booted, and one of its characteristics is that it doesn’t have any command-line arguments.

The master SMSS process will create at least two instances of itself: one in “Session 0” (OS) that is responsible for creating the “wininit.exe” process, and another in “Session 1” (User) that represents the first logged-on user and creates “winlogon.exe”. Both will spawn a “csrss.exe” process.

All the child SMSS.EXE processes created by the master SMSS.EXE process exit after finishing their job.

Windows Subsystem Process (CSRSS.EXE)

Windows Initialization Process (WININIT.EXE)

The Windows initialization process is responsible for initializing and setting up a lot of things:

  • It sets the default environment variables (USERPROFILE, ALLUSERPROFILE, PUBLIC and ProgramData).
  • It creates the LSASS process and sets the LSA encryption key.
  • It creates the Service Control Manager by launching the SERVICES.EXE process.
  • It creates the temp directory in the system root (%Systemroot%\Temp).
  • …Etc.

Service Control Manager (SERVICES.EXE)

The SCM, or Service Control Manager, is responsible for handling (starting, stopping, etc.) the services defined on the system. Services are defined under the following registry key: “HKLM\SYSTEM\CurrentControlSet\Services\”.

You can read my blog post on “Demystifying the “SVCHOST.EXE” Process and Its Command Line Options” for more details on the SCM.

Windows Logon Process (WINLOGON.EXE)

Handles everything related to user logons/logoffs and user initialization. When a logon is successful and has been validated by the LSASS process, it launches the processes listed in the “Userinit” registry value located at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”.

LOGONUI.EXE

Launched by “winlogon.exe” to show the logon interface and initialize the credential providers (Username/Password, Windows Hello…etc.).

USERINIT.EXE

As the name suggests, “userinit.exe” is responsible for user initialization: launching the logon scripts, re-establishing network connections and launching the Windows shell.

The value of the shell (by default “explorer.exe”) is read from the following registry key: “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”.

The logon script value, named “UserInitLoginScript”, is also read from the same key.

EXPLORER.EXE

Desktop Window Manager (DWM.EXE)

The process responsible for compositing and rendering windows on the screen.

Local Security Authentication Service (LSASS.EXE)

Process responsible for managing authentication on the machine.

Service Host Process (SVCHOST.EXE)

The process responsible for hosting services implemented as DLLs. Read my blog “Demystifying the “SVCHOST.EXE” Process and Its Command Line Options” to get more insight.

One thing to note is that an “svchost.exe” process should never be running without at least the “-k” flag on its command line.
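The expectations described in the SMSS, WININIT, WINLOGON/USERINIT and SVCHOST sections above can be turned into simple baseline checks. The script below is an added example (not code from the original post) that runs those checks over a constructed process snapshot in the shape of a process listing export: name, PID, parent PID, session ID and command line. The PIDs, the snapshot itself, and the single-instance and session-0 expectations for wininit.exe, services.exe and lsass.exe are assumptions made for this example; the post itself only states the single-instance and no-arguments rule for the master SMSS.EXE, the parent-child chain, and the “-k” rule for svchost.exe. Two anomalies are planted in the sample data: a second lsass.exe running under explorer.exe in session 1, and an svchost.exe with no “-k” whose parent is not services.exe.

```python
"""Baseline checks for Windows system processes over a constructed snapshot.

Added example: encodes the parent/child, instance-count and command-line
expectations from the post as detection rules. Sample data is constructed.
"""
from collections import Counter

# Constructed snapshot of a booted machine (one record per process).
# The parents of csrss/wininit/winlogon (the child smss.exe instances)
# have already exited, so their ppids do not resolve, which is normal.
SAMPLE_PROCESSES = [
    {"name": "System",       "pid": 4,    "ppid": 0,    "session": 0, "cmdline": ""},
    {"name": "smss.exe",     "pid": 300,  "ppid": 4,    "session": 0, "cmdline": ""},
    {"name": "csrss.exe",    "pid": 400,  "ppid": 392,  "session": 0, "cmdline": "csrss.exe ObjectDirectory=\\Windows"},
    {"name": "wininit.exe",  "pid": 480,  "ppid": 392,  "session": 0, "cmdline": "wininit.exe"},
    {"name": "csrss.exe",    "pid": 500,  "ppid": 492,  "session": 1, "cmdline": "csrss.exe ObjectDirectory=\\Windows"},
    {"name": "winlogon.exe", "pid": 540,  "ppid": 492,  "session": 1, "cmdline": "winlogon.exe"},
    {"name": "services.exe", "pid": 600,  "ppid": 480,  "session": 0, "cmdline": "services.exe"},
    {"name": "lsass.exe",    "pid": 620,  "ppid": 480,  "session": 0, "cmdline": "lsass.exe"},
    {"name": "svchost.exe",  "pid": 700,  "ppid": 600,  "session": 0, "cmdline": "svchost.exe -k netsvcs -p"},
    {"name": "svchost.exe",  "pid": 720,  "ppid": 1234, "session": 1, "cmdline": "svchost.exe"},   # planted: no -k, unknown parent
    {"name": "userinit.exe", "pid": 800,  "ppid": 540,  "session": 1, "cmdline": "userinit.exe"},
    {"name": "explorer.exe", "pid": 900,  "ppid": 800,  "session": 1, "cmdline": "explorer.exe"},
    {"name": "lsass.exe",    "pid": 950,  "ppid": 900,  "session": 1, "cmdline": "lsass.exe"},     # planted: 2nd lsass under explorer
]

# Expected parent(s) by lowercase process name, following the post's chain:
# System -> smss -> {csrss, wininit, winlogon}; wininit -> {services, lsass};
# services -> svchost; winlogon -> {logonui, userinit}; userinit -> explorer.
EXPECTED_PARENTS = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "logonui.exe": {"winlogon.exe"},
    "userinit.exe": {"winlogon.exe"},
    "explorer.exe": {"userinit.exe"},
}
# These are spawned by child smss.exe instances that exit afterwards, so a
# parent missing from the snapshot is expected rather than suspicious.
PARENT_MAY_HAVE_EXITED = {"csrss.exe", "wininit.exe", "winlogon.exe"}
# Assumption for this example: exactly one of each after boot.
SINGLE_INSTANCE = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}
# Assumption for this example: these only ever live in session 0.
SESSION_ZERO_ONLY = {"wininit.exe", "services.exe", "lsass.exe"}


def _finding(proc, reason):
    return {"pid": proc["pid"], "name": proc["name"], "reason": reason}


def check_snapshot(processes):
    """Return a list of findings (pid, name, reason) for the given snapshot."""
    findings = []
    by_pid = {p["pid"]: p for p in processes}
    counts = Counter(p["name"].lower() for p in processes)

    for p in processes:
        name = p["name"].lower()
        args = p["cmdline"].split()[1:]  # tokens after the image name

        # Rule: single-instance processes must not appear more than once.
        if name in SINGLE_INSTANCE and counts[name] > 1:
            findings.append(_finding(p, f"{counts[name]} instances of {name}, expected 1"))

        # Rule: after boot only the master smss.exe remains, and it has no arguments.
        if name == "smss.exe" and args:
            findings.append(_finding(p, "smss.exe with command-line arguments (child instances should have exited)"))

        # Rule: svchost.exe should never run without the -k flag.
        if name == "svchost.exe" and "-k" not in args:
            findings.append(_finding(p, "svchost.exe without the -k flag"))

        # Rule (assumption): core session-0 processes must not run in a user session.
        if name in SESSION_ZERO_ONLY and p["session"] != 0:
            findings.append(_finding(p, f"{name} running in session {p['session']}, expected session 0"))

        # Rule: parent must match the documented parent-child chain.
        expected = EXPECTED_PARENTS.get(name)
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            if name not in PARENT_MAY_HAVE_EXITED:
                findings.append(_finding(p, f"parent pid {p['ppid']} not found in snapshot"))
            continue
        if parent["name"].lower() not in expected:
            findings.append(_finding(
                p, f"parent is {parent['name']} (pid {parent['pid']}), expected {'/'.join(sorted(expected))}"))
    return findings


if __name__ == "__main__":
    for f in check_snapshot(SAMPLE_PROCESSES):
        print(f"[!] pid {f['pid']:>5} {f['name']:<14} {f['reason']}")
```

Running it prints six findings: both lsass.exe records are flagged for the instance count, the second lsass.exe is additionally flagged for living in session 1 under explorer.exe, and the planted svchost.exe is flagged twice (no “-k”, and a parent that is not in the snapshot). Note how the missing-parent rule is deliberately relaxed for csrss.exe, wininit.exe and winlogon.exe, since their smss.exe parents exit after finishing their job, exactly as the post describes.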

Note: most processes in Windows can spawn the “werfault.exe” process, which is designed to handle crashes and errors. Something to keep in mind when looking at child processes.

Conclusion

Thanks for reading. I hope you enjoyed this overview of system processes. I’ll be adding more processes over time.

You can download the Mind Map below from my GitHub to help visualize all of this.

If you have any feedback or suggestions, please send them my way on Twitter @nas_bench

Happy Hunting
