Windows System Processes — An Overview For Blue Teams
The Windows operating system contains a lot of system processes that are present every time we boot our machines. These processes are responsible for a lot of things. From initialization and creating the user interface to loading the necessary drivers and DLLs.
It becomes a must for threat hunters to know what is the normal behavior of these processes. Such as the parent-child relationship between them and the number of instances that should be present on a machine or user instance.
Today we’ll discuss these processes and provide an overview that’ll help every threat hunter in his journey (hopefully).
Let’s get started.
System Idle Process
The system idle process (which is not an actual process) is the one responsible for accounting for IDLE time on the system.
PID: 0Parent Process: NoneChild Processes: NoneUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: NoneN° Of Instances: 1
System
The system “process” is a special kind of process that hosts threads that only run in kernel mode.
PID: 4Parent Process: NoneChild Processes: SMSS.EXEUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %Systemroot%\System32\ntoskrnl.exe (Task Manager / Process Hacker) and None (Process Explorer)N° Of Instances: 1
Memory Compression
It’s a minimal process that is responsible for compressing the memory of processes in RAM instead of paging it out to disk to improve performance and response time.
PID: RandomParent Process: SystemChild Processes: NoneUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: NoneN° Of Instances: 1
Registry
Similar to the memory compression “Process” (Again, not really a process by windows standard). The registry process was introduced to improve performance and reduce memory usage. It stores registry hive data such as HKLM and HKCU.
PID: RandomParent Process: NoneChild Processes: NoneUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: NoneN° Of Instances: 1
Session Manager Subsystem (SMSS.EXE)
The session manager process is the first user-mode process. It’s responsible for creating the list of the environment variables, the security descriptors that’ll be used by the various system resources, initializing the rest of the registry (HKLM Software and the SAM and security hives), and a lot more. Refer to Windows Internals 7th edition book for a complete list.
The system process creates the first SMSS instance and it's known as the master SMSS.EXE process. It’s the only instance of SMSS.EXE that’ll stay after windows have booted up and one of the characteristics of this process is that it doesn’t have any command-line arguments
The master SMSS process will create at least two instances of itself. One in “Session 0” (OS) will be responsible for creating the “wininit.exe” process and another in “Session 1” (User) that’ll represent the first logged-on user and will create the “winlogon.exe”. Both will spawn a “csrss.exe” process.
All the children SMSS.EXE processes created by the master SMSS.EXE process will exit after finishing their JOB.
PID: RandomParent Process: "System"Child Processes: SMSS.EXE (Session 0), SMSS.EXE (Session 1), AUTOCHK.EXE and a new SMSS.EXE instance for each new sessionUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %Systemroot%\System32\smss.exeN° Of Instances: Multiple during boot-up and only one without arguments after boot-up.
Windows Subsystem Process (CSRSS.EXE)
PID: RandomParent Process: Orphan process (Parent was the SMSS.EXE child process of the master SMSS.EXE)Child Processes: NoneUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %Systemroot%\System32\csrss.exeN° Of Instances: One for each session (In general you’ll find two at least, one for session 0 and one for session 1)
Windows Initialization Process (WININIT.EXE)
The windows initialization process is responsible for initializing and setting a lot of things.
- It sets the default environment variables (USERPROFILE, ALLUSERPROFILE, PUBLIC, and ProgramData).
- It creates the LSASS process and sets the LSA encryption key.
- It creates the Services Control manager by launching the SERVICES.EXE process
- It creates the temp directory in the system root (%Systemroot%\Temp).
- …Etc.
PID: RandomParent Process: Orphan process (Parent was the sessions 0 SMSS.EXE during boot)Child Processes: “services.exe”, “lsass.exe”, “fontdrvhost.exe”User: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %Systemroot%\System32\wininit.exeN° Of Instances: 1
Service Control Manager (SERVICES.EXE)
The SCM or service control manager is responsible for handling (Start, Stop…etc.) services defined in the system. Services are defined in the following registry key: “HKLM/SYSTEM/CurrentControlSet/Services/”.
You can read my blog post on “Demystifying the “SVCHOST.EXE” Process and Its Command Line Options” for more details on the SCM.
PID: RandomParent Process: “wininit.exe”Child Processes: Multiple (Any services defined in “HKLM/SYSTEM/CurrentControlSet/Services/”. For example: “spoolsv.exe”, “svchost.exe”, “SearchIndexer.exe” …etc.)User: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %Systemroot%\System32\services.exeN° Of Instances: 1
Windows Logon Process (WINLOGON.EXE)
Handles everything related to user’s logons/logoffs and user initialization. When logon is successful and validated by the LSASS process. It launches the processes listed in the “Userinit” registry value located at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”
PID: RandomParent Process: Orphan process (Parent was the SMSS.EXE child process with session > 0)Child Processes: “LogonUI.exe”, “userinit.exe”, “dwm.exe”, “fontdrvhost.exe” and anything else listed in the “Userinit” valueUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %SystemRoot%\System32\winlogon.exeN° Of Instances: One for each user session
LOGONUI.EXE
Launched by “winlogon.exe” to show the logon interface and initialize the credential providers (Username/Password, Windows Hello…etc.).
PID: RandomParent Process: “winlogon.exe”Child Processes: NoneUser: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %SystemRoot%\system32\LogonUI.exeN° Of Instances: One for each connected / logged on user with a locked screen.
USERINIT.EXE
As the name suggest the “userinit.exe” is responsible for user initialization, launching the logon scripts, reestablishing network connections, and launching the windows shell.
The value of the shell (By default is “explorer.exe”) is read from the following registry key “HKLM\ SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”
The value for logon script named “UserInitLoginScript” is also read from the same key.
PID: RandomParent Process: “winlogon.exe”Child Processes: Shell process which is by default “explorer.exe” and anything executed via logon script stored in the value “UserInitLoginScript”.User: Logged on userImage: %Systemroot%\system32\userinit.exeN° Of Instances: 0 (The process exists after launching the shell “explorer.exe”)
EXPLORER.EXE
PID: randomParent Process: Orphan process (Parent was the “userinit.exe” process)Child Processes: Multiple processesUser: Logged on userImage: %Systemroot%\system32\explorer.exeN° Of instances: 1 for each user connected on the machine.
Desktop Window Manager (DWM.EXE)
The process responsible for rendering stuff on the screen.
PID: RandomParent Process: “winlogon.exe”Child Processes: NoneUser: Window Manager\DWM-X (Where “X” is the number of the session of the USER)Image: %Systemroot%\System32\dwm.exeN° Of Instances: 1 per logged on user
Local Security Authentication Service (LSASS.EXE)
The process responsible for managing authentication on the machine.
PID: RandomParent Process: “wininit.exe”Child Processes: None (Excluding password filters)User: NT AUTHORITY\SYSTEM (S-1-5-18)Image: %Systemroot%\system32\lsass.exeN° Of Instances: 1
Service Host Process (SVCHOST.EXE)
The process responsible for hosting DLL services. Read my blog “Demystifying the “SVCHOST.EXE” Process and Its Command Line Options” to get more insight.
One thing to note is that the “svchost.exe” process should never exist without the “-k” flag at a minimum.
PID: RandomParent Process: “services.exe”Child Processes: Multiple (Depends on the services being launched)User: Multiple (NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE…etc.)Image: %Systemroot%\System32\svchost.exeN° Of Instances: Multiple
Note: Most of the processes in windows can spawn the “werfault.exe” process. Which is a process designed to handle crashes and errors. Something to keep in mind when looking at child processes.
Conclusion
Thanks for reading. I hope you enjoyed this overview of system processes. I’ll be adding more processes over time.
You can download the Mind Map below from my GitHub to help visualize all of this.
If you have any feedback or suggestions, please send them my way on Twitter @nas_bench
Happy Hunting
