Windows System Processes — An Overview For Blue Teams

Windows Process — Mind Map

System Idle Process

PID: 0
Parent process: none
Child processes: none
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: none (not a real executable; the kernel uses this entry to account for idle CPU time)
N° of instances: 1

System

PID: 4
Parent process: none
Child processes: smss.exe, Memory Compression and Registry (all created directly by the kernel)
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\ntoskrnl.exe as shown by Task Manager and Process Hacker; Process Explorer shows no image
N° of instances: 1

Memory Compression

PID: random
Parent process: System
Child processes: none
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: none (a minimal process created by the kernel, so there is no image on disk; present on Windows 10 version 1607 and later)
N° of instances: 1

Registry

PID: random
Parent process: System
Child processes: none
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: none (a minimal process created by the kernel to hold registry hive data; present on Windows 10 version 1803 and later)
N° of instances: 1

Session Manager Subsystem (SMSS.EXE)

PID: random
Parent process: System
Child processes: a copy of smss.exe for each session (session 0, session 1, and one more for every new session), plus autochk.exe during boot. Each copy starts csrss.exe and either wininit.exe (session 0) or winlogon.exe (session 1 and up), then exits.
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\smss.exe
N° of instances: several during boot; afterwards exactly one resident instance, the master smss.exe, which runs without command-line arguments. A second long-lived smss.exe, or one whose parent is not System, deserves a look.

Client/Server Runtime Subsystem (CSRSS.EXE)

PID: random
Parent process: orphan (its parent was the per-session copy of smss.exe, which exited after starting it)
Child processes: none
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\csrss.exe
N° of instances: one per session, so at least two on a running machine (session 0 and session 1)

Windows Initialization Process (WININIT.EXE)

PID: random
Parent process: orphan (its parent was the session 0 copy of smss.exe, which exited during boot)
Child processes: services.exe, lsass.exe, fontdrvhost.exe
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\wininit.exe
N° of instances: 1

Service Control Manager (SERVICES.EXE)

PID: random
Parent process: wininit.exe
Child processes: multiple: any service defined under HKLM\SYSTEM\CurrentControlSet\Services that runs in its own process, for example spoolsv.exe, svchost.exe, SearchIndexer.exe
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\services.exe
N° of instances: 1

Windows Logon Process (WINLOGON.EXE)

PID: random
Parent process: orphan (its parent was the copy of smss.exe for that session, session 1 or higher, which has exited)
Child processes: LogonUI.exe, userinit.exe, dwm.exe, fontdrvhost.exe, and whatever is listed in the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (by default only userinit.exe; extra entries there are a well-known persistence location)
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\winlogon.exe
N° of instances: one per interactive session

LOGONUI.EXE

PID: random
Parent process: winlogon.exe
Child processes: none
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\LogonUI.exe
N° of instances: one per session that is showing the logon or lock screen; it exits once the user has signed in or unlocked

USERINIT.EXE

PID: random
Parent process: winlogon.exe
Child processes: the shell, which is explorer.exe by default (taken from the Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), and anything run by the logon script named in the UserInitMprLogonScript value under HKCU\Environment
User: the logged-on user
Image: %SystemRoot%\System32\userinit.exe
N° of instances: 0 once logon has completed: userinit.exe exits after launching the shell, so a userinit.exe that stays resident is worth investigating

EXPLORER.EXE

PID: random
Parent process: orphan (its parent was userinit.exe, which has exited)
Child processes: multiple (everything the user launches from the desktop, taskbar or Start menu)
User: the logged-on user
Image: %SystemRoot%\explorer.exe (note: not under System32; an explorer.exe running from %SystemRoot%\System32 or from any other directory is suspicious)
N° of instances: normally one per logged-on user (more if "Launch folder windows in a separate process" is enabled)

Desktop Window Manager (DWM.EXE)

PID: random
Parent process: winlogon.exe
Child processes: none
User: Window Manager\DWM-X, where X is the session number of the user
Image: %SystemRoot%\System32\dwm.exe
N° of instances: one per interactive session

Local Security Authority Subsystem Service (LSASS.EXE)

PID: random
Parent process: wininit.exe
Child processes: none (password filters and authentication packages are DLLs loaded into lsass.exe, not child processes; any process whose parent is lsass.exe is suspicious)
User: NT AUTHORITY\SYSTEM (S-1-5-18)
Image: %SystemRoot%\System32\lsass.exe
N° of instances: 1

Service Host Process (SVCHOST.EXE)

PID: random
Parent process: services.exe
Child processes: multiple (depends on the services being hosted)
User: multiple (NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, and the logged-on user for per-user services)
Image: %SystemRoot%\System32\svchost.exe
N° of instances: multiple (dozens on recent Windows 10 builds, which run most services in their own svchost.exe). A legitimate instance is always started by services.exe with a "-k <group>" argument; an svchost.exe with a different parent, a different image path, or no -k argument is suspicious.
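The expectations in the cards above (who the parent should be, where the image must live, which account it runs as, how many instances are normal) are easiest to use as a checklist if they are written down as rules and run over a process snapshot. The script below is an added example, not code from the original post: it encodes that table and flags deviations. Get-ProcessSnapshot reads the live host through the Win32_Process CIM class (its ProcessId, ParentProcessId, ExecutablePath, CommandLine, CreationDate fields and the GetOwner method); Test-ProcessGenealogy can also be fed a constructed snapshot, which is what the demo at the bottom does so the script runs offline. The function names, the rule table layout and the demo data (pids, user "alice", the planted anomalies) are assumptions made for this example.

```powershell
# Added example, not code from the original post: the parent / image path / account / instance-count
# expectations from the process cards above as a rule table, applied to a process snapshot.
# Get-ProcessSnapshot reads the live host (Win32_Process); Test-ProcessGenealogy also accepts a
# constructed snapshot, which the demo at the bottom uses so the script runs offline.

function Get-ProcessSnapshot {
    # Run elevated: otherwise ExecutablePath/CommandLine/owner of protected processes come back empty.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = $null
        try {
            $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction Stop
            if ($o.User) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        [pscustomobject]@{ Name = $_.Name; Pid = $_.ProcessId; ParentPid = $_.ParentProcessId; Path = $_.ExecutablePath
                           CommandLine = $_.CommandLine; Owner = $owner; Created = $_.CreationDate }
    }
}

function Test-ProcessGenealogy {
    param([Parameter(Mandatory)][object[]]$Snapshot,
          [string]$SystemRoot = $(if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }))
    # Parents: allowed parent image names (empty = the parent is expected to have exited already).
    # Dir: image directory under SystemRoot. System: must run as SYSTEM. Max: instance cap (0 = none).
    $rules = @{
        'smss.exe'     = @{ Parents = @('system');       Dir = 'System32'; System = $true;  Max = 1 }
        'csrss.exe'    = @{ Parents = @();               Dir = 'System32'; System = $true;  Max = 0 }
        'wininit.exe'  = @{ Parents = @();               Dir = 'System32'; System = $true;  Max = 1 }
        'winlogon.exe' = @{ Parents = @();               Dir = 'System32'; System = $true;  Max = 0 }
        'services.exe' = @{ Parents = @('wininit.exe');  Dir = 'System32'; System = $true;  Max = 1 }
        'lsass.exe'    = @{ Parents = @('wininit.exe');  Dir = 'System32'; System = $true;  Max = 1 }
        'svchost.exe'  = @{ Parents = @('services.exe'); Dir = 'System32'; System = $false; Max = 0 }
        'logonui.exe'  = @{ Parents = @('winlogon.exe'); Dir = 'System32'; System = $true;  Max = 0 }
        'userinit.exe' = @{ Parents = @('winlogon.exe'); Dir = 'System32'; System = $false; Max = 0 }
        'dwm.exe'      = @{ Parents = @('winlogon.exe'); Dir = 'System32'; System = $false; Max = 0 }
        'explorer.exe' = @{ Parents = @();               Dir = '';         System = $false; Max = 0 }
    }
    $byPid = @{}; foreach ($p in $Snapshot) { $byPid[[int]$p.Pid] = $p }
    $counts = @{}; $findings = New-Object System.Collections.Generic.List[string]
    foreach ($p in $Snapshot) {
        $name = $p.Name.ToLower(); $tag = "$($p.Name) (pid $($p.Pid))"
        # Trust the recorded parent only if it is still running AND started before the child; otherwise
        # the parent pid belongs to a process that exited (normal for the orphans above) or has been reused.
        $parent = $byPid[[int]$p.ParentPid]
        if ($parent -and $parent.Created -gt $p.Created) { $parent = $null }
        if ($parent -and $parent.Name.ToLower() -eq 'lsass.exe') {
            $findings.Add("$tag was spawned by lsass.exe (pid $($parent.Pid)); lsass.exe should have no children")
        }
        if (-not $rules.ContainsKey($name)) { continue }
        $r = $rules[$name]; $counts[$name] = 1 + [int]$counts[$name]
        if ($r.Parents.Count -eq 0) {
            if ($parent) { $findings.Add("$tag should be orphaned but its parent is $($parent.Name) (pid $($parent.Pid))") }
        } elseif (-not $parent) {
            $findings.Add("$tag parent pid $($p.ParentPid) is not running; expected $($r.Parents -join ' or ')")
        } elseif ($r.Parents -notcontains $parent.Name.ToLower()) {
            $findings.Add("$tag has parent $($parent.Name) (pid $($parent.Pid)); expected $($r.Parents -join ' or ')")
        }
        $expected = if ($r.Dir) { "$SystemRoot\$($r.Dir)\$($p.Name)" } else { "$SystemRoot\$($p.Name)" }
        if ($p.Path -and $p.Path -ine $expected) { $findings.Add("$tag image is $($p.Path); expected $expected") }
        if ($r.System -and $p.Owner -and $p.Owner -ine 'NT AUTHORITY\SYSTEM') { $findings.Add("$tag runs as $($p.Owner); expected NT AUTHORITY\SYSTEM") }
        if ($name -eq 'svchost.exe' -and $p.CommandLine -and $p.CommandLine -notmatch '(^|\s)-k\s+\S') {
            $findings.Add("$tag lacks the -k <group> argument: $($p.CommandLine)")
        }
    }
    foreach ($name in $rules.Keys) {
        if ($rules[$name].Max -gt 0 -and [int]$counts[$name] -gt $rules[$name].Max) {
            $findings.Add("$name running $($counts[$name]) times; expected at most $($rules[$name].Max) after boot")
        }
    }
    return $findings.ToArray()
}

# Constructed demo snapshot (not real telemetry): a healthy boot chain plus planted anomalies.
$base = [datetime]'2024-01-01T08:00:00'
function New-DemoProcess($Name, $Id, $ParentId, $Path, $Owner, $CommandLine, $Offset) {
    [pscustomobject]@{ Name = $Name; Pid = $Id; ParentPid = $ParentId; Path = $Path; Owner = $Owner
                       CommandLine = $CommandLine; Created = $base.AddSeconds($Offset) }
}
$sys = 'NT AUTHORITY\SYSTEM'; $s32 = 'C:\Windows\System32'
$demo = @(
    (New-DemoProcess 'System'       4    0    $null               $sys $null 0)
    (New-DemoProcess 'smss.exe'     400  4    "$s32\smss.exe"     $sys $null 1)
    (New-DemoProcess 'csrss.exe'    500  480  "$s32\csrss.exe"    $sys $null 2)   # parent: exited session 0 smss.exe copy
    (New-DemoProcess 'wininit.exe'  580  480  "$s32\wininit.exe"  $sys $null 3)
    (New-DemoProcess 'services.exe' 680  580  "$s32\services.exe" $sys $null 4)
    (New-DemoProcess 'lsass.exe'    700  580  "$s32\lsass.exe"    $sys $null 4)
    (New-DemoProcess 'svchost.exe'  900  680  "$s32\svchost.exe"  $sys "$s32\svchost.exe -k netsvcs -p" 5)
    (New-DemoProcess 'explorer.exe' 3000 2900 'C:\Windows\explorer.exe' 'CORP\alice' $null 60)  # parent: exited userinit.exe
    # pid 480 (the exited smss.exe copy) reused much later: must not be mistaken for csrss/wininit's parent
    (New-DemoProcess 'notepad.exe'  480  3000 "$s32\notepad.exe"  'CORP\alice' $null 300)
    # planted: svchost.exe under explorer.exe, from a user-writable path, without -k
    (New-DemoProcess 'svchost.exe'  4242 3000 'C:\Users\alice\AppData\Local\Temp\svchost.exe' 'CORP\alice' 'svchost.exe' 120)
    # planted: a second lsass.exe, started by services.exe instead of wininit.exe
    (New-DemoProcess 'lsass.exe'    4300 680  "$s32\lsass.exe"    $sys $null 130)
    # planted: lsass.exe spawning a shell
    (New-DemoProcess 'cmd.exe'      4400 700  "$s32\cmd.exe"      $sys 'cmd.exe' 140)
)
Test-ProcessGenealogy -Snapshot $demo -SystemRoot 'C:\Windows' | ForEach-Object { "ALERT: $_" }
# On a live host (elevated): Test-ProcessGenealogy -Snapshot (Get-ProcessSnapshot)
```

Two caveats when pointing this at a live machine. The creation-time check is what keeps the orphaned processes (csrss.exe, wininit.exe, winlogon.exe, explorer.exe) from being blamed on whatever process later reused their dead parent's pid; without it, long uptimes produce false "should be orphaned" alerts. And the rule table describes a stock Windows 10 client: the instance caps for smss.exe, wininit.exe, services.exe and lsass.exe hold after boot has finished, and a snapshot taken while a new session is being created can legitimately show a second, short-lived smss.exe.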

Conclusion

Written by

#ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
