Understanding Crucial Windows Processes: Differentiating Normal Operations from Red Flags (2024)

Looking at the running processes on a Windows operating system can be quite overwhelming at first glance, so the aim of this blog post is to give you a better understanding of what is "not normal".


First things first: there are multiple ways to view the running processes on a Windows operating system, from the command line to GUI tools, but the easiest is a tool called "Process Explorer", part of the larger Sysinternals suite of system utilities from Microsoft.


I have provided a link to download Process Explorer below:

You can view an abundance of process information and its associated metadata by opening the "View" menu, choosing "Select Columns" and enabling the appropriate columns. It also helps to right-click a process and select "Properties". Now that you have an appropriate tool to view your Windows processes, let's get into the nitty-gritty.
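As an added example (not code from the original post), here is a PowerShell rendering of the Process Explorer tree view with the details the post relies on throughout: name, PID, parent PID, session, user and image path. It uses only built-in cmdlets (Get-CimInstance Win32_Process and Get-Process -IncludeUserName); run it from an elevated prompt, otherwise the paths and user names of SYSTEM-owned processes come back empty. The handling of reused PIDs is my addition: a process whose "parent" was created after it has no real parent any more, which is exactly the situation the post describes for csrss.exe, wininit.exe, winlogon.exe and explorer.exe.

```powershell
# Added example, not code from the original post. Prints the process tree the
# way Process Explorer shows it. Run elevated for full detail.

$procs = Get-CimInstance -ClassName Win32_Process

# User names: Get-Process -IncludeUserName needs elevation; degrade gracefully.
$users = @{}
try {
    Get-Process -IncludeUserName -ErrorAction Stop | ForEach-Object { $users[[int]$_.Id] = $_.UserName }
} catch { }

# Index by PID (cast to [int] so that hashtable keys compare consistently).
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Group children under their parent. A "parent" that was created after its
# child is a reused PID, not the real parent (the real one already exited, as
# smss.exe and userinit.exe do), so such processes are treated as tree roots.
$children = @{}
$roots = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $reused = $parent -and $parent.CreationDate -and $p.CreationDate -and ($parent.CreationDate -gt $p.CreationDate)
    if ($parent -and ($parent.ProcessId -ne $p.ProcessId) -and -not $reused) {
        $key = [int]$parent.ProcessId
        if (-not $children.ContainsKey($key)) { $children[$key] = @() }
        $children[$key] += $p
    } else {
        $p
    }
}

function Show-Tree($p, $depth) {
    $key  = [int]$p.ProcessId
    $user = if ($users.ContainsKey($key)) { $users[$key] } else { '<n/a>' }
    $cols = @((' ' * (2 * $depth)) + $p.Name, $p.ProcessId, $p.ParentProcessId, $p.SessionId, $user, $p.ExecutablePath)
    '{0,-34} PID={1,-6} PPID={2,-6} Session={3} User={4,-28} {5}' -f $cols
    if ($children.ContainsKey($key)) {
        foreach ($c in ($children[$key] | Sort-Object ProcessId)) { Show-Tree $c ($depth + 1) }
    }
}

foreach ($r in ($roots | Sort-Object ProcessId)) { Show-Tree $r 0 }
```

Processes that appear at the top level of the output with a non-zero PPID are the ones whose parent has exited; on a healthy system that list is csrss.exe, wininit.exe, winlogon.exe, explorer.exe and little else, which is the baseline the following sections build on.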

System

The System process hosts the kernel-mode system threads. System threads have all the attributes and contexts of regular user-mode threads (a hardware context, priority and so on) but differ in that they run only in kernel mode, executing code loaded in system space. The PID of System is always 4, and the code it runs is the NT kernel image itself, C:\Windows\System32\ntoskrnl.exe, together with the drivers loaded into the kernel.

What is unusual?

  • A parent other than System Idle Process (PID 0).
  • More than one instance of System.
  • A PID other than 4.
  • Not running in Session 0.

System -> smss.exe

Smss.exe, the Session Manager Subsystem, is the Windows Session Manager and is primarily responsible for creating new sessions. It is the first user-mode process started by the kernel.

The master smss.exe instance (the one whose parent is System) sets up Session 0, the isolated session reserved for the operating system, with csrss.exe (the Windows subsystem) and wininit.exe, and Session 1, the first interactive user session, with csrss.exe and winlogon.exe. It creates each new session by spawning a copy of itself into that session; the copy starts the session's csrss.exe and winlogon.exe and then exits, which is why those processes appear to have no parent in Process Explorer:
Session 0 (csrss.exe & wininit.exe)
Session 1 (csrss.exe & winlogon.exe)

What is unusual?

  • A parent process that is NOT System (PID 4).
  • A file path other than "C:\Windows\System32".
  • More than one persistent instance (a short-lived second copy while a new session, such as an RDP logon, is being set up is normal).
  • The running user is NOT NT AUTHORITY\SYSTEM.

csrss.exe

Csrss.exe (Client Server Runtime Process) is the user-mode side of the Windows subsystem. It runs for the lifetime of the system and is critical to it: terminating it crashes the machine. Its responsibilities include console windows (on current Windows the window itself is handled by conhost.exe), bookkeeping for process and thread creation and deletion, and related subsystem work. It loads csrsrv.dll, basesrv.dll and winsrv.dll along with other DLLs.

This process is also responsible for making the Windows API available to other processes, mapping drive letters, and handling the Windows shutdown process.

Note: recall that csrss.exe and winlogon.exe are started by smss.exe for Session 1 (and csrss.exe and wininit.exe for Session 0), so expect one csrss.exe per session; a further instance appears for each additional interactive session, such as an RDP logon.

What is unusual?

  • A visible parent process (the smss.exe copy that launched it has exited, so there should be none).
  • File path other than “C:\Windows\System32”.
  • Subtle misspellings to hide rogue processes masquerading as csrss.exe in plain sight.
  • The running user is NOT NT AUTHORITY\SYSTEM.

wininit.exe

Wininit.exe, the Windows Initialization process, launches services.exe (the Service Control Manager) and lsass.exe (the Local Security Authority Subsystem) in Session 0. It is another crucial Windows process, running in the background alongside its child processes.

Note: lsaiso.exe (LSA Isolated, also a child of wininit.exe) only runs if Credential Guard is enabled.

What is unusual?

  • A visible parent process (the smss.exe copy that launched it has exited, so there should be none).
  • File path other than “C:\Windows\System32”.
  • Subtle misspellings to hide rogue processes in plain sight.
  • More than 1 running instance.
  • The running user is NOT NT AUTHORITY\SYSTEM.

wininit.exe -> services.exe

The Service Control Manager (SCM), services.exe, is responsible for system services: interacting with them, loading them and starting or stopping them. It maintains the services database, which can be queried with the built-in sc.exe utility (for example sc query, or sc qc <name> for a single service's configuration).

The corresponding registry entries live under HKLM\SYSTEM\CurrentControlSet\Services, one subkey per service.

This process is the parent of several other key processes, including svchost.exe, spoolsv.exe and MsMpEng.exe (Windows Defender). Note that dllhost.exe (COM Surrogate) is normally started by the svchost.exe that hosts the DcomLaunch service rather than by services.exe directly.

What is unusual?

  • A parent process that is NOT wininit.exe.
  • File path other than “C:\Windows\System32”.
  • Subtle misspellings to hide rogue processes in plain sight.
  • More than 1 running instance.
  • The running user is NOT NT AUTHORITY\SYSTEM.

wininit.exe -> services.exe -> svchost.exe

The Service Host (Host Process for Windows Services), svchost.exe, hosts and manages Windows services.

The services hosted by this process are implemented as Dynamic Link Libraries (DLLs). The DLL that implements a given service is recorded in the registry under that service's Parameters subkey, in the ServiceDll value.

The registry entry can be found via regedit in this location: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE NAME>\Parameters.

Since svchost.exe always has many running instances on any Windows system (since Windows 10 version 1703, on machines with more than 3.5 GB of RAM, most services get an svchost.exe of their own, so dozens of instances are normal), this process is a very popular target for malicious use. Adversaries name their malware svchost.exe, or misspell it slightly, and try to hide among the legitimate instances while staying under the radar of anti-virus solutions. Another very popular tactic is to register a malicious DLL as the ServiceDll of a new or hijacked service, so that a perfectly legitimate svchost.exe loads the attacker's code; in that case the process itself looks normal and you have to inspect the loaded DLLs and the registry.

What is unusual?

  • A parent process that is NOT services.exe.
  • A file path other than "C:\Windows\System32".
  • Subtle misspellings to hide rogue processes in plain sight.
  • The absence of the -k parameter in the command line.
  • A running user other than NT AUTHORITY\SYSTEM, LOCAL SERVICE or NETWORK SERVICE, except for per-user services (for example those in the UnistackSvcGroup group), which run as the logged-on user.
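As an added example (not code from the original post), the following PowerShell resolves, for every running service hosted in svchost.exe, the ServiceDll value the post describes, and flags the conditions a defender wants to see at a glance: a DLL outside System32, a DLL that is not validly signed, and a host command line without -k. The "outside System32" and signature criteria are my own review rules rather than rules stated in the post, and legitimate third-party services can trip them, so treat hits as leads to inspect, not verdicts. The fallback lookups (ServiceDll on the service key itself, and the template service for per-user services whose names carry a _<hex> suffix) are assumptions about where Windows keeps the value. Run elevated.

```powershell
# Added example, not code from the original post. Maps running svchost-hosted
# services to the DLL that actually implements them and flags oddities.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sys32   = Join-Path $env:SystemRoot 'System32'
$wow64   = Join-Path $env:SystemRoot 'SysWOW64'

function Get-ServiceDll([string]$name) {
    # ServiceDll normally lives under <service>\Parameters; a few services keep it
    # on the service key itself. Per-user services (Name_<hex>) inherit it from
    # their template service (Name), so fall back to that (assumption, see lead-in).
    foreach ($n in @($name, ($name -replace '_[0-9a-f]+$', ''))) {
        foreach ($sub in @('Parameters', '')) {
            $key = Join-Path $svcRoot $n
            if ($sub) { $key = Join-Path $key $sub }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props -and $props.ServiceDll) {
                return [Environment]::ExpandEnvironmentVariables($props.ServiceDll)
            }
        }
    }
    return $null
}

# Only services that are running right now and whose host binary is svchost.exe.
$hosted = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 -and $_.PathName -match '\\svchost\.exe' }

$report = foreach ($svc in $hosted) {
    $dll   = Get-ServiceDll $svc.Name
    $group = if ($svc.PathName -match '\s-k\s+(\S+)') { $Matches[1] } else { $null }
    $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'N/A' }

    $flags = @()
    if (-not $dll) { $flags += 'no ServiceDll' }
    elseif ($dll -notlike "$sys32\*" -and $dll -notlike "$wow64\*") { $flags += 'DLL outside System32' }
    if ($sig -ne 'Valid' -and $sig -ne 'N/A') { $flags += "signature $sig" }
    if (-not $group) { $flags += 'no -k on host command line' }

    [pscustomobject]@{
        Service    = $svc.Name
        HostPID    = $svc.ProcessId
        Group      = $group
        ServiceDll = $dll
        Signature  = $sig
        Flags      = ($flags -join '; ')
    }
}

$report | Sort-Object HostPID, Service | Format-Table -AutoSize
Write-Host "`nServices needing review:"
$report | Where-Object { $_.Flags } | Format-Table Service, HostPID, ServiceDll, Flags -AutoSize
```

Grouping the output by HostPID also shows which services share one svchost.exe, which is what Process Explorer's Services tab tells you per process; a service whose DLL sits in a user-writable directory, or whose signature status is anything other than Valid, is the registry-level counterpart of the "malicious service DLL" tactic described above.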

wininit.exe -> lsass.exe

The Local Security Authority Subsystem Service (LSASS) enforces the security policy on the Windows system. It authenticates users logging on to the computer or server, handles password changes, creates access tokens for logged-on users, and writes to the Windows Security log. It hosts the authentication packages used for local (SAM) and Active Directory logons and the Netlogon secure channel to domain controllers, which is why its memory holds credential material and why it is the prime target of credential-dumping tools.

The registry entry can be found via regedit in this location: HKLM\System\CurrentControlSet\Control\Lsa.

What is unusual?

  • A parent process that is NOT wininit.exe.
  • A file path other than "C:\Windows\System32".
  • Subtle misspellings to hide rogue processes in plain sight.
  • More than one running instance (lsaiso.exe is a separate, legitimate process when Credential Guard is on).
  • The running user is NOT NT AUTHORITY\SYSTEM.
  • Other processes, apart from known security products, opening handles to lsass.exe or reading its memory (credential dumping).

winlogon.exe

Winlogon.exe, the Windows Logon process, handles the Secure Attention Sequence (SAS), the CTRL+ALT+DELETE combination that users press before entering their username and password. It also initialises the user profile by loading the user's NTUSER.DAT hive into the registry, where it is exposed to the session as HKEY_CURRENT_USER (HKCU). It then starts userinit.exe, which launches the user's designated shell and exits. The two registry values that control this, Shell and Userinit, live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; on a stock system Shell is explorer.exe and Userinit is C:\Windows\system32\userinit.exe, (with the trailing comma). Winlogon is also responsible for locking the screen and running the user's screensaver, among other functions.

What is unusual?

  • A visible parent process (the smss.exe copy that launched it has exited, so there should be none).
  • A file path other than "C:\Windows\System32".
  • Subtle misspellings to hide rogue processes in plain sight.
  • A Shell value in the registry other than explorer.exe, or a Userinit value other than C:\Windows\system32\userinit.exe, (including either value appearing under HKCU, where Windows also honours them and where malware places them for persistence).
  • More instances than there are interactive sessions (one per logon session, including RDP and fast-user-switching sessions, is normal).
  • The running user is NOT NT AUTHORITY\SYSTEM.
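As an added example (not code from the original post), this PowerShell checks the Winlogon Shell and Userinit values against their stock defaults, both in the machine-wide key and in the per-user key that Windows also honours and that is a well-known persistence location. The defaults assumed here are explorer.exe and C:\Windows\system32\userinit.exe, with its trailing comma; the HKCU check is my addition, and on a clean profile that key defines neither value.

```powershell
# Added example, not code from the original post. Audits the Winlogon Shell
# and Userinit values that decide what runs after a user logs on.
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userKey    = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Defaults on a stock install (assumption, see lead-in); Userinit keeps a trailing comma.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'System32\userinit.exe') + ','
}

$findings = foreach ($key in @($machineKey, $userKey)) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($name in @('Shell', 'Userinit')) {
        $actual = $values.$name
        if ($null -eq $actual) {
            # HKCU normally has neither value; only HKLM is expected to define them.
            if ($key -eq $machineKey) { [pscustomobject]@{ Key = $key; Value = $name; Actual = '<missing>'; Status = 'MISSING' } }
            continue
        }
        if ($key -eq $userKey) { $status = 'UNEXPECTED (per-user override)' }
        elseif ($actual -eq $expected[$name]) { $status = 'OK' }
        else { $status = 'MODIFIED' }
        [pscustomobject]@{ Key = $key; Value = $name; Actual = $actual; Status = $status }
    }
}

$findings | Format-Table -AutoSize
```

A MODIFIED Shell or Userinit under HKLM, or any Shell/Userinit at all under HKCU, means something other than the standard chain (winlogon.exe, userinit.exe, explorer.exe) runs at logon; because the string is executed by winlogon.exe, the extra program will show up in Process Explorer with no visible parent, just like explorer.exe does.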

explorer.exe

Windows Explorer, explorer.exe, gives the user access to their folders and files and also provides the Start Menu and Taskbar. Userinit.exe exits after spawning explorer.exe, so the parent appears non-existent. Expect one instance per interactively logged-on user, plus extra instances if "Launch folder windows in a separate process" is enabled, in which case the extra ones have explorer.exe as their parent.

What is unusual?

  • A visible parent process (userinit.exe has exited, so there should be none, other than explorer.exe itself for the separate-process folder windows mentioned above).
  • A file path other than "C:\Windows".
  • Running as an unknown user (not the logged-on user's account).
  • Subtle misspellings to hide rogue processes in plain sight.
  • Outbound TCP/IP connections.
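Finally, as an added example (not code from the original post), here are the "What is unusual?" rules from every section above encoded as one PowerShell audit over the live process list: expected parent, image directory, owning account, Session 0 for the boot-time processes, PID 4 for System, the -k switch for svchost.exe, and instance counts. The expectations are the ones the post states. Three things are my additions rather than the post's: a parent created after its child is treated as a reused PID (no real parent); svchost.exe may run as SYSTEM, LOCAL SERVICE, NETWORK SERVICE or any account that also owns an explorer.exe (to allow per-user services); and explorer.exe is allowed to have explorer.exe as parent. Run elevated, otherwise owners of protected processes are unreadable and are reported as such.

```powershell
# Added example, not code from the original post. Checks the core Windows
# processes against the expectations described in the post.
$sys32  = Join-Path $env:SystemRoot 'System32'
$SYSTEM = 'NT AUTHORITY\SYSTEM'
$svcAccounts  = @($SYSTEM, 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
$session0Only = @('system', 'smss.exe', 'wininit.exe', 'services.exe', 'lsass.exe')

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-Owner($p) {
    try {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { return "$($o.Domain)\$($o.User)" }
    } catch { }
    return '<unknown>'
}

# Accounts that own an explorer.exe are interactively logged on; per-user
# services legitimately run svchost.exe under them (heuristic, see lead-in).
$interactiveUsers = @($procs | Where-Object { $_.Name -ieq 'explorer.exe' } | ForEach-Object { Get-Owner $_ } | Select-Object -Unique)

# name -> expected parent(s) ('<none>' = the parent has exited), image directory,
# allowed owners ($null = not checked), maximum instance count ($null = any).
$rules = @{
    'system'       = @{ Parent = @('system idle process');     Dir = $null;            Users = $null;                         Max = 1 }
    'smss.exe'     = @{ Parent = @('system');                  Dir = $sys32;           Users = @($SYSTEM);                    Max = 1 }
    'csrss.exe'    = @{ Parent = @('<none>');                  Dir = $sys32;           Users = @($SYSTEM);                    Max = $null }
    'wininit.exe'  = @{ Parent = @('<none>');                  Dir = $sys32;           Users = @($SYSTEM);                    Max = 1 }
    'services.exe' = @{ Parent = @('wininit.exe');             Dir = $sys32;           Users = @($SYSTEM);                    Max = 1 }
    'lsass.exe'    = @{ Parent = @('wininit.exe');             Dir = $sys32;           Users = @($SYSTEM);                    Max = 1 }
    'svchost.exe'  = @{ Parent = @('services.exe');            Dir = $sys32;           Users = ($svcAccounts + $interactiveUsers); Max = $null }
    'winlogon.exe' = @{ Parent = @('<none>');                  Dir = $sys32;           Users = @($SYSTEM);                    Max = $null }
    'explorer.exe' = @{ Parent = @('<none>', 'explorer.exe');  Dir = $env:SystemRoot;  Users = $null;                         Max = $null }
}

$findings = @(foreach ($p in $procs) {
    $rule = $rules[$p.Name.ToLower()]
    if (-not $rule) { continue }
    $issues = @()

    $parent = $byPid[[int]$p.ParentProcessId]
    # A parent created after the child is a reused PID, not the real parent.
    $reused = $parent -and $parent.CreationDate -and $p.CreationDate -and ($parent.CreationDate -gt $p.CreationDate)
    $parentName = if ($parent -and -not $reused) { $parent.Name.ToLower() } else { '<none>' }
    if ($parentName -notin $rule.Parent) { $issues += "parent is '$parentName'" }

    if ($rule.Dir -and $p.ExecutablePath -and ((Split-Path $p.ExecutablePath -Parent) -ne $rule.Dir)) {
        $issues += "image path $($p.ExecutablePath)"
    }
    if ($rule.Users) {
        $owner = Get-Owner $p
        if ($owner -eq '<unknown>') { $issues += 'owner not readable (run elevated)' }
        elseif ($owner -notin $rule.Users) { $issues += "runs as $owner" }
    }
    if ($p.Name -ieq 'system' -and $p.ProcessId -ne 4) { $issues += "PID is $($p.ProcessId), not 4" }
    if ($p.Name -ieq 'svchost.exe' -and $p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') { $issues += 'no -k switch' }
    if ($p.Name.ToLower() -in $session0Only -and $p.SessionId -ne 0) { $issues += "session $($p.SessionId)" }

    if ($issues) { [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Issues = ($issues -join '; ') } }
})

# Instance counts for the processes the post says should be unique.
foreach ($name in $rules.Keys) {
    $max = $rules[$name].Max
    if (-not $max) { continue }
    $n = @($procs | Where-Object { $_.Name -ieq $name }).Count
    if ($n -gt $max) { $findings += [pscustomobject]@{ PID = '-'; Name = $name; Issues = "$n instances, expected $max" } }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No deviations from the expected process layout found.' }
```

Note that name matching is exact, so a lookalike such as "svch0st.exe" or "lsas.exe" is not caught by these rules at all; the misspelling bullets in each section still require a human (or a separate allow-list of known image names) to spot, and a second pass with a Levenshtein-style comparison against the nine names above is the natural extension.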
Article information

Author: Kerri Lueilwitz