Investigating common Windows Processes

jon
3 min readOct 16, 2021

--

Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to differentiate between real and fake.

Checklist:

  1. What is the expected parent process?
  2. Is it running on the expected path?
  3. Is it spelled correctly?
  4. Is it running under the correct SID?
  5. Is it signed by an authorized source?
  6. Is it running from a temp or strange location?
  7. Does it have a digital signature?

Below are some of the most common Windows processes that should be analzyed when suspicious of malware:

SMSS.exe

Session Manager — Creates new sessions, loads registry and DLLs into memory locations.

  • session 0 starts csrss.exe and wininit.exe
  • session 1 starts csrss.exe and winlogon.exe
  • will self-terminate
  • Executable Path: %SystemRoot%\System32\smss.exe
  • Parent Process: System
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: for session 0 it will execute within seconds of boot time

Only 1 instance of smss.exe should be running

CSRSS.exe

Client/Servers Run Subsystem Process — Manages processess and threads, makes Windows API available for other processes, mapping the drive, creating temp files, and handling the shutdown of processes.

  • Runs both in session 0 and 1
  • For each session there is a new csrss.exe
  • Executable Path: %SystemRoot%\system32\csrss.exe
  • Parent Process: Created by child instance of smss.exe BUT since smss.exe self terminates, it technically does not have a parent process
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: For sessions 0 and 1, they execute at boot time

Typically there is only two instances of csrss.exe

WINLOGON.exe

Windows Logon Process — Responsible for user logons/logoffs. Launches LOGONUI.exe for login credentials and sends them to lsass.exe which verifies via AD or local SAM. Then it launches userinit.exe which is specified in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

  • Executable Path: %SystemRoot%\system32\winlogon.exe
  • Parent Process: Child instance on smss.exe which self terminates, so it doesnt have a parent process
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: For session 1, within seconds of boot time, other instances may appear later on

Abuse may come from different components of login process. Malware may abuse SHELL registry value. SHELL registry value should be explorer.exe.

WINIT.exe

Windows Intialization Process — Launches services.exe, lsaas.exe, and lsm.exe in session 0.

  • Executable Path: %SystemRoot%\system32\winit.exe
  • Parent Process: Created by smss.exe which then self terminates
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: Within seconds of boot time

There should only be one instance of this

LSM.exe

Local Session Manager — Works with smss.exe to create, destroy, or manipulate new users sessions. Responsible for logon/logoff, shell start/end, lock/unlock Desktop. After Win7 lsm.exe was transformed into a service lsm.dll.

  • Executable Path: %SystemRoot%\system32\lsm.exe
  • Parent Process: winit.exe
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: Within seconds of boot time

Should only be one instance in Win7. Should not see lsm.exe in Win8, only lsm.dll

SERVICES.exe

Services Control Manager — Responsile for loading services (auto-start) and device drivers into memory

  • Parent process to svchost.exe, dllhost.exe, taskhost.exe, and spoolsv.exe
  • Services are defined in HKLM\System\Current\ControlSet\Services
  • After a successful interactive login, services.exe will backup a copy of the registry keys to HKLM\System\Select\LastKnownGood
  • Executable Path: %SystemRoot%\system32\services.exe
  • Parent Process: winit.exe
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: within seconds of boot time

There should only be one instance

LSASS.exe

Local Security Authority Subsystem — Responsible for user authentication and generating access tokens specifying security policies and/or restrictions for the user and the processes spawned in the user session.

  • Uses authentication packages within HKLM\System\CurrentControlSet\Control\LSA
  • Writes to security event log
  • Executable Path: %SystemRoot%\system32\lsass.exe
  • Parent Process: winit.exe
  • Username: NT Authority\System (S-1–5–18)
  • Time of Execution: within seconds of boot time

There should only be one instance

SVCHOST.exe

Generic Service Host Process — Responsible for hosting multiple services DLL into a generic shared service process.

  • Each service will have registry entries that will include serviceDLL
  • Multiple instances of svchost.exe host will be running. Each entry will also include svchost.exe -k
  • Executable Path: %SystemRoot%\system32\svchost.exe
  • Parent Process: services.exe
  • Username: NT Authority\System (S-1–5–18), LOCAL SERVICE (S-1–5–19), or NETWORK SERVICE (S-1–5–20)
  • Time of Execution: varies

If any of them is not using the -k flag then that is a red flag

TASKHOST.exe

Generic Host Process — Acts like a host for processes that run from DLLs rather than .exes. This process is also sometimes called taskhostex.exe (Win8)or taskhostw.exe (Win10).

  • Executable Path: %SystemRoot%\system32\taskhost.exe
  • Parent Process: services.exe
  • Username: varies
  • Time of Execution: varies

EXPLORER.exe

Windows Explorer — Responsible for user’s desktop and everything that comes with it including access to file and launching files via their file extensions.

  • Only one process per user will be spawned
  • Executable Path: %SystemRoot%\system32\explorer.exe
  • Parent Process: userinit.exe which self terminates
  • Username: name of logged in user
  • Time of Execution: varies

Look for instances where explorer uses CMD, is listening or connected to a port

--

--