Investigating common Windows Processes

  1. What is the expected parent process?
  2. Is it running on the expected path?
  3. Is it spelled correctly?
  4. Is it running under the correct SID?
  5. Is it signed by an authorized source?
  6. Is it running from a temp or strange location?
  7. Does it have a digital signature?

SMSS.exe

  • session 0 starts csrss.exe and wininit.exe
  • session 1 starts csrss.exe and winlogon.exe
  • will self-terminate
  • Executable Path: %SystemRoot%\System32\smss.exe
  • Parent Process: System
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: For session 0 it will execute within seconds of boot time

CSRSS.exe

  • Runs both in session 0 and 1
  • For each session there is a new csrss.exe
  • Executable Path: %SystemRoot%\system32\csrss.exe
  • Parent Process: Created by a child instance of smss.exe, but since that smss.exe instance self-terminates, it technically has no running parent process
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: For sessions 0 and 1, they execute at boot time

WINLOGON.exe

  • Executable Path: %SystemRoot%\system32\winlogon.exe
  • Parent Process: Child instance of smss.exe, which self-terminates, so it doesn't have a running parent process
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: For session 1, within seconds of boot time, other instances may appear later on

WININIT.exe

  • Executable Path: %SystemRoot%\system32\wininit.exe
  • Parent Process: Created by smss.exe, which then self-terminates
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: Within seconds of boot time

LSM.exe

  • Executable Path: %SystemRoot%\system32\lsm.exe
  • Parent Process: wininit.exe
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: Within seconds of boot time

SERVICES.exe

  • Parent process to svchost.exe, dllhost.exe, taskhost.exe, and spoolsv.exe
  • Services are defined in HKLM\System\CurrentControlSet\Services
  • After a successful interactive login, services.exe will back up a copy of the registry keys to HKLM\System\Select\LastKnownGood
  • Executable Path: %SystemRoot%\system32\services.exe
  • Parent Process: wininit.exe
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: within seconds of boot time

LSASS.exe

  • Uses authentication packages within HKLM\System\CurrentControlSet\Control\LSA
  • Writes to security event log
  • Executable Path: %SystemRoot%\system32\lsass.exe
  • Parent Process: wininit.exe
  • Username: NT Authority\System (S-1-5-18)
  • Time of Execution: within seconds of boot time

SVCHOST.exe

  • Each service hosted by svchost.exe has registry entries that include a ServiceDll value
  • Multiple instances of svchost.exe will be running, and each service's registry entry will also include a command line of the form svchost.exe -k
  • Executable Path: %SystemRoot%\system32\svchost.exe
  • Parent Process: services.exe
  • Username: NT Authority\System (S-1-5-18), LOCAL SERVICE (S-1-5-19), or NETWORK SERVICE (S-1-5-20)
  • Time of Execution: varies

TASKHOST.exe

  • Executable Path: %SystemRoot%\system32\taskhost.exe
  • Parent Process: services.exe
  • Username: varies
  • Time of Execution: varies

EXPLORER.exe

  • Only one process per user will be spawned
  • Executable Path: %SystemRoot%\system32\explorer.exe
  • Parent Process: userinit.exe, which self-terminates
  • Username: name of logged in user
  • Time of Execution: varies
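The checklist at the top of this post, turned into a triage script. This is an added example, not part of the original post: it encodes the notes above as a baseline for the core boot-chain processes and runs the path, parent, SID, spelling and signature checks over process-list records. The records are a constructed sample in the shape of an exported process listing; a parent of None stands in for a creator that has already exited (the child smss.exe instance), and %SystemRoot% is assumed to be C:\Windows.

```python
import difflib

# Baseline transcribed from the notes above: (image path, allowed parent names, allowed SIDs).
# A parent of None means the creating smss.exe instance has exited, so no live parent is expected.
BASELINE = {
    "smss.exe":     (r"%SystemRoot%\System32\smss.exe",     {"system"},       {"S-1-5-18"}),
    "csrss.exe":    (r"%SystemRoot%\System32\csrss.exe",    {None},           {"S-1-5-18"}),
    "wininit.exe":  (r"%SystemRoot%\System32\wininit.exe",  {None},           {"S-1-5-18"}),
    "winlogon.exe": (r"%SystemRoot%\System32\winlogon.exe", {None},           {"S-1-5-18"}),
    "services.exe": (r"%SystemRoot%\System32\services.exe", {"wininit.exe"},  {"S-1-5-18"}),
    "lsass.exe":    (r"%SystemRoot%\System32\lsass.exe",    {"wininit.exe"},  {"S-1-5-18"}),
    "svchost.exe":  (r"%SystemRoot%\System32\svchost.exe",  {"services.exe"}, {"S-1-5-18", "S-1-5-19", "S-1-5-20"}),
}

def norm(path):
    # Case-insensitive comparison, with %SystemRoot% expanded to C:\Windows (assumption).
    return path.replace("%SystemRoot%", r"C:\Windows").lower()

def check_process(name, path, parent, sid, signed):
    """Run the checklist on one process record; an empty list means nothing unusual."""
    key, findings = name.lower(), []
    if key not in BASELINE:
        # Spelling check: an unknown name that closely resembles a core process name
        close = difflib.get_close_matches(key, BASELINE, n=1, cutoff=0.8)
        if close:
            findings.append(f"name lookalike of {close[0]}")
        return findings
    exp_path, exp_parents, exp_sids = BASELINE[key]
    if norm(path) != norm(exp_path):
        findings.append(f"unexpected path {path}")
    if any(tag in norm(path) for tag in ("\\temp\\", "\\users\\", "\\appdata\\")):
        findings.append("running from temp/user-writable location")
    if (parent.lower() if parent else None) not in exp_parents:
        findings.append(f"unexpected parent {parent}")
    if sid not in exp_sids:
        findings.append(f"unexpected SID {sid}")
    if not signed:
        findings.append("no valid digital signature")
    return findings

# Constructed sample records: (name, image path, parent name, owner SID, valid signature?)
SAMPLE = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", "S-1-5-19", True),
    ("svchost.exe", r"C:\Users\Public\temp\svchost.exe", "explorer.exe", "S-1-5-21-1000", False),
    ("scvhost.exe", r"C:\Windows\System32\scvhost.exe", "services.exe", "S-1-5-18", True),
    ("csrss.exe", r"C:\Windows\System32\csrss.exe", None, "S-1-5-18", True),
]

def triage(records):
    # Index -> findings for every record that failed at least one check
    return {i: f for i, rec in enumerate(records) if (f := check_process(*rec))}
```

Only the second and third sample records are reported: the svchost.exe copy in a temp folder with the wrong parent, SID and no signature, and the lookalike name scvhost.exe.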
