Windows Core processes

Credit: the images on this page, bar the first, are from the relevant TryHackMe module, and so is most of the knowledge in it too. Props to them, it was a really well-made module.

Image credit goes to @halfcircassian

System

The System process is a critical kernel-level process that is responsible for managing system resources, such as memory, devices, and processor time. It's THE core Windows process.

Normal signs include:
- Image Path: N/A
- Parent Process: None
- Number of Instances: One
- User Account: Local System
- Start Time: At boot time

Suspicious signs include:
- Having a parent process (with the exception of "System Idle Process", PID 0)
- Multiple instances of it
- A PID other than 4 (see above)
- A session other than 0 (can be checked in the "Token" tab)

Smss.exe

The Session Manager Subsystem (smss.exe) process is created directly by the System process. It is responsible for starting and stopping user sessions and for setting up the user and kernel modes during the boot process. It starts csrss.exe and wininit.exe in Session 0, and csrss.exe and winlogon.exe in Session 1.

Normal signs include:
- Image Path: %SystemRoot%\System32\smss.exe
- Parent Process: System
- Number of Instances: One master instance and one child instance per session. The child instance exits after creating the session.
- User Account: Local System
- Start Time: Within seconds of boot time for the master instance

Suspicious signs include:
- A parent process other than System (PID 4)
- An image path that isn't "C:\Windows\System32"
- More than one running instance
- A running user that isn't SYSTEM

Csrss.exe

The Client Server Runtime Subsystem (csrss.exe) process is responsible for creating and managing user-mode processes and threads and for handling console input and output operations. It also makes the Windows API available to other processes.

Normal signs include:
- Image Path: %SystemRoot%\System32\csrss.exe
- Parent Process: Created by an instance of smss.exe
- Number of Instances: Two or more
- User Account: Local System
- Start Time: Within seconds of boot time for the first two instances (for Sessions 0 and 1). Additional instances start as new sessions are created, although often only Sessions 0 and 1 exist.

Suspicious signs include:
- An actual parent process (smss.exe starts this process and then self-terminates)
- An image file path other than C:\Windows\System32
- Subtle misspellings used to hide rogue processes masquerading as csrss.exe in plain sight
- The user is not the SYSTEM user

Wininit.exe

The Windows Initialization process (wininit.exe) is responsible for launching the services process (services.exe) and the lsass.exe and lsaiso.exe security processes.

Normal signs include:
- Image Path: %SystemRoot%\System32\wininit.exe
- Parent Process: Created by an instance of smss.exe (the parent will be unavailable because smss.exe self-terminates)
- Number of Instances: One
- User Account: Local System
- Start Time: Within seconds of boot time

Unusual signs include:
- An actual parent process (smss.exe starts this process and then self-terminates)
- An image file path other than C:\Windows\System32
- Subtle misspellings used to hide rogue processes in plain sight
- Multiple running instances
- Not running as SYSTEM

Services.exe

The Services and Controller app (services.exe) is responsible for starting, stopping, and managing system services, and has its own tool for querying its internal database of services: sc.exe.

It is also the parent process of other important child processes: svchost.exe, spoolsv.exe, msmpeng.exe, and dllhost.exe.

Normal signs include:
- Image Path: %SystemRoot%\System32\services.exe
- Parent Process: wininit.exe
- Number of Instances: One
- User Account: Local System
- Start Time: Within seconds of boot time

Unusual signs include:
- A parent process other than wininit.exe
- An image file path other than C:\Windows\System32
- Subtle misspellings used to hide rogue processes in plain sight
- Multiple running instances
- Not running as SYSTEM

Svchost.exe

The Service Host (svchost.exe) process is responsible for hosting and running multiple system services as shared service processes, which helps to conserve system resources and improve system performance.

Unusual svchost.exe processes are common and can be spotted by:
- A parent process that isn't services.exe
- An image file path that isn't C:\Windows\System32
- Misspellings of the process name
- No -k parameter in the Command-Line field (-k names the service group; the hosted service's .dll is registered under the HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters subkey)
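As an added example (not from the original page or the TryHackMe module), the baseline rules from the System through svchost.exe sections above, applied to a constructed process snapshot; the `Proc` fields, the sample records and PID 2900 (a hypothetical user process) are assumptions for illustration.

```python
import difflib
from collections import Counter, namedtuple

# Added example (not from the original page): checks a constructed process snapshot against the signs above.
Proc = namedtuple("Proc", "pid ppid name path user cmdline")  # assumed snapshot fields
SYS32 = r"c:\windows\system32"
PATHED = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "svchost.exe"}
SYSTEM_USER = {"system", "smss.exe", "csrss.exe", "wininit.exe", "services.exe"}
SINGLETON = {"system", "smss.exe", "wininit.exe", "services.exe"}
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe", "svchost.exe": "services.exe"}
ORPHANED = {"csrss.exe", "wininit.exe"}  # spawned by smss.exe, which exits afterwards
KNOWN = PATHED | {"system", "lsass.exe", "winlogon.exe"}
def audit(procs):
    """Return (pid, reason) findings for processes that break the baseline."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    findings = []
    for p in procs:
        name, parent = p.name.lower(), by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else None
        if name not in KNOWN:  # lookalike names such as scvhost.exe masquerading as core processes
            if difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8):
                findings.append((p.pid, f"lookalike name {p.name}"))
            continue
        if name == "system" and (p.pid != 4 or pname not in (None, "system idle process")):
            findings.append((p.pid, f"System anomaly: pid {p.pid}, parent {pname}"))
        if name in PATHED and p.path.lower() != f"{SYS32}\\{name}":
            findings.append((p.pid, f"{name} running from {p.path}"))
        if name in SYSTEM_USER and p.user.upper() != "SYSTEM":
            findings.append((p.pid, f"{name} running as {p.user}"))
        if name in SINGLETON and counts[name] > 1:
            findings.append((p.pid, f"{counts[name]} instances of {name}"))
        if name in EXPECTED_PARENT and pname != EXPECTED_PARENT[name]:
            findings.append((p.pid, f"{name} parent is {pname}, expected {EXPECTED_PARENT[name]}"))
        if name in ORPHANED and parent is not None:
            findings.append((p.pid, f"{name} has a live parent {pname}"))
        if name == "svchost.exe" and "-k" not in p.cmdline.lower().split():
            findings.append((p.pid, "svchost.exe started without a -k service group"))
    return findings
SAMPLE = [  # constructed snapshot for illustration; pid 2900 is a hypothetical user process
    Proc(4, 0, "System", "", "SYSTEM", ""),
    Proc(320, 4, "smss.exe", r"C:\Windows\System32\smss.exe", "SYSTEM", ""),
    Proc(412, 404, "csrss.exe", r"C:\Windows\System32\csrss.exe", "SYSTEM", ""),
    Proc(488, 404, "wininit.exe", r"C:\Windows\System32\wininit.exe", "SYSTEM", ""),
    Proc(600, 488, "services.exe", r"C:\Windows\System32\services.exe", "SYSTEM", ""),
    Proc(720, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", "NETWORK SERVICE", "svchost.exe -k netsvcs -p"),
    Proc(3020, 2900, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "bob", "svchost.exe"),
    Proc(3100, 2900, "scvhost.exe", r"C:\Windows\System32\scvhost.exe", "SYSTEM", ""),
]
```

Running `audit(SAMPLE)` flags only the two rogue entries: the svchost.exe copy in a user's Temp folder (wrong path, wrong parent, no -k) and the scvhost.exe lookalike.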

Lsass.exe

The Local Security Authority Subsystem Service (lsass.exe) is responsible for managing security policies, authentication, and logon sessions on the system.

Winlogon.exe

The Windows Logon process (winlogon.exe) is responsible for handling user logon and logoff events and managing user sessions, including starting the user's shell and launching the Windows desktop.

Explorer.exe
