There are two broad categories of Windows core processes: those that initialize the system environment and those that initialize the user environment. Whatever the category, you need to know them well in order to spot abnormal things.
Boot
BIOS, POST, Boot Loader (NTLDR), Kernel (ntoskrnl), files: win.ini, HAL.DLL, system.ini, sysedit.exe, config.sys, autoexec.bat, msconfig.exe.
Main Processes
Below is an overview of the main processes in Windows. There are several core processes that are important to examine since malware often drools over them. Singleton means only one instance runs: lsass, services, System, wininit, lsm.exe. If any of these has more than one process, it should be the object of further investigation.
The process tree
- IDLE
- System (PID 4)
  - Memory Compression
  - smss.exe
    - csrss
    - wininit
      - services
      - lsass
    - winlogon
      - logonUI (terminates once complete)
      - userinit (terminates once complete)
        - explorer
IDLE or System Idle Process
Parent: None
Children: None
Singleton:
Path to file: None
Account: Local System
Start time: Boot
The first and the most important process, the one that "gives birth" to other processes. It doesn't have an image file on disk, so if you see IDLE.exe, it is most likely malware (or you have been sophisticatedly pranked). PID is usually 0.
Open questions: Are IDLE and System Idle Process the same thing? If I dump a process that doesn't have an image file, will it still have a PE header?
Runs in system memory space.
System
Parent: None
Children: smss, Interrupts, Memory Compression
Singleton: Yes
Path to file: None
Account: Local System
Start time: Boot
Handles kernel mode system threads, different device drivers, waiting for I/O etc. PID is usually 4.
Runs in system memory space.
Memory Compression
Parent: System
Children: None
Singleton:
Path to file: None
Account: Local System
Start time: Boot
Compresses user-space memory. Doesn't have an image file on disk. Not really interesting for DFIR.
smss
Parent: System
Children: None
Singleton: No
Path to file: System32
Account: Local System
Start time: Boot
Session manager process. The first user-mode process. Runs from the System32 directory. There are two instances:
- the master instance performs some init work: it reads and writes the registry, preparing the OS for use, and initializes the registry hives
- the session startup instance creates three subsystem processes and exits: csrss.exe,
winlogon
Parent: None
Children: None
Singleton: No
Path to file: System32
Account: Local System
Start time: varies
Another process of particular interest is msc.
wininit
Parent: None
Children: lsm, lsass, services
Singleton: Yes
Path to file: System32
Account: Local System
Start time: Boot
lsass
Parent: wininit
Children: None
Singleton: Yes
Path to file: System32
Account: Local System
Start time: Boot
This is the main process of the Windows OS responsible for authentication and authorisation. More about lsass here.
svchost
Parent: services
Children: lots
Singleton: No
Path to file: System32
Account: Local System, Network Service, Local Service
Start time: Boot
๐ฆ This one is very ofter used by malware for disguise. It has lot’s of instances.
csrss
Parent: none
Children:
Singleton: No
Path to file: System32
Account: Local System
Start time: Boot
taskhost
Parent: services
Children: lots
Singleton: No
Path to file: System32
Account: many
Start time: varies
lsaiso
Parent: wininit.exe
Children: None
Singleton: Yes
Path to file: None
Account: Local System
Start time: Boot
Windows Credential Guard. Only for Windows 10 Enterprise or Windows Server 2016 and above. The exe is also present on a Windows 11 system, but is not running. It's a singleton, located on disk in the System32 directory, runs under the Local System account, and its parent is wininit.exe. It works in isolated user mode, so even the kernel doesn't have access to it; the Secure Kernel, protected by Hyper-V, talks to lsaiso instead. Kernel mode and the Secure Kernel talk through a small buffer (VSL calls); between the Secure Kernel and lsaiso it's a system call. The VSM container holds lsaiso, the credentials, the Secure Kernel and kernel-mode code integrity. HVCI - Hyper-V code integrity.
Credential Guard exists to blunt exactly the kind of lsass memory read the notes list here (the commands below are the author's, with the module name spelled correctly):
```
mimikatz.exe
mimikatz # version
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # misc::memssp
```
userinit
Parent: winlogon
Children: explorer
Singleton:
Path to file:
Account:
Start time:
explorer
Parent: userinit. Since the parent terminates once it has done everything, explorer won't have a parent in the process tree.
Children: iexplore
Singleton: No
Path to file: %Systemroot%\
Account: Local Users
Start time: varies
iexplore
Parent: explorer
Children: None
Singleton: Yes
Path to file: Program Files\Internet Explorer\iexplore.exe
Account: Local Users
Start time: Boot
lsm
Parent: wininit
Children: None
Singleton: Yes
Path to file: System32
Account: Local System
Start time: Boot
services
Parent: wininit
Children: svchost, taskhost
Singleton: Yes
Path to file: System32
Account: Local System
Start time: Boot
Quick Check List
Singletons vs Cloners
Singletons: System, wininit, lsass.exe, lsm.exe, lsaiso, services.exe
Cloners: smss, taskhost, winlogon, iexplore, explorer, svchost, csrss
```bash
# Pull the singleton names out of the Volatility pslist/psscan output (-h drops the
# file-name prefix grep adds when given several files); more than one hit per name is suspicious.
grep -E -i -h "(system|wininit|lsass|lsm|lsaiso|services)" psscan.txt pslist.txt > singletons.txt
```
Boot vs Varies
Boot: System, smss, wininit, lsass, lsm, svchost*, services, csrss
Varies: taskhost, winlogon, iexplore, explorer, svchost*
```bash
grep -E -i -h "(system|wininit|lsass|lsm|services|smss|csrss)" psscan.txt pslist.txt > boottime.txt
# Everything that did not start on the boot date; replace 2019-01-20 with the boot date of the image
grep -v "2019-01-20" psscan.txt > nonboot.txt
```
System32 vs Other
System32: System, smss, wininit, taskhost, lsass, winlogon, lsm, svchost, services, csrss, lsaiso
Other: iexplore, explorer
WinCore vs Other
Non Wincore:
```bash
grep -E -i -v -h "(system|wininit|lsass|lsm|services|smss|taskhost|winlogon|iexplore|explorer|svchost|csrss)" psscan.txt pslist.txt > all_non_core.txt
```
WinCore:
```bash
grep -E -i -h "(system|wininit|lsass|lsm|services|smss|taskhost|winlogon|iexplore|explorer|svchost|csrss)" psscan.txt pslist.txt > all_core.txt
```
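The grep checks above only carve the list into buckets; the singleton, parent and path rules from the process notes still have to be applied by eye. The script below is an added example (not from these notes or from any tool they mention) that applies those three rules to a constructed pslist-style table; the column layout, rule tables and sample rows are all assumptions made for the example.

```python
from collections import Counter
# Rules lifted from the notes above: singletons, expected parent name, System32-only images.
SINGLETONS = {"system", "wininit.exe", "lsass.exe", "lsm.exe", "lsaiso.exe", "services.exe"}
EXPECTED_PARENT = {"smss.exe": "system", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe",
                   "lsm.exe": "wininit.exe", "svchost.exe": "services.exe", "userinit.exe": "winlogon.exe"}
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "lsass.exe", "lsm.exe",
                 "services.exe", "svchost.exe", "taskhost.exe", "lsaiso.exe"}
NO_IMAGE = {"idle", "system"}          # no file on disk, so an image path here is suspicious
SYSTEM32 = "c:\\windows\\system32\\"

def parse(text):
    """Parse constructed 'name pid ppid path' rows (single-token names; path '-' = no image)."""
    rows = []
    for line in text.strip().splitlines():
        name, pid, ppid, path = line.split(None, 3)
        rows.append({"name": name.lower(), "pid": int(pid), "ppid": int(ppid), "path": path})
    return rows

def check(procs):
    """Return one finding per rule violation; an empty list means the tree looks sane."""
    findings = []
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"] for p in procs)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append(f"{name}: {counts[name]} instances, expected exactly 1")
    for p in procs:
        n, tag = p["name"], f"{p['name']} (pid {p['pid']})"
        parent = by_pid.get(p["ppid"])   # None when the parent already exited (e.g. userinit)
        if n in EXPECTED_PARENT and parent and parent["name"] != EXPECTED_PARENT[n]:
            findings.append(f"{tag}: parent is {parent['name']}, expected {EXPECTED_PARENT[n]}")
        if n in NO_IMAGE and p["path"] != "-":
            findings.append(f"{tag}: has image {p['path']} but should have no file on disk")
        if n in SYSTEM32_ONLY and not p["path"].lower().startswith(SYSTEM32):
            findings.append(f"{tag}: image outside System32: {p['path']}")
    return findings

# Constructed sample: a clean core tree plus two look-alikes spawned from explorer.
SAMPLE = r"""
System 4 0 -
smss.exe 300 4 C:\Windows\System32\smss.exe
wininit.exe 400 300 C:\Windows\System32\wininit.exe
services.exe 500 400 C:\Windows\System32\services.exe
lsass.exe 520 400 C:\Windows\System32\lsass.exe
explorer.exe 1500 900 C:\Windows\explorer.exe
lsass.exe 2200 1500 C:\Users\bob\AppData\Local\Temp\lsass.exe
svchost.exe 2300 1500 C:\Users\bob\AppData\Roaming\svchost.exe
"""
FINDINGS = check(parse(SAMPLE))   # five findings: the duplicate lsass and the two bad parents/paths
```

The second lsass trips all three rules at once (duplicate singleton, wrong parent, image outside System32), which is the pattern the notes describe for malware hiding behind a core process name.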
References
[1] SDF Podcast, by Michael Leclair