Critical System Processes Flashcards

1
Q

Idle

A

Not a real process (in the sense that it has no executable on disk). Idle is just a container that the kernel uses to charge CPU time for idle threads.

2
Q

System

A

Not a real process (in the sense that it has no executable on disk). System serves as the default home for threads that run in kernel mode. Thus, the System process (PID 4) appears to own any sockets or handles to files that kernel modules open.

3
Q

csrss.exe

A

The client/server runtime subsystem plays a role in creating and deleting processes and threads. It maintains a private list of the objects that you can use to cross-reference with other data sources. On systems before Windows 7, this process also served as the broker of commands executed via cmd.exe. Expect to see multiple CSRSS processes because each session gets a dedicated copy; however, watch out for attempts to exploit the name convention (csrsss.exe or cssrs.exe). The real one is located in the system32 directory.

4
Q

services.exe

A

The Service Control Manager (SCM) manages Windows services and maintains a list of such services in its private memory space. This process should be the parent of any svchost.exe instances that you see, in addition to processes such as spoolsv.exe and SearchIndexer.exe that implement the services. There should be only one copy of services.exe on a system, and it should be running from the system32 directory.

5
Q

svchost.exe

A

A clean system has multiple shared host processes running concurrently, each providing a container for DLLs that implement services. The path to their executable should point to the system32 directory. Look for common variations used in malware (scvhost.exe and svch0st.exe).

6
Q

lsass.exe

A

The local security authority subsystem process is responsible for enforcing the security policy, verifying passwords, and creating access tokens. As such, it’s often the target of code injections because the plaintext password hashes can be found in its private memory space. There should be only one instance of lsass.exe running from the system32 directory, and its parent is winlogon.exe on pre-Vista machines and wininit.exe on Vista and later systems. Stuxnet created two fake copies of lsass.exe, which caused them to stick out like a sore thumb.

7
Q

winlogon.exe

A

This process presents the interactive logon prompt, initiates the screen saver when necessary, helps load user profiles, and responds to Secure Attention Sequence (SAS) keyboard operations such as ctrl+alt+delete. Also, this process monitors files and directories for changes on systems that implement Windows File Protection (WFP). Located in system32.

8
Q

explorer.exe

A

You’ll see one Windows Explorer process for each logged-on user. It is responsible for handling a variety of user interactions such as GUI-based folder navigation, presenting the start menu, and so on. It also has access to sensitive material such as the documents you open and credentials you use to log in to FTP sites via Windows Explorer.

9
Q

smss.exe

A

The session manager is the first real user-mode process that starts during the boot sequence. It is responsible for creating the sessions that isolate OS services from the various users who may log on via the console or RDP.
