Lecture 7 Flashcards
What is a System Idle Process?
A (non) process with one or more kernel threads (one for each processor) that are always in “ready” state. The threads don’t do anything but are scheduled when no threads are available to run PID = 0.
What is a System process?
Handles kernel level tasks. On Windows 10, also handles memory compression. Pid = 4. Created by ntoskrnl.exe. Creates smss process.
What does winlogin.exe do?
Runs for each sessions and manages access to the desktop. Once a user is authenticated, checks in the registry to find initialization process to run next. HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\Winlogon At least one executable at that location.
What does csrss.exe do?
Client server runtime subsystem. Before Windows NT it was responsible for the entire UI. Now responsible for the console window and the shutdown process. At least two versions one for session 0 and one for session 1.
What does wininit do?
Launches system applilcations. Starts services.exe. Starts Isass.exe. Runs in session 0
What does services.exe do?
Services or Service Control Manager (SCM) is responsible for running, stopping, and interacting with system services. Launched by Wininit. Starts all services configured for automatic startup.
What does svchost.exe do?
Host process for windows and third party services.
What does Isass.exe do?
Local Security Authority Subsystem. Enforces security policy. Handles user access control.
What does explorer.exe do?
Handles the graphical ui. Every program that is launched will appear as a child process.
How is malware distributed as dlls?
When a malicious dll is loaded into a process’s address space, the activity will seem to be coming from the legitimate process.
