Normal Windows Processes

Question 1

List the normal Windows Processes

Answer 1

System.exe

smss. exe
wining. exe
runtimebroker. exe
taskhostw. exe
winlogon. exe
csrss. exe
service. exe
svchost. exe
lsaiso. exe
lsass. exe

Question 2

Describe system.exe

Answer 2

Responsible for most kernel-mode threads.Modules run under system.exe are primarily drivers.

Question 3

Parent process of system.exe

Answer 3

None

Question 4

Number of instances of system.exe

Answer 4

1

Question 5

Describe smss.exe

Answer 5

Session manager process is responsible for new creating new sessions.

Question 6

Parent process of smss.exe

Answer 6

System.exe

Question 7

Number of instances of smss.exe

Answer 7

1 master instance and another child instance. Child instance exits after creating their session.

Question 8

Describe wininit.exe

Answer 8

Starts key background processes within session 0. It starts services.exe, lsass.exe and lsaiso.exe

Question 9

Parent process of wininit.exe

Answer 9

smss.exe

Question 10

Number of instances of wininit.exe

Answer 10

1

Question 11

Describe runtimebroker.exe

Answer 11

Acts as a proxy between Universal Windows Platform applications and the full Windows API.

Question 12

Parent process of runtimebroker.exe

Answer 12

svchost.exe

Question 13

Number of instances of runtimebroker.exe

Answer 13

1 or more

Question 14

Describe taskhostw.exe

Answer 14

Generic host process for Windows Tasks.

Question 15

Parent process of taskhostw.exe

Answer 15

svchost.exe

Question 16

Number of instances of taskhostw.exe

Answer 16

1 or more

Question 17

Describe winlogon.exe

Answer 17

Handles interactive user logons and logoffs. Launches the logonui.exe. Once user is authenticated winlogon loads the user’s NTUSER.DAT in HKCU.

Question 18

Parent process of winlogon.exe

Answer 18

smss.exe

Question 19

Number of instances of winlogon.exe

Answer 19

1 or more

Question 20

Describe csrss.exe

Answer 20

Client/Server Run-time subsystem user mode process for the Windows sub system. Duties include managing processes and threads and facilitating of the GUI during system shutdown.

Question 21

Parent process of csrss.exe

Answer 21

smss.exe

Question 22

Number of instances of csrss.exe

Answer 22

Two or more

Question 23

Describe services.exe

Answer 23

Implements Unified Background Process Manager which is responsible for background activities such as services and scheduled tasks. also implements the service control manager which handles loading of services and device drivers.

Question 24

Parent process of services.exe

Answer 24

wininit.exe

Question 25

Number of instances of services.exe

Answer 25

1

Question 26

Describe svchost.exe

Answer 26

Generic host process for Windows services. Used for running service DLLs. Each instance of svchost.exe will have a unique ‘-k parameter’

Question 27

Parent process of svchost.exe

Answer 27

services.exe

Question 28

Number of instances of svchost.exe

Answer 28

Many

Question 29

Describe lsaiso.exe

Answer 29

When credential guard is enabled the functionality of lsass.exe is split between two processes, itself and lsaiso.exe. Storing of account credentials sits with lsaiso.exe.

Question 30

Parent process of lsaiso.exe

Answer 30

wininit.exe

Question 31

Number of instances of lsaiso.exe

Answer 31

0 or 1

Question 32

Describe lsass.exe

Answer 32

Local Security Authority Subsystem Service responsible for authenticating users.

Question 33

Parent process of lsass.exe

Answer 33

wininit.exe

Question 34

Number of instances of lsass.exe

Answer 34

1

Question 35

Describe explorer.exe

Answer 35

Explorere provides users access to files. Acts as both a file browser and user interface.

Question 36

Parent process of explorer.exe

Answer 36

userinit.exe (which exits)

Question 37

Number of instances of explorer.exe

Answer 37

1 or more per interactively logged on user.