Normal Windows Processes Flashcards
Knowing normal Windows processes to determine outliers
List the normal Windows Processes
System.exe
smss.exe
wininit.exe
runtimebroker.exe
taskhostw.exe
winlogon.exe
csrss.exe
services.exe
svchost.exe
lsaiso.exe
lsass.exe
Describe system.exe
Responsible for most kernel-mode threads. Modules run under system.exe are primarily drivers.
Parent process of system.exe
None
Number of instances of system.exe
1
Describe smss.exe
The Session Manager process is responsible for creating new sessions.
Parent process of smss.exe
System.exe
Number of instances of smss.exe
1 master instance and a child instance. The child instance exits after creating its session.
Describe wininit.exe
Starts key background processes within session 0. It starts services.exe, lsass.exe and lsaiso.exe.
Parent process of wininit.exe
smss.exe
Number of instances of wininit.exe
1
Describe runtimebroker.exe
Acts as a proxy between Universal Windows Platform applications and the full Windows API.
Parent process of runtimebroker.exe
svchost.exe
Number of instances of runtimebroker.exe
1 or more
Describe taskhostw.exe
Generic host process for Windows Tasks.
Parent process of taskhostw.exe
svchost.exe
Number of instances of taskhostw.exe
1 or more
Describe winlogon.exe
Handles interactive user logons and logoffs. Launches logonui.exe. Once the user is authenticated, winlogon loads the user's NTUSER.DAT into HKCU.
Parent process of winlogon.exe
smss.exe
Number of instances of winlogon.exe
1 or more
Describe csrss.exe
Client/Server Run-time Subsystem: the user-mode process for the Windows subsystem. Duties include managing processes and threads and facilitating the GUI during system shutdown.
Parent process of csrss.exe
smss.exe
Number of instances of csrss.exe
Two or more
Describe services.exe
Implements the Unified Background Process Manager, which is responsible for background activities such as services and scheduled tasks. Also implements the Service Control Manager, which handles loading of services and device drivers.
Parent process of services.exe
wininit.exe
Number of instances of services.exe
1
Describe svchost.exe
Generic host process for Windows services. Used for running service DLLs. Each instance of svchost.exe will have a unique '-k' parameter.
Parent process of svchost.exe
services.exe
Number of instances of svchost.exe
Many
Describe lsaiso.exe
When Credential Guard is enabled, the functionality of lsass.exe is split between two processes: itself and lsaiso.exe. Storing of account credentials sits with lsaiso.exe.
Parent process of lsaiso.exe
wininit.exe
Number of instances of lsaiso.exe
0 or 1
Describe lsass.exe
Local Security Authority Subsystem Service responsible for authenticating users.
Parent process of lsass.exe
wininit.exe
Number of instances of lsass.exe
1
Describe explorer.exe
Explorer provides users access to files. Acts as both a file browser and user interface.
Parent process of explorer.exe
userinit.exe (which exits)
Number of instances of explorer.exe
1 or more per interactively logged on user.