Here's a quick layout of how the core Windows processes are layered; we'll talk about how they all fit together below.
SYSTEM (ALWAYS PID 4)
  smss.exe (session 0)
    csrss.exe (session 0)
    wininit.exe (session 0)
      services.exe
        svchost.exe
      lsass.exe
      lsaiso.exe
    csrss.exe (session 1)
      csrsrv.dll
      basesrv.dll
      winsrv.dll
    winlogon.exe (session 1)
SYSTEM (Process ID 4) - Runs in Kernel mode (C:\Windows\system32\ntoskrnl.exe)
smss.exe - Windows Session Manager: Creates new sessions > starts csrss.exe, wininit.exe, winlogon.exe in session 0 (isolated for the OS) and csrss.exe, winlogon.exe for session 1 (the user session) (%SystemRoot%\System32\smss.exe)
csrss.exe - Client Server Runtime Process > loads csrsrv.dll, basesrv.dll, winsrv.dll; handles drive mappings and the Windows shutdown process (%SystemRoot%\System32\csrss.exe)
wininit.exe - Windows Initialization Process > starts services.exe, lsass.exe, lsaiso.exe in session 0 (%SystemRoot%\System32\wininit.exe)
services.exe - Service Control Manager: Handles loading services, interacting with services, starting/stopping services, loading device drivers into memory etc. Its service database can be queried with sc.exe and lives under HKLM\System\CurrentControlSet\Services. Loads svchost.exe, spoolsv.exe, msmpeng.exe, dllhost.exe (%SystemRoot%\System32\services.exe)
svchost.exe - Host Process for Windows Services: Hosts and manages Windows services implemented as DLLs; the hosted DLL is configured under HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE NAME>\Parameters (%SystemRoot%\System32\svchost.exe)
lsass.exe - Local Security Authority Subsystem Service: enforces the security policy on the system, verifies users logging in to Windows, handles password changes, creates access tokens (SAM, AD, NETLOGON) and writes to the Windows Security Log. HKLM\System\CurrentControlSet\Control\Lsa (%SystemRoot%\System32\lsass.exe)
winlogon.exe - Windows Logon: handles the Secure Attention Sequence (SAS), i.e. the CTRL+ALT+DELETE key combo. Handles loading of the user profile by loading NTUSER.DAT into HKCU via userinit.exe, locking the screen and running the screensaver (%SystemRoot%\System32\winlogon.exe)
explorer.exe - Windows Explorer: Gives the user access to folders and files and provides the Start menu and taskbar. Launched by userinit.exe from the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (%SystemRoot%\explorer.exe)
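As an added example (not part of the original notes), the hierarchy above can be turned into a baseline check: given a process snapshot, flag any core process whose parent, image directory, session or PID does not match what the layout says. The snapshot format below is an assumption (a list of dicts with pid, ppid, name, path and session, the fields you could export from Get-CimInstance Win32_Process); the sample snapshot is constructed, and the note that smss.exe and userinit.exe exit after spawning their children, so their children's parent PID is normally gone, comes from general Windows knowledge rather than from the notes.

```python
import ntpath

# Expected layout, taken from the notes above.
# name -> (allowed parent image names, expected directory, allowed session IDs or None)
# Names, paths and directories are compared lower-cased.
CORE_RULES = {
    "system":       (set(), None, {0}),
    "smss.exe":     ({"system", "smss.exe"}, r"c:\windows\system32", {0, 1}),  # session-1 smss is spawned by the session-0 one
    "csrss.exe":    ({"smss.exe"}, r"c:\windows\system32", {0, 1}),
    "wininit.exe":  ({"smss.exe"}, r"c:\windows\system32", {0}),
    "winlogon.exe": ({"smss.exe"}, r"c:\windows\system32", {0, 1}),
    "services.exe": ({"wininit.exe"}, r"c:\windows\system32", {0}),
    "lsass.exe":    ({"wininit.exe"}, r"c:\windows\system32", {0}),
    "lsaiso.exe":   ({"wininit.exe"}, r"c:\windows\system32", {0}),
    "svchost.exe":  ({"services.exe"}, r"c:\windows\system32", None),  # svchosts exist in every session
    "explorer.exe": ({"userinit.exe"}, r"c:\windows", None),
}

# Assumption (general Windows behaviour, not from the notes): these parents exit
# right after spawning their children, so a missing parent PID is normal for them.
TRANSIENT_PARENTS = {"smss.exe", "userinit.exe"}

# A healthy system has exactly one instance of each of these.
SINGLETONS = {"system", "wininit.exe", "services.exe", "lsass.exe"}


def check_snapshot(procs):
    """Return [(pid, name, finding)] for every deviation from CORE_RULES."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    counts = {}
    for p in procs:
        name = p["name"].lower()
        counts[name] = counts.get(name, 0) + 1
        rule = CORE_RULES.get(name)
        if rule is None:
            continue  # not a core process; out of scope for this check
        parents, expected_dir, sessions = rule

        # SYSTEM is always PID 4.
        if name == "system" and p["pid"] != 4:
            findings.append((p["pid"], p["name"], "System process with PID other than 4"))

        # The image must live in the documented directory.
        if expected_dir is not None and ntpath.dirname(p["path"].lower()) != expected_dir:
            findings.append((p["pid"], p["name"], f"unexpected image path {p['path']}"))

        # The parent must be the documented launcher (or have exited, where that is normal).
        if parents:
            parent = by_pid.get(p["ppid"])
            if parent is None:
                if not parents & TRANSIENT_PARENTS:
                    findings.append((p["pid"], p["name"], f"parent PID {p['ppid']} not in snapshot"))
            elif parent["name"].lower() not in parents:
                findings.append((p["pid"], p["name"],
                                 f"unexpected parent {parent['name']} (PID {parent['pid']})"))

        # The session must be one the process is documented to run in.
        if sessions is not None and p["session"] not in sessions:
            findings.append((p["pid"], p["name"], f"unexpected session {p['session']}"))

    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append((0, name, f"{counts[name]} instances of singleton process"))
    return findings


# Constructed sample snapshot (not real host data). PIDs 400 and 1480 are the
# already-exited smss.exe / userinit.exe parents; PID 3000 is the deliberate anomaly.
SAMPLE_SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                   "session": 0},
    {"pid": 320,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",      "session": 0},
    {"pid": 412,  "ppid": 400,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe",     "session": 0},
    {"pid": 488,  "ppid": 400,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",   "session": 0},
    {"pid": 600,  "ppid": 488,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe",  "session": 0},
    {"pid": 620,  "ppid": 488,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",     "session": 0},
    {"pid": 700,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",   "session": 0},
    {"pid": 520,  "ppid": 400,  "name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe",  "session": 1},
    {"pid": 1500, "ppid": 1480, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",           "session": 1},
    {"pid": 3000, "ppid": 1500, "name": "svchost.exe",  "path": r"C:\Users\Public\svchost.exe",       "session": 1},
]

if __name__ == "__main__":
    for pid, name, finding in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"PID {pid} {name}: {finding}")
```

Run against the sample, the only findings are for PID 3000: an svchost.exe outside System32 whose parent is explorer.exe rather than services.exe. On a real host, feed the function the output of a process listing exported with the same field names; the transient-parent allowance is what keeps csrss.exe, wininit.exe, winlogon.exe and explorer.exe from producing false positives just because their launcher has already exited.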