aldern00b

Understanding Windows Processes

Here's a quick layout of how the core Windows processes are layered; we'll talk about how they all fit together below.

  • SYSTEM (ALWAYS PID 4)

    • smss.exe (session 0)

      • csrss.exe (session 0)

      • wininit.exe (session 0)

        • services.exe

          • svchost.exe

        • lsass.exe

        • lsaiso.exe

      • csrss.exe (session 1)

        • csrsrv.dll

        • basesrv.dll

        • winsrv.dll

      • winlogon.exe (session 1)


SYSTEM (Process ID 4) - Runs in Kernel mode (C:\Windows\system32\ntoskrnl.exe)


smss.exe - Windows Session Manager: Creates new sessions > starts csrss.exe, wininit.exe, winlogon.exe in session 0 (isolated for the OS) and csrss.exe, winlogon.exe for session 1 (user session) (%SystemRoot%\System32\smss.exe)


csrss.exe - Client Server Runtime Process > starts csrsrv.dll, basesrv.dll, winsrv.dll; handles drive mappings and the Windows shutdown process (%SystemRoot%\System32\csrss.exe)


wininit.exe - Windows Initialization Process > starts services.exe, lsass.exe, lsaiso.exe in session 0 (%SystemRoot%\System32\wininit.exe)


services.exe - Service Control Manager: Handles loading services, interacting with services, starting/stopping services, loading device drivers into memory, etc. Its database (HKLM\SYSTEM\CurrentControlSet\Services) can be queried with sc.exe. Loads svchost.exe, spoolsv.exe, msmpeng.exe, dllhost.exe (%SystemRoot%\System32\services.exe)


svchost.exe - Host Process for Windows Services: Handles hosting and managing Windows services implemented as DLLs; the DLL for each service is registered under HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters (%SystemRoot%\System32\svchost.exe)


lsass.exe - Local Security Authority Subsystem Service: enforces the security policy on the system, verifies users logging in to Windows, handles password changes, creates access tokens (SAM, AD, NETLOGON) and writes to the Windows Security Log. HKLM\System\CurrentControlSet\Control\Lsa (%SystemRoot%\System32\lsass.exe)


winlogon.exe - Windows Logon: handles the Secure Attention Sequence (SAS), which is the CTRL+ALT+DELETE key combo. Handles loading of the user profile by loading NTUSER.DAT into HKCU via userinit.exe, locking the screen, and running the screensaver (%SystemRoot%\System32\winlogon.exe)


explorer.exe - Windows Explorer: Gives the user access to folders and files, plus the functionality for the Start menu and taskbar. Runs userinit.exe, which launches the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (%SystemRoot%\explorer.exe)
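The practical use of the layout above is spotting a core process name that runs from the wrong path, under the wrong parent, or in the wrong session. The PowerShell below is an added example (not from the original post) that checks the live process list against the parents, image paths and sessions described above; the expected-value table and the list of parents that normally exit after spawning their children are assumptions built from the text.

```powershell
# Added example: compare the live process tree with the expected layout above.
# Run from an elevated prompt so ExecutablePath is readable for SYSTEM-owned processes.
$expected = @{
    'smss.exe'     = @{ Parent = 'System';       Path = "$env:SystemRoot\System32\smss.exe";     Session = 0 }
    'csrss.exe'    = @{ Parent = 'smss.exe';     Path = "$env:SystemRoot\System32\csrss.exe";    Session = $null }
    'wininit.exe'  = @{ Parent = 'smss.exe';     Path = "$env:SystemRoot\System32\wininit.exe";  Session = 0 }
    'winlogon.exe' = @{ Parent = 'smss.exe';     Path = "$env:SystemRoot\System32\winlogon.exe"; Session = $null }
    'services.exe' = @{ Parent = 'wininit.exe';  Path = "$env:SystemRoot\System32\services.exe"; Session = 0 }
    'lsass.exe'    = @{ Parent = 'wininit.exe';  Path = "$env:SystemRoot\System32\lsass.exe";    Session = 0 }
    'lsaiso.exe'   = @{ Parent = 'wininit.exe';  Path = "$env:SystemRoot\System32\lsaiso.exe";   Session = 0 }
    'svchost.exe'  = @{ Parent = 'services.exe'; Path = "$env:SystemRoot\System32\svchost.exe";  Session = $null }
    'explorer.exe' = @{ Parent = $null;          Path = "$env:SystemRoot\explorer.exe";          Session = $null }
}
# Assumption: these parents exit once their children are started, so a missing parent is normal.
$transientParents = @('smss.exe', 'userinit.exe')

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }   # cast so lookups use one key type

foreach ($p in $procs) {
    $rule = $expected[$p.Name]
    if (-not $rule) { continue }
    $findings = @()

    # Check 1: image path must match the documented location (-ne is case-insensitive).
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $rule.Path) {
        $findings += "unexpected path '$($p.ExecutablePath)'"
    }
    # Check 2: parent must be the documented process. Per-session smss.exe instances exit after
    # spawning csrss/wininit/winlogon, so those children normally point at a PID that is gone.
    if ($rule.Parent) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent) {
            if ($rule.Parent -notin $transientParents) { $findings += "parent PID $($p.ParentProcessId) not running" }
        } elseif ($parent.Name -ne $rule.Parent) {
            # A dead parent's PID can be reused by an unrelated process; compare start times before concluding.
            $findings += "parent is $($parent.Name) (PID $($parent.ProcessId)), expected $($rule.Parent)"
        }
    }
    # Check 3: session-0 infrastructure must not appear in an interactive user session.
    if ($null -ne $rule.Session -and $p.SessionId -ne $rule.Session) {
        $findings += "session $($p.SessionId), expected $($rule.Session)"
    }
    if ($findings.Count) {
        Write-Output ("[!] {0} (PID {1}): {2}" -f $p.Name, $p.ProcessId, ($findings -join '; '))
    }
}
```

No output means every listed process matched the expected path, parent and session; each `[!]` line is a deviation worth a closer look, not proof of compromise.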



ADDITIONAL READING
