The next process is smss.exe (Session Manager Subsystem). This process, also known as the Windows Session Manager, is responsible for creating new sessions. It is the first user-mode process started by the kernel.
SMSS is also responsible for creating environment variables and virtual memory paging files, and for starting winlogon.exe (the Windows Logon Manager). It launches the following processes in each session:
- Session 0: csrss.exe & wininit.exe
- Session 1: csrss.exe & winlogon.exe
What is normal?
- Image Path: %SystemRoot%\System32\smss.exe
- Parent Process: System
- Number of Instances: One master instance and one child instance per session. The child instance exits after creating the session.
- User Account: Local System
- Start Time: Within seconds of boot time for the master instance
What is unusual?
- A parent process other than System (PID 4)
- The image path is different from C:\Windows\System32
- More than one running instance (the children self-terminate after creating each new session, so only the master should remain)
- The running User is not the SYSTEM user
- Unexpected registry entries for Subsystem
csrss.exe
As mentioned in the previous section, csrss.exe (Client Server Runtime Process) is the user-mode side of the Windows subsystem. This process is always running and is critical to system operation; if it is terminated, the system fails. It is responsible for the Win32 console window and for process and thread creation and deletion. Each instance loads csrsrv.dll, basesrv.dll, and winsrv.dll (along with other DLLs).
Recall that csrss.exe and winlogon.exe are called from smss.exe at startup for Session 1.
What is normal?
- Session 0 (PID 392)
- Session 1 (PID 512)
- Image Path: %SystemRoot%\System32\csrss.exe
- Parent Process: Created by an instance of smss.exe
- Number of Instances: Two or more
- User Account: Local System
- Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although only Sessions 0 and 1 are often created.
What is unusual?
- An actual parent process. (smss.exe calls this process and self-terminates)
- Image file path other than C:\Windows\System32
- Subtle misspellings to hide rogue processes masquerading as csrss.exe in plain sight
- The user is not the SYSTEM user.
wininit.exe
The Windows Initialization Process, wininit.exe, is responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe within Session 0. It is another critical Windows process that runs in the background, along with its child processes.
What is normal?
- Image Path: %SystemRoot%\System32\wininit.exe
- Parent Process: Created by an instance of smss.exe
- Number of Instances: One
- User Account: Local System
- Start Time: Within seconds of boot time
What is unusual?
- An actual parent process. (smss.exe calls this process and self-terminates)
- Image file path other than C:\Windows\System32
- Subtle misspellings to hide rogue processes in plain sight
- Multiple running instances
- Not running as SYSTEM
wininit.exe -> services.exe
The next process is the Service Control Manager (SCM), services.exe. Its primary responsibility is to handle system services: loading services, interacting with them, and starting or stopping them. It maintains a database that can be queried with the built-in Windows utility sc.exe.
Information about services is stored in the registry under HKLM\System\CurrentControlSet\Services.
This process also loads device drivers marked as auto-start into memory.
When a user logs into a machine successfully, this process is responsible for setting the value of the Last Known Good control set (Last Known Good Configuration), HKLM\System\Select\LastKnownGood, to that of the CurrentControlSet.
What is normal?
- Image Path: %SystemRoot%\System32\services.exe
- Parent Process: wininit.exe
- Number of Instances: One
- User Account: Local System
- Start Time: Within seconds of boot time
What is unusual?
- A parent process other than wininit.exe
- Image file path other than C:\Windows\System32
- Subtle misspellings to hide rogue processes in plain sight
- Multiple running instances
- Not running as SYSTEM
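A PowerShell check, added here and not part of the original page, that applies the "What is normal?" baselines above (image path, parent process, instance count, owner) to the live process list for smss.exe, csrss.exe, wininit.exe and services.exe. It assumes an elevated session and matches exact process names only, so a misspelled lookalike has to be hunted separately.

```powershell
# Added example, not from the original page: checks the smss.exe, csrss.exe, wininit.exe and
# services.exe instances on this host against the "What is normal?" properties listed above.
# Assumes an elevated PowerShell session (ExecutablePath and GetOwner need it for SYSTEM processes).
$system32 = Join-Path $env:SystemRoot 'System32'
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-OwnerName($proc) {
    $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
}

# Expected parent per process. $null means the parent should already have exited
# (the smss.exe child that created the session terminates, so csrss.exe and wininit.exe
# are left with a parent PID that no longer belongs to a running process).
$rules = @{
    'smss.exe'     = @{ Parent = 'System';      MaxInstances = 1 }
    'csrss.exe'    = @{ Parent = $null;         MaxInstances = [int]::MaxValue }
    'wininit.exe'  = @{ Parent = $null;         MaxInstances = 1 }
    'services.exe' = @{ Parent = 'wininit.exe'; MaxInstances = 1 }
}

foreach ($name in $rules.Keys) {
    $rule = $rules[$name]
    $instances = @($procs | Where-Object { $_.Name -ieq $name })
    if ($instances.Count -gt $rule.MaxInstances) {
        Write-Warning "$name : $($instances.Count) instances running, expected at most $($rule.MaxInstances)"
    }
    foreach ($p in $instances) {
        $findings = @()
        # Exact path under %SystemRoot%\System32; a copy dropped elsewhere fails this test.
        if ($p.ExecutablePath -ine (Join-Path $system32 $name)) {
            $findings += "image path '$($p.ExecutablePath)'"
        }
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $rule.Parent) {
            # PID reuse can make this a false positive; confirm before acting on it.
            if ($parent) { $findings += "live parent $($parent.Name) (PID $($parent.ProcessId)), expected an exited parent" }
        } elseif (-not $parent -or $parent.Name -ine $rule.Parent) {
            $parentName = if ($parent) { $parent.Name } else { 'none' }
            $findings += "parent '$parentName', expected $($rule.Parent)"
        }
        $owner = Get-OwnerName $p
        if ($owner -ine 'NT AUTHORITY\SYSTEM') { $findings += "owner $owner, expected NT AUTHORITY\SYSTEM" }
        $label = "$name PID $($p.ProcessId) (session $($p.SessionId))"
        if ($findings.Count) { Write-Warning "$label : $($findings -join '; ')" } else { "$label : OK" }
    }
}
```

Each deviation is reported as a warning with the PID and session so it can be compared against the tables above before any response action.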