Core Windows Processes
Task Manager
Understanding Task Manager Columns
The Details Tab
What Task Manager Doesn’t Show
Process Hacker and Process Explorer
System
The System Process (PID 4)
What Does the System Process Do?
What’s the Difference Between User Mode and Kernel Mode?
Normal VS Suspicious Behaviour
System > smss.exe
smss.exe – Session Manager Subsystem
What smss.exe Starts
Session Setup
Registry-Defined Subsystems
Other Responsibilities
Normal VS Unusual
Csrss.exe
csrss.exe – Client Server Runtime Process
How It Starts
Normal VS Unusual
Wininit.exe
wininit.exe – Windows Initialization Process
Normal VS Unusual
wininit.exe > services.exe
services.exe – Service Control Manager (SCM)
Interacting with SCM via Command Line
Registry Involvement
Parent to Other Processes
Normal VS Unusual
wininit.exe > services.exe > svchost.exe
svchost.exe – Service Host Process
How It Works
About the k Parameter
Why is svchost.exe a Target?
Normal VS Unusual
lsass.exe
lsass.exe – Local Security Authority Subsystem Service
Normal VS Unusual
winlogon.exe
winlogon.exe – Windows Logon Process
How It Starts
Normal VS Unusual
explorer.exe
explorer.exe – Windows Explorer
How It Starts
Child Processes
Normal VS Unusual