Friday, March 6, 2015

Critical Windows Processes - smss.exe, wininit.exe, services.exe, winlogon.exe, csrss.exe


Similar to the "System Idle Process" and the "System" process, smss.exe, wininit.exe, services.exe, winlogon.exe, csrss.exe are some one of the other critical processes to be aware of on Windows systems. Many times, malicious processes will have the same or similar names as legitimate processes, so it's important that we are able to differentiate between what's legit and what's not legit.

Session Manager Subsystem (smss.exe)

   





















  








   
    - Initiated by System PID 4

    - Parent should be marked as "System" with PID 4   
    - In contrast to the "System Idle Process" and the "System" processes, this actually points to a valid executable - C:\Windows\System32\smss.exe  
    - First user mode process created
    - Responsible for starting user sessions
    - Should have only 1 active copy once the system has initialized
   
      
Windows Initialization Process (wininit.exe)

































    - Gets created by smss.exe
    - However, the parent smss.exe dies leaving wininit.exe parentless
    - creates %windir%\temp
    - Creates services.exe and lsass.exe
    - Similarly to smss.exe, this process is actually pointed to a specific executable - C:\Windows\System32\wininit.exe
   

Services Control Manager (services.exe)


   






























    - created by wininit.exe
    - used for interacting with services

      - Similarly to smss.exe, this process is actually pointed to a specific executable - C:\Windows\System32\services.exe   
   

Windows Logon (winlogon.exe)
 



























  



    - created by wininit.exe
    - used for interactive logons and logoff
    - Works in conjunction with credential providers

    - Similarly to smss.exe, this process is actually pointed to a specific executable - C:\Windows\System32\winlogon.exe   

  
Client Server Runtime Subsystem (csrss.exe)





























 



    - User mode portion of win32 subsystem
    - Responsible for console windows
    - Legacy process from the days of WindowsNT
    - Responsible to drive mapping, temp files creations, etc

    - Similarly to smss.exe, this process is actually pointed to a specific executable - C:\Windows\System32\csrss.exe   
    - Non existent parent process 



Why does all of this matters? Thought you would never ask ... Being able to identify processes in general will be helpful in determining what you investigate. However, knowing what is critical and their characteristics can make your investigation process much easier.





References:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
https://social.technet.microsoft.com/forums/windows/en-US/3dce3625-2757-43d8-9289-0f5f1f832fad/system-idle-process-and-its-existence
http://en.wikipedia.org/wiki/System_Idle_Process
http://www.tutorialspoint.com/operating_system/os_processes.htm
http://support2.microsoft.com/kb/263201
https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
https://sysforensics.org/2014/01/know-your-windows-processes.html

No comments:

Post a Comment