Friday, March 6, 2015
Critical Windows Processes - smss.exe, wininit.exe, services.exe, winlogon.exe, csrss.exe
Similar to the "System Idle Process" and the "System" process, smss.exe, wininit.exe, services.exe, winlogon.exe and csrss.exe are some of the other critical processes to be aware of on Windows systems. Many times, malicious processes will have the same or similar names as legitimate processes, so it's important that we are able to differentiate between what's legitimate and what's not.
Session Manager Subsystem (smss.exe)
- Initiated by System PID 4
- Parent should be marked as "System" with PID 4
- In contrast to the "System Idle Process" and the "System" process, this one actually points to a valid executable - C:\Windows\System32\smss.exe
- First user mode process created
- Responsible for starting user sessions
- Should have only 1 active copy once the system has initialized
Windows Initialization Process (wininit.exe)
- Gets created by smss.exe
- However, the parent smss.exe exits, leaving wininit.exe parentless
- Creates %windir%\temp
- Creates services.exe and lsass.exe
- Similarly to smss.exe, this process actually points to a specific executable - C:\Windows\System32\wininit.exe
Services Control Manager (services.exe)
- Created by wininit.exe
- Used for interacting with services
- Similarly to smss.exe, this process actually points to a specific executable - C:\Windows\System32\services.exe
Windows Logon (winlogon.exe)
- Created by wininit.exe
- Used for interactive logons and logoffs
- Works in conjunction with credential providers
- Similarly to smss.exe, this process actually points to a specific executable - C:\Windows\System32\winlogon.exe
Client Server Runtime Subsystem (csrss.exe)
- User mode portion of win32 subsystem
- Responsible for console windows
- Legacy process from the days of Windows NT
- Responsible for drive mapping, temp file creation, etc.
- Similarly to smss.exe, this process actually points to a specific executable - C:\Windows\System32\csrss.exe
- Parent process is non-existent
Why does all of this matter? Thought you would never ask ... Being able to identify processes in general will be helpful in determining what you investigate. However, knowing which processes are critical and what their characteristics are can make your investigation process much easier.
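To show how these characteristics turn into a triage check, here is an added example (not from the original post) that encodes the image path, parent and instance-count traits listed above and runs them over a process listing. The listing is constructed: the paths are the ones given above, the PIDs are made up, and the second "services.exe" running from a user directory under explorer.exe is a deliberately planted lookalike.

```python
"""Check a process listing against the traits of the critical Windows
processes described above. Added example; SNAPSHOT is constructed, not
captured from a real host (paths as in the post, PIDs made up)."""
from collections import Counter

# name -> (expected image path, allowed parent names or None, parent may
# have exited, max instances or None), as the post lists them.
EXPECTED = {
    "smss.exe":     (r"c:\windows\system32\smss.exe", {"system"}, False, 1),
    "wininit.exe":  (r"c:\windows\system32\wininit.exe", {"smss.exe"}, True, 1),
    "services.exe": (r"c:\windows\system32\services.exe", {"wininit.exe"}, False, 1),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", {"wininit.exe"}, True, None),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe", None, True, None),
}

# Constructed listing: one clean boot plus a lookalike "services.exe".
SNAPSHOT = [
    {"pid": 4, "ppid": 0, "name": "System", "path": ""},
    {"pid": 328, "ppid": 4, "name": "smss.exe", "path": r"C:\Windows\System32\smss.exe"},
    {"pid": 424, "ppid": 400, "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe"},  # ppid 400 exited
    {"pid": 480, "ppid": 400, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 580, "ppid": 480, "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 560, "ppid": 480, "name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 2980, "ppid": 2900, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 4120, "ppid": 2980, "name": "services.exe", "path": r"C:\Users\Public\services.exe"},
]

def check_snapshot(procs):
    """Return (pid, name, issue) tuples; pid is None for per-name issues."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name not in EXPECTED:
            continue
        path, parents, parent_may_exit, _ = EXPECTED[name]
        if p["path"].lower() != path:
            findings.append((p["pid"], name, f"unexpected image path {p['path']}"))
        parent = by_pid.get(p["ppid"])
        if parent is None:
            if not parent_may_exit:
                findings.append((p["pid"], name, "parent process is missing"))
        elif parents and parent["name"].lower() not in parents:
            findings.append((p["pid"], name, f"unexpected parent {parent['name']} (pid {parent['pid']})"))
    # Instance counts are a per-name property, so report them once.
    for name, (_, _, _, limit) in EXPECTED.items():
        if limit is not None and counts[name] > limit:
            findings.append((None, name, f"{counts[name]} instances, expected {limit}"))
    return findings
```

On the constructed listing the planted process is flagged three ways (wrong path, wrong parent, too many instances), while the clean processes produce no findings even where their parent has already exited.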