{"id":2725,"date":"2026-04-03T18:47:00","date_gmt":"2026-04-03T18:47:00","guid":{"rendered":"https:\/\/zombierollz.blog\/?p=2725"},"modified":"2026-04-03T12:47:28","modified_gmt":"2026-04-03T12:47:28","slug":"core-windows-proccesses","status":"publish","type":"post","link":"https:\/\/zombierollz.blog\/?p=2725","title":{"rendered":"Core Windows Proccesses"},"content":{"rendered":"\n

https:\/\/tryhackme.com\/room\/btwindowsinternals<\/a>
Created by: tryhackme, ar33zy<\/p>\n\n\n\n

This room is a pre-requisite for https:\/\/tryhackme.com\/room\/volatility<\/a> and that room is a pre-requisite for https:\/\/tryhackme.com\/room\/boogeyman2<\/a> which is a part of the SOCL1 pathway.<\/p>\n\n\n\n

“In this room, we will explore the core processes within a Windows system. This room aims to help you know and understand what normal behaviour within a Windows operating system is. This foundational knowledge will help<\/strong> you identify malicious processes running on an endpoint.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I am already familiar with the majority of the content, but it’s been a while, and I am looking forward to a refresher. Task 2 covers the handy Task Manager.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

They bring up two additional utilities: Process Hacker and Process Explorer. I’ve used the latter in other THM rooms.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Takes 3 covers the System process and what is to be expected when you look at it’s properties.<\/p>\n\n\n\n

“The first Windows process on the list is\u00a0System<\/strong>. It was mentioned in a previous section that a\u00a0PID\u00a0for any given process is assigned at random, but that is not the case for the System process. The\u00a0PID\u00a0for System is always 4. What does this process do exactly?

The official definition from Windows Internals 6th Edition:

The System process (process ID 4) is the home for a special kind of thread that runs only in kernel mode a kernel-mode system thread. System threads have all the attributes and contexts of regular user-mode threads (such as a hardware context, priority, and so on) but are different in that they run only in kernel-mode executing code loaded in system space, whether that is in Ntoskrnl.exe or in any other loaded device driver. In addition, system threads don’t have a user process address space and hence must allocate any dynamic storage from operating system memory heaps, such as a paged or nonpaged pool.<\/em>‘”<\/p>\n\n\n\n

“What is user mode? Kernel-mode? Visit the following\u00a0link(opens in new tab)<\/a>\u00a0to understand each of these.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I decided to open Process Hacker and look at the differences. With Process Hacker, we get more details!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What PID should System always be?”

4<\/p>\n\n\n\n

Task 4 covers smss.exe.

“The next process is\u00a0smss.exe<\/strong>\u00a0(Session Manager Subsystem<\/strong>). This process, also known as the\u00a0Windows Session Manager<\/strong>, is responsible for creating new sessions. It is the first user-mode process started by the kernel.

This process starts the kernel and user modes of the Windows subsystem (you can read more about the NT Architecture\u00a0here(opens in new tab)<\/a>). This subsystem includes win32k.sys (kernel mode), winsrv.dll\u00a0(user mode), and csrss.exe (user mode).\u00a0

Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system, and csrss.exe and winlogon.exe for Session 1, which is the user session. The first child instance creates child instances in new sessions, done by smss.exe copying itself into the new session and self-terminating.\u00a0You can read more about this process\u00a0here(opens in new tab)<\/a>.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“Aside from csrss.exe, what process does smss.exe spawn in Session 1?”<\/p>\n\n\n\n

winlogon.exe<\/p>\n\n\n\n

On to task 5, csrss.exe.<\/p>\n\n\n\n

“As mentioned in the previous section,\u00a0csrss.exe<\/strong>\u00a0(Client Server Runtime Process<\/strong>) is the user-mode side of the Windows subsystem. This process is always running and is critical to system operation. If this process is terminated by chance, it will result in system failure. This process is responsible for creating and deleting Win32 console windows and process threads. For each instance, csrsrv.dll, basesrv.dll, and winsrv.dll\u00a0are loaded (along with others).\u00a0

This process is also responsible for making the Windows\u00a0API\u00a0available to other processes, mapping drive letters, and handling the Windows shutdown process.\u00a0You can read more about this process\u00a0here(opens in new tab)<\/a>.

Note<\/strong>: Recall that csrss.exe and winlogon.exe are called from smss.exe at startup for Session 1.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What was the process that had PID 384 and PID 488?”
smss.exe

On to task 6, wininit.exe.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“Which process might you not see running if Credential Guard is not enabled?”

lsaiso.exe<\/p>\n\n\n\n

Up next is task 7, winini.texe > services.exe.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“How many instances of services.exe should be running on a Windows system?”
1

On to Task 8, wininit.exe > services.exe > svchost.exe<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What single letter parameter should always be visible in the\u00a0Command line<\/strong>\u00a0or\u00a0Binary path<\/strong>?”

k<\/p>\n\n\n\n

On to task 9, lass.exe.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

A great article of how that expands on lsass as well as how it can used abused and what to do to defend it:
https:\/\/yungchou.wordpress.com\/2016\/03\/14\/an-introduction-of-windows-10-credential-guard\/<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

“What is the parent process for LSASS?”
wininit.exe<\/p>\n\n\n\n

On to task 10, winlogon.exe.

“The\u00a0Windows Logon<\/strong>,\u00a0winlogon.exe<\/strong>, is responsible for handling the\u00a0Secure Attention Sequence<\/strong>\u00a0(SAS). It is the ALT+CTRL+DELETE key combination users press to enter their username & password.\u00a0

This process is also responsible for loading the user profile. It loads the user’s NTUSER.DAT into HKCU, and userinit.exe loads the user’s shell. Read more about this process\u00a0here(opens in new tab)<\/a>.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What is the non-existent parent process for winlogon.exe?”<\/p>\n\n\n\n

smss.exe<\/p>\n\n\n\n

On to the last task, task 11.

“The last process we’ll look at is\u00a0Windows Explorer<\/strong>,\u00a0explorer.exe<\/strong>. This process gives the user access to their folders and files. It also provides functionality for other features, such as the Start Menu and Taskbar.

As mentioned previously, the Winlogon process runs userinit.exe, which launches the value in\u00a0HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell<\/code>.\u00a0Userinit.exe exits after spawning explorer.exe. Because of this, the parent process is non-existent.”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

“What is the non-existent process for explorer.exe?”

userinit.exe<\/p>\n","protected":false},"excerpt":{"rendered":"

https:\/\/tryhackme.com\/room\/btwindowsinternalsCreated by: tryhackme, ar33zy This room is a pre-requisite for https:\/\/tryhackme.com\/room\/volatility and that room is a pre-requisite for https:\/\/tryhackme.com\/room\/boogeyman2 which is a part of the SOCL1 pathway. “In this room, we will explore the core processes within a Windows system. This room aims to help you know and understand what normal behaviour within a Windows […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2725","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/2725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2725"}],"version-history":[{"count":2,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/2725\/revisions"}],"predecessor-version":[{"id":2754,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=\/wp\/v2\/posts\/2725\/revisions\/2754"}],"wp:attachment":[{"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zombierollz.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}