FUNDAMENTAL WINDOWS PROCESSES

Alparslan Akyıldız academy
5 min read · Oct 29, 2019


Hello friends. In this blog post I look at the important Windows processes, in preparation for memory forensics with Volatility later. Understanding the fundamental Windows processes, their execution and creation order, their instance counts and their behaviour is vital for memory forensics. Before we start, I present my Udemy trainings; if you want, you can benefit from my training to learn more deeply.

Let’s discuss them;


SMSS.EXE

The task of the SMSS.exe process is creating new sessions. It first creates Session 0 and Session 1 as soon as the operating system starts. Session 0 triggers and starts the csrss.exe and wininit.exe processes; Session 1 triggers and starts csrss.exe and winlogon.exe. Whereas the Session 0 processes are operating system processes, the Session 1 processes are user session processes. There must be only one instance of SMSS.exe in a process tree. SMSS.exe is used for creating and managing child processes. The valid path of SMSS.exe is '%SystemRoot%\System32\smss.exe'. SMSS.exe is created by the system and its SID is:

S-1-5-18 (NT AUTHORITY\SYSTEM). It is created and executed during the boot process.

CSRSS.EXE

The Client Server Runtime Subsystem process (CSRSS.exe) is responsible for the management of processes and threads, and it provides communication with the Windows APIs. Moreover, CSRSS.exe is responsible for mapping physical drives, creating temporary files, and closing and terminating processes. Its path is %SystemRoot%\System32\csrss.exe. Its parent process is SMSS.exe. Its user SID is NT AUTHORITY\SYSTEM (S-1-5-18). It is created during OS boot. There must be only two instances in the process tree. Malware authors use tricks like misspelling the process name, such as cssrs.exe.

WINLOGON.EXE

WINLOGON.EXE is responsible for user logon and logoff operations. LogonUI.exe sends the username and password to lsass.exe, and lsass.exe verifies and authenticates the user, either by connecting to Active Directory to check the validity of the credentials against ntds.dit, or by using the Security Account Manager (SAM).

Userinit.exe is registered under Software\Microsoft\Windows NT\CurrentVersion\Winlogon, and the authentication process is started from there. The path of WINLOGON.exe is %SystemRoot%\System32\winlogon.exe. Its parent process is SMSS.EXE. Its SID is NT AUTHORITY\SYSTEM (S-1-5-18). The registry key WINLOGON.exe uses is given below; malware authors can manipulate these registry values.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: Shell
Type: REG_SZ
Value: [Explorer.exe or Cmd.exe or PowerShell.exe or others]

WININIT.EXE

The Windows Initialization Process, aka WININIT.exe, is responsible for starting and triggering services.exe, lsass.exe and lsm.exe. Its path is %SystemRoot%\System32\wininit.exe. It is created at boot time. Its parent is SMSS.exe, but it appears to have no parent process. Its SID is NT AUTHORITY\SYSTEM (S-1-5-18). There must be only one instance in the process tree. If you see a second process with the same name, it is a suspicious process.

LSM.EXE

The Local Session Manager, aka LSM.exe, cooperates with SMSS.exe and is responsible for the creation, termination and changing of sessions. In Windows 7, it is called lsm.dll. Its path is %SystemRoot%\System32\lsm.exe. Its parent process is WININIT.exe. Its SID is NT AUTHORITY\SYSTEM (S-1-5-18), and only one instance may exist in a process tree.

SERVICES.EXE

SERVICES.exe is responsible for initiating services and for starting, stopping and suspending service activities. The task of the Service Control Manager is loading services and drivers into memory. It is the parent process of svchost.exe, dllhost.exe, taskhost.exe and spoolsv.exe. Its registry path is HKLM\SYSTEM\CurrentControlSet\Services. Its path is "%SystemRoot%\System32\services.exe". SERVICES.exe has only one instance in a process tree. Its SID is NT AUTHORITY\SYSTEM (S-1-5-18).

LSASS.EXE

The Local Security Authority Subsystem, aka LSASS.exe, is responsible for generating security tokens, applying security policies and authenticating users. lsass.exe creates tokens for SAM, AD and netlogon. It uses the authentication packages listed under HKLM\System\CurrentControlSet\Control\Lsa to authenticate users. It sends security logs to the event log. Its parent process is wininit.exe. Its path is %SystemRoot%\System32\lsass.exe. Its SID is NT AUTHORITY\SYSTEM (S-1-5-18). Malware can trick users by hiding its process behind a misspelling such as 1sass.exe. There must be only one instance of lsass.exe in the Windows process tree.

SVCHOST.EXE

Svchost.exe is a generic host process name for services that run from dynamic-link libraries. Because DLL files are not executable on their own, they are run under svchost in order to trigger the operating system's services. SVCHOST.exe is responsible for the use and management of multiple DLL services, to optimize system resources. Every service has registry values that include ServiceDll; through these registry values svchost knows which DLL files will be used. Svchost has a -k parameter to specify the service group name. Its path is %SystemRoot%\System32\svchost.exe -k (service group, e.g. netsvcs). Its registry key is Software\Microsoft\Windows NT\CurrentVersion\Svchost. You can see the svchost processes from the command line with the command tasklist /svc /fi "imagename eq svchost.exe". If you examine the process list, many svchost processes can be seen. All DLL-based services share the same svchost process. Every svchost process is created by running a unique set of services. Its parent process is wininit.exe. Its SIDs are NT AUTHORITY\SYSTEM (S-1-5-18), LOCAL SERVICE (S-1-5-19) or NETWORK SERVICE (S-1-5-20). Malware authors can use svchost for process injection and can trick us with misspellings like svch0st; we should also be careful about services that run without the -k parameter or from wrong paths. For instance, in process hollowing and process injection attacks the misspelling technique is used for hiding malware names.
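The two registry locations in this post (the Winlogon key above, whose Shell and Userinit values malware can manipulate, and the Svchost group key plus each service's ServiceDll value, through which svchost learns which DLLs to load) are easiest to audit from an exported .reg file. The following is an added example of my own, not code from the post: it parses a constructed .reg export embedded inline, resolves a `-k` group name to the DLLs it would load, and flags a Userinit entry or a ServiceDll that points outside System32. The expected stock values (Shell = explorer.exe, Userinit = only System32\userinit.exe) and the sample key contents are assumptions for the example; a real export writes REG_EXPAND_SZ and REG_MULTI_SZ values as hex(2) and hex(7) byte lists, which the parser decodes.

```python
import re

# Constructed registry export (not taken from a real host) covering the keys the post
# discusses: Winlogon Shell/Userinit, one svchost service group, and the ServiceDll
# values of the services in that group. The extra Userinit entry and the Winmgmt DLL
# path are the constructed anomalies; everything else mirrors a stock layout.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\upd.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,57,00,\
  69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,54,00,6d,00,70,00,5c,00,75,00,70,00,64,00,2e,00,64,00,6c,00,6c,00,00,00
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def _decode_hex_utf16(payload):
    """Decode a hex(2)/hex(7) payload: comma-separated bytes holding UTF-16LE text."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le")


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: str | list[str]}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin backslash-wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):      # REG_SZ
            keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif value.startswith("hex(7):"):                       # REG_MULTI_SZ
            keys[current][name] = [s for s in _decode_hex_utf16(value[7:]).split("\x00") if s]
        elif value.startswith("hex(2):"):                       # REG_EXPAND_SZ
            keys[current][name] = _decode_hex_utf16(value[7:]).rstrip("\x00")
        else:                                                   # dword:, hex:, ... kept raw
            keys[current][name] = value
    return keys


def _in_system32(path):
    p = path.strip().lower().replace("%systemroot%", "c:\\windows")
    return p.startswith("c:\\windows\\system32\\")


def check_winlogon(reg):
    """Flag Shell/Userinit values that differ from the stock configuration
    (assumed here: Shell = explorer.exe, Userinit = only System32\\userinit.exe)."""
    findings, values = [], reg.get(WINLOGON_KEY, {})
    shell = values.get("Shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is '{shell}', expected explorer.exe")
    for entry in values.get("Userinit", "").split(","):
        if entry and not (_in_system32(entry) and entry.lower().endswith("userinit.exe")):
            findings.append(f"Winlogon Userinit runs extra program: {entry}")
    return findings


def resolve_svchost_group(reg, group):
    """Map a `svchost.exe -k <group>` group to the (service, ServiceDll) pairs it loads."""
    services = reg.get(SVCHOST_KEY, {}).get(group, [])
    return [(svc, reg.get(f"{SERVICES_KEY}\\{svc}\\Parameters", {}).get("ServiceDll"))
            for svc in services]


def check_service_dlls(reg, group):
    """Flag hosted services whose ServiceDll is missing or lives outside System32."""
    findings = []
    for svc, dll in resolve_svchost_group(reg, group):
        if dll is None:
            findings.append(f"{svc}: no ServiceDll value")
        elif not _in_system32(dll):
            findings.append(f"{svc}: ServiceDll outside System32: {dll}")
    return findings


if __name__ == "__main__":
    reg = parse_reg(REG_EXPORT)
    for line in check_winlogon(reg) + check_service_dlls(reg, "netsvcs"):
        print(line)
```

On a real export the ServiceDll paths are usually %SystemRoot%-relative and the Winlogon Userinit value ends with a trailing comma, which is why the checker expands %SystemRoot% before comparing and skips empty entries. A ServiceDll under a user profile or a temp directory, or a second program appended to Userinit, is exactly the kind of change to the keys in this post that deserves a closer look.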

TASKHOST.EXE

TASKHOST.exe is a generic host executable used for running DLL services, like svchost. During initialization of the operating system, taskhost checks the services part of the registry and handles running and loading the DLL-based services. Its path is %SystemRoot%\System32\taskhost.exe. Its parent process is services.exe. In a nutshell, taskhost.exe is a generic process that acts as a host for processes that run from dynamic link libraries (DLLs) instead of executables; on startup it checks the Windows Registry to discover the DLL-based services that need to be loaded.

EXPLORER.EXE

Explorer.exe is responsible for all GUI Windows Explorer operations, such as browsing files and directories and accessing files. Only one instance of explorer.exe is spawned per user. Its path is %SystemRoot%\Explorer.exe. Its parent is USERINIT.exe, but it appears to have no parent process in the process tree. If cmd is opened under this process, a socket connection is initialized, a conhost process is opened, or explorer.exe does not carry Microsoft's original digital signature, all of these are suspicious.
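The per-process rules above (expected parent, valid path, owner SID, instance count, the exited parents of wininit.exe and explorer.exe, the -k parameter of svchost.exe, and the look-alike names cssrs.exe, 1sass.exe and svch0st.exe mentioned in the CSRSS, LSASS and SVCHOST sections) can be turned into one baseline audit. The code below is an added example of mine, not code from the post: it takes a constructed process list shaped like what a pslist, getsids and cmdline pass over a memory image would give (PID, PPID, image name, path, owner SID, command line) and reports every deviation from the baseline. The baseline table, the constructed PIDs and the user SID are assumptions for the example; svchost.exe's expected parent follows the SERVICES.EXE section, which lists it as a child of services.exe.

```python
from collections import Counter

# Baseline distilled from the post's per-process sections: expected parent name, path
# suffix, allowed owner SIDs and instance count (None = not fixed by the post).
BASELINE = {
    "smss.exe":     dict(parent="system",       path=r"\windows\system32\smss.exe",     sids={"S-1-5-18"}, count=1),
    "csrss.exe":    dict(parent="smss.exe",     path=r"\windows\system32\csrss.exe",    sids={"S-1-5-18"}, count=2),
    "wininit.exe":  dict(parent="smss.exe",     path=r"\windows\system32\wininit.exe",  sids={"S-1-5-18"}, count=1),
    "winlogon.exe": dict(parent="smss.exe",     path=r"\windows\system32\winlogon.exe", sids={"S-1-5-18"}, count=None),
    "lsm.exe":      dict(parent="wininit.exe",  path=r"\windows\system32\lsm.exe",      sids={"S-1-5-18"}, count=1),
    "services.exe": dict(parent="wininit.exe",  path=r"\windows\system32\services.exe", sids={"S-1-5-18"}, count=1),
    "lsass.exe":    dict(parent="wininit.exe",  path=r"\windows\system32\lsass.exe",    sids={"S-1-5-18"}, count=1),
    "svchost.exe":  dict(parent="services.exe", path=r"\windows\system32\svchost.exe",  sids={"S-1-5-18", "S-1-5-19", "S-1-5-20"}, count=None),
    "taskhost.exe": dict(parent="services.exe", path=r"\windows\system32\taskhost.exe", sids=None, count=None),
    "explorer.exe": dict(parent="userinit.exe", path=r"\windows\explorer.exe",          sids=None, count=None),
}
# Parents the post says normally look absent: the per-session smss.exe instance and
# userinit.exe exit after spawning their children, so their PIDs are gone from the list.
EXITED_PARENTS = {"smss.exe", "userinit.exe"}
HOMOGLYPHS = str.maketrans("01", "ol")  # digits commonly swapped in for letters

# Constructed process list (not from a real image). PIDs 340/392 stand for the exited
# session smss.exe instances and 1440 for the exited userinit.exe.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
SYS32 = r"C:\Windows\System32"
PROCS = [
    dict(pid=4,    ppid=0,    name="System",       path="",                         sid="S-1-5-18", cmd=""),
    dict(pid=272,  ppid=4,    name="smss.exe",     path=SYS32 + r"\smss.exe",       sid="S-1-5-18", cmd=""),
    dict(pid=360,  ppid=340,  name="csrss.exe",    path=SYS32 + r"\csrss.exe",      sid="S-1-5-18", cmd=""),
    dict(pid=400,  ppid=340,  name="wininit.exe",  path=SYS32 + r"\wininit.exe",    sid="S-1-5-18", cmd=""),
    dict(pid=412,  ppid=392,  name="csrss.exe",    path=SYS32 + r"\csrss.exe",      sid="S-1-5-18", cmd=""),
    dict(pid=440,  ppid=392,  name="winlogon.exe", path=SYS32 + r"\winlogon.exe",   sid="S-1-5-18", cmd=""),
    dict(pid=500,  ppid=400,  name="services.exe", path=SYS32 + r"\services.exe",   sid="S-1-5-18", cmd=""),
    dict(pid=508,  ppid=400,  name="lsass.exe",    path=SYS32 + r"\lsass.exe",      sid="S-1-5-18", cmd=""),
    dict(pid=516,  ppid=400,  name="lsm.exe",      path=SYS32 + r"\lsm.exe",        sid="S-1-5-18", cmd=""),
    dict(pid=620,  ppid=500,  name="svchost.exe",  path=SYS32 + r"\svchost.exe",    sid="S-1-5-18", cmd=SYS32 + r"\svchost.exe -k DcomLaunch"),
    dict(pid=700,  ppid=500,  name="svchost.exe",  path=SYS32 + r"\svchost.exe",    sid="S-1-5-19", cmd=SYS32 + r"\svchost.exe -k LocalService"),
    dict(pid=1480, ppid=1440, name="explorer.exe", path=r"C:\Windows\explorer.exe", sid=USER_SID,   cmd=r"C:\Windows\explorer.exe"),
    # constructed anomalies: a look-alike name, a second lsass.exe from a user profile,
    # and a svchost.exe started without a -k service group
    dict(pid=2000, ppid=1480, name="svch0st.exe",  path=r"C:\Users\bob\AppData\Local\Temp\svch0st.exe", sid=USER_SID, cmd="svch0st.exe"),
    dict(pid=2100, ppid=1480, name="lsass.exe",    path=r"C:\Users\bob\AppData\Roaming\lsass.exe",      sid=USER_SID, cmd="lsass.exe"),
    dict(pid=2300, ppid=500,  name="svchost.exe",  path=SYS32 + r"\svchost.exe",    sid="S-1-5-18", cmd=SYS32 + r"\svchost.exe"),
]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps,
    so 'cssrs' vs 'csrss' scores 1."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the baseline name this process name imitates (homoglyph swap or one edit
    away), or None for exact baseline names and unrelated names."""
    name = name.lower()
    if name in BASELINE:
        return None
    norm = name.translate(HOMOGLYPHS)
    for real in BASELINE:
        if norm == real or osa_distance(norm, real) <= 1:
            return real
    return None


def audit(procs):
    """Check every process against BASELINE and return the list of findings."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name, pid = p["name"].lower(), p["pid"]
        imitated = lookalike_of(name)
        if imitated:
            findings.append(f"pid {pid}: '{p['name']}' looks like {imitated}")
            continue
        rule = BASELINE.get(name)
        if rule is None:
            continue
        if rule["count"] is not None and counts[name] != rule["count"]:
            findings.append(f"pid {pid}: {name} has {counts[name]} instances, expected {rule['count']}")
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        if parent_name != rule["parent"] and not (parent is None and rule["parent"] in EXITED_PARENTS):
            findings.append(f"pid {pid}: {name} parent is {parent_name or 'gone'}, expected {rule['parent']}")
        if not p["path"].lower().endswith(rule["path"]):
            findings.append(f"pid {pid}: {name} runs from {p['path']}")
        if rule["sids"] and p["sid"] not in rule["sids"]:
            findings.append(f"pid {pid}: {name} owned by {p['sid']}")
        if name == "svchost.exe" and "-k" not in p["cmd"].lower().split():
            findings.append(f"pid {pid}: svchost.exe started without -k service group")
    return findings
```

Running `audit(PROCS)` reports the look-alike svch0st.exe, the duplicate lsass.exe (wrong parent, user-profile path, user SID, and the instance count on both copies so the analyst compares them), and the svchost.exe with no -k group, while the legitimate rows, including csrss.exe and wininit.exe whose session smss.exe parent is gone, stay quiet. The one-edit look-alike rule is deliberately loose and will also match legitimate near-names on some systems, so treat its output as a review queue rather than a verdict.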

https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids
