Hunt Evil

In the vast landscape of digital forensics, the ability to distinguish between normal and abnormal behavior on a Windows host is paramount. This skill helps investigators cut through the noise and quickly locate potential malware. This article provides a reference to help you understand what’s normal in Windows, so you can focus your attention on the outliers.

The System Process (System)

  • Image Path: N/A for system.exe – Not generated from an executable image.

  • Parent Process: None.

  • Number of Instances: One.

  • User Account: Local System.

  • Start Time: At boot time.

  • Description: The System process is responsible for most kernel-mode threads. Modules running under System are primarily drivers (.sys files) but also include several important DLLs as well as the kernel executable, ntoskrnl.exe.

This process is integral to the functioning of the Windows operating system, ensuring that various system-level operations and drivers are managed efficiently.

Session Manager Process (smss.exe)

  • Image Path: %SystemRoot%\System32\smss.exe

  • Parent Process: System

  • Number of Instances:

    • One master instance.

    • One child instance per session, which exits after creating the session.

  • User Account: Local System

  • Start Time: Within seconds of boot time for the master instance.

  • Description:

    • Purpose: Responsible for creating new sessions.

    • Operation:

      • The master instance creates a child instance for each new session.

      • Each child instance initializes the new session by starting key processes:

        • csrss.exe (Windows subsystem)

        • wininit.exe for Session 0

        • winlogon.exe for Session 1 and higher

      • After initializing the session, the child instance exits.

The Session Manager process plays a crucial role in session creation and initialization, ensuring that the necessary components for user sessions are started properly.

Client/Server Run-Time Subsystem (csrss.exe)

  • Image Path: %SystemRoot%\System32\csrss.exe

  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.

  • Number of Instances: Two or more

  • User Account: Local System

  • Start Time:

    • Within seconds of boot time for the first two instances (for Session 0 and 1).

    • Start times for additional instances occur as new sessions are created, although often only Sessions 0 and 1 are created.

  • Description:

    • Purpose: User-mode process for the Windows subsystem.

    • Responsibilities:

      • Managing processes and threads.

      • Importing many of the DLLs that provide the Windows API.

      • Facilitating the shutdown of the GUI during system shutdown.

    • Operation:

      • An instance of csrss.exe runs for each session.

      • Session 0 is for services.

      • Session 1 is for the local console session.

      • Additional sessions are created through Remote Desktop and/or Fast User Switching, resulting in new instances of csrss.exe.

The Client/Server Run-Time Subsystem is vital for managing user-mode operations within the Windows operating system, ensuring that processes, threads, and essential system functions are handled efficiently.

Windows Initialization Process (wininit.exe)

  • Image Path: %SystemRoot%\System32\wininit.exe

  • Parent Process: Created by an instance of smss.exe that exits, making it difficult for analysis tools to identify the parent process.

  • Number of Instances: One

  • User Account: Local System

  • Start Time: Within seconds of boot time

  • Description:

    • Role: Responsible for starting key background processes within Session 0, which is the session dedicated to system services and background tasks.

    • Primary Responsibilities:

      • Service Control Manager (services.exe): Manages the starting, stopping, and interaction of system services.

      • Local Security Authority Subsystem Service (lsass.exe): Handles security policies, user authentication, and the generation of access tokens.

      • LSA Isolated (LSAISO) process (lsaiso.exe): Used in systems with Credential Guard enabled to provide additional security by isolating secrets (e.g., user credentials).

    • Changes in Windows 10:

      • Local Session Manager (lsm.exe): Previously started by wininit.exe, but in Windows 10, this functionality has moved to a service DLL (lsm.dll) hosted by svchost.exe.

The wininit.exe process is crucial for initializing critical system services and security components during the early stages of the Windows operating system's boot process. Its proper functioning is essential for the overall stability and security of the system.

Services and Controller App (services.exe)

  • Image Path: %SystemRoot%\System32\services.exe

  • Parent Process: wininit.exe

  • Number of Instances: One

  • User Account: Local System

  • Start Time: Within seconds of boot time

  • Description:

    • Role: Implements the Unified Background Process Manager (UBPM) and the Service Control Manager (SCM).

    • Primary Responsibilities:

      • Unified Background Process Manager (UBPM): Manages background activities such as services and scheduled tasks.

      • Service Control Manager (SCM):

        • Handles the loading, starting, stopping, and interaction of services and device drivers that are marked for auto-start during the boot process.

        • Manages the lifecycle and dependencies of system services.

      • Boot Success Confirmation:

        • Once a user logs on interactively, the SCM considers the boot successful.

        • Updates the Last Known Good control set (HKLM\SYSTEM\Select\LastKnownGood) to match the CurrentControlSet. This ensures that the system can revert to the last known good configuration if needed.

    • Significance:

      • Ensures the proper initialization and management of essential services and drivers.

      • Provides a stable environment for running background tasks and services, which are critical for the overall functionality of the operating system.

      • Plays a vital role in maintaining system stability and recoverability by managing the Last Known Good configuration.

The services.exe process is a fundamental component of the Windows operating system, ensuring that critical services and drivers are managed efficiently and that the system can recover from configuration issues.

Service Host Process (svchost.exe)

  • Image Path: %SystemRoot%\system32\svchost.exe

  • Parent Process: services.exe (most often)

  • Number of Instances: Many (generally at least 10, potentially more than 50 on systems with over 3.5 GB RAM)

  • User Account: Varies depending on the svchost instance, typically:

    • Local System

    • Network Service

    • Local Service

    • Windows 10 instances can also run as logged-on users.

  • Start Time: Typically within seconds of boot time. However, services can also start after boot (e.g., at logon), resulting in new instances of svchost.exe after boot time.

  • Description:

    • Role: Generic host process for Windows services, used for running service DLLs.

    • Instance Management:

      • Windows runs multiple instances of svchost.exe, each with a unique -k parameter for grouping similar services.

      • Common -k parameters include DcomLaunch, RPCSS, LocalServiceNetworkRestricted, LocalServiceNoNetwork, LocalServiceAndNoImpersonation, netsvcs, NetworkService, and more.

    • Security Concerns:

      • Malware authors often exploit the ubiquitous nature of svchost.exe, using it to host malicious DLLs or running malicious processes named similarly to svchost.exe.

    • Changes in Windows 10 version 1703:

      • Microsoft changed the default grouping of similar services if the system has more than 3.5 GB of RAM.

      • Most services will run under their own instance of svchost.exe on such systems, leading to a significant increase in the number of svchost.exe instances (potentially more than 50).

    • Importance:

      • svchost.exe is essential for the execution and management of many system services.

      • Proper functioning of svchost.exe instances ensures that various background services and system functionalities operate correctly.

      • Monitoring svchost.exe is crucial for system security and performance management, given its critical role and the potential for misuse by malware.

The svchost.exe process is a core component of the Windows operating system, responsible for hosting and managing various system services, ensuring they run efficiently and securely.

Runtime Broker Process (RuntimeBroker.exe)

  • Image Path: %SystemRoot%\System32\RuntimeBroker.exe

  • Parent Process: svchost.exe

  • Number of Instances: One or more

  • User Account: Typically the logged-on user(s)

  • Start Time: Start times vary greatly depending on the initiation of Universal Windows Platform (UWP) apps.

  • Description:

    • Role: Acts as a proxy between constrained Universal Windows Platform (UWP) apps (formerly called Metro apps) and the full Windows API.

    • Primary Responsibilities:

      • Access Mediation: Provides necessary access for UWP apps to interface with hardware and the file system, which they are otherwise restricted from accessing directly.

      • Security and Resource Management: Ensures that UWP apps operate within their defined security and resource constraints.

    • Instance Management:

      • Generally, there will be one RuntimeBroker.exe process for each running UWP app.

      • For example, starting an app like Calculator.exe will cause a corresponding RuntimeBroker.exe process to initiate.

    • Importance:

      • Critical for the proper functioning of UWP apps, ensuring they can access necessary system resources while maintaining system security and stability.

      • Facilitates the safe execution of UWP apps by enforcing the restricted capabilities and permissions assigned to them.

The RuntimeBroker.exe process is essential for managing the interaction between UWP apps and the broader Windows environment, ensuring that these apps can function correctly while adhering to their security and capability constraints.

Task Host for Windows (taskhostw.exe)

  • Image Path: %SystemRoot%\System32\taskhostw.exe

  • Parent Process: svchost.exe

  • Number of Instances: One or more

  • User Account: Multiple taskhostw.exe processes are normal. They can be owned by logged-on users and/or local service accounts.

  • Start Time: Start times vary greatly depending on the tasks being triggered.

  • Description:

    • Role: Generic host process for Windows Tasks, responsible for managing and executing scheduled tasks.

    • Primary Responsibilities:

      • Task Initialization: Upon initialization, taskhostw.exe runs a continuous loop listening for trigger events.

      • Trigger Events: Tasks can be initiated by various trigger events such as:

        • Defined schedule

        • User logon

        • System startup

        • Idle CPU time

        • Windows log events

        • Workstation lock/unlock

      • Task Management: Manages the execution of tasks based on the defined triggers and schedules.

    • Preconfigured Tasks:

      • More than 160 tasks are preconfigured on a default installation of Windows 10 Enterprise, though many are disabled.

      • All executable files (DLLs & EXEs) used by the default Windows 10 scheduled tasks are signed by Microsoft, ensuring their authenticity and security.

    • Importance:

      • Facilitates the automation of various system maintenance and management tasks, enhancing system efficiency and user experience.

      • Ensures that scheduled tasks are executed reliably based on their triggers, contributing to the smooth operation of the system.

The taskhostw.exe process is essential for managing scheduled tasks within the Windows operating system, ensuring that these tasks are executed efficiently and securely based on their defined triggers.

LSA Isolated Process (lsaiso.exe)

  • Image Path: %SystemRoot%\System32\lsaiso.exe

  • Parent Process: wininit.exe

  • Number of Instances: Zero or one

  • User Account: Local System

  • Start Time: Within seconds of boot time

  • Description:

    • Role: Provides secure storage for account credentials when Credential Guard is enabled, leveraging hardware virtualization technology for isolation.

    • Primary Responsibilities:

      • Credential Storage: Safely stores account credentials in an isolated environment, separate from other processes, to enhance security.

      • Function Split: When Credential Guard is enabled, the functionality of lsass.exe is divided between lsass.exe and lsaiso.exe.

        • lsass.exe retains most of its original functionalities.

        • lsaiso.exe takes over the role of secure credential storage.

      • Remote Authentication: When remote authentication is needed, lsass.exe uses a Remote Procedure Call (RPC) channel to communicate with lsaiso.exe to authenticate the user to the remote service.

    • Security Context:

      • Runs in a context isolated from other processes via hardware virtualization, ensuring that sensitive credentials are protected from potential threats.

      • This isolation is part of Microsoft's Credential Guard feature, designed to protect user credentials from advanced persistent threats and malware.

    • Condition-Based Operation:

      • lsaiso.exe only runs if Credential Guard is enabled.

      • If Credential Guard is not enabled, lsaiso.exe should not be present or running on the system.

The lsaiso.exe process is crucial for enhancing security in environments where Credential Guard is enabled, providing robust protection for account credentials through hardware-based isolation and ensuring secure handling of authentication processes.

Local Security Authority Subsystem Service (lsass.exe)

  • Image Path: %SystemRoot%\System32\lsass.exe

  • Parent Process: wininit.exe

  • Number of Instances: One

  • User Account: Local System

  • Start Time: Within seconds of boot time

  • Description:

    • Role: Responsible for authenticating users and enforcing security policies.

    • Primary Responsibilities:

      • User Authentication:

        • Calls appropriate authentication packages specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

        • Typically uses Kerberos for domain accounts and MSV1_0 for local accounts.

      • Security Policy Implementation:

        • Enforces local security policies, including password policies and audit policies.

      • Event Logging:

        • Writes security-related events to the security event log, providing an audit trail of security-related activities and changes.

    • Instance Management:

      • Only one instance of lsass.exe should be running on the system.

      • It should rarely have child processes, with Encrypting File System (EFS) being a known exception.

    • Additional Functionality:

      • In environments with Credential Guard enabled, some functionalities related to credential storage are offloaded to lsaiso.exe, while lsass.exe retains most of its original responsibilities.

    • Significance:

      • Critical for maintaining system security by ensuring that only authenticated users gain access and that security policies are consistently enforced.

      • Provides crucial logging and auditing capabilities, which are vital for detecting and investigating security incidents.

The lsass.exe process is a vital component of the Windows security infrastructure, ensuring robust user authentication, policy enforcement, and security event logging to protect the integrity and security of the system.

Windows Logon Application (winlogon.exe)

  • Image Path: %SystemRoot%\System32\winlogon.exe

  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.

  • Number of Instances: One or more

  • User Account: Local System

  • Start Time: Within seconds of boot time for the first instance (Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.

  • Description:

    • Role: Handles interactive user logons and logoffs.

    • Primary Responsibilities:

      • User Logon Process:

        • Launches LogonUI.exe, which uses a credential provider to gather credentials from the user.

        • Passes the gathered credentials to lsass.exe for validation.

      • User Authentication:

        • Works with lsass.exe to authenticate the user.

      • User Session Initialization:

        • Once authenticated, winlogon.exe loads the user's NTUSER.DAT into the HKCU (HKEY_CURRENT_USER) registry hive.

        • Starts the user's shell (usually explorer.exe) via userinit.exe.

    • Instance Management:

      • Typically one instance for the primary session (Session 1).

      • Additional instances are created for each new user session initiated through Remote Desktop or Fast User Switching.

    • Significance:

      • Critical for managing the logon and logoff processes, ensuring secure and seamless user authentication and session initialization.

      • Manages the transition from the logon screen to the user's desktop environment, handling the necessary background processes to ensure the user's environment is correctly set up.

The winlogon.exe process is essential for handling user logon and logoff activities, ensuring that user credentials are securely processed and that the user's session is initialized correctly and efficiently.

Windows Explorer (explorer.exe)

  • Image Path: %SystemRoot%\explorer.exe

  • Parent Process: Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.

  • Number of Instances: One or more per interactively logged-on user

  • User Account: <logged-on user(s)>

  • Start Time: The first instance starts when the owner’s interactive logon begins.

  • Description:

    • Role: Provides users with access to files and the user interface.

    • Primary Responsibilities:

      • File Browser: Functions as a file browser via Windows Explorer.

      • User Interface: Provides the user interface, including:

        • Desktop

        • Start Menu

        • Taskbar

        • Control Panel

      • Application Launching: Allows application launching via file extension associations and shortcut files.

    • Instance Management:

      • The default user interface is specified in the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.

      • Windows can alternatively function with another interface such as cmd.exe or powershell.exe.

      • Legitimate explorer.exe resides in the %SystemRoot% directory rather than %SystemRoot%\System32.

      • Multiple instances per user can occur, especially when the option "Launch folder windows in a separate process" is enabled.

    • Significance:

      • Essential for providing a familiar and functional user interface, allowing users to interact with the file system and launch applications.

      • Central to the Windows user experience, integrating various user interface elements and functionalities into a single process.

The explorer.exe process is a crucial component of the Windows operating system, serving as both a file browser and the primary user interface, enabling users to interact with their files, applications, and system settings seamlessly.
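The attributes catalogued above (image path, parent, instance count, user account) can be checked mechanically against an exported process listing. The following Python is an added example and not part of the original article: it encodes the baseline from the sections above, flags rows that deviate from it, and also flags names one character off from a core system process name (the svchost.exe lookalike concern). The SYSROOT value, the field names (pid, name, path, parent, user) and the sample rows are constructed assumptions.

```python
from collections import Counter

SYSROOT = r"C:\Windows"            # assumed %SystemRoot% on the sample host
SYSTEM32 = SYSROOT + r"\System32"
# Baseline distilled from the sections above: (directory, allowed parents, max instances, allowed
# accounts). parents=None: the parent exited (smss.exe/userinit.exe), so any reported value is
# tolerated; users=None: varies (service accounts or logged-on users).
BASELINE = {
    "smss.exe":          (SYSTEM32, {"system"},       None, {"system"}),
    "csrss.exe":         (SYSTEM32, None,             None, {"system"}),
    "wininit.exe":       (SYSTEM32, None,             1,    {"system"}),
    "services.exe":      (SYSTEM32, {"wininit.exe"},  1,    {"system"}),
    "svchost.exe":       (SYSTEM32, {"services.exe"}, None, None),
    "lsass.exe":         (SYSTEM32, {"wininit.exe"},  1,    {"system"}),
    "lsaiso.exe":        (SYSTEM32, {"wininit.exe"},  1,    {"system"}),
    "winlogon.exe":      (SYSTEM32, None,             None, {"system"}),
    "runtimebroker.exe": (SYSTEM32, {"svchost.exe"},  None, None),
    "taskhostw.exe":     (SYSTEM32, {"svchost.exe"},  None, None),
    "explorer.exe":      (SYSROOT,  None,             None, None),
}

def _lookalike(name):
    """Baseline name that `name` imitates with one substituted character (e.g. svch0st.exe), else None."""
    for real in BASELINE:
        if len(real) == len(name) and sum(x != y for x, y in zip(real, name)) == 1:
            return real
    return None

def check_processes(procs):
    """procs: dicts with pid, name, path, parent, user. Returns [(pid, finding)]; [] means all normal."""
    findings = []
    counts = Counter(p["name"].lower() for p in procs)
    for p in procs:
        name = p["name"].lower()
        if name not in BASELINE:                      # not a catalogued process: only test for a lookalike name
            real = _lookalike(name)
            if real:
                findings.append((p["pid"], f"name '{p['name']}' resembles {real}"))
            continue
        path, parents, limit, users = BASELINE[name]
        if p["path"].rsplit("\\", 1)[0].lower() != path.lower():
            findings.append((p["pid"], f"{name} running from {p['path']} (expected {path})"))
        if parents is not None and p["parent"].lower() not in parents:
            findings.append((p["pid"], f"{name} parent is {p['parent']!r} (expected {sorted(parents)})"))
        if users is not None and p["user"].split("\\")[-1].lower() not in users:
            findings.append((p["pid"], f"{name} runs as {p['user']} (expected Local System)"))
        if limit is not None and counts[name] > limit:
            findings.append((p["pid"], f"{counts[name]} instances of {name} (expected at most {limit})"))
    return findings

# Constructed sample listing (not real data): four normal rows, then three rows that deviate.
SAMPLE = [
    dict(pid=368,  name="smss.exe",     path=r"C:\Windows\System32\smss.exe",     parent="System",       user=r"NT AUTHORITY\SYSTEM"),
    dict(pid=652,  name="services.exe", path=r"C:\Windows\System32\services.exe", parent="wininit.exe",  user=r"NT AUTHORITY\SYSTEM"),
    dict(pid=672,  name="lsass.exe",    path=r"C:\Windows\System32\lsass.exe",    parent="wininit.exe",  user=r"NT AUTHORITY\SYSTEM"),
    dict(pid=3120, name="explorer.exe", path=r"C:\Windows\explorer.exe",          parent="",             user=r"DESKTOP-01\alice"),
    dict(pid=4410, name="svchost.exe",  path=r"C:\Users\alice\AppData\Local\Temp\svchost.exe", parent="explorer.exe", user=r"DESKTOP-01\alice"),
    dict(pid=4522, name="lsass.exe",    path=r"C:\Windows\System32\lsass.exe",    parent="cmd.exe",      user=r"DESKTOP-01\alice"),
    dict(pid=4601, name="svch0st.exe",  path=r"C:\Windows\System32\svch0st.exe",  parent="services.exe", user=r"NT AUTHORITY\SYSTEM"),
]
```

Running `check_processes(SAMPLE)` on the sample yields seven findings: the duplicate lsass.exe (reported for both instances), the svchost.exe with a wrong directory and parent, the second lsass.exe with a wrong parent and account, and the svch0st.exe lookalike.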
