This post will go over some core windows processes and what they should look like. I will be using Process Hacker and Process Explorer to show examples of each one. The main goal is to help people determine if their processes are legitimate or if they are dealing with malware trying to hide among the other numerous processes.
Process: System
The System process is the container for the kernel's own threads. Unlike every other entry in the process list it does not come from an executable on disk (Process Hacker and Process Explorer show no image path for it); its threads run in kernel mode with direct access to hardware and memory, which is why anything hiding under this name deserves immediate attention.
Normal:
PID always 4
Runs in kernel mode*
Parent: System Idle process (0)
Should only be 1 instance of System
Always running in session 0**
*Kernel mode is a privileged operational mode in a computer's operating system (OS) where the kernel, the core component of the OS, executes. In kernel mode, the operating system has direct access to the hardware and can perform critical operations, manage system resources, and enforce security controls.
**In Windows operating systems, "session 0" refers to the isolated and non-interactive desktop environment where system-level processes run. The "System" process is one such process that runs exclusively in session 0. Running system-level processes in session 0 enhances security by isolating them from user sessions. This isolation prevents non-privileged applications or user actions from interfering with critical system operations.
Near the top you can see the System process with a PID of 4, and its parent process, System Idle Process, with a PID of 0. You can also see that there is only 1 System process.
Right-clicking in either Process Hacker (above) or Process Explorer (below) will give you more details on the selected process.
Process: smss.exe (Session Manager SubSystem)
Normal:
Image Path: Windows\System32\smss.exe
Parent Process: System (PID 4)
Number of Instances: One master instance and one child instance per session. Child exits after creating the session.
User Account: Local System
Start Time: Within seconds of boot time for the master instance.
The file "smss.exe" stands for Session Manager Subsystem. It is a critical system process in Windows operating systems and is responsible for creating sessions and launching the next processes in the boot chain. Here is a summary of smss.exe:
1. Purpose: Smss.exe is the first user-mode process started during boot. The kernel-mode System process (PID 4) creates it, which is why its parent must always be PID 4. It initializes the session environment and launches the other core components of the system.
2. Session Management: Smss.exe creates and manages sessions. It first sets up session 0, the non-interactive session that hosts system services, and then creates a new session (session 1 and up) for each interactive logon, RDP connection and the like, spawning a child smss.exe to initialize it. That child exits as soon as the session is set up, so on a quiet system you will normally see only the master instance.
3. Process Launching: For each session smss.exe starts a csrss.exe (Client/Server Runtime Subsystem, the user-mode side of the Win32 subsystem, responsible for console windows, process and thread creation and shutdown). In session 0 it also starts wininit.exe, which in turn launches services.exe and lsass.exe; in interactive sessions it starts winlogon.exe, which handles user logons. Smss.exe does not start services itself, so a service host or anything other than csrss.exe, wininit.exe or winlogon.exe appearing as a direct child of smss.exe is worth a closer look.
4. System Shutdown: Smss.exe also plays a role in system shutdown and session termination. It waits on the csrss.exe and wininit.exe processes it created and takes part in tearing sessions down; because these are marked as critical processes, their unexpected termination brings the system down with a bug check rather than leaving it running in a degraded state.
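The two "Normal" checklists above (System and smss.exe) and the parent/child relationships just described can be checked automatically rather than by eye. The following PowerShell is an added example written for this post, not code from Process Hacker, Process Explorer or any other tool mentioned here. It assumes an elevated prompt (the owner and image path of SYSTEM processes are only visible to administrators), uses Win32_Process because it exposes ParentProcessId, SessionId and ExecutablePath, and treats the 60 second boot-to-smss window as an assumed tolerance rather than a documented value.

```powershell
# Added example: baseline checks for System (PID 4) and smss.exe.
# Run elevated; returns a list of findings (empty list = everything matched the baseline).
function Test-CoreProcessBaseline {
    $findings = New-Object System.Collections.Generic.List[string]
    $procs    = Get-CimInstance -ClassName Win32_Process
    $boot     = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # --- System: exactly one instance, PID 4, parent PID 0, session 0 ---
    $system = @($procs | Where-Object { $_.Name -eq 'System' })
    if ($system.Count -ne 1) {
        $findings.Add("System: expected 1 instance, found $($system.Count)")
    }
    foreach ($p in $system) {
        if ($p.ProcessId -ne 4)       { $findings.Add("System: PID is $($p.ProcessId), expected 4") }
        if ($p.ParentProcessId -ne 0) { $findings.Add("System: parent PID is $($p.ParentProcessId), expected 0 (System Idle Process)") }
        if ($p.SessionId -ne 0)       { $findings.Add("System: session is $($p.SessionId), expected 0") }
    }

    # --- smss.exe: master is child of PID 4 in session 0; children are children of the master ---
    $expectedPath = Join-Path $env:SystemRoot 'System32\smss.exe'
    $smss = @($procs | Where-Object { $_.Name -ieq 'smss.exe' })
    if ($smss.Count -eq 0) { $findings.Add('smss.exe: no instance running') }

    $masters = @($smss | Where-Object { $_.ParentProcessId -eq 4 })
    if ($masters.Count -ne 1) {
        $findings.Add("smss.exe: expected 1 master instance (parent PID 4), found $($masters.Count)")
    }

    foreach ($p in $smss) {
        $tag    = "smss.exe PID $($p.ProcessId)"
        $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }

        # A parent that started AFTER the child means the parent PID was reused:
        # the real parent is gone and the PID tells you nothing.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) {
            $findings.Add("${tag}: parent PID $($p.ParentProcessId) was reused ($($parent.Name) started after the child)")
        } elseif (-not (($p.ParentProcessId -eq 4) -or ($parent -and $parent.Name -ieq 'smss.exe'))) {
            $findings.Add("${tag}: parent PID $($p.ParentProcessId) ($($parent.Name)) is neither System nor smss.exe")
        }

        if ($p.ParentProcessId -eq 4) {
            if ($p.SessionId -ne 0) { $findings.Add("${tag}: master instance in session $($p.SessionId), expected 0") }
            # Assumed tolerance: the master should appear within seconds of boot; 60 s is a generous cutoff.
            $delay = ($p.CreationDate - $boot).TotalSeconds
            if ($delay -gt 60) { $findings.Add("${tag}: master started $([int]$delay)s after boot") }
        }

        # Image path: only populated for SYSTEM processes when running elevated.
        if (-not $p.ExecutablePath) {
            $findings.Add("${tag}: image path not readable (run elevated)")
        } else {
            if ($p.ExecutablePath -ine $expectedPath) {
                $findings.Add("${tag}: image path is $($p.ExecutablePath), expected $expectedPath")
            }
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid') {
                $findings.Add("${tag}: signature status is $($sig.Status)")
            }
        }

        # Owner must be the Local System account.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) {
            $findings.Add("${tag}: owner not readable (run elevated)")
        } elseif ($owner.User -ne 'SYSTEM') {
            $findings.Add("${tag}: owner is $($owner.Domain)\$($owner.User), expected NT AUTHORITY\SYSTEM")
        }
    }
    return $findings
}

$results = Test-CoreProcessBaseline
if ($results.Count -eq 0) { 'System and smss.exe match the baseline.' } else { $results }
```

Two points from the script are worth keeping in mind when you do the same checks by hand in Process Hacker or Process Explorer. First, the per-session smss.exe children live for well under a second, so a second smss.exe that stays around is suspicious even though "one child per session" is technically allowed. Second, parent PIDs are reused: a process whose listed parent started after it did has an orphaned parent PID, and the tree the tools draw for it cannot be trusted without checking creation times.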
Also, just hovering your mouse over a process will give you a small summary of it.