Session 0:
System (PID 4) → smss.exe. smss.exe is the Windows Session Manager, responsible for creating new sessions. It is a user-mode process started by the kernel; the child copy of smss.exe that starts each session terminates itself once the session is set up.
smss.exe → csrss.exe && wininit.exe
- wininit.exe:
- → services.exe (Service Control Manager)
- loads services and interacts with them (starting and stopping). Maintains a database of services that can be queried with the built-in Windows utility sc.exe.
- → svchost.exe is responsible for hosting and managing Windows services. The services hosted here are implemented as DLLs; the DLL implementing each service is recorded in the registry under the service's Parameters subkey, in the ServiceDll value.
- HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters is where the required ServiceDll is documented.
- → lsass.exe (Local Security Authority)
- responsible for enforcing the security policy on the system: verifies user logons, handles password changes, creates access tokens, and writes to the Windows Security Log.
- It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON. It uses the authentication packages specified in HKLM\System\CurrentControlSet\Control\Lsa.
- Targeted by attacks such as Mimikatz to dump credentials or impersonate accounts.
- lsaiso.exe (within session 0) is a process associated with Credential Guard and Key Guard. You will only see this process if Credential Guard is enabled.
Session 1:
smss.exe → csrss.exe && winlogon.exe
- winlogon.exe is responsible for handling the Secure Attention Sequence (SAS). It loads the user profile by loading the user's NTUSER.DAT into HKCU and, via userinit.exe, loads the user's shell.
- winlogon.exe → userinit.exe → explorer.exe
- explorer.exe gives the user access to their folders and files. It also provides other features such as the Start Menu.
- userinit.exe exits after spawning explorer.exe, so the parent process for explorer.exe is non-existent.
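As an added example (not part of these notes), a Python check that applies the parent/child and session expectations from the Session 0 and Session 1 trees above to a process snapshot. The snapshot, including every PID in it, is constructed for illustration; it plays the role of a tasklist or Sysmon export.

```python
# Added example (not from the notes): check a process snapshot against the expected genealogy.
from collections import namedtuple
Proc = namedtuple("Proc", "pid ppid name session")

# Expected parent image for each core process (compared case-insensitively).
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe", "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe", "svchost.exe": "services.exe",
    "userinit.exe": "winlogon.exe", "explorer.exe": "userinit.exe",
}
# The per-session smss.exe copy and userinit.exe exit after spawning children, so a dead PPID is normal there.
TRANSIENT_PARENTS = {"smss.exe", "userinit.exe"}
# Session-0-only processes that should exist exactly once.
SESSION0_SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

def check_genealogy(procs):
    """Return a list of findings; an empty list means the tree looks normal."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue  # not one of the core processes covered here
        parent = by_pid.get(p.ppid)
        if parent is None:
            if expected not in TRANSIENT_PARENTS:
                findings.append(f"{name} pid={p.pid}: parent pid {p.ppid} is gone, expected live {expected}")
        elif parent.name.lower() != expected:
            findings.append(f"{name} pid={p.pid}: parent is {parent.name}, expected {expected}")
        if name in SESSION0_SINGLETONS and p.session != 0:
            findings.append(f"{name} pid={p.pid}: in session {p.session}, expected session 0")
    for name in SESSION0_SINGLETONS:
        count = sum(1 for p in procs if p.name.lower() == name)
        if count != 1:
            findings.append(f"{name}: {count} instances, expected exactly 1")
    return findings

# Constructed snapshot: a normal tree plus two planted anomalies in session 1.
SNAPSHOT = [Proc(*row) for row in [
    (4, 0, "System", 0), (320, 4, "smss.exe", 0),
    (420, 408, "csrss.exe", 0), (500, 408, "wininit.exe", 0),  # 408: exited smss.exe copy
    (580, 500, "services.exe", 0), (600, 500, "lsass.exe", 0), (720, 580, "svchost.exe", 0),
    (510, 496, "csrss.exe", 1), (560, 496, "winlogon.exe", 1),  # 496: exited smss.exe copy
    (4200, 4100, "explorer.exe", 1),  # 4100: userinit.exe, already exited
    (5000, 4200, "svchost.exe", 1),   # anomaly: svchost.exe spawned by explorer.exe
    (5100, 4200, "lsass.exe", 1),     # anomaly: second lsass.exe outside session 0
]]
```

Running `check_genealogy(SNAPSHOT)` reports the two planted anomalies as four findings (wrong parent for svchost.exe; wrong parent, wrong session and duplicate instance for lsass.exe), while the legitimate children of the exited smss.exe copies and of userinit.exe produce none.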
csrss.exe (Client/Server Runtime Subsystem):
Client/Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user-mode side of the Win32 subsystem and is included in Windows NT 3.1 and later.[1] Because most of the Win32 subsystem operations have been moved to kernel-mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown. It is critical to system operation; therefore, terminating this process will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Windows Vista if the Task Manager is run in Administrator mode. On Windows 7 and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt whether they want to continue. In Windows NT 4.0, however, terminating CSRSS without the Session Manager Subsystem (SMSS) watching will not crash the system.[2] In Windows XP, however, terminating CSRSS without SMSS watching will crash the system because the critical bit is set on csrss.exe.