Core Windows processes

System

The System process (PID 4) hosts the kernel's system threads, which run only kernel-mode code: memory management, device drivers, scheduling and the other low-level services every other process depends on. There is exactly one instance, its parent is the System Idle Process (PID 0), and it has no user-mode image of its own; its code is ntoskrnl.exe and the loaded drivers.

Smss.exe

The Session Manager Subsystem (smss.exe) is the first user-mode process. It creates sessions, starts the Win32 subsystem in each of them and runs boot-time tasks such as pending file renames. The instance in Session 0 starts csrss.exe and wininit.exe there, then launches a short-lived copy of itself for each further session, which starts csrss.exe and winlogon.exe and exits. There should be one long-lived smss.exe, a child of System, running as SYSTEM from C:\Windows\System32.

Csrss.exe

The Client/Server Runtime Subsystem (csrss.exe) is the user-mode side of the Win32 subsystem: it does the bookkeeping for process and thread creation and termination, handles console window allocation (console I/O itself goes through conhost.exe on current Windows) and takes part in shutdown. Win32 API calls made by other processes are serviced partly here and partly by win32k.sys in the kernel. There is one instance per session, running as SYSTEM from C:\Windows\System32; because the smss.exe that creates it exits immediately, tools usually show no live parent.

Wininit.exe

The Windows Initialization process (wininit.exe) is started by smss.exe in Session 0 and launches the core Session 0 processes: services.exe (the Service Control Manager), lsass.exe and, on Windows 7 and earlier, lsm.exe. There is one instance, running as SYSTEM from C:\Windows\System32, and like csrss.exe it usually shows no live parent because the smss.exe that created it has exited.

Services.exe

The Services and Controller app (services.exe) is the Service Control Manager (SCM) itself. It starts, stops and manages system services, keeps the service database under HKLM\SYSTEM\CurrentControlSet\Services, and is the parent of most service processes, including every legitimate svchost.exe. There is one instance, a child of wininit.exe, running as SYSTEM from C:\Windows\System32.

Svchost.exe

The Service Host (svchost.exe) hosts services implemented as DLLs rather than as standalone executables. Several services can share one svchost instance, which saves memory and process overhead; since Windows 10 version 1703, on machines with more than 3.5 GB of RAM, most services instead get an instance of their own, so dozens of svchost.exe processes are normal. Each instance runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE.

Unusual svchost processes are common and can be spotted by:
- A parent process that isn't services.exe
- An image file path that isn't C:\Windows\System32
- Misspellings or look-alike names (svch0st.exe, scvhost.exe)
- No -k parameter in the command line. The -k <group> argument names a service group registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; each service in that group points to the DLL it loads through the ServiceDll value in the HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE NAME>\Parameters subkey. With per-service hosting the command line also carries -s <SERVICE NAME>.
- Running as an account other than SYSTEM, LOCAL SERVICE or NETWORK SERVICE

Lsass.exe

The Local Security Authority Subsystem Service (lsass.exe) enforces the local security policy, authenticates users through packages such as Kerberos and NTLM, creates logon sessions and access tokens, and writes the Security event log. Because it holds credential material for logged-on users it is the classic target for credential dumping, so it should be protected (RunAsPPL or Credential Guard) and watched for processes opening handles to it. There is one instance, a child of wininit.exe, running as SYSTEM from C:\Windows\System32; a second lsass.exe, or one with a different parent or path, is a common sign of a masquerading process.

Winlogon.exe

The Windows Logon process (winlogon.exe) handles interactive logon and logoff: it owns the secure desktop and the Secure Attention Sequence (Ctrl+Alt+Del), collects credentials through logonui.exe, loads the user's profile and, after a successful logon, starts userinit.exe, which launches the shell (explorer.exe) and then exits. It also handles locking and the screen saver. There is one instance per interactive session, running as SYSTEM from C:\Windows\System32, started by an smss.exe that exits afterwards. The Userinit and Shell values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon decide what it launches and are a well-known persistence location.

Explorer.exe

The Windows Explorer process (explorer.exe) provides the desktop, taskbar, Start menu and file-management windows, and launches the applications the user opens, so most user-started programs have explorer.exe as their parent. There is normally one instance per logged-on interactive user, running as that user from C:\Windows\explorer.exe (not System32).

Unusual explorer processes can be spotted by:
- A live parent process (the normal parent, userinit.exe, exits right after launching it)
- An image file path that isn't C:\Windows
- Running as an unknown user, or as SYSTEM or a service account instead of the logged-on user
- Misspellings or look-alike names (explore.exe, exp1orer.exe)
- Outbound TCP/IP connections
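The svchost.exe and explorer.exe indicators above, turned into a read-only PowerShell triage script. This is an added example, not code from the original page: it walks the process list once, checks each svchost.exe for its parent, image path, -k group and the ServiceDll of the services that group may load, checks each explorer.exe for a live parent, image path, owner and established outbound TCP connections, and flags look-alike names by edit distance. Function names (Get-Parent, Test-Svchost, Test-Explorer, Get-EditDistance) are my own; run it from an elevated prompt so command lines and owners are visible for every process.

```powershell
# Added example (not from the original page): triage svchost.exe and explorer.exe
# against the indicators listed above. Read-only; run elevated so command lines and
# owners are readable for every process. All function names are my own.

$script:ByPid = @{}
foreach ($p in Get-CimInstance Win32_Process) { $script:ByPid[[int]$p.ProcessId] = $p }

function Get-Parent($Proc) {
    $p = $script:ByPid[[int]$Proc.ParentProcessId]
    # Guard against PID reuse: a "parent" created after the child is not its parent.
    if ($p -and $p.CreationDate -le $Proc.CreationDate) { return $p }
    return $null
}

function Get-ProcOwner($Proc) {
    $o = Invoke-CimMethod -InputObject $Proc -MethodName GetOwner
    if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'unknown' }
}

# Levenshtein distance, used to catch look-alike names (svch0st.exe, scvhost.exe, explore.exe).
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-Svchost($Proc) {
    $findings = @()
    $parent = Get-Parent $Proc
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $findings += "parent is '$(if ($parent) { $parent.Name } else { 'none' })', expected services.exe"
    }
    # 32-bit service hosts legitimately run from SysWOW64; allowlist that if it shows up.
    if ($Proc.ExecutablePath -ne "$env:SystemRoot\System32\svchost.exe") {
        $findings += "image path is '$($Proc.ExecutablePath)'"
    }
    if (-not $Proc.CommandLine) { return $findings + 'command line not readable (run elevated)' }
    if ($Proc.CommandLine -notmatch '\s-k\s+(\S+)') { return $findings + 'no -k <group> on the command line' }
    $group = $Matches[1]
    # -k names a REG_MULTI_SZ value under the Svchost key listing the services this host may
    # load; with per-service hosting the command line also carries -s <ServiceName>.
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = (Get-ItemProperty $svchostKey -ErrorAction SilentlyContinue).$group
    if (-not $members) { return $findings + "-k group '$group' is not registered under $svchostKey" }
    if ($Proc.CommandLine -match '\s-s\s+(\S+)') { $members = @($Matches[1]) }
    foreach ($svc in $members) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $dll = (Get-ItemProperty "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = (Get-ItemProperty $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll }
        if (-not $dll) { $findings += "service '$svc' has no ServiceDll value"; continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) { $findings += "ServiceDll '$dll' for '$svc' does not exist" }
        elseif ($dll -notlike "$env:SystemRoot\System32\*") { $findings += "ServiceDll '$dll' for '$svc' is outside System32" }
    }
    return $findings
}

function Test-Explorer($Proc) {
    $findings = @()
    # userinit.exe starts explorer.exe and exits, so a live parent is unusual; an explorer
    # launched from another explorer (separate-process folder windows) is the benign case.
    $parent = Get-Parent $Proc
    if ($parent) { $findings += "live parent '$($parent.Name)' (PID $($parent.ProcessId))" }
    if ($Proc.ExecutablePath -ne "$env:SystemRoot\explorer.exe") { $findings += "image path is '$($Proc.ExecutablePath)'" }
    $owner = Get-ProcOwner $Proc
    # The shell runs as the logged-on user, never as SYSTEM or a service account.
    if ($owner -eq 'unknown' -or $owner -like 'NT AUTHORITY\*') { $findings += "running as '$owner'" }
    $conns = Get-NetTCPConnection -OwningProcess $Proc.ProcessId -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' }
    foreach ($c in $conns) { $findings += "established TCP connection to $($c.RemoteAddress):$($c.RemotePort)" }
    return $findings
}

$checks = @{ 'svchost.exe' = ${function:Test-Svchost}; 'explorer.exe' = ${function:Test-Explorer} }
foreach ($proc in $script:ByPid.Values) {
    if ($checks.ContainsKey($proc.Name)) {
        foreach ($f in & $checks[$proc.Name] $proc) { "PID $($proc.ProcessId) $($proc.Name): $f" }
    } else {
        foreach ($expected in $checks.Keys) {
            $dist = Get-EditDistance $proc.Name $expected
            # Distance 2 also catches legitimate names such as sihost.exe; review, do not auto-block.
            if ($dist -le 2) { "PID $($proc.ProcessId) $($proc.Name): look-alike of $expected (distance $dist)" }
        }
    }
}
```

Every finding is a line of the form "PID <n> <name>: <reason>", so the output can be piped to a file or a SIEM forwarder as-is. The parent check compares creation times so that a PID recycled after the real parent exited is not mistaken for a live parent; the ServiceDll check is the one that separates a real service host from a renamed binary carrying a plausible -k argument, because a group that is not registered, or a service whose DLL is missing or outside System32, cannot be what services.exe started.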
