Windows Processes — Memory Forensics! #DFIR

A cross-reference during memory forensics to minimize confusion. #DFIR

ismail kaleem
3 min read · Jan 8, 2020

There should only ever be one instance of System:

The PID of System is always 4; if not, run for your life!

Session Manager Subsystem/SMSS.EXE

  • Image Path: %SystemRoot%\System32\smss.exe
  • Parent Process: System

smss.exe is executed during the startup of the OS and is the first user-mode process to be started by the kernel. It starts both kernel and user modes of the Win32 subsystem.

Once the child instance has initialized the new session by starting the Windows subsystem (csrss.exe) and wininit.exe for Session 0, or winlogon.exe for the interactive sessions, it exits.

1. Client Server Runtime Process/CSRSS.EXE

  • Image Path: %SystemRoot%\System32\csrss.exe
  • Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.

Session 0 is for services and Session 1 for the local console session. Additional sessions are created through the use of Remote Desktop and/or Fast User Switching. Each new session results in a new instance of csrss.exe.

2. Winlogon.exe

Winlogon's configuration specifies the programs it runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface.

Explorer.exe, the process it ultimately launches:

  • Image Path: %SystemRoot%\explorer.exe
  • Parent Process: Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.

As Winlogon runs userinit which spawns explorer, let’s look at the explorer process next.

2.1 Explorer.exe

  • As already covered, userinit.exe exits after execution, so explorer.exe shows no parent process.
  • The shell to launch is read from the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • The user will be the logged-in account (the one that logged on via the WINLOGON.EXE process).
  • It runs out of %SystemRoot%\Explorer.exe

Explorer spawns the child processes for normal user programs in Windows. explorer.exe should not be requesting any network connections.

3. Wininit.exe

  • Image Path: %SystemRoot%\System32\wininit.exe
  • Parent Process: Created by an instance of smss.exe that exits, so tools usually do not provide the parent process name.

As with SMSS.EXE, userinit.exe exits after it has run, meaning anything it loaded from the registry (explorer.exe, dodgy malware) will not have a parent process. It also means userinit.exe will not be visible to you in Process Explorer.

  • Creates a Window station (Winsta0) and two desktops (Winlogon and Default) for processes to run on in session 0
  • Creates Services.exe
  • Starts Lsass.exe
  • Starts Lsm.exe

3.1 SVCHOST.EXE / Service Hosting Process

There will be multiple instances of SVCHOST running.

  • Image Path: %SystemRoot%\system32\svchost.exe
  • Parent Process: services.exe (most often)

If you ever see an svchost.exe whose parent process ID is not the PID of services.exe, now is the time to panic.
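The genealogy rules above (single System with PID 4, smss.exe parented by System, csrss.exe/wininit.exe/explorer.exe with a creator that has exited, svchost.exe parented by services.exe, and the expected image paths) turned into a check over a pslist-style process table. This is an added example, not code from the post or from any forensic tool; the `Proc` record, the `SAMPLE` list and the assumption that %SystemRoot% is C:\Windows are all constructed for illustration.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path")

# Constructed sample (not real memory-image output): a clean tree plus two
# planted anomalies. %SystemRoot% is assumed to be C:\Windows.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(320, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(420, 412, "csrss.exe", r"C:\Windows\System32\csrss.exe"),  # creator exited
    Proc(480, 412, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(560, 480, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(580, 480, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(700, 560, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2400, 2380, "explorer.exe", r"C:\Windows\explorer.exe"),  # userinit exited
    Proc(3100, 2400, "svchost.exe", r"C:\Windows\System32\svchost.exe"),  # wrong parent
    Proc(3200, 2400, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # wrong path too
]

# Expected image paths (compared case-insensitively), from the post's bullets.
EXPECTED_PATH = {
    "smss.exe": r"c:\windows\system32\smss.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
    "wininit.exe": r"c:\windows\system32\wininit.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}
# Their creators (an smss.exe child or userinit.exe) exit, so the PPID should
# not resolve to any live process in the list.
ORPHAN_EXPECTED = {"csrss.exe", "wininit.exe", "explorer.exe"}

def check_processes(procs):
    """Return (pid, reason) findings for every process that breaks a rule above."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    systems = [p for p in procs if p.name.lower() == "system"]
    if len(systems) != 1 or systems[0].pid != 4:
        findings.append((None, "System must be a single instance with PID 4"))
    for p in procs:
        name, parent = p.name.lower(), by_pid.get(p.ppid)
        if name in EXPECTED_PATH and p.path.lower() != EXPECTED_PATH[name]:
            findings.append((p.pid, f"{p.name} runs from unexpected path {p.path}"))
        if name == "smss.exe" and p.ppid != 4:
            findings.append((p.pid, "smss.exe parent should be System (PID 4)"))
        if name == "svchost.exe" and (parent is None or parent.name.lower() != "services.exe"):
            findings.append((p.pid, "svchost.exe parent is not services.exe"))
        if name in ORPHAN_EXPECTED and parent is not None:
            findings.append((p.pid, f"{p.name} has live parent {parent.name}; creator should have exited"))
    return findings
```

Run against `SAMPLE` it flags only the two planted svchost.exe instances (PID 3100 for its parent, PID 3200 for both its parent and its path); a parent that has already exited is expected for csrss.exe, wininit.exe and explorer.exe and is not reported.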

Hunting for the Ghosts

File-less malware hiding inside the PIDs of legitimate processes.

This is a very time-consuming and tedious task for any DFIR analyst, and it requires a significant amount of data gathering. On top of this, the traditional methods and tools are extremely ineffective against it.

It’s a highly popular technique among targeted attacks and advanced persistent threats (APT), and it has now been adopted by conventional malware such as trojans, ransomware, and even the most recent emerging threat: cryptocurrency miners.
