hacktricks/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md

129 lines
6.9 KiB
Markdown
Raw Normal View History

2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
2022-05-01 16:32:23 +00:00
## smss.exe
2021-09-06 14:49:06 +00:00
It's called **Session Manager**.\
Session 0 starts **csrss.exe** and **wininit.exe** (**OS** **services**) while Session 1 starts **csrss.exe** and **winlogon.exe** (**User** **session**). However, you should see **only one process** of that **binary** without children in the processes tree.\
2021-09-06 14:49:06 +00:00
Also, more sessions apart from 0 and 1 may mean that RDP sessions are occurring.
2022-05-01 16:32:23 +00:00
## csrss.exe
2021-09-06 14:49:06 +00:00
Is the **Client/Server Run Subsystem Process**.\
It manages **processes** and **threads**, makes the **Windows** **API** available for other processes and also **maps** **drive** **letters**, create **temp** **files** and handles the **shutdown** **process**.\
There is one **running in Session 0 and another one in Session 1** (so **2 processes** in the processes tree).\
2021-09-06 14:49:06 +00:00
Another one is created **per new Session**.
2022-05-01 16:32:23 +00:00
## winlogon.exe
2021-09-06 14:49:06 +00:00
This is Windows Logon Process.\
It's responsible for user **logon**/**logoffs**.\
It launches **logonui.exe** to ask for username and password and then calls **lsass.exe** to verify them.\
Then it launches **userinit.exe** which is specified in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** with key **Userinit**.\
2021-09-06 14:49:06 +00:00
Mover over, the previous registry should have **explorer.exe** in the **Shell key** or it might be abused as a **malware persistence method**.
2022-05-01 16:32:23 +00:00
## wininit.exe
2021-09-06 14:49:06 +00:00
This is the **Windows Initialization Process**. It launches **services.exe**, **lsass.exe** and **lsm.exe** in Session 0.\
2021-09-06 14:49:06 +00:00
There should only be 1 process.
2022-05-01 16:32:23 +00:00
## userinit.exe
2021-09-06 14:49:06 +00:00
Load the **ntduser.dat in HKCU** and initialises the **user** **environment** and runs **logon** **scripts** and **GPO**.\
2021-09-06 14:49:06 +00:00
It launches **explorer.exe**.
2022-05-01 16:32:23 +00:00
## lsm.exe
2021-09-06 14:49:06 +00:00
This is the **Local Session Manager**.\
It works with smss.exe to manipulate use sessions: Logon/logoff, shell start, lock/unlock desktop...\
After W7 lsm.exe was transformed into a service (lsm.dll).\
2021-09-06 14:49:06 +00:00
There should only be 1 process in W7 and from them a service running the DLL.
2022-05-01 16:32:23 +00:00
## services.exe
2021-09-06 14:49:06 +00:00
This is the **Service Control Manager**.\
2021-09-06 14:49:06 +00:00
It **loads** **services** configured as **auto-start** and **drivers**.
It's the parent process of **svchost.exe**, **dllhost.exe**, **taskhost.exe**, **spoolsv.exe** and many more.\
2021-09-06 14:49:06 +00:00
Note that services are defined in `HKLM\SYSTEM\CurrentControlSet\Services` and this process maintains a DB in memory of service info that can be queried by sc.exe.
Note how **some** **services** are going to be running in a **process of their own** and others are going to be **sharing a svchost.exe process**.
There should only be 1 process.
2022-05-01 16:32:23 +00:00
## lsass.exe
2021-09-06 14:49:06 +00:00
This the **Local Security Authority Subsystem**.\
It's responsible for the user **authentication** and create the **security** **tokens**. It uses authentication packages located in `HKLM\System\CurrentControlSet\Control\Lsa`.\
It writes to the **Security** **event** **log**.\
There should only be 1 process.\
2021-09-06 14:49:06 +00:00
Keep in mind that this process is highly attacked to dump passwords.
2022-05-01 16:32:23 +00:00
## svchost.exe
2021-09-06 14:49:06 +00:00
This is the **Generic Service Host Process**.\
It hosts multiple DLL services in one shared process.\
2021-11-30 16:46:07 +00:00
Usually you will find that **svchost.exe** is launched with `-k` flag. This will launch a query to the registry **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost** where there will be a key with the argument mentioned in -k that will contain the services to launch in the same process.
2021-09-06 14:49:06 +00:00
For example: `-k UnistackSvcGroup` will launch: `PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc`
If the **flag `-s`** is also used with an argument, then svchost is asked to **only launch the specified service** in this argument.
There will be several process of `svchost.exe`. If any of them is **not using the `-k` flag**, then thats very suspicious. If you find that **services.exe is not the parent**, thats also very suspicious.
2022-05-01 16:32:23 +00:00
## taskhost.exe
2021-09-06 14:49:06 +00:00
This process act as host for processes run from DLLs. It loads the services that are run from DLLs.\
2021-09-06 14:49:06 +00:00
In W8 is called taskhostex.exe and in W10 taskhostw.exe.
2022-05-01 16:32:23 +00:00
## explorer.exe
2021-09-06 14:49:06 +00:00
This is the process responsible for the **user's desktop** and launching files via file extensions.\
**Only 1** process should be spawned **per logged on user.**\
2021-11-30 16:46:07 +00:00
This is run from **userinit.exe** which should be terminated, so **no parent** should appear for this process.
2021-09-06 14:49:06 +00:00
2022-05-01 16:32:23 +00:00
# Catching Malicious Processes
2021-09-06 14:49:06 +00:00
* Is it running from the expected path? (No Windows binaries run from temp location)
2021-09-06 14:49:06 +00:00
* Is it communicating with weird IPs?
* Check digital signatures (Microsoft artefacts should be signed)
2021-09-06 14:49:06 +00:00
* Is it spelled correctly?
* Is running under the expected SID?
* Is the parent process the expected one (if any)?
* Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?)
2022-04-28 16:01:33 +00:00
2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
2022-05-01 16:32:23 +00:00