Normal Windows Operation - whiteowl911/leveleffect GitHub Wiki

What’s “Normal” with Windows?

Goals

When we first start examining system processes for malware or suspicious activity, normal processes can start to look malicious. This page is a reference for what normal looks like, so that what is not normal stands out.

What happens when I boot my Windows machine?

Pre-Windows Initialization (Pushing the Power Button)

  1. Hardware initializes and the firmware (Basic Input Output System, BIOS) checks for disks.

  2. UEFI firmware bootstrap code checks for a Master Boot Record (MBR) and loads Windows Boot Manager.

  3. Windows Boot Manager (%SystemDrive%\bootmgr) determines whether multiple OSs exist and, if so, offers a menu of them (winload.exe then boots the chosen OS).

  4. Windows OS Loader (%SystemRoot%\system32\winload.exe) loads the drivers needed to start the Windows kernel.

System Boot

System Idle Process

PID: 0
Image: None
Parent Processes: None
Child Processes: None
Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: At boot

Description: Accounts for system idle time.

System

PID: 4
Image: %SystemRoot%\System32\ntoskrnl.exe
Parent Processes: None
Child Processes: None
Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: At boot

Description: Hosts most of the threads that run only in kernel mode.

Memory Compression

PID: Random
Image: None
Parent Processes: System
Child Processes: None
Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: At boot

Description: Compresses process memory in RAM instead of paging it to disk, to improve performance.

Registry

PID: Random
Image: None
Parent Processes: None
Child Processes: None
Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: Stores registry hive data such as HKLM and HKCU.

Session Manager Subsystem (smss.exe)

PID: Random
Image: %SystemRoot%\System32\smss.exe
Parent Processes: System
Child Processes: Multiple

  • smss.exe (Session 0)
  • smss.exe (Session 1)
  • autochk.exe
  • smss.exe (For each new session)

Number of Instances: 2+ during startup; 1 master (without arguments) after startup.
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: First user-mode process. The master smss.exe (the only instance that stays after boot) spawns a short-lived smss.exe for each session.

Windows Subsystem (csrss.exe)

PID: Random
Image: %SystemRoot%\System32\csrss.exe
Parent Processes: a per-session smss.exe (child of the master smss.exe) that has already exited, so csrss.exe appears orphaned
Child Processes: None
Number of Instances: 2+
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot (Session 0 and 1), after each new session (1+)

Description: User-mode side of the Windows subsystem; manages processes and threads and loads the DLLs that expose the Windows API. Session 0 serves services, Session 1 the local console session.

Windows Initialization Process (wininit.exe)

PID: Random
Image: %SystemRoot%\System32\wininit.exe
Parent Processes: Session 0 smss.exe (Orphaned)
Child Processes: Multiple

  • services.exe
  • lsass.exe
  • fontdrvhost.exe

Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: Sets default environment variables (USERPROFILE, ALLUSERSPROFILE, PUBLIC and ProgramData). Creates the LSASS process and sets the LSA encryption key. Creates the Service Control Manager (services.exe). Creates the temp directory (%SystemRoot%\Temp).

Service Control Manager (services.exe)

PID: Random
Image: %SystemRoot%\System32\services.exe
Parent Processes: wininit.exe
Child Processes: Multiple

  • Any service defined under HKLM\SYSTEM\CurrentControlSet\Services
  • spoolsv.exe
  • svchost.exe

Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: Starts, stops and reports the status of the services defined on the system.

Local Security Authentication Service (lsass.exe)

PID: Random
Image: %SystemRoot%\system32\lsass.exe
Parent Processes: wininit.exe
Child Processes: None
Number of Instances: 1
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: Manages user authentication on the machine.

Local Security Authentication Service/Credential Guard (lsaiso.exe)

PID: Random
Image: %SystemRoot%\system32\lsaiso.exe
Parent Processes: wininit.exe
Child Processes: None
Number of Instances: 0 or 1
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: If Credential Guard is enabled, lsass.exe is split into two processes (itself and lsaiso.exe). lsass.exe keeps most functions; lsaiso.exe stores credentials in an isolated environment.

Service Host Process (svchost.exe)

PID: Random
Image: %SystemRoot%\System32\svchost.exe
Parent Processes: services.exe
Child Processes: Multiple
Number of Instances: Multiple
User: Multiple

  • NT AUTHORITY\SYSTEM
  • NT AUTHORITY\LOCAL SERVICE
  • NT AUTHORITY\NETWORK SERVICE

Start Time: Within seconds of system boot

Description: Hosts Windows services implemented as DLLs. It is launched with the -k flag, which names a service group defined under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry key (IT SHOULD ALWAYS RUN WITH AT LEAST THE -K FLAG). The -s flag selects a single service from that group to load. The -p flag enforces a specific policy when running that service.

Windows Runtime Broker (RuntimeBroker.exe)

PID: Random
Image: %SystemRoot%\System32\RuntimeBroker.exe
Parent Processes: svchost.exe
Child Processes: None
Number of Instances: 1+
User: Typically logged-on user(s)
Start Time: Varies

Description: Proxy between Universal Windows Platform (UWP) applications and the full Windows API due to UWP limitations with hardware & filesystem access.
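The table above amounts to a baseline: for each boot-time process, an expected parent, image directory, account and instance count. The script below is an added example (not code from the wiki or from the leveleffect project) that turns those values into a check against a live process list. It assumes PowerShell 5.1 or later on the Windows host being inspected, run elevated so that ExecutablePath, CommandLine and GetOwner are populated for SYSTEM processes; the $Baseline table and the function names Get-ProcessSnapshot and Test-ProcessBaseline are my own.

```powershell
# Added example, not part of the wiki page. Compares running processes with the
# "normal" parent / image directory / account / instance-count values listed above.
# Assumed: PowerShell 5.1+, elevated. $Baseline and both function names are mine.

$Sys32 = Join-Path $env:SystemRoot 'System32'
$SvcAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

# Expected parent image(s), account(s) and instance cap per process, from the page.
# OrphanOk marks processes whose parent (a per-session smss.exe) is expected to have
# exited already: a missing parent is normal for them and suspicious for the rest.
$Baseline = @{
    'smss.exe'     = @{ Parent = @('System', 'smss.exe'); Users = @('NT AUTHORITY\SYSTEM'); Max = $null; OrphanOk = $false }
    'csrss.exe'    = @{ Parent = @('smss.exe');           Users = @('NT AUTHORITY\SYSTEM'); Max = $null; OrphanOk = $true }
    'wininit.exe'  = @{ Parent = @('smss.exe');           Users = @('NT AUTHORITY\SYSTEM'); Max = 1;     OrphanOk = $true }
    'winlogon.exe' = @{ Parent = @('smss.exe');           Users = @('NT AUTHORITY\SYSTEM'); Max = $null; OrphanOk = $true }
    'services.exe' = @{ Parent = @('wininit.exe');        Users = @('NT AUTHORITY\SYSTEM'); Max = 1;     OrphanOk = $false }
    'lsass.exe'    = @{ Parent = @('wininit.exe');        Users = @('NT AUTHORITY\SYSTEM'); Max = 1;     OrphanOk = $false }
    'lsaiso.exe'   = @{ Parent = @('wininit.exe');        Users = @('NT AUTHORITY\SYSTEM'); Max = 1;     OrphanOk = $false }
    'svchost.exe'  = @{ Parent = @('services.exe');       Users = $SvcAccounts;             Max = $null; OrphanOk = $false }
}

function Get-ProcessSnapshot {
    # One object per running process with just the fields the baseline needs.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
        [pscustomobject]@{
            Name        = $_.Name
            Pid         = [int]$_.ProcessId
            ParentPid   = [int]$_.ParentProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Started     = $_.CreationDate   # DateTime; used below to detect PID reuse
            User        = $account
        }
    }
}

function Test-ProcessBaseline {
    param([object[]]$Snapshot = (Get-ProcessSnapshot))

    $byPid = @{}
    foreach ($p in $Snapshot) { $byPid[$p.Pid] = $p }
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($name in $Baseline.Keys) {
        $rule = $Baseline[$name]
        $instances = @($Snapshot | Where-Object { $_.Name -ieq $name })

        # Instance count: wininit, services, lsass and lsaiso exist at most once.
        if ($rule.Max -and $instances.Count -gt $rule.Max) {
            $findings.Add("$name : $($instances.Count) instances running, expected at most $($rule.Max)")
        }

        foreach ($p in $instances) {
            # Image path: every process in the table lives in %SystemRoot%\System32.
            if ($p.Path -and (Split-Path -Path $p.Path -Parent) -ne $Sys32) {
                $findings.Add("$name (PID $($p.Pid)): unexpected image path $($p.Path)")
            }
            # Account: SYSTEM for the boot chain; SYSTEM / LOCAL SERVICE / NETWORK SERVICE for svchost.
            if ($p.User -and $rule.Users -notcontains $p.User) {
                $findings.Add("$name (PID $($p.Pid)): runs as $($p.User), expected $($rule.Users -join ' or ')")
            }
            # Parent: a "parent" that started after the child is a recycled PID, not the
            # real parent, so it is treated the same as a parent that has exited.
            $parent = $byPid[$p.ParentPid]
            $parentGone = ($null -eq $parent) -or ($parent.Started -gt $p.Started)
            if ($parentGone) {
                if (-not $rule.OrphanOk) {
                    $findings.Add("$name (PID $($p.Pid)): parent PID $($p.ParentPid) is no longer running, but $($rule.Parent -join '/') should be")
                }
            } elseif ($rule.Parent -notcontains $parent.Name) {
                $findings.Add("$name (PID $($p.Pid)): parent is $($parent.Name) (PID $($parent.Pid)), expected $($rule.Parent -join '/')")
            }
            # svchost.exe must always carry -k <group>, a group defined under the Svchost key.
            if ($name -ieq 'svchost.exe' -and $p.CommandLine -and $p.CommandLine -notmatch '\s-k\s+\S+') {
                $findings.Add("svchost.exe (PID $($p.Pid)): started without -k: $($p.CommandLine)")
            }
        }
    }
    return $findings
}

$deviations = @(Test-ProcessBaseline)
if ($deviations.Count -eq 0) { 'No deviations from the baseline.' } else { $deviations }
```

Two caveats when reading the output. The account list follows the page, so on Windows 10 1703 and later the per-user services that run svchost.exe as the logged-on user will be reported, as will 32-bit services hosted by %SystemRoot%\SysWOW64\svchost.exe; add those to the table once you have confirmed them on your build. The per-user processes (explorer.exe, RuntimeBroker.exe, dwm.exe) are left out on purpose: they run as the logged-on user, explorer.exe's parent userinit.exe has exited by design, and the stock explorer.exe binary lives in %SystemRoot% itself rather than in System32, so a System32 rule would misfire on it.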

User Logon

Windows Logon Process (winlogon.exe)

PID: Random
Image: %SystemRoot%\System32\winlogon.exe
Parent Processes: Session 0 smss.exe (Orphaned)
Child Processes: Multiple

  • LogonUI.exe
  • userinit.exe
  • dwm.exe
  • fontdrvhost.exe
  • Anything else listed in the Userinit value

Number of Instances: 1 for each user session
User: NT AUTHORITY\SYSTEM
Start Time: Within seconds of system boot

Description: Handles everything related to user logon and logoff. After a successful logon is validated by LSASS, it launches the processes listed under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

Windows Logon User Interface (LogonUI.exe)

PID: Random
Image: %SystemRoot%\system32\LogonUI.exe
Parent Processes: winlogon.exe
Child Processes: None
Number of Instances: 1 for each logged-on user with a locked screen
User: NT AUTHORITY\SYSTEM
Start Time: At user logon

Description: Launched by winlogon.exe to show the logon interface and initialize the authentication/credential providers (e.g. username/password, PIN, token).

User Initialization (userinit.exe)

PID: Random
Image: %SystemRoot%\system32\userinit.exe
Parent Processes: winlogon.exe
Child Processes: Multiple

  • explorer.exe
  • Anything executed via the logon script in UserInitLoginScript

Number of Instances: 0 (exits after launching explorer.exe)
User: Logged on user
Start Time: After user authentication

Description: Initializes the user session: runs logon scripts, reestablishes network connections and launches the Windows shell (default explorer.exe, read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) as well as the UserInitLoginScript logon script (from the same registry key).

Windows Explorer (explorer.exe)

PID: Random
Image: %SystemRoot%\system32\explorer.exe
Parent Processes: userinit.exe (orphaned, since userinit.exe exits after launching it)
Child Processes: Multiple
Number of Instances: 1 for each logged-on user
User: Logged on user
Start Time: After user initialization

Description: Windows Graphical User Interface (GUI)

Desktop Window Manager (dwm.exe)

PID: Random
Image: %SystemRoot%\System32\dwm.exe
Parent Processes: winlogon.exe
Child Processes: None
Number of Instances: 1 per logged-on user
User: Window Manager\DWM-X (X = logged on user session)
Start Time: After user initialization

Description: Renders GUI programs on-screen
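The logon chain above is driven by registry data: winlogon.exe and userinit.exe read their process list from the Winlogon key, and services.exe starts each svchost.exe with a -k group that must be defined under the Svchost key. The script below is an added example (not code from the wiki or from the leveleffect project) that checks both keys against their stock contents. It assumes PowerShell 5.1 or later on the host being inspected, run elevated; the function names Test-WinlogonValues and Test-SvchostGroups are my own, and the stock values it compares against (Shell = explorer.exe, Userinit = the System32 userinit.exe path with a trailing comma) are the defaults of a clean install.

```powershell
# Added example, not part of the wiki page. Checks the registry values read by the
# logon chain (Winlogon key) and by services.exe when it starts svchost.exe (Svchost key).
# Assumed: PowerShell 5.1+, elevated. Both function names are mine.

function Test-WinlogonValues {
    # winlogon.exe and userinit.exe read Shell and Userinit from this key at every logon,
    # so anything appended to either value runs in every user's session.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $key
    $findings = @()

    if ($wl.Shell -ne 'explorer.exe') {
        $findings += "Winlogon\Shell is '$($wl.Shell)', stock value is 'explorer.exe'"
    }
    # Stock Userinit is "<SystemRoot>\system32\userinit.exe," (one entry, trailing comma).
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $entries = @($wl.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry -ne $expected) {
            $findings += "Winlogon\Userinit contains extra entry '$entry' (stock: '$expected,')"
        }
    }
    return $findings
}

function Test-SvchostGroups {
    # A svchost-hosted service has ImagePath "svchost.exe -k <group>"; <group> must be a
    # value under the Svchost key whose REG_MULTI_SZ data lists the service name.
    $groups = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $findings = @()
    foreach ($svcKey in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $svcKey.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }
        if (-not ($svc.ImagePath -match '(?i)svchost\.exe.*?\s-k\s+"?([^\s"]+)')) { continue }
        $group = $Matches[1]
        $members = $groups.$group
        if (-not $members) {
            $findings += "$($svcKey.PSChildName): ImagePath names group '$group', which is missing or empty under the Svchost key"
        } elseif (@($members) -notcontains $svcKey.PSChildName) {
            $findings += "$($svcKey.PSChildName): not listed in Svchost group '$group'"
        }
    }
    return $findings
}

$deviations = @(Test-WinlogonValues) + @(Test-SvchostGroups)
if ($deviations.Count -eq 0) { 'Winlogon and Svchost keys match stock values.' } else { $deviations }
```

Run it after the process check, since the two answer different questions: the process check says what is running now, while this one says what will be started at the next logon or service start. Third-party services that ship their own svchost group add a value under the Svchost key and so pass cleanly; a service whose -k group is absent from that key, or whose name is not in the group's list, is the case worth reading the ImagePath of.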
