Windows Processes
Writer Khadijah Alamoudi
Email
LinkedIn https://www.linkedin.com/in/khadijah-alamoudi-6aa1211bb
All in One Summarized Table
Processes Purpose Executable Path Parent # of Instance Username
Session Manager, create new
sessions.
NT
• Session 0 starts csrss.exe and
smss.exe %SystemRoot%\System32\smss.exe System 1 AUTHORIT
wininit.exe. (OS services)
(S-1-5-18)
• Session 1 starts csrss.exe and
winlogon.exe. (User session)
Client/Server Run Subsystem Created by
Process; manages processes and child instance
threads, provides Windows API, of SMSS.EXE
NT
maps drive letters, creates temp but
csrss.exe %SystemRoot%\System32\csrss.exe 2 AUTHORIT
files, handles shutdown. • will be that process
(S-1-5-18)
available per newly created user will exist so will
session. appear as no
parent
Created by a
child instance
Windows Logon Process; handles
of SMSS.EXE ,
user logons/logoffs, launches NT
winlogon.exe but
LogonUI.exe for login, and passes %SystemRoot%\System32\winlogon.exe AUTHORIT
winlogon.exe
credentials to LSASS.exe for (S-1-5-18)
will appear as if
verification.
it has no parent
process.
Created by
child instance
of SMSS.EXE
Windows Initialization Process;
but NT
wininit.exe responsible for launching
%SystemRoot%\System32\wininit.exe that process 1 AUTHORIT
services.exe , lsass.exe , and
will exist so will (S-1-5-18)
lsm.exe in Session 0.
appear as no
parent
Local Session Manager; works
with smss.exe to create, destroy,
NT
lsm.exe or manage user sessions.
%SystemRoot%\System32\lsm.exe wininit.exe 1 AUTHORIT
Manages logon/off, shell
(S-1-5-18)
start/end, and desktop
lock/unlock.
Service Control Manager; loads
services and device drivers into
memory, and manages service
NT
services.exe operations. ~ responsible for %SystemRoot%\System32\services.exe
wininit.exe 1 AUTHORIT
handling system services
(S-1-5-18)
including starting and ending
services, and interacting with
services.
Local Security Authority
Subsystem; handles user NT
lsass.exe
authentication, generates access %SystemRoot%\System32\lsass.exe wininit.exe 1 AUTHORIT
tokens, and enforces security (S-1-5-18)
Writer Khadijah Alamoudi
LinkedIn https://www.linkedin.com/in/khadijah-alamoudi-6aa1211bb
All in One Summarized Table
Processes Purpose Executable Path Parent # of Instance Username
Session Manager, create new
sessions.
NT
• Session 0 starts csrss.exe and
smss.exe %SystemRoot%\System32\smss.exe System 1 AUTHORIT
wininit.exe. (OS services)
(S-1-5-18)
• Session 1 starts csrss.exe and
winlogon.exe. (User session)
Client/Server Run Subsystem Created by
Process; manages processes and child instance
threads, provides Windows API, of SMSS.EXE
NT
maps drive letters, creates temp but
csrss.exe %SystemRoot%\System32\csrss.exe 2 AUTHORIT
files, handles shutdown. • will be that process
(S-1-5-18)
available per newly created user will exist so will
session. appear as no
parent
Created by a
child instance
Windows Logon Process; handles
of SMSS.EXE ,
user logons/logoffs, launches NT
winlogon.exe but
LogonUI.exe for login, and passes %SystemRoot%\System32\winlogon.exe AUTHORIT
winlogon.exe
credentials to LSASS.exe for (S-1-5-18)
will appear as if
verification.
it has no parent
process.
Created by
child instance
of SMSS.EXE
Windows Initialization Process;
but NT
wininit.exe responsible for launching
%SystemRoot%\System32\wininit.exe that process 1 AUTHORIT
services.exe , lsass.exe , and
will exist so will (S-1-5-18)
lsm.exe in Session 0.
appear as no
parent
Local Session Manager; works
with smss.exe to create, destroy,
NT
lsm.exe or manage user sessions.
%SystemRoot%\System32\lsm.exe wininit.exe 1 AUTHORIT
Manages logon/off, shell
(S-1-5-18)
start/end, and desktop
lock/unlock.
Service Control Manager; loads
services and device drivers into
memory, and manages service
NT
services.exe operations. ~ responsible for %SystemRoot%\System32\services.exe
wininit.exe 1 AUTHORIT
handling system services
(S-1-5-18)
including starting and ending
services, and interacting with
services.
Local Security Authority
Subsystem; handles user NT
lsass.exe
authentication, generates access %SystemRoot%\System32\lsass.exe wininit.exe 1 AUTHORIT
tokens, and enforces security (S-1-5-18)
