TryHackMe: Core Windows Processes Walkthrough (SOC Level 1) 

Welcome to this walkthrough of the Core Windows Processes Room on TryHackMe. Explore the core processes within a Windows operating system and understand what normal behaviour is. This foundational knowledge will help you identify malicious processes running on an endpoint!

Core Windows Processes

Room URL:
https://tryhackme.com/room/btwindowsinternals

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on! This is going to be a long one!



Task 1: Introduction

This room focuses on understanding core Windows system processes to distinguish normal behavior from malicious activity. Since Windows is the most widely used OS, many users don’t understand its inner workings—they just expect it to function. Previously, antivirus software was sufficient, but modern malware has evolved, making it ineffective alone.

Today, a layered security approach includes tools like Endpoint Detection and Response (EDR), yet even these aren’t foolproof. Security professionals (SOC Analysts, Threat Hunters, etc.) must investigate suspicious processes to determine if they are benign or malicious. Understanding normal system behavior is crucial for effective threat detection.

A virtual machine is provided for hands-on practice, accessible via RDP with given credentials.

Machine IP: MACHINE_IP

User: administrator

Password: letmein123!

Questions

I’ve read the intro and deployed the attached virtual machine.

Answer: No answer needed


Task 2: Task Manager

Task Manager is a built-in Windows utility that allows users to monitor system processes, resource usage (CPU, memory), and terminate unresponsive programs.

Opening Task Manager:

  • Right-click the Taskbar and select Task Manager.
  • If minimal details are displayed, click More details to expand the view.

Key Features & Tabs:

  • Processes Tab: Displays running applications, background processes, and Windows processes.
  • Columns:
    • Type: Categorizes processes (Apps, Background, Windows).
    • Publisher: Author of the program.
    • PID: Unique process identifier.
    • Process Name: The executable filename.
    • Command Line: Full command used to launch the process.
    • CPU & Memory: Displays resource usage.

Details Tab:

  • Provides a more technical view of running processes.
  • Sorting by PID can help identify process relationships.
  • Adding columns like Image path name and Command line helps detect suspicious processes.
  • Task Manager lacks parent-child process tracking, which is crucial for identifying anomalies like rogue svchost.exe processes.

Alternative Tools:

  • Process Hacker & Process Explorer: Offer advanced analysis, including parent-child process relationships.
  • Command-line alternatives:
    • tasklist (CMD)
    • Get-Process or ps (PowerShell)
    • wmic (legacy command)

While Task Manager is a fundamental troubleshooting tool, security analysts often rely on specialized tools for deeper process analysis.

Questions

On to the next task…


Answer: No answer needed


Task 3: System

The System process (PID 4) in Windows is a kernel-mode process that runs system threads, which execute code from the Windows kernel (Ntoskrnl.exe) or device drivers. Unlike user-mode processes, it has no user address space and uses system memory pools for dynamic storage.

Normal Behavior:

  • Image Path: N/A (Process Explorer) or C:\Windows\system32\ntoskrnl.exe (Process Hacker)
  • Parent Process: None (Process Explorer) or System Idle Process (0) (Process Hacker)
  • Instances: Only one
  • User Account: Local System
  • Start Time: At boot

Unusual Behavior:

  • A parent process other than System Idle Process (0)
  • Multiple instances of the System process
  • A different PID (should always be 4)
  • Not running in Session 0

Any deviations from these norms may indicate malware or system issues.

Questions

What PID should System always be?

The System process should always be running on PID 4.

Answer: 4


Task 4: System > smss.exe

The smss.exe (Session Manager Subsystem) is the first user-mode process started by the Windows kernel. It is responsible for creating new sessions and launching key system processes like csrss.exe and wininit.exe in Session 0 (for the OS) and csrss.exe and winlogon.exe in Session 1 (for the user session). It also manages environment variables and virtual memory paging files.

Normal Behavior:

  • Image Path: %SystemRoot%\System32\smss.exe
  • Parent Process: System (PID 4)
  • Instances: One master instance, plus a child instance per session (child terminates after session creation)
  • User Account: Local System
  • Start Time: Within seconds of boot

Unusual Behavior:

  • A parent process other than System (4)
  • Image path differs from C:\Windows\System32\smss.exe
  • Multiple running instances (except temporary child processes)
  • Running under a user other than SYSTEM
  • Unexpected registry entries in HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems

Deviations may indicate malware or system corruption.

Questions

Aside from csrss.exe, what process does smss.exe spawn in Session 1?

Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system, and csrss.exe and winlogon.exe for Session 1, which is the user session.

Answer: winlogon.exe


Task 5: csrss.exe

The csrss.exe (Client Server Runtime Process) is a critical user-mode process responsible for managing the Win32 console window, process thread creation/deletion, drive letter mapping, and system shutdown. Terminating it will cause a system failure. It is launched by smss.exe at startup for Session 0 (system) and Session 1 (user).

Normal Behavior:

  • Image Path: %SystemRoot%\System32\csrss.exe
  • Parent Process: Initially spawned by smss.exe, which then self-terminates
  • Instances: Two or more (one for Session 0, one for Session 1)
  • User Account: Local System
  • Start Time: Within seconds of boot for the first two instances; additional instances only when new sessions are created

Unusual Behavior:

  • A visible parent process (smss.exe should self-terminate)
  • Image path different from C:\Windows\System32\csrss.exe
  • Misspellings (e.g., crss.exe, csrs.exe) used by malware to disguise itself
  • Not running under SYSTEM user

Deviations from these norms may indicate malware or a compromised system.

Questions

What was the process which had PID 384 and PID 488?

Look at the screenshots in the TryHackMe task theory. In the screenshots the parent process is shown as non-existent, because these processes are spawned by smss.exe, which self-terminates after creating them.

Answer: smss.exe


Task 6: wininit.exe

The wininit.exe (Windows Initialization Process) is a critical system process responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe (if Credential Guard is enabled) within Session 0. It runs in the background and is essential for system stability.

Normal Behavior:

  • Image Path: %SystemRoot%\System32\wininit.exe
  • Parent Process: Initially created by smss.exe, which then self-terminates
  • Instances: Only one
  • User Account: Local System
  • Start Time: Within seconds of boot

Unusual Behavior:

  • A visible parent process (smss.exe should self-terminate)
  • Image path different from C:\Windows\System32\wininit.exe
  • Misspellings (e.g., winit.exe, winlnit.exe) used by malware to blend in
  • Multiple running instances (should only be one)
  • Not running as SYSTEM user

Deviations from these norms may indicate malware or a compromised system.

Questions

Which process might you not see running if Credential Guard is not enabled?

If Credential Guard is disabled you will not see lsaiso.exe running.

Answer: lsaiso.exe


Task 7: wininit.exe > services.exe

The Service Control Manager (SCM), managed by services.exe, is responsible for handling system services, including loading, interacting with, and starting or stopping them. It also manages device drivers marked for auto-start and stores service-related information in the Windows registry at HKLM\System\CurrentControlSet\Services. Additionally, it sets the Last Known Good Configuration registry value during user login. The process is critical for system stability and is the parent to several key processes like svchost.exe, spoolsv.exe, msmpeng.exe, and dllhost.exe.

Normal Behavior:

  • Image Path: %SystemRoot%\System32\services.exe
  • Parent Process: wininit.exe
  • User Account: Local System
  • Start Time: Occurs shortly after boot
  • Number of Instances: Typically one instance

Unusual Behavior:

  • A parent process other than wininit.exe
  • Image path outside C:\Windows\System32
  • Multiple instances running
  • Running under an account other than SYSTEM
  • Misspellings in process names to disguise rogue processes

Questions

How many instances of services.exe should be running on a Windows system?

There should only be one running instance.

Answer: 1


Task 8: wininit.exe > services.exe > svchost.exe

The Service Host (svchost.exe) is responsible for hosting and managing Windows services, running services implemented as DLLs. The service details, including the DLL path, are stored in the registry at HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters. Svchost.exe uses the -k parameter to group similar services in a single process, helping reduce resource consumption. However, in newer Windows versions, each service may run in its own process, especially on systems with more than 3.5 GB of memory.

Normal Behavior:

  • Image Path: %SystemRoot%\System32\svchost.exe
  • Parent Process: services.exe
  • User Account: Varies (SYSTEM, Network Service, Local Service, or logged-in user)
  • Start Time: Starts within seconds of boot; other instances may start after boot
  • Number of Instances: Many instances

Unusual Behavior:

  • A parent process other than services.exe
  • Image path outside C:\Windows\System32
  • Misspellings or variations in the name (e.g., scvhost.exe) to hide malware
  • Missing -k parameter used to group services

Questions

What single letter parameter should always be visible in the Command line or Binary path?

Svchost.exe uses the -k parameter to group similar services in a single process, helping reduce resource consumption.

Answer: k


Task 9: lsass.exe

The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing security policies on Windows systems. It handles user logins, password changes, and access token creation, and it writes to the Windows Security Log. LSASS interacts with the Security Account Manager (SAM), Active Directory (AD), and NETLOGON services and uses authentication packages stored in the registry at HKLM\System\CurrentControlSet\Control\Lsa.

Normal Behavior:

  • Image Path: %SystemRoot%\System32\lsass.exe
  • Parent Process: wininit.exe
  • Number of Instances: One
  • User Account: Local System
  • Start Time: Starts within seconds of boot time

Unusual Behavior:

  • A parent process other than wininit.exe
  • Image path outside C:\Windows\System32
  • Misspellings or variations in the name (e.g., lsasss.exe) to disguise malware
  • Multiple instances running
  • Not running as SYSTEM

Questions

What is the parent process for LSASS?

The parent process is wininit.exe.

Answer: wininit.exe


Task 10: winlogon.exe

The Windows Logon (winlogon.exe) is responsible for handling the Secure Attention Sequence (SAS), triggered by the ALT+CTRL+DELETE key combination, to initiate user login. It loads the user profile by importing the NTUSER.DAT file into HKCU and starts the user’s shell through userinit.exe. Winlogon also handles screen locking and running the user’s screensaver.

Normal Behavior:

  • Image Path: %SystemRoot%\System32\winlogon.exe
  • Parent Process: Created by smss.exe, which exits afterward
  • Number of Instances: One or more, depending on sessions (e.g., Remote Desktop or Fast User Switching logons)
  • User Account: Local System
  • Start Time: Starts within seconds of boot for the first instance (Session 1)

Unusual Behavior:

  • A parent process other than smss.exe
  • Image path outside C:\Windows\System32
  • Misspellings or variations in the name (e.g., winlgon.exe) to disguise rogue processes
  • Not running as SYSTEM
  • Shell registry value other than explorer.exe

Questions

What is the non-existent parent process for winlogon.exe?

Winlogon.exe is created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.

Answer: smss.exe


Task 11: explorer.exe

Windows Explorer (explorer.exe) provides users with access to folders, files, and other features like the Start Menu and Taskbar. It is launched by userinit.exe, which is initiated by winlogon.exe. After launching explorer.exe, userinit.exe exits, leaving no parent process.

Normal Behavior:

  • Image Path: %SystemRoot%\explorer.exe
  • Parent Process: Created by userinit.exe, which exits afterward
  • Number of Instances: One or more per interactively logged-in user
  • User Account: Logged-in user(s)
  • Start Time: First instance starts when the first interactive user logon session begins

Unusual Behavior:

  • An actual parent process (other than userinit.exe)
  • Image path outside C:\Windows
  • Running under an unknown user
  • Misspellings or variations in the name (e.g., explorr.exe) to disguise rogue processes
  • Outbound TCP/IP connections
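As an added example (my own PowerShell, not code from the room or this walkthrough), the script below pulls the live process list with Get-CimInstance, which exposes the ParentProcessId that Task Manager hides, and checks every core process against the Task 3 to 11 baselines above: expected parent, image directory, instance count, owner, and the -k parameter for svchost.exe. The baseline table is my encoding of those tasks, and the script assumes it is run elevated on the endpoint.

```powershell
# Added example, not code from the TryHackMe room: check the live process list against
# the Task 3-11 baselines. Run elevated so ExecutablePath and owner resolve for SYSTEM processes.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Parent = $null: the creator (smss.exe / userinit.exe) exits, so no live parent should
# be resolvable. Max = $null / Owner = $null: not checked, because these vary normally.
$baseline = @{
    'smss.exe'     = @{ Parent = 'System';       Dir = $sys32;          Max = 1;     Owner = 'SYSTEM' }
    'csrss.exe'    = @{ Parent = $null;          Dir = $sys32;          Max = $null; Owner = 'SYSTEM' }
    'wininit.exe'  = @{ Parent = $null;          Dir = $sys32;          Max = 1;     Owner = 'SYSTEM' }
    'services.exe' = @{ Parent = 'wininit.exe';  Dir = $sys32;          Max = 1;     Owner = 'SYSTEM' }
    'svchost.exe'  = @{ Parent = 'services.exe'; Dir = $sys32;          Max = $null; Owner = $null }
    'lsass.exe'    = @{ Parent = 'wininit.exe';  Dir = $sys32;          Max = 1;     Owner = 'SYSTEM' }
    'winlogon.exe' = @{ Parent = $null;          Dir = $sys32;          Max = $null; Owner = 'SYSTEM' }
    'explorer.exe' = @{ Parent = $null;          Dir = $env:SystemRoot; Max = $null; Owner = $null }
}

$procs = Get-CimInstance Win32_Process
$byPid = @{}; $count = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p; $count[$p.Name] = 1 + $count[$p.Name] }
if (-not ($byPid[4] -and $byPid[4].Name -eq 'System')) { Write-Warning 'System is not running as PID 4' }

foreach ($p in $procs) {
    $rule = $baseline[$p.Name]              # hashtable keys are case-insensitive
    if (-not $rule) { continue }
    $flags = @()
    # PIDs get reused, so only treat the parent as live if it started before this process.
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
    $pname = if ($parent) { $parent.Name } else { '<exited>' }
    if ($rule.Parent -and $pname -ne $rule.Parent) { $flags += "parent is $pname, expected $($rule.Parent)" }
    if (-not $rule.Parent -and $parent)            { $flags += "live parent $pname, but the creator should have exited" }
    if ($p.ExecutablePath -and (Split-Path $p.ExecutablePath -Parent) -ne $rule.Dir) { $flags += "image path $($p.ExecutablePath)" }
    if ($rule.Max -and $count[$p.Name] -gt $rule.Max) { $flags += "$($count[$p.Name]) instances, expected $($rule.Max)" }
    if ($rule.Owner) {
        $owner = (Invoke-CimMethod -InputObject $p -MethodName GetOwner).User
        if ($owner -ne $rule.Owner) { $flags += "owner is $owner, expected $($rule.Owner)" }
    }
    # Task 8: every svchost.exe should carry the -k service-group parameter.
    if ($p.Name -eq 'svchost.exe' -and $p.CommandLine -notmatch '\s-k\s') { $flags += "no -k in: $($p.CommandLine)" }
    if ($flags) { Write-Warning ("{0} (PID {1}): {2}" -f $p.Name, $p.ProcessId, ($flags -join '; ')) }
}
```

A process whose owner cannot be read (GetOwner returns no User) shows up as an owner mismatch, so confirm those by hand in Process Explorer or Process Hacker before treating them as findings.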

Questions

What is the non-existent process for explorer.exe?

Explorer.exe is created by userinit.exe, which exits after creating the process.

Answer: userinit.exe


Task 12: Conclusion

Understanding core Windows processes is essential for defenders to identify unusual activity on endpoints. With the introduction of Windows 10, new processes have been added, and it’s important to understand how they function normally.

Key processes discussed include:

  • lsaiso.exe: A child process of wininit.exe that works with lsass.exe to enhance password protection when Credential Guard is enabled.
  • RuntimeBroker.exe and taskhostw.exe (formerly taskhost.exe and taskhostex.exe) are additional processes introduced in Windows 10 that should be understood for normal operation.

Researching these processes, along with others of interest, is crucial for understanding their purpose and identifying any abnormal behavior.

The information provided is sourced from various materials, including:

Further reading of these resources is encouraged to deepen your understanding of core Windows processes.

Questions

Thanks for stopping by.

Answer: No answer needed.

Congratulations on completing Core Windows Processes!


Congratulations on completing Core Windows Processes. It was nice to get an overview of all the relevant Windows processes, but I am a bit uncertain whether the theory will stick, since the questions were very easy to answer. Time will tell, I guess?

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find more of my walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
