svchost.exe - The Most Important Windows Processes For Threat Hunting

svchost.exe: One Of The Most Important Windows Processes For Threat Hunting

“svchost.exe” (Service Host) is a system process in the Windows OS responsible for hosting and managing Windows services that run from dynamic-link libraries (.dll files). This process cannot be started or ended manually. “svchost” hosts a number of services in order to lower resource consumption and protect computing resources. If all the services ran under one process, in case…

Lsm.exe: One Of The Most Important Windows Processes For Threat Hunting

“lsm.exe” is the Local Session Manager Service in the Windows OS. This process handles all the connections related to the terminal server on the host machine. “lsm.exe” is a core Windows process. In this new series, we analyze Windows processes and provide threat hunting tips.
Image Path: %SystemRoot%\System32\lsm.exe
Parent Process: wininit.exe
Number of Instances: One
User…

services.exe: One Of The Most Important Windows Processes For Threat Hunting

“services.exe” launches the Service Control Manager, which is primarily responsible for handling system services, including starting, stopping, and interacting with services. Services are defined in HKLM\SYSTEM\CurrentControlSet\Services. In this new series, we analyze Windows processes and provide threat hunting tips. “services.exe” is the parent process of svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc. This process interacts with…

lsass.exe: One Of The Most Important Windows Processes For Threat Hunting

“lsass.exe” stands for Local Security Authority Subsystem Service. In this new series, we analyze Windows processes and provide threat hunting tips. The “lsass.exe” Windows process is responsible for a variety of security tasks, including: authenticating users and verifying user logins to a Windows computer or server; creating the user’s access token; managing the Active Directory; writing to…

wininit.exe: One Of The Most Important Windows Processes For Threat Hunting

“wininit.exe” stands for Windows Initialization. This process is an essential part of the Windows OS and runs in the background. “wininit.exe” is responsible for launching the Windows Initialization process. In this new series, we analyze Windows processes and provide threat hunting tips. This process’s primary function is launching the majority of the background applications that are…

smss.exe: One Of The Most Important Processes For Threat Hunting

“smss.exe” is the Session Manager Subsystem for the Microsoft Windows OS. The main system thread initiates this process. This process manages the start of user sessions and various other activities, including launching the winlogon.exe and csrss.exe processes and setting system variables. If the two processes end normally after launch, smss.exe shuts down the…