Home Core Windows Processes
Post
Cancel

Core Windows Processes

Explore the core processes within a Windows operating system and understand what normal behaviour is. This foundational knowledge will help you identify malicious processes running on an endpoint!

THM Room https://tryhackme.com/room/btwindowsinternals

TASK 1 : Introduction

I’ve read the intro and deployed the attached virtual machine.

No Answer

TASK 2 : TASK Manager

On to the next task…

No Answer

TASK 3 : System

What PID should System always be?

Answer : 4

TASK 4 : System > smss.exe

What other two processes does smss.exe start in Session 1? (answer format: process1, process2)

Answer : csrss.exe, winlogon.exe

TASK 5 : csrss.exe

What was the process which had PID 384 and PID 488?

Answer : smss.exe

TASK 6 : wininit.exe

Which process you might not see running if Credential Guard is not enabled?

Answer : lsaiso.exe

TASK 7 : wininit.exe > services.exe

How many instances of services.exe should be running on a Windows system?

Answer : 1

TASK 8 : wininit.exe > services.exe > svchost.exe

What single letter parameter should always be visible in the Command line or Binary path?

Answer : k

TASK 9 : lsass.exe

What is the parent process for LSASS?

Answer : wininit.exe

TASK 10 : winlogon.exe

What is the non-existent parent process for winlogon.exe?

Answer : smss.exe

TASK 11 : explorer.exe

What is the non-existent process for explorer.exe?

Answer : userinit.exe

TASK 12 : Conclusion

Thanks for stopping by.

No Answer

This post is licensed under CC BY 4.0 by the author.