When using Process Explorer on a Windows system, understanding the behavior and characteristics of legitimate processes helps identify suspicious activity. Here is a summary of common legitimate processes and indicators of potentially suspicious ones:
Legitimate Processes

System Idle (PID 0) and System (PID 4):
    Kernel-level binaries.
    The System process (PID 4) is the parent of the first user-mode process, the Session Manager Subsystem (smss.exe).

Client Server Runtime Subsystem (csrss.exe):
    Manages low-level Windows functions.
    Several instances can run (one per session).
    Must run from %SystemRoot%\System32 and shows no parent, because the smss.exe instance that launched it has already exited.

WININIT (wininit.exe):
    Manages drivers and services.
    Only one instance should be running.

Services.exe:
    Hosts non-boot drivers and background services.
    Should have a single instance, running as a child of wininit.exe.
    Other service processes should be children of services.exe or svchost.exe.
    Services running under the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts are normal.

Local Security Authority Subsystem (lsass.exe):
    Handles authentication and authorization services.
    A single instance, running as a child of wininit.exe.

WINLOGON (winlogon.exe):
    Manages access to the user desktop.
    One instance per user session, with the Desktop Window Manager (dwm.exe) as a child process.

USERINIT (userinit.exe):
    Sets up the shell (typically explorer.exe) and then exits.
    Should only be seen briefly after log-on.

Explorer (explorer.exe):
    The typical user shell.
    Launched with the user's account privileges.
    Likely to be the parent of all processes started interactively by the logged-on user.
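The parent/child, location and account rules above can be checked mechanically against a process listing. The following Python is an added example, not code from the original post: it applies those rules to a hand-constructed snapshot. The Proc fields, the sample PIDs and the account names are assumptions modelled on the columns Process Explorer shows (PID, parent PID, image name, image path, user), not data captured from a real host.

```python
"""Check a process snapshot against the expected Windows process hierarchy.

Added example, not from the original post. The snapshot below is constructed
by hand; the Proc layout is an assumption modelled on Process Explorer's columns.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str   # image name as shown in Process Explorer
    path: str   # full image path, "" when unavailable
    user: str   # account the process runs as


SYSTEM32 = "c:\\windows\\system32\\"
SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}

# Expected live parent for the core processes. None means the real parent
# (an smss.exe or userinit.exe instance) has exited, so no parent is shown.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": None,
    "wininit.exe": None,
    "winlogon.exe": None,
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "dwm.exe": "winlogon.exe",
    "explorer.exe": None,
}
SINGLE_INSTANCE = {"wininit.exe", "services.exe", "lsass.exe"}
MUST_LIVE_IN_SYSTEM32 = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                         "services.exe", "lsass.exe", "svchost.exe"}


def check_snapshot(procs):
    """Return a list of human-readable findings; an empty list means clean."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p.name.lower()
        counts[name] = counts.get(name, 0) + 1
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        if name in EXPECTED_PARENT and EXPECTED_PARENT[name] != parent_name:
            findings.append(f"{p.name} (pid {p.pid}): parent is {parent_name or 'none'}, "
                            f"expected {EXPECTED_PARENT[name] or 'none'}")
        if name in MUST_LIVE_IN_SYSTEM32 and not p.path.lower().startswith(SYSTEM32):
            findings.append(f"{p.name} (pid {p.pid}): runs from {p.path!r}, not System32")
        if name == "svchost.exe" and p.user.lower() not in SERVICE_ACCOUNTS:
            findings.append(f"{p.name} (pid {p.pid}): runs as {p.user}, not a service account")
    for name in SINGLE_INSTANCE:
        if counts.get(name, 0) > 1:
            findings.append(f"{name}: {counts[name]} instances, expected exactly one")
    return findings


# Constructed snapshot: PIDs 400, 480 and 2000 are parents that have exited.
SNAPSHOT = [
    Proc(4, 0, "System", "", "NT AUTHORITY\\SYSTEM"),
    Proc(320, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(420, 400, "csrss.exe", "C:\\Windows\\System32\\csrss.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(500, 400, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(560, 480, "winlogon.exe", "C:\\Windows\\System32\\winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(600, 500, "services.exe", "C:\\Windows\\System32\\services.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(612, 500, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(700, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    Proc(880, 560, "dwm.exe", "C:\\Windows\\System32\\dwm.exe", "Window Manager\\DWM-1"),
    Proc(2100, 2000, "explorer.exe", "C:\\Windows\\explorer.exe", "DESKTOP-1\\alice"),
    # Anomaly: an svchost.exe started by explorer.exe from the user's temp folder
    Proc(4444, 2100, "svchost.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "DESKTOP-1\\alice"),
]

if __name__ == "__main__":
    for line in check_snapshot(SNAPSHOT):
        print(line)
```

Two caveats when running this against a real listing: Windows reuses PIDs, so a stale parent PID can point at an unrelated newer process (Process Explorer compares start times to avoid this; this example does not), and on Windows 10 and later per-user services legitimately run svchost.exe under the logged-on user's account, so the service-account rule is a prompt to look closer rather than a verdict.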
Indicators of Suspicious Processes

Unrecognized Process Names:
    Any process name you do not recognize or that looks unusual.

Similar Names to Legitimate Processes:
    Names that resemble legitimate processes (e.g., "scvhost" instead of "svchost").

Lack of Identifying Information:
    Processes without an icon, version information, description, or company name.

Unsigned Processes:
    Processes that are unsigned, especially ones claiming to come from well-known companies such as Microsoft.

Mismatched Digital Signatures:
    Processes whose digital signature does not match the publisher the file claims to be from.

Incorrect Parent/Child Relationships:
    Processes that do not have a proper parent/child relationship with a principal Windows process.

Hosted by Unusual Windows Utilities:
    Processes whose parent is a Windows utility such as Explorer, Notepad, or Task Manager without a valid reason.

Packed Processes:
    Processes that are packed (compressed), highlighted in purple in Process Explorer.
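The name, metadata and signature indicators above can also be scored from a listing. The following Python is an added example, not code from the original post: it flags lookalike names with an edit-distance comparison against the core process names, then checks for missing identity data and for a verified signer that is absent or does not match the claimed company. The Record fields and the sample rows are assumptions modelled on Process Explorer's Company Name, Description and Verified Signer columns, not a real export.

```python
"""Flag process records with lookalike names or missing identity data.

Added example, not from the original post. Records are constructed by hand;
the Record layout is an assumption modelled on Process Explorer's columns.
"""
from dataclasses import dataclass

KNOWN_NAMES = ["smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "dwm.exe", "explorer.exe", "userinit.exe"]


@dataclass(frozen=True)
class Record:
    pid: int
    name: str         # image name
    company: str      # "Company Name" column, "" if absent
    description: str  # "Description" column, "" if absent
    signer: str       # "Verified Signer" column, "" if unsigned or not verified


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and swap of
    two adjacent characters each cost 1, so "scvhost" vs "svchost" is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name):
    """Return the known name this one imitates, or None if it is exact or unrelated."""
    name = name.lower()
    if name in KNOWN_NAMES:
        return None
    for known in KNOWN_NAMES:
        if edit_distance(name, known) <= 1:   # one typo, swap or extra character away
            return known
    return None


def assess(records):
    """Map pid -> list of reasons for every record that trips an indicator."""
    findings = {}
    for r in records:
        reasons = []
        target = lookalike(r.name)
        if target:
            reasons.append(f"name resembles {target}")
        if not r.company or not r.description:
            reasons.append("missing company name or description")
        company = r.company.lower()
        if "microsoft" in company and not r.signer:
            reasons.append("claims Microsoft but has no verified signature")
        elif r.company and r.signer:
            # Heuristic: the company's first word should appear in the signer name
            vendor = company.split()[0]
            if vendor not in r.signer.lower():
                reasons.append(f"signer '{r.signer}' does not match company '{r.company}'")
        if reasons:
            findings[r.pid] = reasons
    return findings


# Constructed records: PIDs, company names and signers are made up for illustration.
RECORDS = [
    Record(700, "svchost.exe", "Microsoft Corporation", "Host Process for Windows Services",
           "(Verified) Microsoft Windows"),
    Record(4444, "scvhost.exe", "", "", ""),
    Record(5120, "updater.exe", "Microsoft Corporation", "Windows Update Helper", ""),
    Record(5300, "helper.exe", "Contoso Ltd", "Contoso Helper", "(Verified) Fabrikam Inc"),
    Record(6000, "notepad.exe", "Microsoft Corporation", "Notepad", "(Verified) Microsoft Windows"),
]

if __name__ == "__main__":
    for pid, reasons in assess(RECORDS).items():
        print(pid, "; ".join(reasons))
```

The distance threshold of 1 catches the transposition, single substitution and single inserted character tricks; raising it to 2 catches more variants but starts matching unrelated short names, so tune it against your own environment's baseline rather than the core list alone.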
By keeping these points in mind, you can better distinguish between legitimate and potentially malicious processes on a Windows system.
Akash Patel