WININIT.EXE - Windows Initialization Process

- Performs user-mode initialization tasks.
- Created by smss.exe, but since smss.exe exits there is no parent to WININIT.
- Parent to services.exe (SCM), lsass.exe and lsm.exe.

SERVICES.EXE - Service Control Manager (SCM)

- Loads a database of services into memory. Services are defined in SYSTEM\CurrentControlSet\Services.
- Parent to services such as svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.
- There should only be one services.exe process running.

SVCHOST.EXE - Service Host

- Multiple instances of svchost.exe can/do exist/run.
- Should always have a parent of services.exe.
- Username: should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE.
- -k values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key.
- They should all be running within session 0.
- Often mimicked (scvhost, svch0st, etc.). When they are mimicked they will not be running as children of services.exe.
- Often, when malware uses the actual svchost.exe to load a malicious service, it will not include the -k command line parameter and will be running under a username that does not match one of the three listed in bullet 3.

LSASS.EXE - Local Security Authority Subsystem

- Responsible for local security policy, including managing users allowed to log in, password policies, writing to the security event log, etc.
- Often targeted by malware as a means to dump passwords.
- Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). These "fake" names will not be children of wininit.exe.

LSM.EXE - Local Session Manager

- Manages the state of terminal server sessions on the local machine.
- Receives logon/logoff, shell start and termination, connect/disconnect from a session, and lock/unlock desktop.
- Sends the requests to smss.exe to start new sessions.

CSRSS.EXE - Client/Server Runtime Subsystem

- Creates/deletes processes and threads, temp files, etc.
- In XP it is used to draw text-based console windows. Under Windows 7, the conhost process now provides that functionality.
- Its name is often used by malware to hide on systems (CSSRS.EXE, CSRSSS.EXE, etc.).

WINLOGON.EXE - Windows Logon Process

- Handles interactive user logons/logoffs when the SAS keystroke combination is entered (Ctrl+Alt+Delete).
- Loads Userinit within Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Once the password is entered, the verification is sent over to LSASS and verified via Active Directory or the SAM (the SAM registry hive), which stores local user and group information.
- LogonUI will terminate once the user enters their password. Winlogon could have a child process of LogonUI if a smart card, etc., is in use.

[Figure: Process Monitor, Windows XP verification]

USERINIT.EXE - User Initialization

- Userinit initializes the user environment. Will run the Shell value located at Software\Microsoft\Windows NT\CurrentVersion\Winlogon within the registry. This includes running GPOs and logon scripts.
- Userinit.exe exits once it runs, so you won't see this process running when you look.
- Malware will sometimes add additional values to this key, which will load malware upon successful logons. The Userinit value in the registry should be: Userinit.exe, (note the comma).

Sessions 0 and 1 are for a single user logged onto the system.
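The following PowerShell script is an added example (not code from the original post) that turns the "known normal" checks above into an audit of the local host: Winlogon Userinit/Shell values, svchost parent, account, session and -k group, the services.exe singleton, and look-alike names. It assumes an elevated Windows PowerShell 5+ session; the look-alike test (Normalize / same-letters) is this script's own heuristic, not a Windows rule.

```powershell
# Audit the "known normal" checks described above on the local host. Assumes an elevated Windows
# PowerShell 5+ session. The look-alike test (Normalize / same-letters) is this script's own heuristic.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$findings = [System.Collections.Generic.List[string]]::new()
$serviceAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
function Get-OwnerName($p) {
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($o.User) { "$($o.Domain)\$($o.User)" } else { '<none>' }
}
# Collapse the tricks seen in mimicked names (0 for o, 1 for l, doubled letters): svch0st, lsasss -> real name.
function Normalize($name) { ($name.ToLower() -replace '0', 'o' -replace '1', 'l') -replace '(.)\1+', '$1' }
# Winlogon: Userinit must be a single entry ending in userinit.exe (the trailing comma leaves an empty
# element); extra values are the persistence trick noted above. Shell defaults to explorer.exe.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries = @(($wl.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries.Count -ne 1 -or $entries[0] -notmatch 'userinit\.exe$') {
    $findings.Add("Winlogon\Userinit is '$($wl.Userinit)' (expected a single userinit.exe entry)")
}
if ($wl.Shell -ne 'explorer.exe') { $findings.Add("Winlogon\Shell is '$($wl.Shell)' (expected explorer.exe)") }
# svchost: parent services.exe, one of the three service accounts, session 0, and a -k group
# that is actually defined under the Svchost key (per-user services on Windows 10+ are a known session exception).
$groups = (Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost').GetValueNames()
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $tag = "svchost PID $($p.ProcessId)"
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') { $findings.Add("${tag}: parent is not services.exe") }
    $owner = Get-OwnerName $p
    if ($serviceAccounts -notcontains $owner) { $findings.Add("${tag}: runs as $owner") }
    if ($p.SessionId -ne 0) { $findings.Add("${tag}: session $($p.SessionId), not 0") }
    if ($p.CommandLine -match '-k\s+(\S+)') {
        if ($groups -notcontains $Matches[1]) { $findings.Add("${tag}: -k group '$($Matches[1])' not in Svchost key") }
    } else { $findings.Add("${tag}: no -k parameter: $($p.CommandLine)") }
}
# Singleton and look-alike checks for the core process names.
if (@($procs | Where-Object { $_.Name -ieq 'services.exe' }).Count -ne 1) { $findings.Add('services.exe count is not 1') }
$core = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'wininit.exe', 'services.exe', 'winlogon.exe'
foreach ($p in $procs) {
    foreach ($c in $core) {
        $sameLetters = (-join ([char[]]$p.Name.ToLower() | Sort-Object)) -eq (-join ([char[]]$c | Sort-Object))
        if ($p.Name -ine $c -and ((Normalize $p.Name) -eq (Normalize $c) -or $sameLetters)) {
            $findings.Add("PID $($p.ProcessId): '$($p.Name)' looks like $c (parent: $($byPid[[int]$p.ParentProcessId].Name))")
        }
    }
}
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No deviations from known-normal found.' }
```

Each finding is only a lead for review, not a verdict: compare the flagged process's image path, signature and parent against the notes above before acting on it.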