
Task 1 Introduction

Task 2 Task Manager

Task 3 System
What PID should System always be?
From our reading, we know the PID for System should always be 4.

Task 4 System > smss.exe
Aside from csrss.exe, what process does smss.exe spawn in Session 1?
From our reading, we can see it also spawns winlogon.exe.

Task 5 csrss.exe
What was the process which had PID 384 and PID 488?
If we look in Process Hacker, we don't actually see these PIDs, because the process that had them, smss.exe, self-terminated.

Task 6 wininit.exe
Which process might you not see running if Credential Guard is not enabled?
We know that lsaiso.exe is not seen if Credential Guard and Key Guard are not enabled.

Task 7 wininit.exe > services.exe
How many instances of services.exe should be running on a Windows system?
There should only be one instance of services.exe running. If there are more, it is an IOC.

Task 8 wininit.exe > services.exe > svchost.exe
What single letter parameter should always be visible in the Command line or Binary path?
From the reading, we know that svchost.exe is called with the -k parameter.

Task 9 lsass.exe
What is the parent process for LSASS?
From our reading, we can see the parent process for LSASS is wininit.exe. We should also note that there should only be one instance of lsass.exe running.

Task 10 winlogon.exe
What is the non-existent parent process for winlogon.exe?
From our previous reading in Task 4, we should remember that smss.exe is the parent process for winlogon.exe.

Task 11 explorer.exe
What is the non-existent process for explorer.exe?
From our reading, we know that Userinit.exe is the parent process; however, it deletes itself once explorer.exe spawns.

Task 12 Conclusion
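The PID, parent, instance-count and command-line answers from the tasks above can be turned into a baseline check over a process listing. The Python below is an added example, not part of the room or of this write-up's original text; the snapshot, the rule names and the `check_baseline` function are constructed for illustration.

```python
from collections import Counter

# Constructed process snapshot (pid, ppid, name, command line); not from a real host.
SNAPSHOT = [
    (4, 0, "System", ""),
    (600, 520, "wininit.exe", "wininit.exe"),
    (700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
    (720, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe -k DcomLaunch -p"),
    (680, 592, "winlogon.exe", "winlogon.exe"),  # parent smss.exe (592) has exited
    (3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe"),  # parent userinit.exe gone
    (4100, 3000, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # constructed anomaly
    (4200, 3000, "lsass.exe", r"C:\Users\Public\lsass.exe"),  # constructed anomaly
]

# Rules taken from the task answers above.
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "svchost.exe": "services.exe"}
SINGLE_INSTANCE = ("lsass.exe", "services.exe")
PARENT_GONE = ("winlogon.exe", "explorer.exe")  # parent should no longer be listed

def check_baseline(procs):
    """Return (name, pid, rule) tuples for every deviation from the baseline."""
    findings = []
    names = {pid: name.lower() for pid, _, name, _ in procs}
    counts = Counter(names.values())
    for name in SINGLE_INSTANCE:
        if counts[name] > 1:
            findings.append((name, None, "multiple-instances"))
    for pid, ppid, name, cmd in procs:
        name, parent = name.lower(), names.get(ppid)
        if name == "system" and pid != 4:
            findings.append((name, pid, "system-pid-not-4"))
        if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]:
            findings.append((name, pid, "unexpected-parent"))
        if name in PARENT_GONE and parent is not None:
            findings.append((name, pid, "parent-still-listed"))
        if name == "svchost.exe" and "-k" not in cmd.lower().split():
            findings.append((name, pid, "missing-k-parameter"))
    return findings

if __name__ == "__main__":
    for finding in check_baseline(SNAPSHOT):
        print(finding)
```

A parent PID can be reused by an unrelated process after the original parent exits, so a check on a live system should also compare process start times before trusting a parent match.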
