The Windows Process Journey — smss.exe (Session Manager Subsystem)

Shlomi Boutnaru, Ph.D.
2 min read · Aug 24, 2022


“smss.exe” is the first user-mode process. It is executed from %SystemRoot%\System32\smss.exe and has been part of Windows since Windows NT 3.1 (1993). It starts as part of the OS startup phase and performs different tasks, such as those we are going to detail next (the order in which they are written is not the order of execution).

Performing delayed file renaming/deletion operations based on configuration in the Registry - “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations” (for now it is enough to know that the Registry is the central repository for Windows configuration; more on this in the future).

Creating DOS device mappings based on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices”, such as AUX, CON, PIPE and more (a short explanation can be found here - http://winapi.freetechsecrets.com/win32/WIN32DefineDosDevice.htm).

Loading the subsystems which are configured in the Registry - “HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems”. At minimum we have the kernel part of the Win32 subsystem (aka win32k.sys). On session 0, which is the session in which Windows’ services are executed, smss.exe starts “csrss.exe” and “wininit.exe” (I will explain both of them in separate writeups).

Also, on session 1, which is the first user session, smss.exe starts “csrss.exe” and “winlogon.exe”. Of course, there could be multiple sessions if more users are logged on (locally or using RDP).

Moreover, both the page files (used for virtual memory) and the environment variables (“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment”) are created by “smss.exe”. There are also more actions regarding memory management, KnownDlls, power management and more that are going to be discussed in the future. “smss.exe” also takes part in creating a new RDP session; we will detail this process after talking more in depth about sessions, desktops and window stations in a future writeup - so stay tuned.

Anyhow, we should expect only one instance of “smss.exe” running, without any child processes, on session 0 and with PPID 4 (“System Process”, on which we will also have a separate writeup). This “smss.exe” is called the master; it is responsible for creating at minimum 2 instances of itself, for sessions 0 and 1 (in order to do the work we detailed above). The other (non-master) instances of “smss.exe” terminate after finishing the session initialization phase of a new session. In the screenshot below we can see “wininit.exe” from session 0 and “winlogon.exe” from session 1, both of them having a non-existent parent.

You can also check my Twitter account @boutnaru (https://twitter.com/boutnaru) for more stuff on Windows/Linux/etc.

Screenshot: showing processes whose parent process “smss.exe” has terminated.
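As an added example (not code from the original post), the following PowerShell script checks a live host against the expectations described above: a single master smss.exe in session 0 with PPID 4, the expected image path and no children, plus csrss/wininit/winlogon whose launching smss.exe has already exited. It assumes an elevated PowerShell session so that Win32_Process returns full details for every process; the function name Test-SmssBaseline is my own.

```powershell
# Added example, not code from the original post. Assumes an elevated session.
function Test-SmssBaseline {
    $findings = [System.Collections.Generic.List[string]]::new()
    $expected = Join-Path $env:SystemRoot 'System32\smss.exe'
    $all      = @(Get-CimInstance Win32_Process)
    $byPid    = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    # 1. One master smss.exe at steady state: session 0, PPID 4 (System), expected image
    #    path, and no children (the per-session copies it spawns exit after session setup).
    $smss = @($all | Where-Object { $_.Name -eq 'smss.exe' })
    if ($smss.Count -ne 1) {
        $findings.Add("found $($smss.Count) smss.exe instance(s), expected 1 (extra copies are transient during session creation)")
    }
    foreach ($p in $smss) {
        if ($p.ParentProcessId -ne 4)        { $findings.Add("smss.exe PID $($p.ProcessId): PPID $($p.ParentProcessId), expected 4") }
        if ($p.SessionId -ne 0)              { $findings.Add("smss.exe PID $($p.ProcessId): session $($p.SessionId), expected 0") }
        if ($p.ExecutablePath -ne $expected) { $findings.Add("smss.exe PID $($p.ProcessId): image '$($p.ExecutablePath)', expected '$expected'") }
        $kids = @($all | Where-Object { $_.ParentProcessId -eq $p.ProcessId })
        if ($kids.Count -gt 0) { $findings.Add("smss.exe PID $($p.ProcessId) has $($kids.Count) child process(es), expected none") }
    }

    # 2. csrss/wininit/winlogon were started by a session smss.exe that has since exited, so
    #    their parent PID should not map to a live process. A live parent deserves a look,
    #    but PID reuse can produce a benign hit, so compare the parent's CreationDate first.
    $names = @('csrss.exe', 'wininit.exe', 'winlogon.exe')
    foreach ($p in ($all | Where-Object { $_.Name -in $names })) {
        if ($byPid.ContainsKey([int]$p.ParentProcessId)) {
            $parent = $byPid[[int]$p.ParentProcessId]
            $findings.Add("$($p.Name) PID $($p.ProcessId): parent $($parent.Name) (PID $($parent.ProcessId)) is still alive")
        }
        if ($p.Name -eq 'wininit.exe'  -and $p.SessionId -ne 0) { $findings.Add("wininit.exe PID $($p.ProcessId) in session $($p.SessionId), expected 0") }
        if ($p.Name -eq 'winlogon.exe' -and $p.SessionId -lt 1) { $findings.Add("winlogon.exe PID $($p.ProcessId) in session 0, expected an interactive session (1+)") }
    }
    return $findings
}

# Dump the two Session Manager keys named in the post so they can be diffed against a known-good host.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Get-ItemProperty -Path "$sm\DOS Devices" | Select-Object * -ExcludeProperty PS*
Get-ItemProperty -Path "$sm\SubSystems"  | Select-Object * -ExcludeProperty PS*

$result = Test-SmssBaseline
if ($result.Count -eq 0) { 'smss.exe baseline OK' } else { $result }
```

Run it shortly after a new session is created (for example an RDP logon) and you may briefly see a second smss.exe; re-running a few seconds later should return to a single instance.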
