The Windows Process Journey — wininit.exe (Windows Start-Up Application)

Shlomi Boutnaru, Ph.D.
Dec 26, 2022

“wininit.exe” is an executable which is responsible for the initialization steps described below. The executable is located at “%windir%\System32\wininit.exe” (on 64-bit systems there is only a 64-bit version and no 32-bit version, in contrast to other executables such as cmd.exe). It is started by the first “smss.exe” (https://medium.com/@boutnaru/the-windows-process-journey-smss-exe-session-manager-subsystem-bca2cf748d33) in session 0 under LocalSystem (S-1-5-18). Overall, there should be only one running instance of “wininit.exe”.

Historically, “wininit.exe” was used mainly in order to allow uninstallers to process commands stored in the “WinInit.ini” file. By doing so it allowed programs to take action while the system is booting (https://social.technet.microsoft.com/Forums/ie/en-US/df6f5eeb-cbb9-404f-9414-320ea02b4a60/wininitexe-what-is-is-and-why-is-it-constantly-running).

Moreover, “wininit.exe” is responsible for a couple of system initialization steps. Among them are: creating the %windir%\temp folder; initializing the user-mode scheduling infrastructure; creating a window station (Winsta0) and two desktops (Winlogon and Default) for processes to run on in session 0; marking itself critical so that, if it exits prematurely and the system is booted in debugging mode, it will break into the debugger; and waiting forever for system shutdown (https://learn.microsoft.com/en-us/answers/questions/405417/explanation-of-windows-processes-and-dlls.html).

Also, “wininit.exe” launches “services.exe” (SCM, the Service Control Manager), “lsass.exe” (Local Security Authority Subsystem) and “fontdrvhost.exe” (Usermode Font Driver Host), as seen in the screenshot below. If you want more information about service management, I suggest reading https://medium.com/@boutnaru/windows-services-part-1-5d6c2d25b31c and https://medium.com/@boutnaru/windows-services-part-2-7e2bdab5bce4. Regarding the last two (“lsass.exe” and “fontdrvhost.exe”), I am going to write something in the near future.
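The properties above (one instance, the System32 path, session 0, LocalSystem, and being the parent of “services.exe” and “lsass.exe”) can be turned into a baseline check over a process snapshot. The following is an added example, not code from the original writeup; the `Proc` record layout, the `C:\Windows` default for %windir% and the sample data are assumptions made for illustration.

```python
import ntpath
from collections import namedtuple

# Hypothetical snapshot record; map your EDR/Sysmon export to these fields.
Proc = namedtuple("Proc", "pid ppid image session sid")

LOCAL_SYSTEM_SID = "S-1-5-18"
WININIT_CHILDREN = {"services.exe", "lsass.exe"}  # launched by wininit.exe


def name(p):
    return ntpath.basename(p.image).lower()


def check_wininit(procs, windir=r"C:\Windows"):
    """Return findings; an empty list means the snapshot matches the baseline."""
    expected = ntpath.join(windir, "System32", "wininit.exe").lower()
    wininit = [p for p in procs if name(p) == "wininit.exe"]
    findings = []
    if len(wininit) != 1:
        findings.append(f"expected 1 wininit.exe instance, found {len(wininit)}")
    for p in wininit:
        if p.image.lower() != expected:
            findings.append(f"pid {p.pid}: unexpected path {p.image}")
        if p.session != 0:
            findings.append(f"pid {p.pid}: session {p.session}, expected 0")
        if p.sid != LOCAL_SYSTEM_SID:
            findings.append(f"pid {p.pid}: runs as {p.sid}, expected LocalSystem")
    # services.exe and lsass.exe must descend from the genuine wininit.exe.
    genuine = {p.pid for p in wininit if p.image.lower() == expected}
    for p in procs:
        if name(p) in WININIT_CHILDREN and p.ppid not in genuine:
            findings.append(f"pid {p.pid}: {name(p)} parent is not wininit.exe")
    return findings


# Constructed sample data (not taken from a real host).
SYS32 = "C:\\Windows\\System32\\"
CLEAN = [
    Proc(512, 400, SYS32 + "wininit.exe", 0, "S-1-5-18"),
    Proc(640, 512, SYS32 + "services.exe", 0, "S-1-5-18"),
    Proc(656, 512, SYS32 + "lsass.exe", 0, "S-1-5-18"),
]
DEVIATING = CLEAN + [
    Proc(4120, 3988, r"C:\Users\Public\wininit.exe", 1, "S-1-5-21-0-0-0-1001"),
]

if __name__ == "__main__":
    for finding in check_wininit(DEVIATING):
        print(finding)
```

The parent check compares PIDs within a single snapshot, so it should be run on data captured at one point in time to avoid PID reuse skewing the result.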

See you in the next writeup :-). You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru).
