Windows Processes, Part III

L. Dwayne Sudduth
3 min read · Oct 5, 2022


Our third installment covers several processes: svchost.exe, lsass.exe, LsaIso.exe and explorer.exe. While this three-part series isn't comprehensive by any means, it is a good basic primer for anyone troubleshooting Windows problems, or looking for threats and threat actors. Many of these services have been (and may still be) attacked; knowing what their default behavior should be is key to finding and fixing issues, rather than playing 'whack-a-mole' with multiple tools.

Our first process, the Windows Service Host (svchost.exe), is used to host Windows services (to quickly see a list of running services, use the PowerShell Get-Service cmdlet like this: Get-Service | where Status -eq "Running" | Out-GridView). These services are implemented in DLLs, and the DLL for each service is recorded in the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters. For example, the DcomLaunch service (rpcss.dll) is found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters, and the service's binary path (the ImagePath value) is %SystemRoot%\System32\svchost.exe -k DcomLaunch -p. (Note that the -k option will always be present.) At a command prompt, you can list the services hosted by each instance of svchost.exe with the command: tasklist /svc | find "svchost.exe"

Every legitimate svchost.exe instance is launched with the -k parameter. The Windows Service Host itself is often a target for malicious use: a malicious copy is frequently dropped in the wrong directory or given a misspelled name. This site has a list of misspellings for svchost.exe (and for other processes that are often hijacked) that have been discovered during security scans. Any svchost.exe launched without the -k parameter should be treated as suspect, and so should the svchost.exe file it was launched from.
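The checks in the two paragraphs above can be scripted. The following PowerShell is an added example, not code from the original post: for every running svchost.exe it verifies the image path, the presence of -k, that the parent is services.exe (the Service Control Manager), and resolves each hosted service to its ServiceDll value in the registry, flagging DLLs that live outside System32. It assumes PowerShell 5.1 or later on the local machine, run as an administrator so that command lines and image paths are visible; the registry paths and CIM class names are the standard Windows ones.

```powershell
# Added example (not from the original post): baseline checks for svchost.exe.
# Assumes PowerShell 5.1+ run as an administrator on the local machine.

$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Win32_Process exposes the full command line, so the -k flag can be checked.
$svchosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

foreach ($p in $svchosts) {
    $findings = @()

    # 1. Image path: a copy living anywhere other than System32 is suspect.
    if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expectedImage)) {
        $findings += "unexpected image path: $($p.ExecutablePath)"
    }

    # 2. Every legitimate service host is launched with -k <group>.
    if ($p.CommandLine -notmatch '(?i)\s-k\s+\S+') {
        $findings += "launched without -k: $($p.CommandLine)"
    }

    # 3. The parent should be services.exe (the Service Control Manager).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $findings += "unexpected parent: $($parent.Name) (PID $($p.ParentProcessId))"
    }

    # 4. Resolve the services hosted in this PID (the data 'tasklist /svc'
    #    summarises) to their ServiceDll values in the registry. Most services
    #    keep ServiceDll under Parameters; a few store it in the service key itself.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)"
    foreach ($s in $svcs) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
        $dll = (Get-ItemProperty "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) {
            $dll = (Get-ItemProperty $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) {
            $findings += "service $($s.Name) has no ServiceDll value"
        }
        elseif ([Environment]::ExpandEnvironmentVariables($dll) -notlike "$env:SystemRoot\System32\*") {
            $findings += "service $($s.Name) loads a DLL outside System32: $dll"
        }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        CommandLine = $p.CommandLine
        Services    = ($svcs.Name -join ',')
        Findings    = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

Run it as-is and pipe to Format-Table or Out-GridView; anything other than OK in the Findings column is a lead to investigate, not a verdict, since a few third-party services legitimately register DLLs under their own install directory.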

The Local Security Authority Subsystem Service (lsass.exe) is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, creates access tokens, and writes to the Windows Security log. It also creates security tokens for accounts authenticated against the SAM (Security Account Manager), Active Directory (AD), and NETLOGON. The authentication packages used by lsass are specified under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

The complement to lsass.exe is LsaIso.exe (LSA Isolated). LsaIso.exe is the executable associated with Credential Guard and Key Guard. It typically runs in a secure environment called Virtual Secure Mode (VSM) as an Isolated User Mode (IUM) process. You will only see it running if Windows Defender Credential Guard is enabled.

Both of these processes will have wininit.exe as their parent process, and there should be only one instance of each running. They are frequent targets of credential-dumping tools like Mimikatz. For additional reading, this site and this site provide more information.

The final process I am going to cover is Windows Explorer (explorer.exe). Windows Explorer provides file and folder access to system users. The winlogon process runs userinit.exe, which launches the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Userinit.exe exits once explorer.exe has started, so when viewed in a task explorer such as Task Manager or Process Explorer, you should not see a running parent process. The parent folder should be %SystemRoot%\System32, and the user should be SYSTEM. Also, if any outbound TCP/IP connections are noted, this could be an indicator of compromise.
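As an added example (not from the original post), this PowerShell turns the baseline given above for lsass.exe, LsaIso.exe and explorer.exe into a check: instance count, expected parent, image location, and, for explorer.exe, any established outbound TCP connections. It assumes PowerShell 5.1 or later run as an administrator, and Get-NetTCPConnection from the NetTCPIP module (Windows 8 / Server 2012 and later). The PID-reuse guard compares creation times, because the PID that userinit.exe held may already belong to a new, unrelated process by the time you look.

```powershell
# Added example (not from the original post): baseline check for the LSA pair
# and the shell. Assumes PowerShell 5.1+ run as an administrator.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Process name -> expected parent name ($null = the parent is expected to have exited)
$baseline = @{
    'lsass.exe'    = 'wininit.exe'
    'LsaIso.exe'   = 'wininit.exe'   # only present when Credential Guard is enabled
    'explorer.exe' = $null           # userinit.exe exits after launching the shell
}

$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

foreach ($name in $baseline.Keys) {
    $instances = @($all | Where-Object { $_.Name -ieq $name })

    if ($instances.Count -eq 0) {
        [pscustomobject]@{ Process = $name; PID = $null; Findings = 'not running' }
        continue
    }
    # lsass.exe and LsaIso.exe must be singletons; explorer.exe legitimately has
    # one instance per interactive session, so only the LSA pair is counted.
    $singleton = $name -ne 'explorer.exe'

    foreach ($p in $instances) {
        $findings = @()
        if ($singleton -and $instances.Count -gt 1) {
            $findings += "$($instances.Count) instances running"
        }

        if ($p.ExecutablePath -and ((Split-Path $p.ExecutablePath -Parent) -ine $sys32)) {
            $findings += "image outside System32: $($p.ExecutablePath)"
        }

        # Resolve the parent, discarding it if its PID was reused after the child started.
        $parent = $byPid[$p.ParentProcessId]
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

        $expected = $baseline[$name]
        if ($expected) {
            if (-not $parent -or $parent.Name -ine $expected) {
                $findings += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), expected $expected"
            }
        }
        elseif ($parent) {
            # A live parent for explorer.exe means something other than userinit launched it.
            $findings += "unexpected live parent: $($parent.Name) (PID $($parent.ProcessId))"
        }

        # Established connections to non-loopback addresses from the shell deserve a look.
        if ($name -eq 'explorer.exe') {
            $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
                     Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }
            foreach ($c in $conns) { $findings += "outbound $($c.RemoteAddress):$($c.RemotePort)" }
        }

        [pscustomobject]@{
            Process  = $name
            PID      = $p.ProcessId
            Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}
```

The explorer.exe connection check reports rather than judges: a shell that has just opened a network share or a web-enabled folder view will show connections too, so compare against what the user was doing before treating a hit as an indicator.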

Windows Sysinternals is a great resource to learn more, and there are a myriad of resources on the web.
