Knowing the “Normal” & unmasking svchost.exe

Praj Shete
7 min read · Nov 4, 2024


In Windows, several core processes run to keep the system functional, secure, and responsive. Knowing these key processes and their normal behavior is foundational for effective incident response. By familiarizing yourself with these processes, you’ll be better equipped to recognize signs of compromise on a Windows host.

Let’s dive into some of the most common Windows processes and understand their typical roles, structures, and interactions.

TLDR

SYSTEM (PID 4) - owns the threads that run only in kernel mode | path: %SystemRoot%\System32\ntoskrnl.exe (the image Task Manager / Process Hacker attribute it to)
  - smss.exe (master) - creates the environment variables and the security descriptors used by system objects, loads the rest of the registry, then starts one child smss.exe per session | path: %SystemRoot%\System32\smss.exe
    - smss.exe (child, Session 0 (OS)) - starts csrss.exe and wininit.exe, then exits
      - wininit.exe - Windows initialization process; launches services.exe and lsass.exe | path: %SystemRoot%\System32\wininit.exe
        - services.exe - Service Control Manager; starts, stops and tracks the services defined on the system | path: %SystemRoot%\System32\services.exe
          - spoolsv.exe - Print Spooler service | path: %SystemRoot%\System32\spoolsv.exe
          - svchost.exe - hosts services implemented as DLLs | path: %SystemRoot%\System32\svchost.exe
        - lsass.exe - Local Security Authority; handles authentication on the machine | path: %SystemRoot%\System32\lsass.exe
    - smss.exe (child, Session 1 (User)) - starts csrss.exe and winlogon.exe, then exits
      - winlogon.exe - handles user logon/logoff and user initialization | path: %SystemRoot%\System32\winlogon.exe
        - LogonUI.exe - launched by winlogon.exe to show the logon screen and load the credential providers (username/password, Windows Hello) | path: %SystemRoot%\System32\LogonUI.exe
        - userinit.exe - runs logon scripts, re-establishes network connections and starts the shell, then exits | path: %SystemRoot%\System32\userinit.exe
          - explorer.exe - the user's shell | path: %SystemRoot%\explorer.exe

Why Knowing Normal Behavior Matters

When investigating a security incident on a Windows machine, the first step is separating unusual behavior from the noise. Attackers often disguise malicious processes by giving them the names of legitimate system processes, and a name is easy to copy. What they rarely get right is everything else: path, parent, session, account and behavior. Knowing the normal activity and characteristics of Windows processes lets responders spot anomalies such as:

  1. Unusual Resource Usage: a core process using far more CPU or memory than its role explains, or a usage pattern that does not match what it hosts.
  2. Unexpected Network Activity: most of the core processes below (smss.exe, wininit.exe, services.exe, winlogon.exe, userinit.exe, LogonUI.exe) have no reason to make outbound connections at all, so any traffic from them is a red flag. lsass.exe (to domain controllers) and svchost.exe (Windows Update, DNS Client and other network services) do talk on the network, so for those the question is whether the destinations fit the services they host.
  3. Unusual Process Paths or Parent-Child Relationships: malicious processes often execute from non-standard locations (user-writable directories such as AppData, Temp or Public) or appear in process trees that Windows never produces (a svchost.exe started by explorer.exe, a cmd.exe started by lsass.exe).

Establishing a baseline for what is "normal" lets you spot these deviations quickly and accurately during an investigation.

Core Windows Processes and Their Functions

1. SYSTEM (PID 4)

  • Role: SYSTEM (PID 4) is the kernel's own process. It owns the system threads that run only in kernel mode (memory manager, cache manager and driver worker threads, for example) and has no user-mode image of its own; Task Manager and Process Explorer attribute it to ntoskrnl.exe.
  • Path: %SystemRoot%\System32\ntoskrnl.exe (the kernel image the tools display; there is no "System.exe" on disk)
  • Normal Behavior: exactly one instance, always PID 4, parent PID 0 (System Idle Process), running as SYSTEM from boot to shutdown. It cannot be terminated from user mode. A process named "System" with a different PID, a real on-disk path, or a parent other than PID 0 is not the kernel. Sustained high CPU attributed to SYSTEM usually points at a driver, which is also where a kernel-level rootkit would live.

2. SMSS.exe (Session Manager Subsystem)

  • Role: smss.exe, the Session Manager, is the first user-mode process. The master instance creates the environment variables and the security descriptors used by system objects, loads the remaining registry hives, and then launches one child smss.exe per session.
  • Path: %SystemRoot%\System32\smss.exe
  • Normal Behavior: the master smss.exe (parent: System, PID 4; Session 0; runs as SYSTEM) stays alive for the life of the system. Each child it spawns starts the session's csrss.exe and the session's logon process and then exits, which is why wininit.exe and winlogon.exe normally show no parent in Process Explorer:
  • Session 0 (OS): the child starts csrss.exe and wininit.exe, which carries on with system initialization.
  • Session 1 (User): the child starts csrss.exe and winlogon.exe, which handles the interactive logon.
  • Key Child Processes:
  • wininit.exe (system initialization)
  • winlogon.exe (user login management)

3. wininit.exe (Windows Initialization)

  • Role: wininit.exe is the Windows initialization process for Session 0. It launches services.exe (the Service Control Manager) and lsass.exe (the Local Security Authority), so every service process and the authentication subsystem hang off it.
  • Path: %SystemRoot%\System32\wininit.exe
  • Normal Behavior: exactly one instance, Session 0, running as SYSTEM, with no live parent (the smss.exe child that started it has already exited). It stays resident until shutdown and must not terminate after initialization. A second wininit.exe, one in a user session, or one with a live parent process is a red flag.

4. services.exe (Service Control Manager)

  • Role: services.exe is the Service Control Manager (SCM). It starts, stops and tracks every service registered under HKLM\SYSTEM\CurrentControlSet\Services, whether the service runs in its own executable or as a DLL inside svchost.exe.
  • Path: %SystemRoot%\System32\services.exe
  • Normal Behavior: exactly one instance, Session 0, running as SYSTEM, with wininit.exe as its parent. Because the SCM launches every service, a newly installed service used for persistence or lateral movement (one created with sc create, or the service a PsExec-style tool drops) appears as a direct child of services.exe, so review unexpected children and any service whose image lives outside System32. Any alteration or abrupt termination of services.exe itself should be examined closely.
  • Child Processes Managed by services.exe:
  • spoolsv.exe: the Print Spooler service.
  • svchost.exe: hosts services implemented as DLLs.

5. svchost.exe (Service Host)

  • Role: svchost.exe is a shared service host. It loads services implemented as DLLs (named by the ServiceDll value under each service's registry key) so that related services can share one process instead of each needing its own executable.
  • Path: %SystemRoot%\System32\svchost.exe
  • Normal Behavior: many instances run on a typical system, each started by services.exe with a command line of the form svchost.exe -k <group>, running as SYSTEM, LOCAL SERVICE or NETWORK SERVICE (per-user services run as the logged-on user). Since Windows 10 version 1703, machines with more than 3.5 GB of RAM run most services in their own svchost.exe, so several dozen instances are normal.
  • Investigative Tip: check three things on every svchost.exe: the image path (must be System32), the parent (must be services.exe) and the command line (must contain -k). Malware mimicking svchost.exe typically fails at least one of them.

6. lsass.exe (Local Security Authority Subsystem Service)

  • Role: lsass.exe, the Local Security Authority Subsystem, enforces local security policy, authenticates logons (local accounts, NTLM, Kerberos), issues access tokens and holds the credential material cached for logged-on users. On a domain controller it also hosts Active Directory itself; on a member machine it talks to domain controllers to validate domain logons.
  • Path: %SystemRoot%\System32\lsass.exe
  • Normal Behavior: exactly one instance, Session 0, running as SYSTEM, with wininit.exe as its parent. Kerberos/LDAP traffic to domain controllers is normal; a second lsass.exe, one spawning child processes, or one with a different parent is not. Because its memory holds credentials, any process opening lsass.exe for read access (Sysmon Event ID 10 with TargetImage lsass.exe, or a dump file named after it) is a strong indicator of credential theft. LSA Protection (RunAsPPL) and Credential Guard limit what such access can recover and belong in the baseline.

7. winlogon.exe

  • Role: winlogon.exe owns the interactive logon session: it handles the secure attention sequence (Ctrl+Alt+Del), logon and logoff, screen lock, and the start of the user's environment.
  • Path: %SystemRoot%\System32\winlogon.exe
  • Normal Behavior: one instance per interactive session (Session 1 and up, never Session 0), running as SYSTEM, with no live parent because the smss.exe child that started it has exited. Its normal children are LogonUI.exe, userinit.exe and dwm.exe. Malware mimicking winlogon.exe usually gets the path, the session or the account wrong, so verify all three, and also check the Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which winlogon consults and which are classic persistence points.

8. LogonUI.exe

  • Role: Launched by winlogon.exe when a logon or lock screen is needed, LogonUI.exe draws the logon interface and loads the credential providers (password, PIN, Windows Hello) that collect the user's credentials.
  • Path: %SystemRoot%\System32\LogonUI.exe
  • Normal Behavior: runs as SYSTEM with winlogon.exe as its parent, and only while a logon or lock screen is displayed; it exits once the user is signed in. A LogonUI.exe that stays resident while a user is working, runs from another path, or has a different parent deserves a look.

9. userinit.exe

  • Role: userinit.exe builds the user's environment after a successful logon: it runs logon scripts, re-establishes network connections and starts the shell (explorer.exe by default).
  • Path: %SystemRoot%\System32\userinit.exe
  • Normal Behavior: runs briefly as the logging-on user with winlogon.exe as its parent, then exits after starting the shell, which is why explorer.exe normally shows no parent. The program winlogon runs here comes from the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (default "C:\Windows\system32\userinit.exe,"); an extra executable appended to that value is a well-known persistence technique. A userinit.exe that persists, or keeps reappearing without new logons, should be investigated.

10. explorer.exe

  • Role: The graphical shell. explorer.exe provides the desktop, taskbar and Start menu and the interface for browsing the file system and launching programs.
  • Path: %SystemRoot%\explorer.exe (not System32: an explorer.exe under System32, SysWOW64, AppData or a temp directory is not the shell)
  • Normal Behavior: runs as the logged-on user in that user's session, typically one instance per interactive user (more if "Launch folder windows in a separate process" is enabled), with no live parent because userinit.exe has exited. It should be running whenever a user is logged on. Malware likes this name because users expect to see it; an explorer.exe running as SYSTEM, in Session 0, or from the wrong path is hiding in plain sight.
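Turning the baseline above into something you can run on a host: the following PowerShell is an added example, not part of the original article, that compares every live instance of the core processes with its expected image path, parent, session and account. The $expected table is an assumption assembled from the list above plus standard Windows defaults, and the PID-reuse guard on the parent check exists because a parent that has exited can have its PID handed to an unrelated process. Run it from an elevated prompt.

```powershell
# Added example, not from the original article. Compares the core processes
# described above with their expected path, parent, session and account.
# The $expected table is an assumption (article list + Windows defaults);
# tune it to your own baseline. Run from an elevated PowerShell prompt.

$sys = $env:SystemRoot

# Parent = $null: the real parent is expected to have exited already (smss.exe
# session children and userinit.exe exit after spawning their child), so a
# live parent that started earlier is itself a finding.
# Session 0 = service session; 'user' = interactive session (1 and up).
# Users = $null: skip the account check (runs as whichever user logged on).
$expected = @{
    'System'       = @{ Path = $null;                        Parent = @('System Idle Process'); Session = 0;      Users = $null }
    'smss.exe'     = @{ Path = "$sys\System32\smss.exe";     Parent = @('System', 'smss.exe');   Session = $null;  Users = @('NT AUTHORITY\SYSTEM') }
    'wininit.exe'  = @{ Path = "$sys\System32\wininit.exe";  Parent = $null;                     Session = 0;      Users = @('NT AUTHORITY\SYSTEM') }
    'services.exe' = @{ Path = "$sys\System32\services.exe"; Parent = @('wininit.exe');          Session = 0;      Users = @('NT AUTHORITY\SYSTEM') }
    'lsass.exe'    = @{ Path = "$sys\System32\lsass.exe";    Parent = @('wininit.exe');          Session = 0;      Users = @('NT AUTHORITY\SYSTEM') }
    'spoolsv.exe'  = @{ Path = "$sys\System32\spoolsv.exe";  Parent = @('services.exe');         Session = 0;      Users = @('NT AUTHORITY\SYSTEM') }
    'svchost.exe'  = @{ Path = "$sys\System32\svchost.exe";  Parent = @('services.exe');         Session = $null;  Users = $null }
    'winlogon.exe' = @{ Path = "$sys\System32\winlogon.exe"; Parent = $null;                     Session = 'user'; Users = @('NT AUTHORITY\SYSTEM') }
    'LogonUI.exe'  = @{ Path = "$sys\System32\LogonUI.exe";  Parent = @('winlogon.exe');         Session = 'user'; Users = @('NT AUTHORITY\SYSTEM') }
    'userinit.exe' = @{ Path = "$sys\System32\userinit.exe"; Parent = @('winlogon.exe');         Session = 'user'; Users = $null }
    'explorer.exe' = @{ Path = "$sys\explorer.exe";          Parent = $null;                     Session = 'user'; Users = $null }
}

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $rule = $expected["$($p.Name)"]          # hashtable keys are case-insensitive
    if (-not $rule) { continue }
    $flags = @()

    # 1. Image path: the property masquerading malware most often gets wrong.
    if ($rule.Path -and $p.ExecutablePath -and ($p.ExecutablePath -ne $rule.Path)) {
        $flags += "path $($p.ExecutablePath)"
    }

    # 2. Parent, with a PID-reuse guard: a 'parent' that started after the
    #    child merely inherited the PID of the real (exited) parent.
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentLive = [bool]($parent -and ($null -eq $parent.CreationDate -or $parent.CreationDate -le $p.CreationDate))
    if ($null -eq $rule.Parent) {
        if ($parentLive) { $flags += "unexpected live parent $($parent.Name) ($($parent.ProcessId))" }
    } elseif (-not $parentLive) {
        $flags += "parent PID $($p.ParentProcessId) is not running"
    } elseif ($rule.Parent -notcontains $parent.Name) {
        $flags += "parent $($parent.Name), expected $($rule.Parent -join '/')"
    }

    # 3. Session: Session 0 is for services; logon processes live in 1 and up.
    $want = "$($rule.Session)"
    if ($want -eq '0' -and $p.SessionId -ne 0) { $flags += "session $($p.SessionId), expected 0" }
    if ($want -eq 'user' -and $p.SessionId -eq 0) { $flags += 'session 0, expected an interactive session' }

    # 4. Account the process runs as. GetOwner is denied for a few kernel-side
    #    processes, so an unreadable owner is reported rather than flagged.
    $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unreadable>' }
    if ($rule.Users -and $owner.User -and ($rule.Users -notcontains $account)) { $flags += "runs as $account" }

    [pscustomobject]@{
        Name    = $p.Name
        PID     = $p.ProcessId
        Session = $p.SessionId
        Account = $account
        Parent  = $(if ($parentLive) { "$($parent.Name) ($($parent.ProcessId))" } else { '-' })
        Flags   = ($flags -join '; ')
    }
}

# Singletons: a second wininit.exe, services.exe or lsass.exe is a classic
# masquerade, and counting them is the cheapest check of all.
foreach ($n in 'wininit.exe', 'services.exe', 'lsass.exe') {
    $count = @($procs | Where-Object { $_.Name -eq $n }).Count
    if ($count -ne 1) { Write-Warning "${n}: $count instances running (expected 1)" }
}

$report | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap
```

Only deviations are printed; drop the Where-Object filter to see the whole tree. Expect some noise on real hosts (a user's explorer.exe restarted by hand will show a live parent, for example), which is exactly the kind of thing a per-environment baseline should absorb.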

Unmasking svchost.exe: Understanding Its Role and Command-Line Flags

svchost.exe—a critical component in Windows—is frequently misunderstood. Many see it as a "mysterious" process, and it's often mistaken as malicious. Why? Mostly due to two reasons: malware frequently tries to disguise itself, and the traditional Task Manager lacks the detailed insights needed to understand what this process is doing.

Let’s look at what svchost.exe does, how it relates to Windows services, and what the command-line flags -k and -s mean.

Why Does svchost.exe Have a Reputation?

The design of Task Manager in earlier Windows versions contributed to confusion around svchost.exe. For years, Task Manager grouped system processes without offering details on their purpose, which made svchost.exe look like a cryptic process handling an unknown number of system tasks. Malware developers exploited this by naming their malicious software svchost.exe, effectively hiding among legitimate processes.

Today’s Windows versions, including Windows 10 and 11, provide improved transparency, allowing users to examine the services running under each svchost.exe instance. But before we get into how to understand these services, let’s look at the key processes that manage Windows services.

Behind the Scenes: The Role of services.exe (Service Control Manager)

The Service Control Manager, managed by services.exe, is the primary process responsible for handling services on Windows. This system process, located in System32, coordinates the startup, management, and termination of all Windows services. It keeps a comprehensive record of each installed service, which is stored in a registry database located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

At startup, services.exe starts every service whose start type is Automatic. A service built as a standalone executable gets its own process; a service built as a DLL is started by launching svchost.exe with the -k <group> command line recorded in the service's ImagePath, which is why several instances of svchost.exe appear, each handling one group of services (or, on current Windows builds, a single service).

svchost.exe: The Service Host Process

svchost.exe (Service Host) serves as a container for services loaded from DLLs rather than standalone executables. This design choice helps Windows efficiently manage memory and reduce resource consumption by grouping related services into a single svchost.exe process.

You’ll notice that each svchost.exe instance can host multiple services, which helps optimize performance. To identify which services are bundled into a specific svchost.exe instance, use tools like Task Manager or Process Explorer. While Task Manager in Windows 10 and 11 provides some clarity, third-party tools like Process Explorer offer deeper insights.

Command-Line Flags: Unpacking -k and -s

Now, let’s dig into the command-line options commonly seen with svchost.exe.

The -k Flag

The -k flag tells svchost.exe which service group to host. The group definitions live under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key is named after a group, and its data (a REG_MULTI_SZ list) names the services that belong to it. When svchost.exe -k netsvcs runs, the process reads the "netsvcs" value and hosts the services listed there.

Each listed service has its own key under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]

Two values there matter for triage: ImagePath, which for a hosted service reads %SystemRoot%\System32\svchost.exe -k <group>, and ServiceDll (normally under the Parameters subkey), which is the DLL svchost.exe actually loads. A familiar group name on the command line proves nothing by itself; the ServiceDll is where a malicious service hides, so check that it points at a path and a signer you expect (for Windows' own services, System32 and Microsoft).

The -s Flag

The -s flag narrows the group to a single service. When svchost.exe is launched with -k <group> -s <service>, it hosts only that one service rather than the whole group. For example:

svchost.exe -k UnistackSvcGroup -s CDPUserSvc

starts only CDPUserSvc from the UnistackSvcGroup. Far from being rare, this form is what most svchost.exe command lines look like on Windows 10 version 1703 and later on machines with more than 3.5 GB of RAM, because Windows runs services in separate processes there. It is also the form used for per-user services, whose instance names carry a per-logon suffix (CDPUserSvc_<hex>) and which run as the logged-on user rather than a service account.
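Resolving a group the way svchost.exe does, and then checking what each member actually loads, as an added PowerShell example that is not from the original article. Get-SvchostGroupServices is a name chosen here; the registry paths are the two quoted above. The signature check uses Get-AuthenticodeSignature, which on current Windows also honours catalog signatures, so a Status other than Valid for a file under System32 is a lead to follow rather than a verdict.

```powershell
# Added example, not from the original article. Resolves a svchost.exe service
# group from the registry exactly as the -k flag does, then reports each
# member's ImagePath and ServiceDll and the DLL's Authenticode signature.
# Get-SvchostGroupServices is a name chosen for this example.

function Get-SvchostGroupServices {
    param([Parameter(Mandatory)][string]$Group)

    # Each value under this key is a group; its REG_MULTI_SZ data lists the member services.
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = (Get-ItemProperty -Path $groupKey -Name $Group -ErrorAction Stop).$Group

    foreach ($svc in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $svcKey)) { continue }     # in the group list but not installed here

        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath

        # The code that actually runs is the ServiceDll, normally under Parameters;
        # a few services keep the value on the service key itself.
        $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ServiceDll }

        $status = 'n/a'; $signer = 'n/a'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)   # in case %SystemRoot% was stored unexpanded
            if (Test-Path -LiteralPath $dll) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = "$($sig.Status)"
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            } else {
                $status = 'MISSING'                 # registered DLL is not on disk
            }
        }

        [pscustomobject]@{
            Service    = $svc
            ImagePath  = $imagePath
            ServiceDll = $dll
            Signature  = $status
            Signer     = $signer
        }
    }
}

# Anything in the group that is not a Microsoft-signed DLL under System32, or whose
# ImagePath does not launch svchost.exe with this very group, deserves a closer look.
$group = 'netsvcs'   # sample group; pass whichever -k value you are investigating
Get-SvchostGroupServices -Group $group |
    Where-Object {
        $_.Signature -ne 'Valid' -or
        $_.Signer -notlike '*Microsoft*' -or
        $_.ServiceDll -notlike "$env:SystemRoot\System32\*" -or
        $_.ImagePath -notlike "*svchost.exe -k $group*"
    } |
    Format-Table -AutoSize -Wrap
```

Remove the Where-Object filter to see the whole group. A service whose ImagePath names a different group than the one its registry entry belongs to is not necessarily malicious (Windows moves services between groups across builds), but a ServiceDll outside System32 or without a valid signature is worth pulling for analysis.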

Identifying Services Within svchost.exe Instances

To view which services a particular svchost.exe instance is hosting, you have a few options:

  1. Task Manager (Windows 10/11): on the Details tab, right-click an svchost.exe instance and select "Go to service(s)"; the Services tab opens with the hosted services highlighted. The Processes tab also expands each "Service Host:" entry to show its services.
  2. Command Prompt: tasklist /svc lists every process with the services it hosts; add /fi "imagename eq svchost.exe" to restrict the output to svchost instances.
  3. Process Explorer (Sysinternals): the properties of an svchost.exe instance show its services, command line, parent, user and image signature in one place.

Security Considerations

svchost.exe is a favourite disguise for malware because dozens of legitimate instances are always present and older Task Manager versions showed nothing that told them apart. A fake svchost.exe blends in by name alone, so triage it on the properties the name does not control. Treat any of the following as abnormal:
- unusual resource usage, such as sustained high memory or CPU that the hosted services do not explain
- unexpected network traffic for the services hosted (an instance hosting no network-facing service should not be talking to the internet)
- a parent other than services.exe (an instance started by explorer.exe, cmd.exe or an Office application was not started by the Service Control Manager)
- an image path outside %SystemRoot%\System32
- a command line without -k, or with a group name that does not exist under the Svchost registry key
- an account other than SYSTEM, LOCAL SERVICE or NETWORK SERVICE (per-user services, which run as the logged-on user, are the exception)
- a loaded DLL that is not the registered ServiceDll of a hosted service, or a ServiceDll outside System32 or with an invalid or non-Microsoft signature
- child processes such as cmd.exe or powershell.exe (the Task Scheduler service is a legitimate exception, since it launches whatever the scheduled tasks run)
- if none of the above applies yet something still looks wrong, check for code injected into an otherwise genuine svchost.exe or into services.exe; injection leaves path, parent and command line intact and shows up in process memory (executable regions not backed by a file on disk, threads starting outside any loaded module), not in the process list
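The live-process side of this checklist, together with the PID-to-service mapping from the previous section, as one added PowerShell example that is not from the original article. The allowed service accounts, the per-user service naming rule (Name_<hex suffix>) and the list of shells to look for are assumptions matching Windows defaults. The script does not look inside process memory, so injection into a genuine svchost.exe will not show up here; that needs a memory-oriented tool.

```powershell
# Added example, not from the original article. Triage every running
# svchost.exe: parent, path, -k flag, account, hosted services and shell
# children. Allowed accounts, the per-user naming rule and the shell list are
# assumptions matching Windows defaults. Run from an elevated prompt.

$serviceAccounts = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
$shells          = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
$expectedPath    = "$env:SystemRoot\System32\svchost.exe"

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# PID -> services the SCM says are running in it (what tasklist /svc shows).
$svcByPid = @{}
foreach ($s in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
    $k = [int]$s.ProcessId
    if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
    $svcByPid[$k] += $s.Name
}

$report = foreach ($p in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $flags = @()
    $cmd = "$($p.CommandLine)"

    # Path: the genuine binary lives in System32 and nowhere else.
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) { $flags += "path $($p.ExecutablePath)" }

    # Parent: only the Service Control Manager starts svchost.exe. A parent that
    # started after the child is a reused PID, not a real parent.
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ne 'services.exe' -or $parent.CreationDate -gt $p.CreationDate) {
        $flags += "parent $(if ($parent) { $parent.Name } else { 'not running' }) ($($p.ParentProcessId))"
    }

    # Command line: a real instance always carries -k <group>.
    if ($cmd -notmatch '(^|\s)-k\s+\S+') { $flags += 'no -k group' }

    # Hosted services: none at all is odd (unless the instance is just exiting).
    $hosted = if ($svcByPid.ContainsKey([int]$p.ProcessId)) { @($svcByPid[[int]$p.ProcessId]) } else { @() }
    if ($hosted.Count -eq 0) { $flags += 'hosts no registered service' }

    # Account: service accounts only, except per-user services (-s Name_<hex>),
    # which legitimately run as the logged-on user.
    $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = "$($owner.Domain)\$($owner.User)"
    $perUser = $cmd -match '(^|\s)-s\s+\S+_[0-9a-f]+(\s|$)'
    if (($serviceAccounts -notcontains $account) -and -not $perUser) { $flags += "runs as $account" }

    # Shell children: rare for svchost. The Task Scheduler instance is the usual
    # legitimate exception, since it launches whatever the scheduled tasks run.
    $kids = @($procs | Where-Object { ($_.ParentProcessId -eq $p.ProcessId) -and ($_.Name -in $shells) })
    if ($kids.Count -gt 0) { $flags += "spawned $(($kids | ForEach-Object { $_.Name }) -join ',')" }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Account  = $account
        Services = ($hosted -join ',')
        Flags    = ($flags -join '; ')
        Command  = $cmd
    }
}

# Flagged instances first, then the full PID-to-service map for reference.
$report | Where-Object { $_.Flags } | Format-Table PID, Account, Flags, Command -AutoSize -Wrap
$report | Sort-Object PID | Format-Table PID, Account, Services -AutoSize -Wrap
```

Each flag is a reason to look closer, not a conviction: a svchost.exe with no registered service is usually one that is shutting down, and the Schedule service's instance spawns shells all day. The combination that matters is a wrong path or parent together with a missing -k or an unexpected account; that instance was not started by the Service Control Manager, whatever it is called.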


Praj Shete

Passionate Cybersecurity enthusiast, curious about protecting digital assets!