Core Windows Processes

Task Manager is a built-in GUI-based Windows utility that allows users to see what is running on the Windows system. It also provides information on resource usage, such as how much each process utilizes CPU and memory. When a program is not responding, the Task Manager is used to terminate the process.

Note: ">" symbol represents a parent-child relationship. System (Parent) > smss.exe (Child)

• System
• System > smss.exe
• csrss.exe
• wininit.exe
• wininit.exe > services.exe
• wininit.exe > services.exe > svchost.exe
• lsass.exe
• winlogon.exe
• explorer.exe

Sysinternals

With the prior knowledge of Core Windows Processes, we can now proceed to discuss the available toolset for analyzing running artefacts in the backend of a Windows machine.

The Sysinternals tools are a compilation of over 70+ Windows-based tools. Each of the tools falls into one of the following categories:

• File and Disk Utilities
• Networking Utilities
• Process Utilities
• Security Utilities
• System Information