Key-Windows-Processes
| Process Name | Runs As | Parent Process | How many instances? | Notes | Rule Coverage |
|---|---|---|---|---|---|
| svchost.exe | Local System, Network Service, Local Service | services.exe | Five or more | Should always be run with a -k option | Yes |
| lsm.exe | Local System | wininit.exe | Only one | No child processes | Yes |
| csrss.exe | Local System | (exited) smss.exe | Two or more | | Yes |
| lsass.exe | Local System | wininit.exe | Only one | No child processes | Yes |
| winlogon.exe | Local System | (exited) smss.exe | One or more | | Yes |
| wininit.exe | Local System | (exited) smss.exe | Only one | | Yes |
| smss.exe | Local System | System | One or more | | Yes |
| taskhost.exe | Logged-on users and/or local service accounts | services.exe | One or more | | Yes |
| services.exe | Local System | wininit.exe | Only one | | Yes |
| explorer.exe | Logged-on user(s) | (exited) userinit.exe | One* | *Instances: one per interactively logged-on user | Yes |
| dllhost.exe | Logged-on users and/or local service accounts | svchost.exe, services.exe | One or more | Should be run with the following option: /Processid:{} | Yes |
Sources:

http://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
(and personal experience)
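As an added example (not part of the original sheet or the SANS poster), the table above encoded as a baseline and run against a constructed process snapshot; the snapshot field names (pid, ppid, name, user, cmdline), the audit function and the sample rows are assumptions made for this example, and a parent listed as "(exited)" is only judged when it is still present in the snapshot.

```python
from collections import Counter
# Baseline from the table above: (allowed users or None = logged-on users, parents, min, max, no children, required cmdline token)
S = {"Local System"}
BASELINE = {
    "smss.exe":     (S, {"system"}, 1, None, False, None),
    "csrss.exe":    (S, {"smss.exe"}, 2, None, False, None),
    "wininit.exe":  (S, {"smss.exe"}, 1, 1, False, None),
    "winlogon.exe": (S, {"smss.exe"}, 1, None, False, None),
    "services.exe": (S, {"wininit.exe"}, 1, 1, False, None),
    "lsass.exe":    (S, {"wininit.exe"}, 1, 1, True, None),
    "lsm.exe":      (S, {"wininit.exe"}, 1, 1, True, None),
    "svchost.exe":  (S | {"Network Service", "Local Service"}, {"services.exe"}, 5, None, False, "-k"),
    "taskhost.exe": (None, {"services.exe"}, 1, None, False, None),
    "dllhost.exe":  (None, {"svchost.exe", "services.exe"}, 1, None, False, "/Processid:{"),
    "explorer.exe": (None, {"userinit.exe"}, 0, None, False, None),  # one per logged-on user; none logged on is fine (assumption)
}
def audit(procs):
    by_pid = {p["pid"]: p for p in procs}
    kids = Counter(p["ppid"] for p in procs)  # child count per parent pid
    out = []
    for name, (users, parents, lo, hi, no_kids, token) in BASELINE.items():
        found = [p for p in procs if p["name"].lower() == name]
        if len(found) < lo or (hi is not None and len(found) > hi):
            out.append(f"{name}: {len(found)} instance(s), expected {lo}..{hi or 'any'}")
        for p in found:
            tag = f"{name} pid {p['pid']}"
            if users is not None and p["user"] not in users:
                out.append(f"{tag} runs as {p['user']}")
            parent = by_pid.get(p["ppid"])  # smss.exe / userinit.exe parents have normally exited
            if parent and parent["name"].lower() not in parents:
                out.append(f"{tag} parent is {parent['name']} pid {parent['pid']}")
            if no_kids and kids[p["pid"]]:
                out.append(f"{tag} has {kids[p['pid']]} child process(es)")
            if token and token not in p["cmdline"]:
                out.append(f"{tag} started without {token}")
    return out
# Constructed snapshot (pid, ppid, name, user, cmdline); not real system output.
SNAPSHOT = [dict(zip(("pid", "ppid", "name", "user", "cmdline"), r)) for r in [
    (300, 4, "smss.exe", "Local System", "smss.exe"),
    (400, 300, "csrss.exe", "Local System", "csrss.exe"),
    (410, 300, "csrss.exe", "Local System", "csrss.exe"),
    (420, 300, "wininit.exe", "Local System", "wininit.exe"),
    (430, 300, "winlogon.exe", "Local System", "winlogon.exe"),
    (500, 420, "services.exe", "Local System", "services.exe"),
    (510, 420, "lsass.exe", "Local System", "lsass.exe"),
    (520, 420, "lsm.exe", "Local System", "lsm.exe"),
    (600, 500, "svchost.exe", "Network Service", "svchost.exe -k netsvcs"),
    (700, 510, "cmd.exe", "Local System", "cmd.exe"),          # child of lsass.exe
    (800, 600, "svchost.exe", "Local System", "svchost.exe"),  # wrong parent, no -k
]]
```

Running `audit(SNAPSHOT)` reports the lsass.exe child, the under-count of svchost.exe, the svchost.exe started by another svchost.exe without -k, and the absent taskhost.exe and dllhost.exe.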