Endpoint Security Monitoring - Part 2

Endpoint Security Fundamentals

Core Windows Processes

Before we dive into exploring endpoint logs in detail, it's important to first understand the basics of how the Windows Operating System functions. Without this foundational knowledge, it can be difficult to differentiate unusual events from a large volume of data.

The quickest way to get a feel for the essential Windows processes is Task Manager, a GUI tool that ships with every Windows installation. It lists the processes currently running on the system, reports resource usage such as CPU and memory for each process, and lets you end a process that has become unresponsive. One caveat for the lineage discussion below: Task Manager does not display a process's parent, so to verify parent-child relationships you need Process Explorer (Sysinternals) or a PowerShell query that returns ParentProcessId, such as Get-CimInstance Win32_Process.

Task Manager shows the normal Windows processes running in the background. Examples include the System Idle Process, System, Windows Explorer (explorer.exe), Service Host processes (svchost.exe), antivirus software, and various background processes.

Note: the ">" symbol denotes a parent-child relationship, e.g. System (parent) > smss.exe (child).

The following is a summary of the normal lineage and role of the core Windows processes:

  • System: the kernel itself, always PID 4, shown with the System Idle Process (PID 0) as its parent.
  • System > smss.exe: Session Manager; initializes sessions and starts csrss.exe and wininit.exe (session 0) or winlogon.exe (user sessions) through a transient copy of itself that exits afterwards.
  • csrss.exe: Client/Server Runtime Subsystem; handles the Win32 side of process and thread creation and deletion. One instance per session.
  • wininit.exe: Windows Start-Up Application; starts services.exe and lsass.exe in session 0. One instance.
  • wininit.exe > services.exe: Service Control Manager; starts and controls system services. One instance.
  • wininit.exe > services.exe > svchost.exe: Service Host; hosts multiple DLL-based services within a single process. Many instances are normal, but every one should descend from services.exe.
  • wininit.exe > lsass.exe: Local Security Authority Subsystem; manages local security policy, authentication and credentials. Exactly one instance.
  • winlogon.exe: handles interactive user logon and logoff. One instance per interactive session.
  • explorer.exe: the Windows shell; manages the desktop, taskbar and file management. One instance per logged-on user by default.


Processes listed above without a parent (csrss.exe, wininit.exe, winlogon.exe, explorer.exe) are not parentless by accident: the process that launched them (a transient smss.exe instance, or userinit.exe in the case of explorer.exe) exits immediately afterwards, so under normal circumstances they show no living parent. The one exception is System, whose parent is shown as the System Idle Process (PID 0). Any core process appearing under a different, still-running parent (for example svchost.exe spawned by explorer.exe, or lsass.exe spawned by anything other than wininit.exe), running from a directory other than C:\Windows\System32, or present in more instances than expected, deserves investigation.
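The relationships in the list above become a detection rule as soon as a process snapshot is available. The following Python is an added example, not code from this article: it encodes the expected parent for each core process, runs it over a constructed snapshot (made-up PIDs, paths and start times standing in for a Get-CimInstance Win32_Process export), and flags deviations. The image-directory check, the single-instance check for wininit.exe, services.exe and lsass.exe, and the use of creation times to ignore a reused parent PID are additions of this example rather than points the article itself makes.

```python
"""Check a Windows process snapshot against the core-process lineage baseline.

Added example, not code from the article. The snapshot below is constructed
(PIDs, paths and start times are made up) to stand in for what you would
export from `Get-CimInstance Win32_Process` on a live host.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str     # image name as Task Manager shows it
    path: str     # full image path
    start: float  # creation time (epoch seconds), used to detect PID reuse


# Expected parent image for each core process, from the lineage listed above.
# None means the launcher normally exits (a transient smss.exe instance, or
# userinit.exe for explorer.exe), so no *living* parent should be found.
EXPECTED_PARENT: Dict[str, Optional[str]] = {
    "smss.exe": "system",
    "csrss.exe": None,
    "wininit.exe": None,
    "winlogon.exe": None,
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": None,
}

# Added checks beyond the parent rule (assumptions of this example, not from
# the article): where each image should live, and which ones run exactly once.
EXPECTED_DIR: Dict[str, str] = {name: "c:\\windows\\system32" for name in EXPECTED_PARENT}
EXPECTED_DIR["explorer.exe"] = "c:\\windows"
SINGLETON = {"wininit.exe", "services.exe", "lsass.exe"}

Finding = Tuple[int, str, str]  # (pid, image name, reason)


def live_parent(child: Proc, by_pid: Dict[int, Proc]) -> Optional[Proc]:
    """Return the child's parent only if it is still running and really is the
    process that created it. A process holding the right PID but started after
    the child is PID reuse (the real parent exited), not a lineage match."""
    parent = by_pid.get(child.ppid)
    if parent is None or parent.start > child.start:
        return None
    return parent


def check_snapshot(procs: List[Proc]) -> List[Finding]:
    """Return one finding per baseline violation in the snapshot."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    counts: Dict[str, int] = {}
    for p in procs:
        name = p.name.lower()
        if name == "system":
            if p.pid != 4 or p.ppid != 0:
                findings.append((p.pid, name, f"System must be PID 4 under PID 0, got PID {p.pid}/PPID {p.ppid}"))
            continue
        if name not in EXPECTED_PARENT:
            continue  # not a core process; out of scope for this baseline
        counts[name] = counts.get(name, 0) + 1
        parent = live_parent(p, by_pid)
        want = EXPECTED_PARENT[name]
        if want is None and parent is not None:
            findings.append((p.pid, name, f"unexpected live parent {parent.name} (PID {parent.pid})"))
        elif want is not None and (parent is None or parent.name.lower() != want):
            got = f"{parent.name} (PID {parent.pid})" if parent else "no running parent"
            findings.append((p.pid, name, f"parent should be {want}, got {got}"))
        if ntpath.dirname(p.path.lower()) != EXPECTED_DIR[name]:
            findings.append((p.pid, name, f"unexpected image path {p.path}"))
    for name in sorted(SINGLETON):
        if counts.get(name, 0) > 1:
            findings.append((0, name, f"{counts[name]} instances running, expected exactly 1"))
    return findings


# Constructed snapshot: a normal boot tree plus planted anomalies.
SNAPSHOT: List[Proc] = [
    Proc(0, 0, "System Idle Process", "", 0.0),
    Proc(4, 0, "System", "", 1.0),
    Proc(400, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe", 2.0),
    Proc(520, 396, "csrss.exe", "C:\\Windows\\System32\\csrss.exe", 3.0),    # PPID 396: smss copy that exited
    Proc(600, 396, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", 3.1),
    Proc(640, 560, "winlogon.exe", "C:\\Windows\\System32\\winlogon.exe", 3.2),
    Proc(700, 600, "services.exe", "C:\\Windows\\System32\\services.exe", 4.0),
    Proc(720, 600, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", 4.1),
    Proc(900, 700, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", 5.0),
    Proc(3100, 2900, "explorer.exe", "C:\\Windows\\explorer.exe", 10.0),      # PPID 2900: userinit.exe, exited
    # Planted: "svchost.exe" under explorer.exe, from a user-writable directory
    Proc(4400, 3100, "svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", 30.0),
    Proc(4500, 4400, "cmd.exe", "C:\\Windows\\System32\\cmd.exe", 31.0),
    # Planted: a second lsass.exe, spawned by cmd.exe
    Proc(4600, 4500, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", 32.0),
    # PID 2900 has since been reused by an unrelated process started long after explorer.exe
    Proc(2900, 4500, "notepad.exe", "C:\\Windows\\System32\\notepad.exe", 33.0),
]


if __name__ == "__main__":
    for pid, name, reason in check_snapshot(SNAPSHOT):
        print(f"[!] PID {pid:<5} {name:<14} {reason}")
```

A parent that exited leaves only a stale PPID behind, and Windows recycles PIDs, so comparing creation times is what stops an unrelated process that later inherited that PID from being reported as a bogus parent of explorer.exe. The same rule table applies unchanged to Sysmon Event ID 1 records, which carry ParentImage and the image path directly.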


Continued...

-Tharindu Damith
