Arc 1: Learning the System

"The Pulse" — Processes, Services, Memory & Devices

The IIS web server on MD-WEB01 has crashed, and there's something strange running on Marcus's workstation. Time to learn how Windows manages everything that runs.

What Is a Process?

Every program you see running on a Windows computer — from Notepad to Chrome to the operating system itself — lives inside a process. A process is not the program file on disk (that's the executable, like notepad.exe). A process is a running instance of that program, alive in memory, doing work.

When Windows creates a process, it sets up several critical components:

Process ID (PID) — A unique number identifying this specific running process. PIDs are assigned sequentially and are never reused while the process is alive. After the process ends, the PID can be recycled.
Virtual Address Space — Each process gets its own private block of memory. A 64-bit process can theoretically address up to 128 TB of memory, though the OS only allocates what is actually needed. This isolation means one process cannot read or write another process's memory (without special privileges).
Access Token — A security credential attached to every process. It contains the user's SID, group memberships, and privileges. When the process tries to access a file or resource, Windows checks this token against the resource's ACL. The token is inherited from the parent process that started it.
Threads — The actual units of execution within a process. A process must have at least one thread (the primary thread). The CPU doesn't execute processes — it executes threads. A web browser might have dozens of threads: one for the UI, one per tab for JavaScript, others for network I/O.
Handle Table — A list of OS objects (files, registry keys, mutexes, other processes) that this process currently has open. Handles are like numbered references to kernel objects.

Parent-Child Relationships: Every process (except the System process at PID 4) is created by another process — its parent. When you double-click an application in Explorer, explorer.exe is the parent and your application is the child. The child inherits certain properties from the parent, including the access token and environment variables. This parent-child tree is critical for security — if you see cmd.exe spawned by outlook.exe, something is very wrong.

Security Implication: Processes inherit the access token of their parent. This is why phishing attacks target applications like Outlook or your web browser — if an attacker can make your browser execute code, that code runs with your permissions, because it inherits your browser's token, which inherited your logon token.

Process vs. Service vs. Thread

These three terms are often confused. Here is how they relate to each other:

Concept	What It Is	Lifecycle	User Interaction	Example
Process	A running instance of a program with its own memory space, PID, and access token	Starts when launched, ends when closed or killed	Usually has a window (GUI) or console; user can interact directly	`notepad.exe` (PID 3456)
Service	A special type of process designed to run in the background without user interaction, managed by the Service Control Manager (SCM)	Can start at boot, on demand, or triggered by events; survives user logoff	No desktop window; controlled via `sc.exe`, `services.msc`, or PowerShell	W3SVC (IIS web server), Spooler (print)
Thread	A unit of execution within a process; shares the process's memory and token	Created and destroyed by the process; at least one (primary) thread must exist	Invisible to the user; managed by the OS scheduler	Chrome tab's JavaScript engine thread

Think of it this way: a process is a house. Threads are the people inside the house doing work. A service is a house that runs itself — no one needs to be home to answer the door; it just keeps working automatically. The Service Control Manager (SCM) is like a building superintendent who can start, stop, and monitor all the service houses in the neighborhood.

Critical Windows Processes

Windows runs a set of core processes that must be present for the OS to function. Knowing what these processes are, where they live, who runs them, and who their parent should be is fundamental to threat detection. Attackers frequently try to disguise malware by naming it after these processes or running it from the wrong location.

Process	Normal Path	Normal Parent	Runs As	Purpose	What's Suspicious
System (PID 4)	N/A (kernel)	None (first process)	SYSTEM	Hosts kernel-mode threads. All kernel drivers run as threads under this process. Always PID 4.	PID is not 4. Multiple instances. Running from a file path on disk.
smss.exe	`C:\Windows\System32\`	System (PID 4)	SYSTEM	Session Manager Subsystem. First user-mode process. Creates sessions, starts csrss.exe and wininit.exe/winlogon.exe for each session. Sets up page file and environment variables.	Parent is not System. Running from any path other than System32. More than one instance running for an extended period (it spawns copies for new sessions but those exit quickly).
csrss.exe	`C:\Windows\System32\`	smss.exe (but parent exits, so shows as "non-existent" in tools)	SYSTEM	Client/Server Runtime Subsystem. Manages console windows, thread creation/deletion, and the Win32 subsystem. Critical process — killing it causes a blue screen.	Only one instance per session (expect 2 total: Session 0 + Session 1). Running from wrong path. Unexpected parent.
wininit.exe	`C:\Windows\System32\`	smss.exe (parent exits)	SYSTEM	Windows Initialization process. Starts services.exe, lsass.exe, and lsm.exe. Only runs in Session 0 (the services session).	More than one instance. Running from wrong path. Running in a user session instead of Session 0.
services.exe	`C:\Windows\System32\`	wininit.exe	SYSTEM	Service Control Manager (SCM). The parent of all service processes (svchost.exe, spoolsv.exe, etc.). Starts, stops, and manages Windows services. Only one instance.	More than one instance. Parent is not wininit.exe. Running from wrong path.
lsass.exe	`C:\Windows\System32\`	wininit.exe	SYSTEM	Local Security Authority Subsystem Service. Handles all user authentication: password validation, Kerberos ticket generation, NTLM authentication. Stores credentials in memory. Enforces security policies.	More than one instance. Parent is not wininit.exe. Running from wrong path (a classic: lsass.exe vs. 1sass.exe or lsass.exe in a temp folder). Any tool reading its memory (credential dumping).
svchost.exe	`C:\Windows\System32\`	services.exe	SYSTEM, LOCAL SERVICE, or NETWORK SERVICE	Generic service host. Loads and runs services implemented as DLLs. Many instances are normal — each hosts a group of related services (e.g., network services, RPC services). Command line always contains `-k <group>`.	Running from any path other than System32. Parent is not services.exe. Running as a regular user account. No `-k` parameter in command line. Misspellings (svch0st.exe, scvhost.exe).
explorer.exe	`C:\Windows\`	userinit.exe (but parent exits, so appears orphaned)	Logged-in user	Windows desktop shell. Provides the taskbar, Start menu, file browser, and desktop. One instance per logged-in user session.	Running as SYSTEM. Multiple instances for the same user. Running from wrong path. Spawning unusual child processes (like cmd.exe or powershell.exe in unexpected contexts).

High-Value Target — lsass.exe: Because lsass.exe stores user credentials in memory, it is the #1 target for credential-stealing attacks. Tools like Mimikatz read lsass.exe's memory to extract plaintext passwords, NTLM hashes, and Kerberos tickets. Windows Credential Guard (available in Enterprise editions) moves credentials into a hardware-isolated container that even SYSTEM cannot access, specifically to protect against lsass.exe memory dumping.

svchost.exe Spoofing: Attackers love to name their malware svchost.exe because it is expected to have many instances running. The key differentiator is the path: real svchost.exe always runs from C:\Windows\System32\svchost.exe and its parent is always services.exe. If you see svchost.exe running from C:\Users\ or C:\Temp\, it is malware.

Services and the Service Control Manager (SCM)

A Windows Service is a background program that starts automatically (or on demand) and runs without requiring a user to be logged in. Services are managed by the Service Control Manager (SCM), which is the services.exe process.

Every service is defined by a registry entry under HKLM\SYSTEM\CurrentControlSet\Services\ that specifies:

The binary path (executable or DLL)
The startup type (Automatic, Manual, Disabled, Delayed Auto-Start)
The account the service runs under
Recovery actions if the service crashes
Dependencies (other services that must start first)

Service Accounts

Services don't run as regular users. Windows provides three built-in service accounts with different privilege levels:

Account	Privileges	Network Access	Typical Use
LocalSystem `NT AUTHORITY\SYSTEM`	Highest privileges on the local machine. Full access to all files, registry, and OS components. More powerful than a local Administrator.	Accesses network resources as the computer account (MACHINE$)	Core OS services: SCM, WMI Provider, Windows Update
LocalService `NT AUTHORITY\LOCAL SERVICE`	Minimal local privileges. Similar to a standard user account. Cannot access most system files.	Accesses network as Anonymous (no credentials)	Low-risk services: DNS Client, TCP/IP NetBIOS Helper
NetworkService `NT AUTHORITY\NETWORK SERVICE`	Minimal local privileges, same as LocalService.	Accesses network using the computer's credentials (Kerberos), presenting the machine identity	Services that need network access: RPC, DHCP Client

Service Recovery Options

The SCM can automatically respond when a service crashes. For each service, you can configure what happens on the first failure, second failure, and subsequent failures:

Restart the Service — Most common. SCM waits a configurable delay, then restarts.
Run a Program — Execute a script or binary (useful for notifications or cleanup).
Restart the Computer — Nuclear option. Used for critical services where the whole system may be unstable.
Take No Action — Just log it and leave the service stopped.

Real-World Context: In our scenario, the W3SVC (IIS World Wide Web Publishing Service) on MD-WEB01 has crashed. The SCM detected the failure and, because recovery is configured as "Restart on first failure," it will attempt to bring the service back automatically. Understanding this recovery mechanism is essential for IT operations.

Memory Management

Windows uses a sophisticated memory management system that creates the illusion that each process has its own private, contiguous block of memory — even though physical RAM is shared among all running processes.

Virtual Memory

Every process works with virtual addresses, not physical RAM addresses. The CPU's Memory Management Unit (MMU) translates virtual addresses to physical addresses using page tables maintained by the OS. This translation is invisible to the application.

Virtual memory provides two critical benefits:

Isolation — Process A's virtual address 0x00400000 maps to a completely different physical location than Process B's virtual address 0x00400000. They cannot see each other's memory.
Overcommit — The total virtual memory used by all processes can exceed physical RAM. Pages that haven't been accessed recently are written to the page file on disk (C:\pagefile.sys).

Key Memory Concepts

Term	Meaning
Working Set	The pages of memory currently resident in physical RAM for a process. When RAM is scarce, Windows trims working sets by moving less-used pages to the page file.
Commit Charge	The total virtual memory allocated (reserved and committed) across all processes. If commit charge exceeds physical RAM + page file, the system is out of memory.
Page File	A file on disk (`C:\pagefile.sys`) used as overflow when physical RAM is full. The OS swaps pages between RAM and the page file as needed. Size is typically 1-3x physical RAM.
Paging	The act of moving memory pages between RAM and disk. When a process accesses a page that's been moved to disk, a page fault occurs, and the OS loads it back into RAM.

Security Features in Memory

Feature	What It Does	Why It Matters
ASLR (Address Space Layout Randomization)	Randomizes the base addresses where executables, DLLs, the stack, and the heap are loaded in memory. Each time a process starts, addresses are different.	Makes buffer overflow exploits much harder. Attackers can't predict where their shellcode will land or where critical functions are located in memory.
DEP (Data Execution Prevention)	Marks memory pages as either executable or writable, but never both. Data pages (stack, heap) are marked non-executable.	Prevents attackers from injecting code into data areas and executing it. Even if an attacker writes shellcode to the stack via a buffer overflow, the CPU will refuse to execute it.

Why Attackers Care About Memory: Credential theft attacks (like those targeting lsass.exe) work by reading another process's memory. Process injection attacks write code into a victim process's address space and create a thread to execute it. Understanding how memory isolation works — and how it can be bypassed with sufficient privileges — is essential for both attack and defense.

Device Drivers

Applications never talk directly to hardware. Instead, the communication flows through layers:

I/O Communication Stack

Application Ring 3 · user mode

Win32 API ReadFile(), WriteFile()

▼ syscall boundary ▼

I/O Manager Ring 0 · kernel mode

Device Driver Translates I/O requests

Hardware (Device) CPU, Disk, NIC, GPU

A device driver is a piece of software that translates generic OS I/O requests into specific hardware commands. When you print a document, the application calls the Win32 API, which passes the request to the I/O Manager, which sends it to the printer driver, which sends the actual data to the printer hardware.

Key Driver Concepts

Driver Signing — Since Windows Vista (64-bit), all kernel-mode drivers must be digitally signed by Microsoft or a trusted publisher. This prevents attackers from loading arbitrary code into the kernel. Secure Boot extends this protection to boot-time drivers.
Plug and Play (PnP) — Windows automatically detects new hardware, loads the appropriate driver, and configures the device. The PnP Manager maintains a database of devices and their drivers.
Driver Verifier — A diagnostic tool that stress-tests drivers by monitoring their behavior. It can detect memory leaks, buffer overflows, and improper API usage in drivers. Useful for identifying unstable drivers that cause blue screens.

BYOVD Attacks (Bring Your Own Vulnerable Driver): Because kernel drivers run at Ring 0 with full system access, attackers have found a devastating technique: they install a legitimately signed but vulnerable driver, then exploit its vulnerability to gain kernel-level code execution. The driver passes signature checks because it is genuinely signed — but it contains a known flaw. This technique has been used by advanced threat groups to disable security software, hide malware, and bypass all OS protections. Windows maintains a vulnerable driver blocklist, but it cannot cover every known vulnerable driver.

Process Creation: From Double-Click to Running Code

Click any layer to explore what happens at each stage of process creation and why it matters for security.

🌳 Critical Windows Process Tree

This tree shows the normal parent-child relationships of critical Windows processes. Any deviation from this tree is a strong indicator of malicious activity.

System (PID 4)

Kernel Threads

↓

smss.exe

Session Manager

↓

csrss.exe

Session 0

↓

wininit.exe

↓

services.exe

SCM

svchost.exe -k netsvcs

svchost.exe -k LocalService

svchost.exe -k DcomLaunch

spoolsv.exe (Print)

w3wp.exe (IIS)

lsass.exe

Authentication

csrss.exe

Session 1

↓

winlogon.exe

↓

userinit.exe

↓

explorer.exe

Desktop Shell

↓

User Apps

notepad, chrome, etc.

Reading the Tree: Arrows show parent-child relationships. Red-bordered processes are high-value security targets. Blue-bordered processes are SCM-managed services. Green-bordered processes handle session setup. Teal-bordered processes are user-facing. If a process has the wrong parent, it is a red flag.

X-Ray Mode: IIS Service Crash & Recovery

Watch step by step what happens when the W3SVC (IIS) service crashes on MD-WEB01 and how the Service Control Manager detects and recovers from the failure.

Press Play to begin X-Ray walkthrough...

Investigation Lab: Crashed Server & Suspicious Workstation

Scenario: Priya calls you over: "The company website is down — MD-WEB01's IIS server has crashed. Get it back up. And while you're at it, Marcus from Engineering says his workstation MD-WS-ENG05 feels 'sluggish.' Take a look at what's running on it."

Part 1: Restart the IIS Web Server on MD-WEB01

Run sc query W3SVC to check the current status of the IIS web service. Is it running or stopped?

Hint: Look at the STATE field in the output

Run sc start W3SVC to restart the web service (alternatively: net start W3SVC).

Hint: Watch for the START_PENDING state followed by success

Run sc query W3SVC again to confirm the service is now running.

Run sc qc W3SVC to view the service configuration — check the start type and binary path.

Run tasklist /svc to see which processes are hosting which services.

Run Get-Service | Where-Object {$_.Status -eq 'Stopped'} to find any other stopped services that might need attention.

Part 2: Investigate Marcus's Workstation (MD-WS-ENG05)

Switch to the second terminal below. Run tasklist to see all running processes. Do you notice anything unusual?

Hint: Look at the process names carefully — do any look like system processes that shouldn't be there?

Run tasklist /v for verbose output. Check which user account each process is running under.

Hint: Real svchost.exe always runs as SYSTEM, LOCAL SERVICE, or NETWORK SERVICE — never as a regular user

Run wmic process where "name='svchost.exe'" get ProcessId,ExecutablePath to see the full path of every svchost.exe process.

Hint: The real svchost.exe is always at C:\Windows\System32\svchost.exe

Run schtasks /query /fo LIST /v to check scheduled tasks. Look for anything that runs a suspicious command.

Hint: Legitimate system tasks don't run PowerShell scripts from user temp directories