smss.exe (Session Manager Subsystem, also known as Windows Session Manager) is responsible for creating new sessions. It
is the first user-mode process started by the kernel.
This process starts the kernel and user modes of the Windows subsystem. This subsystem includes
win32k.sys (kernel mode),
winsrv.dll (user mode), and
csrss.exe (user mode).
smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated
Windows session for the operating system, and csrss.exe and winlogon.exe for Session 1,
which is the user session. The first child instance creates child instances in new sessions, which is done by smss.exe
copying itself into the new session and self-terminating.
Any other subsystem listed in the
Required value of
HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems is also launched.
smss.exe is also responsible for creating environment variables and virtual memory paging files.
Number of Instances: One master instance and one child instance per session. The child instance exits after creating the session.
User Account: Local System
Start Time: Within seconds of boot time for the master instance
A different parent process other than System (PID
The image path is different from
More than one running process. (children self-terminate and exit after each new session)
User is not the
Unexpected registry entries for
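The baseline above (parent is System, account is Local System, start within seconds of boot, a single long-running instance) can be checked against a process snapshot. The following is an added example, not part of the original page; the record fields, the 60-second threshold and the sample snapshot are constructed assumptions.

```python
from datetime import datetime, timedelta

LOCAL_SYSTEM = "NT AUTHORITY\\SYSTEM"    # how Local System appears in most process listings
MAX_BOOT_DELAY = timedelta(seconds=60)   # assumed bound for "within seconds of boot"

def check_smss(procs, boot_time):
    """Return (pid, finding) pairs for smss.exe entries that break the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    smss = [p for p in procs if p["name"].lower() == "smss.exe"]
    findings = []
    # Children self-terminate, so a snapshot should normally hold one instance.
    if len(smss) > 1:
        findings += [(p["pid"], "more than one running instance") for p in smss]
    for p in smss:
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"] if parent else "<exited>"
        if parent_name.lower() != "system":
            findings.append((p["pid"], f"parent is {parent_name}, not System"))
        if p["user"].upper() != LOCAL_SYSTEM:
            findings.append((p["pid"], f"runs as {p['user']}, not Local System"))
        if p["start"] - boot_time > MAX_BOOT_DELAY:
            findings.append((p["pid"], "started long after boot"))
    return findings

# Constructed snapshot: one expected master instance and one look-alike.
BOOT = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE = [
    {"name": "System", "pid": 4, "ppid": 0,
     "user": "NT AUTHORITY\\SYSTEM", "start": BOOT},
    {"name": "smss.exe", "pid": 348, "ppid": 4,
     "user": "NT AUTHORITY\\SYSTEM", "start": BOOT + timedelta(seconds=2)},
    {"name": "explorer.exe", "pid": 5120, "ppid": 5000,
     "user": "DESKTOP\\alice", "start": BOOT + timedelta(minutes=5)},
    {"name": "smss.exe", "pid": 7744, "ppid": 5120,
     "user": "DESKTOP\\alice", "start": BOOT + timedelta(hours=3)},
]

if __name__ == "__main__":
    for pid, finding in check_smss(SAMPLE, BOOT):
        print(f"smss.exe pid {pid}: {finding}")
```

A snapshot taken while a new session is being created can legitimately contain a short-lived child instance whose parent is the master smss.exe, so a hit on the instance count or parent check should be confirmed against a second snapshot.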