The Windows Logon, winlogon.exe, is responsible for handling the Secure Attention Sequence (SAS). The SAS is the ALT+CTRL+DELETE key combination users press to enter their username & password.
This process is also responsible for loading the user profile. It loads the user’s
userinit.exe loads the user’s shell.
It is also responsible for locking the screen and running the user’s screensaver, among other functions.
smss.exe launches this process along with a copy of csrss.exe within Session 1.
Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
Number of Instances: One or more
Start Time: Within seconds of boot time for the first instance (for Session 1). Additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.
An actual parent process. (smss.exe calls this process and self-terminates)
Image file path other than
Subtle misspellings to hide rogue processes in plain sight
Not running as
Shell value in the registry other than
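
The process-level checks in the list above, applied to a process snapshot (an added example, not part of the original page). The record fields, the sample rows and the finding labels are constructed; the expected image path and account are the stock Windows defaults, supplied here as assumptions. The registry Shell value is not covered.

```python
# Added example: baseline check for winlogon.exe over a constructed process snapshot.
EXPECTED_NAME = "winlogon.exe"
EXPECTED_PATH = r"c:\windows\system32\winlogon.exe"  # assumption: stock Windows default
EXPECTED_USER = "nt authority\\system"               # assumption: stock Windows default

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_winlogon(procs):
    """Return (pid, finding) pairs for records that deviate from the baseline."""
    live = {p["pid"] for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name != EXPECTED_NAME:
            # One or two character edits away from the real name: lookalike.
            if 0 < edit_distance(name, EXPECTED_NAME) <= 2:
                findings.append((p["pid"], "lookalike name"))
            continue
        # The launching smss.exe instance exits, so the recorded parent PID
        # should not be a live process (PID reuse can cause a false hit).
        if p["ppid"] in live:
            findings.append((p["pid"], "parent still running"))
        if p["path"].lower() != EXPECTED_PATH:
            findings.append((p["pid"], "unexpected image path"))
        if p["user"].lower() != EXPECTED_USER:
            findings.append((p["pid"], "unexpected account"))
    return findings

# Constructed sample snapshot (not taken from a real host).
SAMPLE = [
    {"pid": 4, "ppid": 0, "name": "System", "path": "", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 612, "ppid": 500, "name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 2980, "ppid": 700, "name": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe", "user": "LAB\\alice"},
    {"pid": 3100, "ppid": 2980, "name": "winlogon.exe", "path": r"C:\Users\Public\winlogon.exe", "user": "LAB\\alice"},
    {"pid": 3344, "ppid": 2980, "name": "winIogon.exe", "path": r"C:\Windows\System32\winIogon.exe", "user": "LAB\\alice"},
]

if __name__ == "__main__":
    for pid, finding in check_winlogon(SAMPLE):
        print(pid, finding)
```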