The master forensic reference for Windows core processes — the legitimate boot tree plus the most-investigated service and COM hosts. Every node carries its expected path, parent, account, session, command line, code-signer, MITRE ATT&CK abuse, corroborating artifacts, and the "Know Normal, Find Evil" baseline. Click any node to dissect it.
Windows builds itself in a strict, repeatable order. The kernel starts as System (PID 4), which launches the Session Manager smss.exe. smss.exe bootstraps two worlds: Session 0 (the non-interactive OS services) via wininit.exe, and Session 1 (the interactive user) via winlogon.exe. A separate csrss.exe is spun up for each session.
Because smss.exe copies itself into each new session and that copy then exits, the processes it creates — csrss.exe, wininit.exe, winlogon.exe — normally appear with no living parent. The same is true of explorer.exe, whose parent userinit.exe exits as soon as the shell is up. These "orphans" are normal; knowing this is the whole point of the baseline.
This is the foundation of "Know Normal, Find Evil." Every node below carries its expected path, account, parent, command line, code-signer, instance count, and the anomalies that betray a malicious imposter — a wrong path, a misspelled name, a missing -k switch, the wrong parent, or one-too-many copies.
winload.efi, and the kernel (ntoskrnl.exe) — right up to the moment it hands control to smss.exe, the first process below.
| Process | PID | Parent | Account | Prio | Session | Instances | Timing |
|---|---|---|---|---|---|---|---|
| Indicator | Why It Matters |
|---|---|
| Wrong path | Core processes run from C:\Windows\System32 (explorer.exe from C:\Windows, WmiPrvSE.exe from System32\wbem). A copy in a user/temp folder is malware. |
| Misspelled name | scvhost.exe, csrsss.exe, lsas.exe — typosquatting the trusted name. |
| Wrong parent | e.g. svchost.exe not under services.exe, or lsass.exe not under wininit.exe. |
| Wrong / missing args | Every svchost.exe has a -k group; every legit dllhost.exe has a /Processid:{GUID}. Missing = suspect. |
| Wrong account | explorer.exe running as SYSTEM, or a SYSTEM process running as a user, breaks the model. |
| Too many instances | There is exactly one lsass.exe, services.exe, wininit.exe. A second copy is a strong alert. |
| Suspect children | lsass/spoolsv/wmiprvse spawning cmd/powershell = injection, PrintNightmare, or WMI lateral movement. |
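The indicator table above, turned into a runnable baseline check. This is an added example, not Crow-Eye's or the page's own code; the `BASELINE` table, the 0.85 name-similarity threshold, and the snapshot of constructed process records are assumptions made for the illustration.

```python
# Added example (not Crow-Eye's or the page's code): the anomaly table above as a baseline
# check over a constructed process snapshot of (pid, ppid, name, path, account, cmdline).
from collections import Counter
from difflib import SequenceMatcher
S32 = r"c:\windows\system32"
# name -> (dir, parent or None when the parent normally exits, account rule, max instances, required arg)
BASELINE = {  # account rule: "SYSTEM" = must be SYSTEM, "USER" = must not be, None = unchecked
    "wininit.exe": (S32, None, "SYSTEM", 1, None),
    "services.exe": (S32, "wininit.exe", "SYSTEM", 1, None),
    "lsass.exe": (S32, "wininit.exe", "SYSTEM", 1, None),
    "svchost.exe": (S32, "services.exe", None, None, " -k "),
    "dllhost.exe": (S32, None, None, None, "/processid:{"),
    "explorer.exe": (r"c:\windows", None, "USER", None, None),
}
SENSITIVE, SHELLS = {"lsass.exe", "spoolsv.exe", "wmiprvse.exe"}, {"cmd.exe", "powershell.exe"}

def check(snapshot):
    """Return sorted (pid, name, indicator) findings for every baseline violation."""
    by_pid, counts = {p[0]: p for p in snapshot}, Counter(p[2].lower() for p in snapshot)
    out = []
    for pid, ppid, name, path, account, cmdline in snapshot:
        name, parent = name.lower(), by_pid.get(ppid)  # parent is None once it has exited (normal orphan)
        pname = parent[2].lower() if parent else None
        if name in SHELLS and pname in SENSITIVE:
            out.append((pid, name, f"suspect child of {pname}"))
        if name not in BASELINE:  # typosquat: a near-miss of a trusted name
            if any(SequenceMatcher(None, name, b).ratio() >= 0.85 for b in BASELINE):
                out.append((pid, name, "misspelled name"))
            continue
        exp_dir, exp_parent, acct, max_inst, arg = BASELINE[name]
        checks = [
            (path.lower().rsplit("\\", 1)[0] != exp_dir, "wrong path"),
            (exp_parent and pname and pname != exp_parent, f"wrong parent {pname}"),
            (acct and (acct == "SYSTEM") != account.upper().endswith("SYSTEM"), "wrong account"),
            (arg and arg not in cmdline.lower(), "missing args"),
            (max_inst and counts[name] > max_inst, "too many instances"),
        ]
        out += [(pid, name, why) for hit, why in checks if hit]
    return sorted(out)

SYS = r"NT AUTHORITY\SYSTEM"
SNAPSHOT = [  # constructed sample: a healthy boot tree plus planted anomalies
    (540, 500, "wininit.exe", S32 + r"\wininit.exe", SYS, "wininit.exe"),  # ppid 500 exited: normal
    (640, 540, "services.exe", S32 + r"\services.exe", SYS, "services.exe"),
    (660, 540, "lsass.exe", S32 + r"\lsass.exe", SYS, "lsass.exe"),
    (820, 640, "svchost.exe", S32 + r"\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE", "svchost.exe -k NetworkService -p"),
    (3120, 2900, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\alice", "explorer.exe"),
    (4410, 3120, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"CORP\alice", "svchost.exe"),
    (4520, 640, "scvhost.exe", S32 + r"\scvhost.exe", SYS, "scvhost.exe -k netsvcs"),
    (4700, 660, "cmd.exe", S32 + r"\cmd.exe", SYS, "cmd.exe"),
    (4800, 540, "lsass.exe", S32 + r"\lsass.exe", SYS, "lsass.exe"),
]
```

Calling `check(SNAPSHOT)` flags only the four planted rows (the temp-folder svchost.exe, the typosquatted scvhost.exe, cmd.exe under lsass.exe, and the second lsass.exe); the legitimate orphans wininit.exe and explorer.exe pass because a missing parent is not treated as a wrong parent.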
| Process | Evolution |
|---|---|
| taskhost | taskhost.exe (Win7) → taskhostex.exe (Win8) → taskhostw.exe (Win10+). |
| taskeng | Win7/2008R2 scheduled-task engine → replaced by taskhostw.exe + Schedule svchost (Win8+). |
| lsm | lsm.exe (Win7) → merged into lsm.dll hosted by svchost.exe (Win8+). Seeing the EXE on a modern build is anomalous. |
| lsaiso | Only present when Credential Guard is enabled; isolates LSA secrets via virtualization-based security. |
| Registry / Secure System | Minimal processes added in Win10 (1803) for hive storage and VBS/VTL1 isolation respectively. |
| conhost | Introduced in Win7 to host console windows; child of the console-owning app, tied to csrss.exe. |
PIDs, command lines, and exact behaviour vary by Windows build, edition, and configuration. Only System Idle Process (PID 0) and System (PID 4) have fixed PIDs; all others are shown as Dynamic. Command lines are representative of a default install. Always validate against the host under investigation.
Crow-Eye builds the live process tree and checks every process against this exact baseline — path, parent, signer, session and instance count — flagging masqueraders, orphans, and wrong-parent anomalies for you.