aredubbya-5168 asked cheong00 answered

Explanation of Windows Processes and dlls

Hi everyone,

I am looking for a resource that will explain what all Windows processes and DLLs (if possible) are meant to do / what their purpose is, as originally designed by Microsoft. I am looking for something that will tell me, for example, what these processes do:

wininit.exe
lsass.exe
rundll32.exe

I want to get an understanding of why they run and how they are meant to work. I know I can Google this stuff, but I don't know how reliable the explanations in the search results are. When analysing malware etc. it helps to understand how something was originally designed to operate, as a means of comparing that against the activity you see.

What do other people use to get this info? If there are websites or books you can advise please let me know thanks.


windows-10-general

Hi,


Just want to confirm the current situation.


Please feel free to let us know if you need further assistance.


Best Regards,
Sunny


Hi SunnyQi,

Thank you for your considerate reply.

I work analysing malware, which often uses the default executables and DLLs; the exes I listed were just examples. How can I find out what all the exes and DLLs in Windows are meant to do by default (as designed by Microsoft), so I can use that as a baseline and better understand when these harmless files are being used in ways not designed for by Microsoft? I know there are sites out there, which you listed, and I am thankful; however, is there a chance they say slightly different things, so that the true definition of what they do is not the same? I was hoping there would be a single point of truth for this.


Hi,

Thanks for your update.

So sorry that I am not professional with this issue. I will keep consulting with other technical engineers to find out the solution. Meanwhile, I hope others can share their experience or knowledge here.

Thank you so much for your understanding.

Best Regards,
Sunny

SunnyQi-MSFT answered

Hi,

Welcome to our Q&A platform.

For the Windows operating systems, much of the functionality of the operating system is provided by DLLs. Additionally, when you run a program on one of these Windows operating systems, much of the functionality of the program may be provided by DLLs. For example, some programs may contain many different modules, and each module of the program is contained and distributed in DLLs.

The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space. So, the operating system and the programs load faster, run faster, and take less disk space on the computer.

When a program uses a DLL, an issue that is called a dependency may cause the program not to run. When a program uses a DLL, a dependency is created. If another program overwrites and breaks this dependency, the original program may not successfully run.

For more details regarding DLLs, please refer to the following links:

What is a DLL

Dynamic-link library
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

SunnyQi-MSFT answered

As for the processes wininit.exe, lsass.exe and rundll32.exe, unfortunately there are no official documents regarding these processes.

I also found the following articles and similar threads for your reference:

What is wininit.exe?

How to remove the Isass virus

What is rundll32.exe?

wininit.exe - What it is and why it is constantly running

Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Hope my answer will help you.

Best Regards,
Sunny


User989846-7900 answered

Hello,
I stumbled on this article which could be a good start:
https://nasbench.medium.com/windows-system-processes-an-overview-for-blue-teams-42fa7a617920

Castorix31 answered

Everything is in MSDN + M. Russinovich's books:

Windows Initialization Process (Wininit.exe)
The Wininit.exe process performs the following system initialization functions:
- Marks itself critical so that if it exits prematurely and the system is booted in debugging mode, it will break into the debugger (if not, the system will crash).
- Initializes the user-mode scheduling infrastructure.
- Creates the %windir%\temp folder.
- Creates a window station (Winsta0) and two desktops (Winlogon and Default) for processes to run on in session 0.
- Creates Services.exe (Service Control Manager or SCM). See upcoming paragraphs for a brief description or Chapter 4 for more details.
- Starts Lsass.exe (Local Security Authentication Subsystem Server). See Chapter 6 for more information on Lsass.
- Starts Lsm.exe (Local Session Manager). See the upcoming "Local Session Manager (Lsm.exe)" section for a brief description.
- Waits forever for system shutdown.

Local Security Authority subsystem (LSASS)
A user-mode process running the image %SystemRoot%\System32\Lsass.exe that is responsible for the local system security policy (such as which users are allowed to log on to the machine, password policies, privileges granted to users and groups, and the system security auditing settings), user authentication, and sending security audit messages to the Event Log. The Local Security Authority service (Lsasrv—%SystemRoot%\System32\Lsasrv.dll), a library that LSASS loads, implements most of this functionality.

rundll32


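The Windows Internals description quoted in the answer above is exactly the kind of baseline the question asks for: wininit.exe runs in session 0 and starts services.exe and lsass.exe, and lsass.exe is %SystemRoot%\System32\Lsass.exe. Those statements can be turned into checks. The following Python is an added example, not code from this thread or from Windows Internals; it encodes those expectations as rules, adds a rule for rundll32.exe based on its documented command-line form (rundll32 <dll>,<entrypoint> [args]), and runs them over a constructed process snapshot of the kind you would export from Sysmon or Process Explorer. The Proc field names, the snapshot contents and the "DLL outside the Windows directory" heuristic are assumptions made for the example.

```python
"""Baseline rules for wininit.exe, services.exe, lsass.exe and rundll32.exe.

Added example, not code from the thread. The wininit/services/lsass rules
follow the Windows Internals description quoted above; the rundll32 rule uses
the documented 'rundll32 <dll>,<entrypoint> [args]' form. The Proc fields,
the snapshot and the path heuristic are assumptions made for this example.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str        # image file name as a process lister shows it
    image: str       # full path of the executable image
    session: int     # Windows session id; 0 is the services session
    cmdline: str = ""


WINDOWS_DIR = r"c:\windows"
SYSTEM32 = ntpath.join(WINDOWS_DIR, "system32")


def in_system32(image: str) -> bool:
    return ntpath.dirname(image).lower() == SYSTEM32


def under_windows(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR + "\\")


def parse_rundll32(cmdline: str):
    """Return (dll, entrypoint) from a rundll32 command line.

    The DLL path runs up to the first comma (so it may contain spaces); the
    entry point is the token right after the comma, and anything later is
    the argument string rundll32 hands to that entry point.
    """
    rest = cmdline.strip()
    if rest.startswith('"'):                 # quoted program token
        rest = rest[rest.index('"', 1) + 1:]
    else:                                    # bare program token
        rest = rest.split(None, 1)[1] if " " in rest else ""
    rest = rest.strip()
    if not rest:
        return None, None
    if "," in rest:
        dll, after = rest.split(",", 1)
        entry = after.split(None, 1)[0] if after.strip() else ""
    else:
        dll, entry = rest.split(None, 1)[0], ""
    return dll.strip().strip('"'), entry


def check_snapshot(procs):
    """Return a list of deviations from the expected baseline."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    by_name = defaultdict(list)
    for p in procs:
        by_name[p.name.lower()].append(p)

    for name in ("wininit.exe", "services.exe", "lsass.exe"):
        if len(by_name[name]) != 1:
            findings.append(f"{name}: expected one instance, saw {len(by_name[name])}")
        for p in by_name[name]:
            if not in_system32(p.image):
                findings.append(f"{name} pid {p.pid}: image outside System32: {p.image}")
            if p.session != 0:
                findings.append(f"{name} pid {p.pid}: session {p.session}, expected 0")
            # wininit.exe is created by smss.exe, which has normally exited by
            # the time a snapshot is taken, so its parent is not checked here.
            if name != "wininit.exe":
                parent = by_pid.get(p.ppid)
                pname = parent.name.lower() if parent else "<not in snapshot>"
                if pname != "wininit.exe":
                    findings.append(f"{name} pid {p.pid}: parent {pname}, expected wininit.exe")

    for p in by_name["rundll32.exe"]:
        dll, entry = parse_rundll32(p.cmdline)
        if dll is None:
            findings.append(f"rundll32.exe pid {p.pid}: no DLL on the command line")
            continue
        # A bare name is resolved through the loader's search order and cannot
        # be judged from the command line alone; only a fully qualified path
        # outside the Windows directory is flagged (a heuristic, not a rule).
        if ntpath.isabs(dll) and not under_windows(dll):
            findings.append(f"rundll32.exe pid {p.pid}: loads {dll},{entry} from outside the Windows directory")
    return findings


# Constructed snapshot: a normal boot chain, a masquerading lsass.exe in a
# user session, and a rundll32.exe loading a DLL from a user-writable folder.
SNAPSHOT = [
    Proc(500, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", 0),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", 0),
    Proc(620, 500, "lsass.exe", r"C:\Windows\System32\lsass.exe", 0),
    Proc(4100, 3900, "lsass.exe", r"C:\Users\bob\AppData\Local\Temp\lsass.exe", 1),
    Proc(5200, 5100, "rundll32.exe", r"C:\Windows\System32\rundll32.exe", 1,
         r"rundll32.exe shell32.dll,Control_RunDLL"),
    Proc(5300, 5100, "rundll32.exe", r"C:\Windows\System32\rundll32.exe", 1,
         r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\upd.dll,Start'),
]

if __name__ == "__main__":
    for line in check_snapshot(SNAPSHOT):
        print(line)
```

Run against the constructed snapshot, the first three processes pass and the two planted ones produce findings: the second lsass.exe is reported for the duplicate instance, the image path, the session and the missing wininit.exe parent, and the second rundll32.exe for loading a DLL from a Temp folder. The point is the method rather than these particular rules: each sentence of the Windows Internals text became a check that a real snapshot can either satisfy or fail.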
cheong00 answered

IMO the best explanation of RunDLL32 is written by Raymond Chen:
https://devblogs.microsoft.com/oldnewthing/20130104-00/?p=5643
