Windows Process List

Not every process is suspicious, but every process is a potential evidence source. The table below lists common Windows processes and services: what they do, what hosts them, and which forensic artifacts or indicators to look for when extracting strings from their memory.

Process Type Description
AppInfo Service
Application Information [AppInfo] — brokers User Account Control (UAC) elevation requests on behalf of standard-user processes. When a program requires administrative privileges, AppInfo launches consent.exe to show the prompt and then creates the elevated process with the full administrator token; without it, elevation requests simply fail. It also performs the silent auto-elevation of trusted Microsoft binaries and COM objects, which is why most UAC bypasses go through it indirectly rather than attacking it head-on.
  • Look for strings referencing elevated process launches, particularly image paths under user-writable directories (C:\Users\, C:\ProgramData\, %TEMP%).
  • UAC bypass techniques abuse auto-elevating COM objects that AppInfo elevates without a prompt; strings such as ICMLuaUtil (the interface of the CMSTPLUA object) or Elevation:Administrator!new: monikers are indicators.
  • Strings referencing consent.exe or auto-elevation COM CLSIDs indicate an elevation event or a bypass attempt.
Hosted as a svchost.exe instance.
bfe Service
Base Filtering Engine [BFE] — the policy engine underneath Windows Defender Firewall and the whole Windows Filtering Platform (WFP). It stores and enforces firewall rules, IPsec policies and the callout filters registered by third-party security products; every inbound and outbound filtering decision passes through BFE. Stopping it disables Windows firewall and IPsec enforcement, which is why it is a frequent target.
  • Strings referencing firewall rule modifications, particularly allow-all rules or rules targeting specific remote IPs.
  • Attackers who disable the firewall with netsh advfirewall set allprofiles state off (or Set-NetFirewallProfile) do so through BFE; look for strings reflecting profile state changes and rule or filter deletions.
  • Newly registered WFP callouts or filters from unexpected driver paths are a sign of network interception malware.
Note: mpssvc (the Windows Defender Firewall service) and third-party WFP consumers such as AMD Radeon Software leave similar WFP-related strings in this process, so attribute a string to a component before treating it as an indicator. Hosted as a svchost.exe instance.
cdpusersvc Service
Connected Devices Platform User Service [CDPUserSvc] — powers the cross-device features introduced in Windows 10: Timeline, clipboard history sync, "Continue on PC" and Nearby sharing over Bluetooth or Wi-Fi Direct. It runs once per logged-on user and talks to Microsoft's cloud services to broker device discovery and activity synchronisation, so its memory holds a record of the user's recent activity across devices.
  • Strings containing Microsoft account identifiers, device GUIDs and activity sync endpoints.
  • Clipboard content strings if clipboard history sync is active — a potential exfiltration vector on compromised machines.
  • Bluetooth and Wi-Fi Direct peer strings indicating nearby device connections.
Hosted as a svchost.exe instance, one per logged-on user; the service name carries a per-logon hexadecimal suffix appended to CDPUserSvc_ rather than a session number.
csrss Process
Client Server Runtime Process [CSRSS] — the user-mode side of the Win32 subsystem and one of the most critical processes in Windows. It handles process and thread creation and teardown notifications for its session, console window creation (handing the console itself off to conhost.exe) and shutdown coordination. There is exactly one csrss.exe per session: one for Session 0 (services) and one for each interactive session, so a single logged-on user gives two, and RDP sessions or fast user switching add more. It is a critical process; terminating it triggers an immediate bug check (BSOD).
  • A csrss.exe running from any path other than C:\Windows\System32\csrss.exe is a direct malware indicator.
  • Expect one instance per session. Each is started by a session-specific smss.exe instance that exits right after spawning csrss and wininit or winlogon, so the parent PID normally no longer exists; a csrss whose parent is still alive and is anything other than smss.exe, or more than one csrss in the same session, is suspicious.
  • Console I/O has lived in conhost.exe rather than csrss since Windows 7. csrss still sees process and thread creation for its session, so names and paths of launched programs can appear in its memory, but command strings typed into attacker tools are better recovered from the matching conhost.exe instance.
ctfmon Process
CTF Monitor [ctfmon] — activates the Alternative User Input and Office Language Bar, providing input method editor (IME) support, speech recognition integration and handwriting recognition. It runs per user and mediates input between Windows Text Services Framework (TSF) and applications. It is a legitimate and expected process on all modern Windows installations.
  • ctfmon is sometimes used as a persistence or hollowing target because it is expected to be present and is rarely monitored.
  • Any ctfmon.exe running from a path other than C:\Windows\System32\ctfmon.exe is immediately suspicious.
  • Memory strings referencing unusual TSF provider paths or loaded COM servers outside System32 can indicate exploitation of the CTF protocol vulnerability (CVE-2019-1162 and related).
diagtrack Service
Connected User Experiences and Telemetry [DiagTrack] — Microsoft's telemetry and diagnostics collection service. It collects system health data, crash reports, application usage metrics and diagnostic traces and transmits them to Microsoft endpoints. On enterprise systems it is frequently disabled via Group Policy. The volume of data it processes makes its memory a rich source of system activity snapshots.
  • Strings referencing recently run applications, crash telemetry payloads and system health metrics can reconstruct user and system activity timelines.
  • Look for strings containing vortex.data.microsoft.com or similar telemetry endpoints as confirmation of outbound telemetry activity.
  • On compromised systems where DiagTrack has been re-enabled or manipulated, its upload queue can contain attacker-influenced data.
Hosted as a svchost.exe instance.
dnscache Service
DNS Client [dnscache] — resolves and caches DNS queries on behalf of all processes on the machine. Rather than each process querying a DNS server independently, they send requests to dnscache, which manages the local resolver cache. This centralises resolution and improves performance. From a forensic standpoint the DNS cache in memory is a direct record of every hostname the machine has resolved recently.
  • Memory strings contain all recently resolved domain names — including C2 domains, exfiltration endpoints and attacker infrastructure.
  • DGA (Domain Generation Algorithm) patterns are visible as strings of seemingly random hostnames in the cache.
  • Applications with their own DNS-over-HTTPS resolver (browsers, some malware) bypass dnscache; Windows' native DoH support on Windows 11 still goes through it. A hostname missing from the cache when you know the connection happened is itself an indicator that resolution was done elsewhere.
  • Internal hostnames resolved during lateral movement are also cached here.
Hosted as a svchost.exe instance.
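As an added example (not part of the original page), the heuristic a memory analyst would run over hostname strings carved from the dnscache svchost: split them into internal names, ordinary external names and DGA-like candidates using label entropy, digit density and vowel ratio. The hostnames are constructed for the example, the INTERNAL_SUFFIX, the scoring weights and the threshold are assumptions to tune per case, and a dictionary-based DGA would need a different check:

```python
import math
import re
from collections import Counter

# Constructed hostname strings, as they would come out of a strings dump of the
# dnscache svchost instance (not real case data).
SAMPLE_STRINGS = """
update.microsoft.com
login.corp.example
fileserver01.corp.example
xk3jq9vbn2zt7lw.net
q7w2e9r4t1y6u3i8.info
cdn.jsdelivr.net
mail.google.com
aj4k9z2b7x0q5n8m3v.com
dc01.corp.example
"""

# Assumed internal DNS suffix; take it from the host's domain join / NIC config in a real case.
INTERNAL_SUFFIX = ".corp.example"
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(hostname):
    """Score the registrable label (the label left of the TLD); higher is more DGA-like.
    Weights are arbitrary tuning constants, not a published model."""
    labels = hostname.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0.0
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    score = shannon_entropy(label)            # random labels have high character entropy
    score += 2.0 * digits                     # digit-heavy labels are rare in real brand names
    score += 1.0 if vowels < 0.2 else 0.0     # pronounceable names contain vowels
    score += 0.5 if len(label) >= 12 else 0.0
    return round(score, 2)

def classify_strings(text, internal_suffix=INTERNAL_SUFFIX, threshold=4.0):
    """Bucket carved hostnames into internal, external and dga_suspect lists."""
    result = {"internal": [], "external": [], "dga_suspect": []}
    for line in text.splitlines():
        host = line.strip().lower()
        if not HOSTNAME_RE.match(host):
            continue
        if host.endswith(internal_suffix):
            result["internal"].append(host)
        elif dga_score(host) >= threshold:
            result["dga_suspect"].append(host)
        else:
            result["external"].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in classify_strings(SAMPLE_STRINGS).items():
        print(bucket)
        for h in hosts:
            print(f"  {h}  score={dga_score(h)}")
```

The internal bucket is the lateral-movement view (which hosts were looked up), the dga_suspect bucket is the first list to pivot into passive DNS, and anything the heuristic misclassifies should be corrected by adjusting the weights against known-good traffic from the same network rather than by lowering the threshold.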
dps Service
Diagnostic Policy Service [DPS] — enables automated problem detection, troubleshooting and resolution for Windows components. It runs diagnostic packages in response to system faults and feeds data into the Problem Reports and Solutions infrastructure. It operates silently in the background and has broad read access to system state.
  • Strings referencing diagnostic packages loaded from unusual paths are suspicious: DPS loads and runs the packages it is handed, so a package path outside the Windows diagnostics directories can indicate an attacker-supplied plugin.
  • Error strings from failed component operations can confirm system state at a specific point in time.
  • Look for strings referencing C:\Windows\System32\DiagSvcs\ and any deviation from expected diagnostic package paths.
Hosted as a svchost.exe instance.
dusmsvc Service
Data Usage Monitoring Service [DusmSvc] — tracks per-app and per-connection network data usage across all network interfaces. It powers the "Data usage" view in Windows Settings and enforces metered connection limits. The service maintains an internal database of byte counts grouped by application and network interface, updated in real time.
  • Memory strings contain application identifiers alongside interface GUIDs and byte-count values — useful for confirming which process performed large data transfers.
  • Anomalously large usage values for unexpected processes are a data exfiltration indicator.
  • Interface strings reveal which network adapter was used for transfers, helping correlate with physical access events.
Hosted as a svchost.exe instance.
DWM Process
Desktop Window Manager [DWM] — composites and renders all visual output on the Windows desktop using GPU-accelerated DirectX surfaces. It manages transparency, live thumbnails, animations and the visual layer above every application window. One dwm.exe runs per interactive session (never in session 0), started by that session's winlogon.exe and running under the session's Window Manager\DWM-n virtual account with direct access to the display output pipeline.
  • Window title strings from every visible application are processed through DWM — its memory can contain recently active window titles, including from applications already closed.
  • Screenshot-taking malware that hooks into DWM's rendering pipeline leaves COM interface strings and hook-related artifacts.
  • Any dwm.exe running outside of C:\Windows\System32\dwm.exe is a direct masquerading indicator.
Eventlog Service
Windows Event Log [Eventlog] — manages the collection, storage and retrieval of all Windows event log entries across every log channel. It receives log records from the ETW (Event Tracing for Windows) infrastructure, applies channel routing and writes records to .evtx files. The service holds a write buffer for pending log records in memory before flushing to disk.
  • Pending log entries not yet flushed to disk are recoverable from Eventlog process memory — this can recover log records even after an attacker clears the .evtx files.
  • Anti-forensic tools that target Eventlog (such as those manipulating the log via undocumented APIs) leave strings indicating stopped or manipulated channels.
  • Provider registration strings for unexpected or third-party providers may indicate malware logging suppression or custom channel registration for evasion.
Hosted as a svchost.exe instance.
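Recovering unflushed records from the Eventlog service is a carving problem, so here is an added example (not from the page) that scans a raw buffer for EVTX record framing: the magic "**\0\0", the record size, the record ID and the written FILETIME, with a copy of the size closing each record that lets false-positive magics be rejected. The buffer and records are constructed inline; their bodies are plain UTF-16 text standing in for the BinXml a real record carries, so the string extraction here is a quick look at provider and channel names, not a BinXml parser:

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EVTX_RECORD_MAGIC = b"\x2a\x2a\x00\x00"      # "**\0\0" opens every EVTX event record
RECORD_HEADER = struct.Struct("<4sIQQ")       # magic, record size, record id, written FILETIME
MAX_RECORD_SIZE = 64 * 1024                   # sanity bound for carved sizes
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)

def utf16_strings(data, min_len=4):
    """Printable UTF-16LE runs (provider, channel, computer names) inside the record body."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]

def carve_evtx_records(buf):
    """Yield (record_id, written_utc, strings) for each structurally valid record at any
    offset. A false-positive magic is rejected by the size bounds and by the copy of the
    record size that closes every real record."""
    pos = 0
    while (pos := buf.find(EVTX_RECORD_MAGIC, pos)) >= 0:
        if pos + RECORD_HEADER.size <= len(buf):
            _, size, rec_id, ft = RECORD_HEADER.unpack_from(buf, pos)
            end = pos + size
            if (RECORD_HEADER.size + 4 <= size <= MAX_RECORD_SIZE and end <= len(buf)
                    and struct.unpack_from("<I", buf, end - 4)[0] == size):
                body = buf[pos + RECORD_HEADER.size:end - 4]
                yield rec_id, filetime_to_datetime(ft), utf16_strings(body)
                pos = end
                continue
        pos += 1

def build_record(rec_id, written, body):
    """Constructed record with real EVTX framing; the body is UTF-16 text standing in for BinXml."""
    delta = written - WINDOWS_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    size = RECORD_HEADER.size + len(body) + 4
    return RECORD_HEADER.pack(EVTX_RECORD_MAGIC, size, rec_id, ft) + body + struct.pack("<I", size)

def sample_memory_image():
    """Constructed buffer standing in for a slice of the Eventlog svchost address space."""
    t = datetime(2024, 3, 5, 14, 22, 7, tzinfo=timezone.utc)
    rec1 = build_record(4711, t, "Microsoft-Windows-Security-Auditing\x00Security\x00".encode("utf-16-le"))
    rec2 = build_record(4712, t + timedelta(seconds=3), "Microsoft-Windows-Sysmon\x00".encode("utf-16-le"))
    decoy = EVTX_RECORD_MAGIC + struct.pack("<I", 40) + b"\x00" * 36   # magic with no matching trailer
    return b"\xcc" * 17 + rec1 + b"junk" + decoy + b"\x00" * 9 + rec2 + b"\xff" * 5

if __name__ == "__main__":
    for rec_id, when, strs in carve_evtx_records(sample_memory_image()):
        print(rec_id, when.isoformat(), strs)
```

Run the same scan over a memory dump of the Eventlog svchost and compare the recovered record IDs with the highest ID present in the on-disk .evtx for that channel: IDs above it are records that never reached disk, and gaps below it are records that were cleared.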
Explorer Process
Windows Explorer [Explorer] — the interactive shell process for the Windows desktop, taskbar, Start menu and file system browser. It hosts the ShellExecute logic that launches applications on behalf of the user. Almost all user-initiated program launches, file opens and folder navigation events pass through explorer.exe's process space, making it an exceptionally rich memory target.
  • Recently accessed file paths, typed folder paths and search queries are held in memory — an excellent supplement to ShellBags and RecentDocs registry artifacts.
  • PCA client strings (pcaclient) are visible in explorer.exe memory because the PCA client component hooks into the shell execution path to monitor launched programs.
  • Strings from recently opened Office documents, PDFs and archives appear in explorer.exe memory due to thumbnail generation and preview handler invocations.
  • Injected DLL paths and COM server strings in explorer.exe are a classic persistence and injection indicator — many RATs target explorer for long-term injection.
lsass Process
Local Security Authority Subsystem Service [LSASS] — the gatekeeper of authentication on every Windows system. It handles all local and domain logon authentication, enforces security policies, generates access tokens and manages the Security Account Manager (SAM) database. LSASS holds credential material for all currently and recently authenticated users in its working memory — NTLM hashes, Kerberos tickets, and in older configurations, plaintext passwords via the WDigest provider.
  • The primary target of credential dumping tools like Mimikatz, which read LSASS memory directly to extract hashes and tickets.
  • NTLM hash strings, Kerberos ticket binary blobs and domain controller hostnames are all present in LSASS memory.
  • Any process that opens a handle to LSASS with PROCESS_VM_READ (0x0010) is a credential-dumping candidate. Strings alone rarely show this; confirm it from the handle table (Volatility handles or windows.handles filtered on the LSASS PID) or from Sysmon Event ID 10, where GrantedAccess values such as 0x1010, 0x1410 or 0x1FFFFF from a non-system image are the classic signature.
  • Injected modules in LSASS space, particularly from unexpected paths, indicate an SSP (Security Support Provider) implant or in-memory credential stealer.
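Handle opens on LSASS are easier to confirm from Sysmon Event ID 10 than from strings, so as an added example (not from the page) this triages constructed Event ID 10 records flattened to key=value form: it decodes GrantedAccess into the rights that matter for credential theft, flags credential-capable opens from images outside an assumed baseline, and flags call stacks that pass through unbacked memory (UNKNOWN frames), which Sysmon reports when the caller is injected code. The sample records and the EXPECTED_SOURCES allowlist are assumptions to tune per estate:

```python
import re

# Process access rights from the Win32 headers (the subset that matters here).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF
CREDENTIAL_CAPABLE = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE
RIGHT_NAMES = {PROCESS_CREATE_THREAD: "CREATE_THREAD", PROCESS_VM_READ: "VM_READ",
               PROCESS_VM_WRITE: "VM_WRITE", PROCESS_DUP_HANDLE: "DUP_HANDLE"}

# Assumed baseline of images that routinely open lsass with read access on a
# Defender-protected host; tune it from your own estate's telemetry.
EXPECTED_SOURCES = {"csrss.exe", "wininit.exe", "svchost.exe", "msmpeng.exe"}

# Constructed Sysmon Event ID 10 records flattened to key=value form (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\csrsrv.dll+4d0a",
    r"EventID=10 SourceImage=C:\Users\bob\AppData\Local\Temp\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2ce6e|C:\Users\bob\AppData\Local\Temp\procdump64.exe+1a2b",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001E4A3B20000)",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Program Files\Windows Defender\mpengine.dll+3f2a1",
    r"EventID=10 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4c4",
]

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split a flattened record into fields; values may contain spaces (Program Files)."""
    return dict(KV_RE.findall(line))

def describe_rights(mask):
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return "ALL_ACCESS"
    return ",".join(name for bit, name in RIGHT_NAMES.items() if mask & bit) or "none"

def triage_lsass_access(lines, expected=EXPECTED_SOURCES):
    """One finding per lsass handle open that is credential-capable from an unexpected
    image, or whose call stack passes through unbacked memory."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10" or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(ev.get("GrantedAccess", "0"), 16)
        source = ev.get("SourceImage", "")
        basename = source.rsplit("\\", 1)[-1].lower()
        reasons = []
        if mask & CREDENTIAL_CAPABLE and basename not in expected:
            reasons.append(f"{describe_rights(mask)} from unexpected image")
        if "UNKNOWN(" in ev.get("CallTrace", ""):
            reasons.append("call stack passes through unbacked memory (injected code)")
        if reasons:
            findings.append({"source": source, "access": hex(mask), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_lsass_access(SAMPLE_EVENTS):
        print(f["access"], f["source"], "; ".join(f["reasons"]))
```

Matching on basename alone is deliberately loose so the injected-code check still fires for a legitimate image (the svchost record above); a production rule would also pin the expected images to their signed paths.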
msmpeng Process
Microsoft Malware Protection Engine [MsMpEng] — the scanning and detection engine at the core of Windows Defender Antivirus. It performs real-time file, process and behavior monitoring, scheduled full scans and cloud-assisted sample analysis. MsMpEng has a broad memory footprint because it loads and analyzes the content of files it scans into its own address space.
  • Strings from recently scanned files, including malicious samples that triggered detection, can persist in MsMpEng memory even after the source file is deleted.
  • Detection name strings, AMSI scan buffers and cloud lookup query strings reveal what Defender has been evaluating.
  • Defender exclusion paths loaded from policy are visible as strings — attackers frequently add exclusions to hide staging directories.
  • AMSI bypasses patch AmsiScanBuffer in amsi.dll inside the scripting host (PowerShell, wscript, mshta), not in MsMpEng; MsMpEng only receives the buffer through Defender's AMSI provider (MpOav.dll). Compare the AMSI scan buffers present in MsMpEng memory with the scripts known to have run: a script host that loaded amsi.dll but produced no scan traffic is a bypass indicator.
nissrv Process
Microsoft Network Realtime Inspection Service [NisSrv] — the network-level inspection component of Windows Defender. It analyzes network streams in real time using WFP callouts to detect exploit patterns, malicious payloads and network-based attacks. It works in conjunction with MsMpEng and the cloud protection service to provide behavioral network monitoring.
  • Signatures and rule strings loaded from the latest definition update are present in memory — useful for confirming whether a specific detection capability was loaded at the time of an incident.
  • Network packet buffer strings containing suspicious payloads that NisSrv inspected may persist briefly in memory.
  • Strings referencing bypassed or disabled inspection modes indicate an attacker has tampered with network-level protection.
pcasvc Service
Program Compatibility Assistant Service [PcaSvc] — the service side of the Program Compatibility Assistant framework. It monitors application launches for compatibility problems, records execution events in the PCA store under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store and, on Windows 11 22H2 and later, in the text logs under C:\Windows\appcompat\pca\ (PcaAppLaunchDic.txt and PcaGeneralDb0.txt), and applies compatibility shims when required. It works alongside the PCA client component (pcacli.dll) loaded into explorer.exe and other processes that launch programs.
  • Recent execution paths and timestamps held in memory before being flushed to the PCA database — useful for recovering executions not yet written to disk.
  • Strings containing full paths of recently launched executables, including portable tools run from USB drives or temp directories.
  • Note: the pcaclient component also runs inside explorer.exe and other shell host processes, leaving PCA-related strings across multiple process memory spaces — not just inside pcasvc itself.
Hosted as a svchost.exe instance.
registry Process
Registry Process [Registry] — a minimal process introduced in Windows 10 version 1803 that holds the registry hives in its own address space instead of kernel paged pool, so hive memory can be trimmed, paged and compressed like any other working set. It has no user-mode image: it is created by the kernel, its parent is System (PID 4), it runs in session 0 and it appears near the top of the process list with a low PID and an empty image path.
  • Because the registry process hosts hive data in memory, carving it can recover registry key names, values and data from all loaded hives — including recently modified or deleted keys.
  • Any process named Registry that has a user-mode image path, a parent other than System, or runs outside session 0 is masquerading malware.
  • Transactional registry operations (TxR) in flight are visible in its memory, revealing pending registry changes that have not yet been committed.
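The path, parent, session and instance-count expectations given above for csrss, dwm, lsass, ctfmon, explorer and the Registry process are easy to check mechanically over a pslist-style listing. The added example below (not from the page) does that with a rule table; the process listing is constructed and includes three planted masquerades, and the rules encode the expectations stated on this page, tolerating a vanished parent only where smss.exe is the expected parent, since the per-session smss instance exits after spawning its children:

```python
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "pid ppid name path session")

# Constructed pslist-style listing (not real case data); the last three entries are planted.
SAMPLE_PROCS = [
    Proc(4, 0, "System", "", 0),
    Proc(96, 4, "Registry", "", 0),
    Proc(320, 4, "smss.exe", r"C:\Windows\System32\smss.exe", 0),
    Proc(428, 412, "csrss.exe", r"C:\Windows\System32\csrss.exe", 0),        # parent smss copy exited
    Proc(504, 412, "wininit.exe", r"C:\Windows\System32\wininit.exe", 0),
    Proc(512, 496, "csrss.exe", r"C:\Windows\System32\csrss.exe", 1),
    Proc(560, 496, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", 1),
    Proc(600, 504, "lsass.exe", r"C:\Windows\System32\lsass.exe", 0),
    Proc(640, 504, "services.exe", r"C:\Windows\System32\services.exe", 0),
    Proc(900, 640, "svchost.exe", r"C:\Windows\System32\svchost.exe", 0),
    Proc(1020, 560, "dwm.exe", r"C:\Windows\System32\dwm.exe", 1),
    Proc(2200, 2180, "explorer.exe", r"C:\Windows\explorer.exe", 1),          # parent userinit exited
    Proc(2400, 2200, "ctfmon.exe", r"C:\Windows\System32\ctfmon.exe", 1),
    Proc(3100, 2200, "csrss.exe", r"C:\Users\bob\AppData\Roaming\csrss.exe", 1),
    Proc(3200, 2200, "Registry", r"C:\ProgramData\Registry.exe", 1),
    Proc(3300, 2200, "lsass.exe", r"C:\Windows\Temp\lsass.exe", 1),
]

SYSTEM32 = r"c:\windows\system32"

# dir: directory the image must live in ("" = no user-mode image, i.e. a kernel-created process)
# parents: allowed parent names; a missing parent is tolerated only when smss.exe is allowed
# session / not_session0: session constraints; per_session / total: maximum instance counts
RULES = {
    "csrss.exe":    dict(dir=SYSTEM32, parents={"smss.exe"}, per_session=1),
    "wininit.exe":  dict(dir=SYSTEM32, parents={"smss.exe"}, total=1, session=0),
    "winlogon.exe": dict(dir=SYSTEM32, parents={"smss.exe"}, per_session=1, not_session0=True),
    "lsass.exe":    dict(dir=SYSTEM32, parents={"wininit.exe"}, total=1, session=0),
    "services.exe": dict(dir=SYSTEM32, parents={"wininit.exe"}, total=1, session=0),
    "dwm.exe":      dict(dir=SYSTEM32, parents={"winlogon.exe"}, per_session=1, not_session0=True),
    "ctfmon.exe":   dict(dir=SYSTEM32, not_session0=True),
    "explorer.exe": dict(dir=r"c:\windows", not_session0=True),
    "registry":     dict(dir="", parents={"system"}, total=1, session=0),
}

def image_dir(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def check_process_list(procs):
    """Return (pid, name, reason) findings; pid is None for instance-count findings."""
    by_pid = {p.pid: p for p in procs}
    per_session = Counter((p.name.lower(), p.session) for p in procs)
    totals = Counter(p.name.lower() for p in procs)
    findings = []
    for p in procs:
        rule = RULES.get(p.name.lower())
        if rule is None:
            continue
        if image_dir(p.path) != rule["dir"]:
            findings.append((p.pid, p.name, f"unexpected image path {p.path or '<none>'}"))
        if "parents" in rule:
            parent = by_pid.get(p.ppid)
            if parent is None:
                if "smss.exe" not in rule["parents"]:
                    findings.append((p.pid, p.name, f"parent PID {p.ppid} no longer exists"))
            elif parent.name.lower() not in rule["parents"]:
                findings.append((p.pid, p.name, f"parent is {parent.name} (PID {p.ppid})"))
        if "session" in rule and p.session != rule["session"]:
            findings.append((p.pid, p.name, f"running in session {p.session}, expected {rule['session']}"))
        if rule.get("not_session0") and p.session == 0:
            findings.append((p.pid, p.name, "running in session 0"))
    for (name, session), n in sorted(per_session.items()):
        limit = RULES.get(name, {}).get("per_session")
        if limit and n > limit:
            findings.append((None, name, f"{n} instances in session {session}, expected at most {limit}"))
    for name, n in sorted(totals.items()):
        limit = RULES.get(name, {}).get("total")
        if limit and n > limit:
            findings.append((None, name, f"{n} instances on the host, expected {limit}"))
    return findings

if __name__ == "__main__":
    for pid, name, reason in check_process_list(SAMPLE_PROCS):
        print(f"{pid if pid is not None else '-':>6}  {name:<14} {reason}")
```

Feed it the output of a pslist or pstree plugin (pid, ppid, name, image path, session) and read the count findings first: a second csrss in the same session or a second lsass is where the planted entries above show up even before their paths are inspected.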
schedule Service
Task Scheduler [Schedule] — manages the Windows Task Scheduler infrastructure. It loads task definitions from C:\Windows\System32\Tasks\ and the registry, evaluates triggers (time-based, event-based, logon-based) and launches task actions at the defined moments. It is widely abused for persistence because scheduled tasks survive reboots and execute with high reliability.
  • Task XML definitions loaded into memory contain the full action command line, including arguments — excellent for recovering deleted task persistence.
  • Actions whose Command points into user-writable locations such as C:\Users\, C:\ProgramData\ or %TEMP%, or tasks whose URI sits outside the \Microsoft\ tree with a non-Microsoft Author, indicate attacker-created tasks.
  • COM handler strings for task actions reveal persistence mechanisms that use COM object activation rather than executable paths.
  • Recently triggered task names and their execution timestamps are present in memory before being written to the Task Scheduler event log.
Hosted as a svchost.exe instance.
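As an added example (not from the page), a carver and triage for task definitions found in the Schedule service's memory: it locates <Task>...</Task> documents as UTF-16LE or UTF-8 text in a raw buffer, then pulls out author, URI, principal, triggers and actions (Exec and ComHandler) and flags the patterns listed above. The two task definitions and the buffer are constructed, and the LOLBin list, user-writable path list and argument regex are heuristics, not a complete rule set:

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "%temp%", "%appdata%")
SUSPICIOUS_ARGS = re.compile(r"-enc|-e\b|hidden|downloadstring|iex|javascript:|https?://")

# Constructed task definitions (not from a real system).
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WS01\\bob</Author><URI>\\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>WS01\\bob</UserId><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command><Arguments>-nop -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1</Arguments></Exec></Actions>
</Task>"""

def carve_task_xml(buf):
    """Yield <Task>...</Task> documents found in a raw buffer as UTF-16LE (the on-disk and
    usual in-memory form) or UTF-8 text."""
    for enc in ("utf-16-le", "utf-8"):
        start, end = "<Task ".encode(enc), "</Task>".encode(enc)
        pos = 0
        while (i := buf.find(start, pos)) >= 0 and (j := buf.find(end, i)) >= 0:
            yield buf[i:j + len(end)].decode(enc)
            pos = j + len(end)

def text(el, path):
    return el.findtext(path, default="", namespaces=NS).strip()

def triage_task(xml_text):
    """Summarise one task definition and flag the persistence patterns described above."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    info = {
        "author": text(root, "t:RegistrationInfo/t:Author"),
        "uri": text(root, "t:RegistrationInfo/t:URI"),
        "user": text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": text(root, "t:Principals/t:Principal/t:RunLevel"),
        "triggers": [c.tag.split("}")[-1] for c in triggers] if triggers is not None else [],
        "actions": [], "flags": [],
    }
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd, args = text(ex, "t:Command"), text(ex, "t:Arguments")
        info["actions"].append(("Exec", cmd, args))
        low = f"{cmd} {args}".lower()
        base = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if any(p in low for p in USER_WRITABLE):
            info["flags"].append("action references a user-writable path")
        if base in LOLBINS and SUSPICIOUS_ARGS.search(args.lower()):
            info["flags"].append(f"LOLBin {base} with suspicious arguments")
    for com in root.findall("t:Actions/t:ComHandler", NS):
        clsid = text(com, "t:ClassId")
        info["actions"].append(("ComHandler", clsid, text(com, "t:Data")))
        info["flags"].append(f"COM handler action {clsid}: resolve its InprocServer32 path in the registry")
    if info["run_level"] == "HighestAvailable" and "LogonTrigger" in info["triggers"]:
        info["flags"].append("elevated task on logon")
    return info

def sample_buffer():
    """Constructed stand-in for a slice of the Schedule svchost memory."""
    return (b"\x00" * 7 + SUSPECT_TASK.encode("utf-16-le") + b"\xcc" * 5
            + BENIGN_TASK.encode("utf-8") + b"\x00" * 3)

if __name__ == "__main__":
    for doc in carve_task_xml(sample_buffer()):
        t = triage_task(doc)
        print(t["uri"], t["triggers"], t["actions"], t["flags"])
```

A task carved from memory whose URI has no counterpart under C:\Windows\System32\Tasks\ or in the TaskCache registry tree is the deleted-persistence case the entry above describes; the ComHandler flag is there because the CLSID alone says nothing until its InprocServer32 value is resolved.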
searchindexer Process
Windows Search Indexer [SearchIndexer] — builds and maintains the Windows Search index by crawling file content and metadata across local drives, SharePoint and Outlook data stores. It reads and parses file content from documents, emails and media files to extract indexable text. Because it processes the content of every file it indexes, its memory contains fragments of recently indexed file content.
  • Strings from documents, PDFs and emails processed during indexing may persist in memory — including content from files that were subsequently deleted.
  • User search query strings submitted to Windows Search are processed here and may be present in memory, complementing the WordWheelQuery registry artifact.
  • File paths actively being indexed at the time of acquisition reveal the file system state and recently accessed or created content.
sgrmbroker Process
System Guard Runtime Monitor Broker [SgrmBroker] — part of Windows Defender System Guard, providing runtime attestation and integrity monitoring of the secure boot chain and kernel state. It works with the underlying VSM (Virtualization-Based Security) infrastructure to verify that the system has not been tampered with at a low level. It was designed to protect against firmware and bootkit-level attacks.
  • Attestation report strings and TPM measurement chain data are present in memory — useful for understanding the integrity state of the machine at the time of acquisition.
  • Strings referencing failed integrity checks or unexpected measurement values can indicate tampering with early-boot components.
  • Its absence or an unexpected termination string is itself an indicator — attackers disabling VBS/System Guard leave traces in its last known state.
Note: SgrmBroker has been retired and is not present as a standalone process on current Windows 10 22H2 and Windows 11 builds; System Guard attestation continues through other components. Check the build before reading its absence as tampering: on a modern image, not finding sgrmbroker.exe is the expected state, not an indicator.
smartscreen Process
Windows SmartScreen [SmartScreen] — evaluates the reputation of downloaded files and URLs before execution. When a file with the Mark of the Web (MOTW) alternate data stream is launched, SmartScreen queries Microsoft's cloud reputation database using the file hash. It is also integrated into Edge for URL-level phishing and malware detection.
  • Strings containing file hashes, full paths and reputation query responses reveal every file SmartScreen assessed — including those the attacker attempted to execute.
  • Files that bypassed SmartScreen (stripped MOTW, renamed extension, executed via LOLBins) won't appear here — their absence is an indicator.
  • SmartScreen bypasses usually avoid the check rather than defeat it: containers that do not propagate MOTW (ISO and VHD images, some archive tools), LNK or script launchers, and abused signed binaries. Strings referencing the IAttachmentExecute interface in unexpected process contexts show something other than a browser or mail client applying or evaluating MOTW.
sysmain Service
SysMain [SuperFetch] — proactively loads frequently used application data into RAM to cut launch times. It builds a long-term usage profile of which applications and files the user opens most often and at what times of day, keeps that profile in the Ag*.db files under C:\Windows\Prefetch\ alongside the per-application .pf files, and uses it to pre-populate the cache.
  • The application usage profile in memory reflects the historical execution pattern of the user — applications appearing in this profile have been executed repeatedly over time.
  • Strings referencing unusual or newly appearing executables that SysMain has begun tracking suggest recent introductions to the system.
  • The service also backs the ReadyBoost and ReadyBoot features — related strings indicate these features are active and reflect storage access patterns.
Hosted as a svchost.exe instance.
taskhostw Process
Task Host for Windows [taskhostw] — a generic host process that runs scheduled task DLL actions, COM-based tasks and in-process task payloads that cannot run as standalone executables. Unlike tasks that launch external executables, DLL-based task actions are loaded directly into a taskhostw instance, executed and then the host exits. Multiple instances may run simultaneously for parallel task processing.
  • Strings containing the task name, action DLL path and command-line arguments reveal exactly which task was executing at the time of acquisition.
  • Attacker-controlled tasks with DLL actions load their payload directly into taskhostw — the injected DLL's strings, including C2 addresses and encoded payloads, are fully readable in its memory.
  • Persistence via DLL-based tasks is harder to detect from the task XML alone — the running taskhostw instance may be the only live indicator of a malicious action DLL.

For more info, see: Dump Memory