Wininit.exe starts key background processes within Session 0.
It starts the Service Control Manager (services.exe
), the Local Security
Authority process (lsass.exe
), and lsaiso.exe
for systems with Credential
Guard enabled. Note that prior to Windows 10, the Local Session Manager
process (lsm.exe
) was also started by wininit.exe. As of Windows 10, that
functionality has moved to a service DLL (lsm.dll
) hosted by svchost.exe
.
Executable’s image path.
%SystemRoot%\System32\wininit.exe
A process which spawned the analyzed process.
Created by an instance of `smss.exe` that exits, so tools usually do not provide the parent process name
Expected number of processes running which may normally run on Windows.
One
Windows account with which the process was launched. This defines what privileges given process has.
Local System
Expected time of process to be launched.
Within seconds of boot time