Explanation of Windows Processes and DLLs

aredubbya 1 Reputation point
2021-05-22T00:34:19.01+00:00

Hi everyone,

I am looking for a resource that will explain what all Windows processes and DLLs (if possible) are meant to do / what their purpose is, as originally designed by Microsoft. I am looking for something that will tell me, for example, what these processes do:

wininit.exe
lsass.exe
rundll32.exe

I want to get an understanding of why they run and how they are meant to work. I know I can Google this stuff, but I don't know how reliable the explanations in the search results are. When analysing malware etc., it helps to understand how something was originally designed to operate, as a means of comparing that against the activity you see.

What do other people use to get this info? If there are websites or books you can advise, please let me know. Thanks.


5 answers

  1. Anonymous
    2021-05-24T09:04:18.547+00:00

    Hi,

    Welcome to our Q&A platform.

    For the Windows operating systems, much of the functionality of the operating system is provided by DLLs. Additionally, when you run a program on one of these Windows operating systems, much of the functionality of the program may be provided by DLLs. For example, some programs may contain many different modules, and each module of the program is contained and distributed in DLLs.

    The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space. So, the operating system and the programs load faster, run faster, and take less disk space on the computer.

    When a program uses a DLL, an issue that is called dependency may cause the program not to run. When a program uses a DLL, a dependency is created. If another program overwrites and breaks this dependency, the original program may not successfully run.

    For more details regarding DLLs, please refer to the following links:

    What is a DLL

    Dynamic-link library
    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Anonymous
    2021-05-24T09:12:00.453+00:00

    As for the processes wininit.exe, lsass.exe and rundll32.exe, unfortunately there are no official documents regarding these processes.

    I also found the following articles and similar threads for your reference:

    What is wininit.exe?

    How to remove the Isass virus

    What is rundll32.exe?

    wininit.exe - What it is and why is it constantly running

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope my answer will help you.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. User989846-7900 1 Reputation point
    2022-01-17T11:09:16.26+00:00

    Hello,
    I stumbled on this article which could be a good start:
    https://nasbench.medium.com/windows-system-processes-an-overview-for-blue-teams-42fa7a617920


  4. Castorix31 90,521 Reputation points
    2022-01-17T11:42:47.227+00:00

    Everything is in MSDN + M. Russinovich's books:

    Windows Initialization Process (Wininit.exe)
    The Wininit.exe process performs the following system initialization functions:

    • Marks itself critical so that if it exits prematurely and the system is booted in debugging mode,
      it will break into the debugger (if not, the system will crash).
    • Initializes the user-mode scheduling infrastructure.
    • Creates the %windir%\temp folder.
    • Creates a window station (Winsta0) and two desktops (Winlogon and Default) for processes to
      run on in session 0.
    • Creates Services.exe (Service Control Manager or SCM). See upcoming paragraphs for a brief
      description or Chapter 4 for more details.
    • Starts Lsass.exe (Local Security Authentication Subsystem Server). See Chapter 6 for more
      information on Lsass.
    • Starts Lsm.exe (Local Session Manager). See the upcoming “Local Session Manager (Lsm.exe),”
      section for a brief description.
    • Waits forever for system shutdown.

    Local Security Authority subsystem (LSASS)
    A user-mode process running the image %SystemRoot%\System32\Lsass.exe that is responsible for the local system security policy
    (such as which users are allowed to log on to the machine, password policies, privileges
    granted to users and groups, and the system security auditing settings), user authentication,
    and sending security audit messages to the Event Log. The Local Security Authority service
    (Lsasrv—%SystemRoot%\System32\Lsasrv.dll), a library that LSASS loads, implements most of
    this functionality.

    rundll32

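The following PowerShell is an added example; it is not code from this thread, from Microsoft or from the Windows Internals book. It turns the design described in the answer above (Wininit.exe creates Services.exe and starts Lsass.exe and Lsm.exe; LSASS runs from %SystemRoot%\System32\Lsass.exe and loads Lsasrv.dll), together with the DLL-loading point from the first answer, into a check you can run on a live machine and compare against what the book says should be there. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8 or later, run elevated. The baseline table, the treatment of lsm.exe as optional on current releases, and the function names are my assumptions, not something the thread states.

```powershell
# Added example (not from the thread, Microsoft or the Windows Internals book).
# Compares live process lineage and image paths with the design described above.
# Assumptions: Windows 8 or later, elevated session; baseline table is mine.

$System32 = Join-Path $env:SystemRoot 'System32'

# Baseline taken from the answer above. Lsm.exe is marked optional because on
# Windows 8 and later LSM runs as lsm.dll inside svchost.exe instead of as its
# own process (my assumption about newer releases, not stated in the thread).
$Baseline = @(
    @{ Name = 'services.exe'; Parent = 'wininit.exe'; Optional = $false }
    @{ Name = 'lsass.exe';    Parent = 'wininit.exe'; Optional = $false }
    @{ Name = 'lsm.exe';      Parent = 'wininit.exe'; Optional = $true  }
)

# One CIM query gives name, PID, parent PID and image path for every process.
$Procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object Name, ProcessId, ParentProcessId, ExecutablePath
$ByPid = @{}
foreach ($p in $Procs) { $ByPid[[int]$p.ProcessId] = $p }

function Test-ProcessLineage {
    param([string]$Name, [string]$ExpectedParent, [bool]$Optional)

    $found = @($Procs | Where-Object { $_.Name -ieq $Name })
    if ($found.Count -eq 0) {
        $note = if ($Optional) { 'absent; expected on this OS version' } else { 'MISSING' }
        return [pscustomobject]@{
            Process = $Name; Pid = $null; Parent = $null; ParentOk = $Optional
            Path = $null; PathOk = $Optional; Note = $note
        }
    }
    foreach ($proc in $found) {
        # A parent that already exited (or whose PID was reused) shows as unknown.
        $parent       = $ByPid[[int]$proc.ParentProcessId]
        $parentName   = if ($parent) { $parent.Name } else { '<unknown>' }
        $expectedPath = Join-Path $System32 $Name
        # A same-named binary outside System32 is the classic masquerade.
        $pathOk = [bool]$proc.ExecutablePath -and ($proc.ExecutablePath -ieq $expectedPath)
        [pscustomobject]@{
            Process  = $proc.Name
            Pid      = $proc.ProcessId
            Parent   = $parentName
            ParentOk = ($parentName -ieq $ExpectedParent)
            Path     = $proc.ExecutablePath
            PathOk   = $pathOk
            Note     = ''
        }
    }
}

function Test-LsassModules {
    # The answer says most of LSASS lives in Lsasrv.dll; confirm it is loaded from
    # System32. Module enumeration needs elevation and is denied outright when LSA
    # protection (RunAsPPL) is enabled, which is itself the designed behaviour.
    try {
        $lsass  = Get-Process -Name lsass -ErrorAction Stop
        $lsasrv = $lsass.Modules | Where-Object { $_.ModuleName -ieq 'lsasrv.dll' }
        $modPath = if ($lsasrv) { $lsasrv.FileName } else { $null }
        $inSys32 = [bool]$lsasrv -and ($modPath -ieq (Join-Path $System32 'lsasrv.dll'))
        [pscustomobject]@{
            Process = 'lsass.exe'; Module = 'lsasrv.dll'; Loaded = [bool]$lsasrv
            Path = $modPath; InSystem32 = $inSys32; Error = $null
        }
    } catch {
        [pscustomobject]@{
            Process = 'lsass.exe'; Module = 'lsasrv.dll'; Loaded = $null
            Path = $null; InSystem32 = $null; Error = $_.Exception.Message
        }
    }
}

$Baseline | ForEach-Object {
    Test-ProcessLineage -Name $_.Name -ExpectedParent $_.Parent -Optional $_.Optional
} | Format-Table -AutoSize

Test-LsassModules | Format-List
```

A row with ParentOk or PathOk set to False is the kind of deviation the question is asking how to recognise: an lsass.exe whose parent is not wininit.exe, or whose image path is not the System32 copy, is not behaving as designed. Two caveats when reading the output: the parent PID in Win32_Process is a number only, so an exited parent or a reused PID shows as unknown rather than as a mismatch, and an "Access is denied" error from the module check on an elevated session usually means LSA protection is on rather than that something is wrong.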

  5. cheong00 3,486 Reputation points Volunteer Moderator
    2022-01-17T11:45:47.157+00:00

    IMO the best explanation of RunDLL32 is written by Raymond Chen:
    https://devblogs.microsoft.com/oldnewthing/20130104-00/?p=5643

