# smss.exe

### What is smss.exe?

**smss.exe** (Session Manager Subsystem) is a critical Windows system process responsible for initializing user sessions and managing key subsystems during OS startup. It is launched by the kernel (`System` process, PID 4) and operates with `NT AUTHORITY\SYSTEM` privileges.

## Behavior Analysis

<table data-header-hidden><thead><tr><th width="181.6666259765625"></th><th></th><th></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>Attribute</strong></mark></td><td><mark style="color:green;"><strong>Normal Behavior</strong></mark></td><td><mark style="color:red;"><strong>Abnormal Behavior</strong></mark></td></tr><tr><td><strong>Image Path</strong></td><td><code>%SystemRoot%\System32\smss.exe</code></td><td>Path differs from <code>C:\Windows\System32</code></td></tr><tr><td><strong>Parent Process</strong></td><td><code>System</code> (PID 4)</td><td>Any process other than <code>System</code> (PID 4)</td></tr><tr><td><strong>Process Instances</strong></td><td>- 1 master instance<br>- Child instances exit after session creation</td><td>Multiple persistent instances</td></tr><tr><td><strong>User Account</strong></td><td><code>NT AUTHORITY\SYSTEM</code></td><td>Non-SYSTEM user (e.g., Admin, User)</td></tr><tr><td><strong>Start Time</strong></td><td>Within seconds of system boot (master instance)</td><td>Starts post-boot (unexpected timing)</td></tr><tr><td><strong>Registry Entries</strong></td><td>Default subsystems in:<br><code>HKLM\SYSTEM\CurrentControlSet\Control\Session Manager</code></td><td>Unauthorized/modified subsystem entries</td></tr></tbody></table>

***

### Key Notes:

✅ **Normal Operation**:

* Single **master** `smss.exe` persists.
* **Child** instances terminate after spawning `csrss.exe`/`winlogon.exe`.
* Runs **only** from `System32`.

❌ **Malware Indicators**:

* Paths like `C:\Temp\smss.exe` or `AppData\smss.exe`.
* Parent processes like `explorer.exe` or `svchost.exe`.
* Multiple instances that don't self-terminate.

**Verification Commands**:

```powershell
# Check process tree: list every smss.exe instance with its PID, parent PID and image path.
# Get-CimInstance replaces Get-WmiObject, which is not available in PowerShell 7+.
# Run elevated; without elevation ExecutablePath may come back empty for SYSTEM processes.
Get-CimInstance Win32_Process -Filter "Name = 'smss.exe'" |
  Select-Object ProcessId, ParentProcessId, ExecutablePath | Format-Table
```
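
A fuller check than the one-liner above, as an added example that is not part of the original page: it compares each running `smss.exe` against the baseline in the Behavior Analysis table (path, parent, account, start time, instance count). The 60-second boot window, the variable names and the output column names are assumptions.

```powershell
# Added example: check running smss.exe instances against the baseline table.
# Run elevated; without elevation ExecutablePath and the owner SID may come back empty.
$expectedPath      = Join-Path $env:SystemRoot 'System32\smss.exe'
$bootWindowSeconds = 60   # assumption: stands in for "within seconds of system boot"
$boot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'smss.exe'")

$report = foreach ($p in $procs) {
    $findings = @()

    # Image path: must be %SystemRoot%\System32\smss.exe (-ne is case-insensitive).
    if (-not $p.ExecutablePath) {
        $findings += 'image path unreadable'
    } elseif ($p.ExecutablePath -ne $expectedPath) {
        $findings += "unexpected path: $($p.ExecutablePath)"
    }

    # Parent: the master instance is started by System (PID 4).
    if ($p.ParentProcessId -ne 4) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $findings += "parent is PID $($p.ParentProcessId) ($($parent.Name))"
    }

    # Account: S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM.
    $sid = (Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid -ErrorAction SilentlyContinue).Sid
    if ($sid -and $sid -ne 'S-1-5-18') { $findings += "runs as $sid" }

    # Start time: the master instance starts right after boot.
    $delay = [int]($p.CreationDate - $boot).TotalSeconds
    if ($delay -gt $bootWindowSeconds) { $findings += "started ${delay}s after boot" }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        ParentPid = $p.ParentProcessId
        Path      = $p.ExecutablePath
        Created   = $p.CreationDate
        Findings  = if ($findings) { $findings -join '; ' } else { 'matches baseline' }
    }
}

$report | Format-Table -AutoSize -Wrap

# Instance count: only the master should persist; children exit after session creation.
if ($procs.Count -gt 1) {
    Write-Warning "$($procs.Count) smss.exe instances present; re-run shortly to see whether the extras exit."
}
```

A child instance caught while a session is being created will show the parent and start-time findings; it should be gone on the next run.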

### MITRE ATT&CK Mapping

<figure><img src="/files/gGpNMMgZ8MTrDq7TJaU5" alt=""><figcaption></figcaption></figure>

