What is unusual behavior for this process?

<aside> 💡 Credits belong to TryHackMe https://tryhackme.com/room/btwindowsinternals

</aside>

System

• A parent process (aside from System Idle Process (0))
• Multiple instances of System. (Should only be 1 instance)
• A different PID. (Remember that the PID will always be PID 4)
• Not running in Session 0

Session Manager Subsystem (smss.exe)

• A different parent process other than System(4)
• Image path is different from C:\Windows\System32
• More than 1 running process. (children self-terminate and exit after each new session)
• User is not SYSTEM
• Unexpected registry entries for Subsystem

Client Server Runtime Process (csrss.exe)

• An actual parent process. (smss.exe calls this process and self-terminates)
• Image file path other than C:\Windows\System32
• Subtle misspellings to hide rogue process masquerading as csrss.exe in plain sight
• User is not SYSTEM

Windows Initialization Process (wininit.exe)