The Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon names the program that winlogon.exe runs after a successful logon (userinit.exe by default, which in turn starts the shell).
Moreover, the Shell value in the same key should contain only explorer.exe. Both values are read at every logon, so an extra program appended to Userinit or a replaced Shell is a classic malware persistence method.

services.exe (the Service Control Manager) reads service configuration from HKLM\SYSTEM\CurrentControlSet\Services and maintains an in-memory database of service information that can be queried with sc.exe (for example sc.exe query).

lsass.exe is configured under HKLM\System\CurrentControlSet\Control\Lsa.
It writes to the Security event log.
There should only be one lsass.exe process.
Keep in mind that this process is heavily targeted: attackers dump its memory to recover passwords and other credentials.

svchost.exe is normally launched with the -k flag. The argument given to -k is looked up under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, where a value with that name lists the services to launch in the same process. For example, -k UnistackSvcGroup
will launch: PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc

If the -s flag is also used with an argument, then svchost is asked to only launch the single service named in that argument.

There will be several svchost.exe processes. If any of them is not using the -k flag, that's very suspicious. If you find that services.exe is not the parent, that's also very suspicious.
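The checks described above (Winlogon Userinit/Shell values, a single lsass.exe, every svchost.exe started with -k by services.exe and pointing at a group that exists in the Svchost key) can be scripted. The following is an added example written for this page, not code from the original page; it assumes an elevated PowerShell session on the host being examined (command lines of protected processes are unreadable otherwise), the Windows default values for Userinit and Shell, and that a service named with -s is normally a member of the group named with -k.

```powershell
# Added example: baseline checks for winlogon/lsass/svchost indicators.
# Run elevated; Win32_Process.CommandLine is $null for processes you cannot open.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Winlogon persistence values (defaults assumed: userinit.exe and explorer.exe).
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinitEntries = @(([string]$winlogon.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
if ($userinitEntries.Count -ne 1 -or $userinitEntries[0] -notmatch '^(C:\\Windows\\system32\\)?userinit\.exe$') {
    $findings.Add("Winlogon\Userinit is '$($winlogon.Userinit)' (expected only userinit.exe)")
}
if (([string]$winlogon.Shell).Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon\Shell is '$($winlogon.Shell)' (expected explorer.exe)")
}

# 2. lsass.exe: exactly one instance.
$lsass = @(Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")
if ($lsass.Count -ne 1) {
    $findings.Add("Found $($lsass.Count) lsass.exe processes (expected 1)")
}

# 3. svchost.exe: -k present, parent is services.exe, -k group exists in the registry.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
# Each group is a REG_MULTI_SZ value (string[]) named after the group.
$svchostKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $cmd = [string]$p.CommandLine
    # Note: ParentProcessId is not reliable if the parent has exited and its PID was reused.
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ine 'services.exe') {
        $findings.Add("svchost PID $($p.ProcessId): parent is $parentName (expected services.exe)")
    }

    if ([string]::IsNullOrWhiteSpace($cmd)) {
        $findings.Add("svchost PID $($p.ProcessId): command line not readable (run elevated)")
        continue
    }
    if ($cmd -match '\s-k\s+(\S+)') {
        $group = $Matches[1]
        $groupServices = $svchostKey.$group
        if (-not $groupServices) {
            $findings.Add("svchost PID $($p.ProcessId): -k group '$group' not found in Svchost key")
        }
        # -s restricts the process to one service; it should belong to the -k group (assumption).
        if ($cmd -match '\s-s\s+(\S+)') {
            $svc = $Matches[1]
            if ($groupServices -and ($groupServices -notcontains $svc)) {
                $findings.Add("svchost PID $($p.ProcessId): -s $svc is not a member of group '$group'")
            }
        }
    } else {
        $findings.Add("svchost PID $($p.ProcessId): no -k flag: '$cmd'")
    }
}

if ($findings.Count -eq 0) { 'No anomalies found' } else { $findings }
```

On Windows 10 and later, hosts with enough memory split most groups into one service per process, so many svchost command lines carry both -k and -s (plus -p); the script treats that as normal and only flags a service that is not listed under its -k group. A missing -k or a parent other than services.exe is reported regardless.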