
Introduction
Process creation in Windows is more complex than a simple `CreateProcess` call. Often, multiple processes collaborate to spawn a new application, involving RPC calls, WinRT activation, and system services. Understanding this chain is crucial for debugging, security auditing, and performance optimization.
Learning Objectives
- Understand the role of `Explorer.EXE`, `sihost.exe`, and `svchost.exe` in process creation.
- Learn how RPC and WinRT activation frameworks interact during process spawning.
- Identify debugging techniques for tracing multi-process execution chains.
1. The Role of Explorer.EXE in Process Launch
When a user double-clicks an application, `Explorer.EXE` initiates the chain via:
`BOOL CRunDlg::OKPushed()`
This function triggers the execution path leading to `AssociationLaunchExecuteCommandBase::Execute()`.
What This Means:
– `Explorer.EXE` is the parent process for many user-initiated applications.
– Security Note: Malware often hijacks this process—monitor child processes spawned by Explorer.
2. RPC Calls and WinRT Activation
The next step involves:
`HRESULT ApplicationActivationManagerProxy::ActivateApplicationForContractByAcidAsUserWithHost(...)`
This leads to an RPC call to `sihost.exe` (Shell Infrastructure Host), responsible for modern UI handling.
Debugging Tip:
Use Process Monitor (`ProcMon`) to trace RPC calls:
1. Filter for `Process Name = sihost.exe`.
2. Look for `RPC` events under `Operation`.
3. svchost.exe and DCOM Activation
The chain continues with:
`HRESULT AppActivation::CreateActivatableApplication(...)`
This triggers `svchost.exe -k RPCSS -p` (RPC Endpoint Mapper) and later `svchost.exe -k DcomLaunch -p` (DCOM Server Process Launcher).
Security Consideration:
- DCOM (`DcomLaunch`) is a common lateral movement vector. Enumerate the registered DCOM applications, then restrict any unnecessary launch and access permissions, starting from:
  `Get-WmiObject -Namespace "root\cimv2" -Class Win32_DCOMApplication`
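The enumeration above only lists applications; deciding which ones to restrict needs the launch permissions behind each AppID. The following is an added example, not code from the original post: it queries the documented `Win32_DCOMApplicationSetting` class and its `GetLaunchSecurityDescriptor` method and reports every DCOM application whose launch ACL grants remote launch or activation to a broad principal. It assumes an elevated PowerShell session on Windows; the list of "broad" SIDs and the handling of old-style masks that contain only `COM_RIGHTS_EXECUTE` are my own reading of the documented `COM_RIGHTS_*` semantics.

```powershell
# Added example (not from the original post): audit which DCOM applications grant
# remote launch/activation to broad principals. Assumes an elevated PowerShell
# session on Windows. The WMI classes and GetLaunchSecurityDescriptor are
# Microsoft's documented interfaces; the SID list and legacy-mask handling are mine.

# COM launch/activation rights (iaccess.h) as they appear in an ACE AccessMask.
$COM_RIGHTS_EXECUTE         = 0x01   # old-style: alone it grants local + remote, launch + activate
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$COM_RIGHTS_MODULAR = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE

function Test-RemoteComRight {
    param([uint32]$Mask)
    # Granular remote bits decide; a mask with only COM_RIGHTS_EXECUTE and no
    # modular bits is the pre-modular form, which grants everything (remote included).
    if (($Mask -band ($COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE)) -ne 0) { return $true }
    return ((($Mask -band $COM_RIGHTS_EXECUTE) -ne 0) -and (($Mask -band $COM_RIGHTS_MODULAR) -eq 0))
}

function Get-DcomRemoteActivationGrants {
    [CmdletBinding()]
    param(
        # Principals that are too broad to hold remote activation rights on most hosts (my choice):
        # Everyone, Authenticated Users, BUILTIN\Users, Anonymous Logon.
        [string[]]$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7')
    )

    $apps = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_DCOMApplication

    # Index the settings by AppID once instead of issuing one WMI query per application.
    $settings = @{}
    Get-CimInstance -Namespace root\cimv2 -ClassName Win32_DCOMApplicationSetting |
        ForEach-Object { $settings[$_.AppID] = $_ }

    foreach ($app in $apps) {
        $setting = $settings[$app.AppID]
        if (-not $setting) { continue }

        $result = Invoke-CimMethod -InputObject $setting -MethodName GetLaunchSecurityDescriptor
        $sd = $result.Descriptor
        if (-not $sd) {
            # No per-AppID LaunchPermission value: the machine-wide DefaultLaunchPermission
            # under HKLM\SOFTWARE\Microsoft\Ole applies instead; audit that value separately.
            continue
        }

        foreach ($ace in @($sd.DACL)) {
            if ($null -eq $ace -or $ace.AceType -ne 0) { continue }   # 0 = ACCESS_ALLOWED_ACE_TYPE
            $mask = [uint32]$ace.AccessMask
            if (-not (Test-RemoteComRight -Mask $mask)) { continue }
            if ($BroadSids -notcontains $ace.Trustee.SIDString) { continue }

            [pscustomobject]@{
                AppID      = $app.AppID
                Name       = $app.Name
                Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                SID        = $ace.Trustee.SIDString
                RunAsUser  = $setting.RunAsUser     # a fixed RunAs identity raises the impact of a broad grant
                LaunchMask = '0x{0:X}' -f $mask
            }
        }
    }
}

# Usage: every application/principal pair that deserves review, sorted by application.
Get-DcomRemoteActivationGrants | Sort-Object Name | Format-Table -AutoSize
```

Applications that fall through the `$sd` check inherit the machine default, so a clean report from this function does not mean remote activation is closed; the default launch permission and the Access permission (`GetAccessSecurityDescriptor`, same pattern) need the same review before anything is tightened in `dcomcnfg`.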
4. Final Process Creation via CreateProcessAsUserW
The actual process is spawned using:
`CreateProcessAsUserW`
This Windows API ensures the new process runs under the correct user context.
Verification Command:
Check process ancestry with:
`Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId`
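The one-liner above gives a flat list; to see the chain this post describes you have to walk `ParentProcessId` upward, and to act on the Security Note about Explorer's children and the later advice to watch `sihost.exe` and `DcomLaunch`, you need the reverse view. The following is an added example, not code from the original post: it snapshots `Win32_Process` once, walks the ancestry of a given PID, and lists every process whose live parent is `Explorer.EXE`, `sihost.exe`, or the `svchost.exe -k DcomLaunch` instance. It assumes Windows with CIM available; the set of watched parents is my own choice for illustration, and the stale-parent check covers the case where a parent has exited and its PID was reused.

```powershell
# Added example (not from the original post): parent-chain walk and "who did the shell
# hosts spawn" view over Win32_Process. Assumes Windows with CIM; the list of watched
# parents (explorer.exe, sihost.exe, svchost -k DcomLaunch) is my own choice.

function Get-ProcessSnapshot {
    # One snapshot keyed by PID. Keys are cast to [int] so that the UInt32 values WMI
    # returns and Int32 literals from the caller compare equal as hashtable keys.
    $all = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }
    return $all
}

function Get-ProcessAncestry {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [hashtable]$Snapshot = (Get-ProcessSnapshot)
    )

    $chain = @()
    $seen  = @{}
    $cur   = $ProcessId            # not $pid: that automatic variable is read-only
    while ($Snapshot.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $p      = $Snapshot[$cur]
        $parent = $Snapshot[[int]$p.ParentProcessId]
        $chain += [pscustomobject]@{
            ProcessId       = $p.ProcessId
            Name            = $p.Name
            ParentProcessId = $p.ParentProcessId
            # Win32_Process keeps the original parent PID after that parent exits; if the
            # process now holding that PID is younger than the child, the PID was reused.
            ParentIsStale   = ($null -ne $parent) -and ($parent.CreationDate -gt $p.CreationDate)
            CommandLine     = $p.CommandLine
        }
        $cur = [int]$p.ParentProcessId
    }
    return $chain
}

function Get-ShellHostChildren {
    param([hashtable]$Snapshot = (Get-ProcessSnapshot))

    foreach ($p in $Snapshot.Values) {
        $parent = $Snapshot[[int]$p.ParentProcessId]
        if ($null -eq $parent) { continue }
        if ($parent.CreationDate -gt $p.CreationDate) { continue }   # reused PID, not the real parent

        $isShell = $parent.Name -in @('explorer.exe', 'sihost.exe')
        $isDcom  = ($parent.Name -eq 'svchost.exe') -and ($parent.CommandLine -match '-k\s+DcomLaunch')
        if (-not ($isShell -or $isDcom)) { continue }

        [pscustomobject]@{
            Parent      = $parent.Name
            ParentPid   = $parent.ProcessId
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Created     = $p.CreationDate
            # CommandLine is $null when the caller lacks rights to the process (protected processes).
            CommandLine = $p.CommandLine
        }
    }
}

# Usage: where did this PowerShell session come from, and what has the shell chain spawned?
Get-ProcessAncestry -ProcessId $PID | Format-Table ProcessId, Name, ParentProcessId, ParentIsStale -AutoSize
Get-ShellHostChildren | Sort-Object Created | Format-Table -AutoSize
```

Run `Get-ShellHostChildren` on a quiet machine first to learn the normal population (shell extensions, UWP app containers under `svchost -k DcomLaunch`), then look for children whose command line or image path does not belong to that baseline; a single snapshot is a point-in-time view, so short-lived processes are better caught by a process-creation event source such as Sysmon Event ID 1 or Windows Security event 4688 filtered on these parents.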
What Undercode Say
- Key Takeaway 1: Windows process creation is a multi-stage collaboration between Explorer, RPC services, and DCOM.
- Key Takeaway 2: Attackers can abuse this chain—monitor `sihost.exe` and `DcomLaunch` for suspicious activity.
Analysis:
Understanding these internals helps in forensic investigations and hardening Windows environments. For example, auditing COM objects with OleViewDotNet and disabling unnecessary ones can reduce the attack surface. Future Windows versions may streamline this process, but legacy compatibility will likely keep these mechanisms intact.
Prediction
As Microsoft shifts toward WinUI 3.0 and Core OS, expect more process isolation and reduced reliance on sihost.exe. However, backward compatibility means security teams must still monitor these legacy pathways for exploitation.
For deeper analysis, check the full stack traces here.
Reported By: Alex S – Hackers Feeds


