Killing wininit.exe shuts down Windows
Full question
https://superuser.com/questions/729618/k...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
ACCEPTED ANSWER
Score 41
From Windows Internals, Part 1
Windows Initialization Process (Wininit.exe)
- Marks itself critical so that if it exits prematurely and the system is booted in debugging mode it will break into the debugger (if not, the system will crash).
- Initializes the user-mode scheduling infrastructure.
- Creates the %windir%\temp folder.
- Creates a window station (Winsta0) and two desktops (Winlogon and Default) for processes to run in session 0.
- Creates Services.exe (Service Control Manager or SCM).
- Starts Lsass.exe (Local Security Authentication Subsystem Server).
- Starts Lsm.exe (Local Session Manager).
- Waits forever for system shutdown.
ANSWER 2
Score 20
This is correct. wininit.exe is flagged as critical, and killing critical system processes is not allowed and Windows will bugcheck the system with CRITICAL_OBJECT_TERMINATION.
ANSWER 3
Score 7
A post on groovypost.com explains the origin of wininit.exe ("Windows Initialize") and that today it primarily acts as a launcher for the majority of the background applications that are always running.
Look at the screenshot in that blog post which explains that killing the wininit.exe process will also affect anything that was launched by that process:
[...] wininit.exe is a critical system process that Windows requires in order to function. Ending this process will likely result in a critical system error in which you’ll need to restart your computer. As you can see in the chart below, wininit.exe is at the top of the process tree for all of Windows services, including svchost.exe.
ANSWER 4
Score 2
The wininit.exe process is the Windows start-up application, which is found in the %systemroot%\system32 folder (in most systems, %systemroot% maps to C:\Windows).
During boot, the smss.exe process creates wininit, which in turn creates lsass.exe (Local Security Authority Subsystem), services.exe (the services controller manager), and lsm.exe (Local Session Manager).
Like the csrss.exe process, termination of the wininit.exe process will crash the machine with STOP Code 0xF4 (CRITICAL_OBJECT_TERMINATION) (but interestingly, suspending the process is possible).
Since wininit.exe is in the system32 folder, if wininit.exe is found outside of its folder (in C:\Windows\ or in your application data folder), then it is most likely malicious.
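
The path and parent relationships described in the answers above can be turned into a detection check. The following is an added example, not part of the original answers: it assumes process-creation records with `Image` and `ParentImage` fields (as in Sysmon Event ID 1), assumes %systemroot% is C:\Windows, and uses constructed sample records.

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"  # assumption: %systemroot% maps to C:\Windows

# Expected parent image for each process, per the boot chain in the answers:
# smss.exe creates wininit.exe, which creates lsass.exe, services.exe, lsm.exe.
EXPECTED_PARENT = {
    "wininit.exe": "smss.exe",
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
    "lsm.exe": "wininit.exe",
}

def _norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path))

def check_event(event, system32=SYSTEM32):
    """Return a list of findings for one process-creation record."""
    image, parent = _norm(event["Image"]), _norm(event["ParentImage"])
    name = ntpath.basename(image)
    if name not in EXPECTED_PARENT:
        return []
    findings, sys32 = [], _norm(system32)
    if ntpath.dirname(image) != sys32:
        findings.append(f"{name} running from unexpected path: {event['Image']}")
    if parent != ntpath.join(sys32, EXPECTED_PARENT[name]):
        findings.append(f"{name} has unexpected parent: {event['ParentImage']}")
    return findings

def scan(events):
    """Map record index -> findings, for records with at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := check_event(e))}

# Constructed sample records (not taken from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wininit.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"Image": r"C:\WINDOWS\system32\lsass.exe", "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\wininit.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\wininit.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"Image": r"C:\Windows\System32\services.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"record {idx}: {finding}")
```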