The Local Session Manager has moved under the hood of svchost.exe The Local Session Manager Service lsm.exe does not show up in your preferred Task Viewer any longer as its own entry, but in the Services console as an “unchangeable” service. Starting from Windows 8, lsm.exe is started inside a Service Host process from svchost.exe from the command line %systemroot\system32\svchost.exe -k DcomLaunch. The super-process winit.exe spawns services.exe, lsass.exe and the invisible lsm.exe process to start the Local Session Manager. Process view on a Windows 10 virtual machine Some old and new changes

Every additional user on this host (either as a “Switched User” or via Remote Desktop Connection) has its own Client Server Runtime Process since Windows NT. There are still two Client Server Runtime Processes (csrss.exe), one of which has the same parent as wininit.exe from an ended smss.exe process. All services are started from executable files from their former locations, if not mentioned otherwise in this article. I will also mention that it still resides at %systemroot%\system32\.

System still has the PID 4 and is the parent of the Windows Session Manager.

Some players are new and some players have changed their position on the playground. The tool Process Hacker () still functions in Windows 10 and shows well-known process names, parent-child relationships and familiar faces from former Windows Operating Systems. To make it easier for you to read the screenshots, I have chosen USERNAME and HOSTNAME as names for themselves.

On the 29th of June, Microsoft announced the release of Windows 10, so it is time to have a deeper look at this new Operating System from the perspective of an Incident Responder.