Killing wininit.exe shuts down Windows
When I kill wininit.exe, Windows 7 suddenly shuts down. Can someone explain this using Windows mechanics?
I feel like this might be because the process provides something important, or this might be a security feature.
From Windows Internals, Part 1
Windows Initialization Process (Wininit.exe)
- Marks itself critical so that if it exits prematurely and the system is booted in debugging mode it will break into the debugger (if not, the system will crash).
- Initializes the user-mode scheduling infrastructure.
- Creates the %windir%\temp folder.
- Creates a window station (Winsta0) and two desktops (Winlogon and Default) for processes to run in session 0.
- Creates Services.exe (Service Control Manager or SCM).
- Starts Lsass.exe (Local Security Authentication Subsystem Server).
- Starts Lsm.exe (Local Session Manager).
- Waits forever for system shutdown.
This is correct. wininit.exe is flagged as critical, and killing critical system processes is not allowed; Windows will bugcheck the system with CRITICAL_OBJECT_TERMINATION.
A post on groovypost.com explains the origin of wininit.exe ("Windows Initialize") and that today it primarily acts as a launcher for the majority of the background applications that are always running.
Look at the screenshot in that blog post, which explains that killing the wininit.exe process will also affect anything that was launched by that process:
[...] wininit.exe is a critical system process that Windows requires in order to function. Ending this process will likely result in a critical system error in which you’ll need to restart your computer. As you can see in the chart below, wininit.exe is at the top of the process tree for all of Windows services, including svchost.exe.
The wininit.exe process is the Windows start-up application, which is found in the %systemroot%\system32 folder (in most systems, %systemroot% maps to C:\Windows).
During boot, the smss.exe process creates wininit, which in turn creates the lsass.exe (Local Security Authority Subsystem), services.exe (the services controller manager), and lsm.exe (Local Session Manager).
Like the csrss.exe process, termination of the wininit.exe process will crash the machine with STOP Code 0xF4 (CRITICAL_OBJECT_TERMINATION) (but interestingly, suspending the process is possible).
Since wininit.exe is in the system32 folder, if wininit.exe is found outside of its folder (in C:\Windows\ or in your application data folder), then it is most likely malicious.
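The location and parent checks described in the answer above, written as detection logic over process-creation records. This is an added example, not part of the original answers; the record fields (`pid`, `image`, `parent_image`), the sample events and the default `C:\Windows` system root are constructed assumptions.

```python
import ntpath

SYSTEM_ROOT = r"C:\Windows"  # assumption: default %systemroot%

def _norm(path):
    """Case-fold and collapse '..' so Windows path variants compare equal."""
    return ntpath.normcase(ntpath.normpath(path))

def check_wininit(event, system_root=SYSTEM_ROOT):
    """Return findings for one process-creation record (hypothetical schema).

    Records whose image file is not named wininit.exe yield no findings.
    """
    image = _norm(event["image"])
    if ntpath.basename(image) != "wininit.exe":
        return []
    findings = []
    expected = _norm(ntpath.join(system_root, "System32", "wininit.exe"))
    if image != expected:
        findings.append("image outside system32: " + event["image"])
    parent_raw = event.get("parent_image") or ""
    expected_parent = _norm(ntpath.join(system_root, "System32", "smss.exe"))
    if _norm(parent_raw) != expected_parent:
        findings.append("parent is not smss.exe: " + (parent_raw or "<unknown>"))
    return findings

def scan(events, system_root=SYSTEM_ROOT):
    """Map pid -> findings for every record that raised at least one finding."""
    results = {}
    for event in events:
        findings = check_wininit(event, system_root)
        if findings:
            results[event["pid"]] = findings
    return results

# Constructed sample records, not taken from a real system.
SMSS = r"C:\Windows\System32\smss.exe"
SAMPLE_EVENTS = [
    {"pid": 412, "image": r"C:\Windows\System32\wininit.exe", "parent_image": SMSS},
    {"pid": 3120, "image": r"C:\Windows\wininit.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3544, "image": r"C:\Users\alice\AppData\Roaming\WININIT.EXE", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3600, "image": r"c:\windows\system32\..\wininit.exe", "parent_image": SMSS},
    {"pid": 500, "image": r"C:\Windows\System32\services.exe", "parent_image": r"C:\Windows\System32\wininit.exe"},
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings)
```

The parent check is meant for process-creation records that capture the parent image at launch time; pass a different `system_root` where %systemroot% is not C:\Windows.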