Killing wininit.exe shuts down Windows

kernel windows

When I kill wininit.exe, Windows 7 suddenly shuts down. Can someone explain this using Windows mechanics?

I feel like this might because the process provides something important, or this might be a security feature.


From Windows Internals, Part 1

Windows Initialization Process (Wininit.exe)

  • Marks itself critical so that if it exits prematurely and the system is booted in debugging mode it will break into the debugger (if not, the system will crash).
  • Initalizes the user-mode scheduling infrastructure.
  • Creates the %windir%\temp folder
  • Creates a window station (Winsta0) and two desktops (Winlogon and Default) for processes to run in session 0.
  • Creates Services.exe (Service Control Manager or SCM).
  • Starts Lsass.exe (Local Security Authentication Subsystem Server).
  • Starts Lsm.exe (Local Session Manager).
  • Waits forever for system shutdown.

This is correct. wininit.exe is flagged as critical.

enter image description here

and killing critical system processes is not allowed and Windows will bugcheck the system with CRITICAL_OBJECT_TERMINATION


A post on groovypost.com explains the origin of winit.exe ("Windows Initialize") and that today it primarily acts as a launcher for the majority of the background applications that are always running.

Look at the screenshot in that blog post which explains that killing the wininit.exe process will also affect anything that was launched by that process:

[...] wininit.exe is a critical system process the Windows requires in order to function. Ending this process will likely result in a critical system error in which you’ll need to restart your computer. As you can see in the chart below, wininit.exe is at the top of the process tree for all of windows services, including svchost.exe.

process explorer screenshot


The wininit.exe process is the windows start up application which is found in the %systemroot%\system32 folder (in most systems, %systemroot% maps to C:\Windows).

During boot, the smss.exe process creates wininit, which in turn create the lsass.exe (Local Security Authority Subsystem), services.exe (the services controller manager), and lsm.exe (Local Session Manager).

Like the csrss.exe process, termination of the wininit.exe process will crash the machine with STOP Code 0xF4 (CRITICAL_OBJECT_TERMINATION) (but interestingly, suspending the process is possible).

Since wininit.exe is in the system32 folder, if wininit.exe is found outside of it's folder (in C:\Windows\ or in your application data folder), then it is most likely malicious.

Related

Remove System Volume information folder from external drive
Incremental backup and sync software [closed]
Transferring lots of messages between IMAP accounts
How to setup a proxy for Modern UI (aka Metro) Apps in Windows 8?
How can I remap a play-button keypress from a Bluetooth headset on OS X?
How would I reinstall the grub-efi bootloader on Fedora Linux?
Synaptics - Windows 8.1, updating Synaptics failed
Touchpad does not respond when I am holding key on the keyboard
How to count pages in multiple PDF files?
Windows 7: Migrate user profile to another computer manually
How do I keep Windows 7's taskbar icon highlighting from getting stuck? [duplicate]
How to make shortcut to ftp site open in windows explorer not IE