Processes & threads
How Windows represents work, isolates applications, and schedules execution.
In 30 seconds
A process is a container for threads, handles, and virtual memory; the kernel tracks it in an EPROCESS structure, while user-mode tools see a PID and an image name.
You understand this if…
- ✓ You can explain why csrss and smss exist at session boundaries.
- ✓ You know the difference between a process handle table and a kernel object.
Related labs
Hands-on exercises for this area — in the browser or on a Windows machine.
Process tree explorer
Walk a sample parent/child tree from System to Explorer and a user app.
Why it matters
Processes and threads are the runtime shape of everything you do on Windows. They connect directly to handles, scheduling, security, and debugging.
Mental model
A process is a container for identity and resources; a thread is the execution path that actually runs instructions.
Schematic
System: The System process hosts core kernel threads and is not just another desktop application.
Windows building blocks
Names and paths you can look for in Task Manager, Explorer, or documentation.
- Process: System
Kernel/system process (not the same as 'Idle')
- Process: csrss.exe
Per-session subsystem process
- Process: smss.exe
Session Manager — creates sessions
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- EPROCESS/KPROCESS (kernel) and PEB/TEB (user) describe complementary views of the same execution entity.
- Most tools show the user-mode view; kernel debuggers expose the kernel structures.
How it works
1. A process gets an address space, token, handle table, and bookkeeping structures.
2. Threads inside that process are scheduled independently by the dispatcher.
3. Kernel objects let processes coordinate and refer to shared resources safely.
Key terms
- EPROCESS
- Kernel structure that represents a process.
- ETHREAD
- Kernel structure that represents a thread.
- Handle
- An indirect reference to a kernel object, held in the owning process's handle table.
Opening Task Manager
Task Manager shows friendly process names, but Windows internally tracks much richer structures such as tokens, sessions, priority classes, and handle tables.
Common misconception
A process is not the same thing as a single line in Task Manager. It is a container for multiple threads, objects, and policies.
Guided exercise
Use this topic to move from theory into practice.
1. Open the Process tree lab and click from System down to a user application.
2. Note which components are session-specific vs machine-wide (services.exe).
3. On Windows, compare with the Process Explorer tree or with Get-CimInstance Win32_Process.
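As an added example (not part of the lab or the page's own material), the PowerShell below builds the tree that step 3 compares against from Get-CimInstance Win32_Process and labels each node with its session, so the session-specific vs machine-wide distinction from step 2 is visible. It starts at PID 4 (System) and assumes Win32_Process exposes ProcessId, ParentProcessId, Name, SessionId and CreationDate.

```powershell
# Added example: reconstruct the parent/child process tree from Win32_Process and
# annotate each node with its session. Session 0 holds machine-wide components
# (smss.exe, services.exe); per-session processes (csrss.exe, a user's explorer.exe)
# carry the interactive session number.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, SessionId, CreationDate

# Index by PID for direct parent lookups; cast keys consistently so lookups match.
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

function Show-ProcessTree {
    param(
        [uint32]$ProcessId,
        [int]$Depth = 0
    )
    $node = $byPid[$ProcessId]
    if (-not $node) { return }
    $indent = '  ' * $Depth
    $scope = if ($node.SessionId -eq 0) { 'session 0, machine-wide' } else { "session $($node.SessionId)" }
    '{0}{1} (PID {2}, {3})' -f $indent, $node.Name, $node.ProcessId, $scope

    # Children are processes whose ParentProcessId is this PID. PIDs are reused, so a
    # stale ParentProcessId can point at a newer, unrelated process; only accept a
    # child that was created after its claimed parent to avoid drawing a false edge.
    $children = $procs | Where-Object {
        $_.ParentProcessId -eq $ProcessId -and $_.ProcessId -ne $ProcessId -and
        (-not $node.CreationDate -or -not $_.CreationDate -or $_.CreationDate -ge $node.CreationDate)
    } | Sort-Object Name
    foreach ($c in $children) { Show-ProcessTree -ProcessId $c.ProcessId -Depth ($Depth + 1) }
}

# Walk down from System (PID 4). Processes whose parent has already exited are not
# reachable from the root, so list them separately instead of silently dropping them.
Show-ProcessTree -ProcessId 4
$orphans = $procs | Where-Object {
    $_.ProcessId -ne 4 -and -not $byPid.ContainsKey([uint32]$_.ParentProcessId)
}
''
'Orphans (parent already exited):'
$orphans | ForEach-Object { '  {0} (PID {1}, session {2})' -f $_.Name, $_.ProcessId, $_.SessionId }
```

Run it in an elevated session to see CreationDate for protected processes; without elevation those fields may be empty and the creation-time check is skipped for them.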
Go deeper
Kernel objects
Handles, object manager, names, and reference counting basics.
Scheduling
Dispatcher queues, priorities, and how Windows decides what runs next.
Job objects
Grouping processes with shared limits, UI restrictions, and teardown rules.
Ntdll & the user/kernel boundary
How user-mode code reaches native system services through ntdll and syscalls.
Related topics
Kernel objects
Handles, object manager, names, and reference counting basics.
VAD tree
How Windows tracks ranges of virtual memory for a process.
Access tokens
SIDs, privileges, impersonation, and the identity payload every process carries.
DLL loader, PEB, and module lists
How Windows loads shared libraries and tracks runtime module state.