Process
userinit.exe
userinit.exe is the Userinit Logon Application, the process that prepares a user's environment at sign-in and then hands off to the desktop. After winlogon.exe authenticates the user, it runs userinit.exe to do the work that makes the session usable: applying group policy, running logon scripts, and reconnecting mapped network drives. With the environment in place, it launches the desktop shell and exits.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
userinit.exe is launched by winlogon.exe as soon as a user authenticates, and it runs as that user from C:\Windows\System32\userinit.exe. Its job is the per-user setup that turns a bare session into a working desktop: applying Group Policy, running any logon scripts, and restoring mapped network drives.
Once that setup is done, userinit.exe starts the user's shell and exits right away. Because its parent is gone almost immediately, explorer.exe and the rest of the session appear as orphans in the process tree, with no living parent. The shell it launches is whatever the Shell value names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, normally explorer.exe.
The genuine userinit.exe is a trusted, signed Microsoft system file. It runs for only a second or two at each logon and then exits, so it rarely shows up in a point-in-time process listing.
Like other trusted system processes, userinit.exe is sometimes imitated by malware attempting to avoid detection (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Be suspicious of copies running from other locations and of near-miss spellings of the name.
The Winlogon registry value that names it is a long-standing persistence target (T1547.004). winlogon.exe reads the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to decide what to run at logon, and the value accepts a comma-separated list. Malware appends its own executable so it launches alongside the real userinit.exe at every sign-in. Anything in that value beyond C:\Windows\system32\userinit.exe warrants a review.
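As an added example, not part of this profile, the following Python reviews the Userinit value data as a string (as it would arrive from a registry export or a hunting query): it splits the comma-separated list the way the text describes, tolerates the trailing comma the stock value carries, and reports any entry other than the genuine path. The function names and the sample value data are constructed for the example.

```python
# Triage of the Winlogon "Userinit" registry value: split the comma-separated
# list and report anything that is not the genuine userinit.exe. The sample
# values at the bottom are constructed for this example.

EXPECTED_USERINIT = r"C:\Windows\System32\userinit.exe"   # genuine path (from the profile)
USERINIT_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"


def split_userinit_value(data: str) -> list[str]:
    """Split the value data into cleaned entries.

    winlogon.exe treats the data as a comma-separated list. The stock data
    ends with a trailing comma, which yields an empty entry that is dropped;
    surrounding whitespace and quotes are stripped so they cannot hide a
    mismatch against the expected path.
    """
    entries = []
    for raw in data.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def review_userinit_value(data: str) -> list[str]:
    """Return review findings for the value data; an empty list means the
    value looks like the stock configuration. Comparison is case-insensitive
    because NTFS paths are."""
    findings = []
    entries = split_userinit_value(data)
    genuine = [e for e in entries if e.lower() == EXPECTED_USERINIT.lower()]
    if not genuine:
        # A value that no longer names the real binary has been replaced, not
        # merely extended, and deserves the same review.
        findings.append("genuine userinit.exe path is missing from the value")
    for entry in entries:
        if entry.lower() != EXPECTED_USERINIT.lower():
            findings.append(f"unexpected entry: {entry}")
    return findings


# Constructed sample data (not taken from a real host).
STOCK_VALUE = r"C:\Windows\system32\userinit.exe,"
TAMPERED_VALUE = r"C:\Windows\system32\userinit.exe,C:\ProgramData\update.exe,"

if __name__ == "__main__":
    for label, data in (("stock", STOCK_VALUE), ("tampered", TAMPERED_VALUE)):
        findings = review_userinit_value(data) or ["no findings"]
        print(f"{USERINIT_VALUE} [{label}]")
        for finding in findings:
            print("  ", finding)
```

Feed it the raw value data from every host in scope and alert on any non-empty result; the stock value produces no findings, and a replaced value is reported as well as an extended one.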
Because the real userinit.exe does nothing but set up the session and start the shell, its children are short-lived and predictable. A command shell or script host launched by userinit.exe, rather than the expected explorer.exe, points to a logon script or registry entry running attacker code (T1059.003).
- Image path other than C:\Windows\System32\userinit.exe (high)
- Parent other than winlogon.exe (high)
- Unsigned image or a signer other than Microsoft (high)
- A child other than the configured shell (explorer.exe), such as cmd.exe or powershell.exe (high)
- Extra entries in the Winlogon Userinit registry value beyond userinit.exe (high)
- An instance that persists well past logon (it normally exits within seconds) (medium)
- Running as NT AUTHORITY\SYSTEM rather than the logging-on user (medium)
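The indicators above written as a triage routine, added here as an example and not taken from the profile: it checks a process-creation record for the image path, parent, signer, child, lifetime and account conditions and returns each hit with its severity. The ProcessEvent fields, the 60-second lifetime threshold, the Microsoft signer names and the sample events are assumptions constructed for the example, not fields of any particular telemetry product.

```python
# Triage of a userinit.exe process-creation record against the indicator
# list. The ProcessEvent schema and the sample events are constructed for
# this example; map them onto your own telemetry's field names.
from dataclasses import dataclass
from typing import Optional

GENUINE_IMAGE = r"C:\Windows\System32\userinit.exe"     # from the profile
EXPECTED_PARENT = r"C:\Windows\System32\winlogon.exe"   # from the profile
DEFAULT_SHELL = "explorer.exe"
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
# Assumption: the profile says the process exits within seconds, so anything
# alive past this many seconds is treated as "persists well past logon".
MAX_LIFETIME_SECONDS = 60
# Assumption: subject names seen on Microsoft OS binaries. The signer string
# must come from an Authenticode verification that already checked validity
# and chain; a name by itself proves nothing.
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}


@dataclass
class ProcessEvent:
    image: str                    # full path of the new process
    parent_image: str             # full path of its parent
    user: str                     # account the process runs as
    signer: Optional[str]         # verified Authenticode signer, None if unsigned
    lifetime_seconds: Optional[float] = None  # from the exit event, if seen


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def same_path(a: str, b: str) -> bool:
    return a.lower() == b.lower()      # NTFS paths are case-insensitive


def triage_userinit(event: ProcessEvent, children: list[ProcessEvent],
                    configured_shell: str = DEFAULT_SHELL) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs; an empty list means nothing stood out."""
    findings = []
    if not same_path(event.image, GENUINE_IMAGE):
        findings.append(("high", f"image path {event.image} is not {GENUINE_IMAGE}"))
    if not same_path(event.parent_image, EXPECTED_PARENT):
        findings.append(("high", f"parent {basename(event.parent_image)} is not winlogon.exe"))
    if event.signer is None:
        findings.append(("high", "image is unsigned"))
    elif event.signer.lower() not in MICROSOFT_SIGNERS:
        findings.append(("high", f"signer {event.signer} is not Microsoft"))
    for child in children:
        if basename(child.image) != configured_shell.lower():
            findings.append(("high", f"child {basename(child.image)} is not the configured shell {configured_shell}"))
    if event.lifetime_seconds is not None and event.lifetime_seconds > MAX_LIFETIME_SECONDS:
        findings.append(("med", f"still running {event.lifetime_seconds:.0f} s after launch"))
    if event.user.lower() == SYSTEM_ACCOUNT.lower():
        findings.append(("med", "running as NT AUTHORITY\\SYSTEM rather than the logging-on user"))
    return findings


# Constructed sample events: a normal logon and one that trips every check.
BENIGN = ProcessEvent(r"C:\Windows\system32\userinit.exe", r"C:\Windows\System32\winlogon.exe",
                      r"CORP\alice", "Microsoft Windows", lifetime_seconds=2.0)
BENIGN_CHILDREN = [ProcessEvent(r"C:\Windows\explorer.exe", BENIGN.image, BENIGN.user, "Microsoft Windows")]
SUSPICIOUS = ProcessEvent(r"C:\Users\Public\userinit.exe", r"C:\Windows\explorer.exe",
                          r"NT AUTHORITY\SYSTEM", None, lifetime_seconds=900.0)
SUSPICIOUS_CHILDREN = [ProcessEvent(r"C:\Windows\System32\cmd.exe", SUSPICIOUS.image, SUSPICIOUS.user, "Microsoft Windows")]

if __name__ == "__main__":
    for name, event, kids in (("benign", BENIGN, BENIGN_CHILDREN), ("suspicious", SUSPICIOUS, SUSPICIOUS_CHILDREN)):
        print(name, triage_userinit(event, kids) or "no findings")
```

Pass the configured shell read from the Winlogon Shell value rather than relying on the explorer.exe default, so a host with a deliberately customised shell is not flagged on every logon.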
Telemetry
Not observed.