Killing wininit.exe shuts down Windows

13

11

When I kill wininit.exe, Windows 7 suddenly shuts down. Can someone explain this using Windows mechanics?

I feel like this might be because the process provides something important, or this might be a security feature.

Simon Kuang

Posted 2014-03-16T05:15:55.410

Reputation: 481

This is pure speculation, but I'd guess wininit is similar to Linux's init. This starts every other running process (and they are therefore its child processes), so killing it shuts down every process - thereby shutting down the system. – w4etwetewtwet – 2014-03-16T13:57:28.967

5 That speculation is wrong, and there is a specific Windows NT mechanism at play here, as mentioned in some of the answers. – JdeBP – 2014-03-16T14:50:56.183

7 To a lot of people, killing wininit.exe (a system process) causing a crash is not at all a surprise, so you may want to explain why you have asked the question at all. It is analogous to asking "Hey, why does my system turn off when I yank out the power cord?"; there is a perfectly good, but too obvious answer, so some people may think it is silly and pointless. My best guess why you are asking is because you think it is supposed to be only part of the boot process because of the name, and so you expect it to not be used after a successful boot up. – Synetech – 2014-03-16T21:39:11.130

@Synetech I do not find the matter as transparent as you seem to. – Simon Kuang – 2014-03-17T19:07:15.270

1 Sure, but a remark about why you find it surprising would lend more credence to the question. Sometimes people ask questions that seem too obvious which are looked down upon because others think that the poster is not really looking for an answer and is only trying to farm some rep points. Your question could fall in either category, and I just thought an explanation of your confusion would help clarify. This question seems obvious because wininit.exe is a high-priority, protected, SYSTEM process and not easily ended, so it should not be a surprise that it causes problems if killed. – Synetech – 2014-03-18T01:23:41.780

Answers

41

From Windows Internals, Part 1

Windows Initialization Process (Wininit.exe)

  • Marks itself critical so that if it exits prematurely and the system is booted in debugging mode it will break into the debugger (if not, the system will crash).
  • Initializes the user-mode scheduling infrastructure.
  • Creates the %windir%\temp folder.
  • Creates a window station (Winsta0) and two desktops (Winlogon and Default) for processes to run in session 0.
  • Creates Services.exe (Service Control Manager or SCM).
  • Starts Lsass.exe (Local Security Authentication Subsystem Server).
  • Starts Lsm.exe (Local Session Manager).
  • Waits forever for system shutdown.

David Marshall

Posted 2014-03-16T05:15:55.410

Reputation: 6 698

6 +1 A sourced and detailed answer — what a rarity – kinokijuf – 2014-03-16T16:15:27.873

20

This is correct. wininit.exe is flagged as critical.

and killing critical system processes is not allowed and Windows will bugcheck the system with CRITICAL_OBJECT_TERMINATION.

magicandre1981

Posted 2014-03-16T05:15:55.410

Reputation: 86 560

7

A post on groovypost.com explains the origin of wininit.exe ("Windows Initialize") and that today it primarily acts as a launcher for the majority of the background applications that are always running.

Look at the screenshot in that blog post which explains that killing the wininit.exe process will also affect anything that was launched by that process:

[...] wininit.exe is a critical system process that Windows requires in order to function. Ending this process will likely result in a critical system error in which you’ll need to restart your computer. As you can see in the chart below, wininit.exe is at the top of the process tree for all of Windows services, including svchost.exe.

[Image: Process Explorer screenshot]

mok

Posted 2014-03-16T05:15:55.410

Reputation: 415

2 But killing a process in Windows does not force termination of the processes it's created. Windows doesn't work that way. – Jamie Hanrahan – 2014-08-11T02:37:41.120

3

The wininit.exe process is the Windows startup application which is found in the %systemroot%\system32 folder (in most systems, %systemroot% maps to C:\Windows).

During boot, the smss.exe process creates wininit, which in turn creates lsass.exe (Local Security Authority Subsystem), services.exe (the services controller manager), and lsm.exe (Local Session Manager).

Like the csrss.exe process, termination of the wininit.exe process will crash the machine with STOP Code 0xF4 (CRITICAL_OBJECT_TERMINATION) (but interestingly, suspending the process is possible).

Since wininit.exe is in the system32 folder, if wininit.exe is found outside of its folder (in C:\Windows\ or in your application data folder), then it is most likely malicious.

Justin Krejcha

Posted 2014-03-16T05:15:55.410

Reputation: 1 923

This just duplicates David Marshall’s answer. – kinokijuf – 2014-03-16T21:20:49.957

2 @kinokijuf, still 10 reps earned (and that's just so far), not bad =) – Andrew Savinykh – 2014-03-17T09:16:45.550
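
The last answer's two observations (wininit.exe belongs in %systemroot%\system32, and it is the process that creates services.exe, lsass.exe and lsm.exe) can be turned into a triage check over a process listing. This is an added example, not code from any of the answers; the function name `audit_wininit`, the tuple layout and the sample snapshot are constructed for illustration, and treating a child with a different parent as suspicious is an assumption drawn from the creation chain described above.

```python
import ntpath  # Windows path rules on any OS, so the check also runs offline

# Constructed process snapshot (not from a real host): name, pid, parent pid, image path.
SAMPLE = [
    ("wininit.exe",  412,  340, r"C:\Windows\System32\wininit.exe"),
    ("services.exe", 508,  412, r"C:\Windows\System32\services.exe"),
    ("lsass.exe",    516,  412, r"C:\Windows\System32\lsass.exe"),
    ("lsm.exe",      524,  412, r"C:\Windows\System32\lsm.exe"),
    ("wininit.exe", 3120, 2044, r"C:\Users\alice\AppData\Roaming\wininit.exe"),
    ("lsass.exe",   3188, 3120, r"C:\Windows\System32\lsass.exe"),
]

# Processes the answer says wininit.exe creates (Windows 7 era).
WININIT_CHILDREN = {"services.exe", "lsass.exe", "lsm.exe"}


def audit_wininit(procs, systemroot=r"C:\Windows"):
    """Return (pid, reason) findings for a list of (name, pid, ppid, path)."""
    expected = ntpath.normcase(ntpath.join(systemroot, "System32"))
    findings, genuine = [], set()

    # Pass 1: every wininit.exe image must live in %systemroot%\System32.
    for name, pid, ppid, path in procs:
        if name.lower() != "wininit.exe":
            continue
        folder = ntpath.normcase(ntpath.dirname(ntpath.normpath(path)))
        if folder == expected:
            genuine.add(pid)
        else:
            findings.append((pid, "wininit.exe outside System32: " + path))

    # Pass 2: services/lsass/lsm should descend from a genuine wininit.exe.
    for name, pid, ppid, path in procs:
        if name.lower() in WININIT_CHILDREN and ppid not in genuine:
            findings.append((pid, f"{name} not started by System32 wininit.exe (ppid {ppid})"))
    return findings


if __name__ == "__main__":
    for pid, reason in audit_wininit(SAMPLE):
        print(pid, reason)
```

On the constructed snapshot the check reports the copy running from the application data folder and the lsass.exe it started, while the genuine tree under PID 412 produces no findings.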