How to Audit Which Processes Run Before Sign-In on Windows 11

Quick fix: Run Get-Process | Where-Object {$_.SessionId -eq 0} from elevated PowerShell to list every process in Session 0 (the pre-sign-in session). For boot-time auditing, use wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational and look at boot duration breakdowns.

You want to know exactly which processes start before any user signs in, whether for security review, performance diagnosis, or just curiosity. Windows runs many things in Session 0 (the non-interactive session that hosts services and system processes). Task Manager shows them with the user “SYSTEM,” but it doesn’t organize them by launch order or boot phase.

Symptom: You need to audit which processes run before sign-in for diagnostics or security.
Affects: Windows 11 (any edition).
Fix time: 15 minutes.


What runs in Session 0

Session 0 is the non-interactive session reserved for services and system processes. Windows starts services here based on their startup type (Boot Start, Automatic, Automatic Delayed Start, Manual). User sessions get session IDs 1, 2, etc. on sign-in.

Method 1: List current Session 0 processes

  1. Open elevated PowerShell.
  2. Run:

    Get-Process | Where-Object {$_.SessionId -eq 0} | Select-Object Name, Id, Path
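  3. Output: every process currently running in Session 0. This is a snapshot of the current state, so it also includes services that started after sign-in.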


Method 2: Get boot-phase timeline from Event Log

  1. Open Event Viewer → Applications and Services Logs → Microsoft → Windows → Diagnostics-Performance → Operational.
  2. Look for events with ID 100 (Boot Performance Monitoring). Each event shows total boot time, broken into phases.
  3. For driver-level boot tracking, also look at Event ID 109 (Boot/Shutdown Performance).

Method 3: Use Sysinternals Autoruns to inventory startup

  1. Download Autoruns from learn.microsoft.com/sysinternals.
  2. Run as Administrator.
  3. Tabs show every auto-start location: Services, Drivers, Scheduled Tasks, Image Hijacks, etc.
  4. Filter to show only items not signed by Microsoft to find third-party Session 0 entries.

How to verify

  • Compare the Get-Process output to your expected services.
  • An unexpected process name points to unfamiliar software that may need investigation.
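
To make that comparison easier, the following added example (not part of the original article) combines Method 1 with the signature filter from Method 3: it lists Session 0 processes in start order, maps each to the services it hosts, and flags binaries that are not validly signed by Microsoft. The signer match on "O=Microsoft Corporation" is a heuristic assumed here, and the variable names are illustrative.

```powershell
# Added example: Session 0 inventory with hosted services and signature state.
# Run from elevated PowerShell; without elevation, ExecutablePath is empty
# for many system processes.

# Map PID -> services hosted in that process (one svchost.exe can host several).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += '{0} ({1})' -f $_.Name, $_.StartMode
}

$report = Get-CimInstance -ClassName Win32_Process -Filter 'SessionId = 0' | ForEach-Object {
    $path   = $_.ExecutablePath
    $signer = $null
    $status = 'NoPath'   # System, Registry and protected processes expose no path
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Name            = $_.Name
        Id              = [int]$_.ProcessId
        Started         = $_.CreationDate
        Services        = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        SignatureStatus = $status
        Signer          = $signer
        Path            = $path
    }
}

# Full inventory, ordered by process creation time (launch order since boot).
$report | Sort-Object Started |
    Format-Table Name, Id, Started, Services, SignatureStatus -AutoSize

# Review list: a binary path is known, but the file is unsigned, has an
# invalid signature, or is signed by a publisher other than Microsoft.
$report |
    Where-Object {
        $_.SignatureStatus -ne 'NoPath' -and
        ($_.SignatureStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation')
    } |
    Sort-Object Started |
    Format-List Name, Id, Started, Services, SignatureStatus, Signer, Path
```

Entries on the review list are not necessarily malicious; antivirus, GPU and OEM services normally appear there and should be matched against the software you expect on the machine.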

If none of these work

For deep auditing, use Windows Performance Analyzer (WPA, part of Windows ADK) to record a boot trace and analyze it in detail. WPA shows microsecond-level timing per process and service initialization.

Bottom line: Session 0 is the pre-sign-in scope. Get-Process filtered by SessionId 0 lists what is currently running; Autoruns inventories startup sources; Event Viewer’s Diagnostics-Performance log times boot phases.
