I saw that there was only one smss.exe in the log.

I did miss the bit you quoted, that’s why I thought it strange he was trying to get rid of it. Not that he had got rid of the one not in windows\system32.