Por que abrir cmd.exe faz com que 2 processos sejam executados?

conhost.exe também é iniciado quando você executa cmd.exe . Verifique este thread MS para mais informações.

Quando você executa cmd.exe , um segundo processo chamado conhost.exe é sempre iniciado. É por isso que você vê mais 2 processos. Este conhost.exe foi adicionado em Windows 7 , para aumentar a segurança:

In previous versions of Windows, all GUI activity on behalf of non-GUI applications that ran on the desktop (console applications) was brokered by the system process CSRSS.exe. When a console application wanted to receive characters, it called one of a small set of “Console APIs” implemented in Kernel32.dll, and Kernel32 made an LPC call to CSRSS. CSRSS checked the input queue associated with the console window and returned the appropriate character-mode input through Kernel32 back to the console application.

The problem with this was that even if an application ran in the context of a regular user’s account, CSRSS.EXE runs under the Local System account. So it was possible under certain circumstances for malware to exploit weaknesses in an application in order to execute code under the more privileged Local System account in CSRSS.EXE. This kind of exploit is known as a “shatter attack” .

This exposure was addressed in Windows 7 and Windows Server 2008 R2 by running the console messaging code in the context of a new process, ConHost.exe. ConHost (Console Host) runs in the same security context as its associated console application. Instead of issuing an LPC request to CSRSS for message-handling, the request goes to ConHost. As a result, any attempts to exploit the message-handing code of the application will not result in an automatic escalation of privileges.

Então, acalme-se, tudo está bem com o seu Windows.