Friday, March 6, 2015

Critical Windows Processes - System

This "System" is one of the critical processes to be aware of on Windows systems. Many times, malicious processes will have the same or similar names as legitimate processes, so it's important that we are able to differentiate between what's legit and what's not legit.



































- Uses PID 4
- Similarly to "System Idle Process" this is not actually a true process as it is not tied to any user mode application, i.e. there is no "System.exe"

































- Runs only in Kernel mode

Why does this matter? Still Easy! If you see any process on your system running as "System" which is pointed to a specific executable, that should be a clear sign that your system is more than likely infected with malware or is being used for some other malicious activity.


References:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
https://social.technet.microsoft.com/forums/windows/en-US/3dce3625-2757-43d8-9289-0f5f1f832fad/system-idle-process-and-its-existence
http://en.wikipedia.org/wiki/System_Idle_Process
http://www.tutorialspoint.com/operating_system/os_processes.htm
http://support2.microsoft.com/kb/263201
https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
https://sysforensics.org/2014/01/know-your-windows-processes.html

No comments:

Post a Comment