The "System" process is one of the critical processes to be aware of
on Windows systems. Many times, malicious processes will use the same
or similar names as legitimate processes, so it's important that we are
able to differentiate between what's legit and what's not.
- Uses PID 4; its parent is PID 0 ("System Idle Process"), and it is in turn the parent of smss.exe (Session Manager)
- Similarly to "System Idle Process", this is not a normal process: it is not backed by any user-mode executable, i.e. there is no "System.exe" on disk, and tools such as Task Manager and Process Explorer show no image path or command line for it
- Runs only in kernel mode; its threads are kernel-mode system threads (such as the memory manager's working set and modified-page writer threads), not user-mode code
Why does this matter? Still easy! If you see any process on your system named
"System" that points to a specific executable on disk, runs with a PID other
than 4, or has a parent other than PID 0, that should be a clear sign that your
system is more than likely infected with malware or is being used for some other
malicious activity. The same goes for lookalikes such as "System.exe" or
"system32.exe": the real one has no image file at all.
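The checks above, as an added example (this is not code from the original post). It assumes an elevated PowerShell session on a live Windows host where `Get-CimInstance Win32_Process` is available, and flags anything calling itself "System" that does not look like the kernel process: wrong PID, a parent other than PID 0, an image path or command line, or a ".exe" suffix.

```powershell
# Added example: enumerate processes and report any "System" that deviates from the
# known profile of the real one (PID 4, parent PID 0, no image path, no command line).
# Assumption: run as an administrator so Win32_Process exposes every process.
function Find-SuspiciousSystemProcess {
    $procs = Get-CimInstance -ClassName Win32_Process

    foreach ($p in $procs) {
        # -match is case-insensitive; catches "System", "system", "System.exe", ...
        if ($p.Name -notmatch '^system(\.exe)?$') { continue }

        $reasons = @()
        if ($p.Name -match '\.exe$') {
            $reasons += 'real System has no .exe image'
        }
        if ($p.ProcessId -ne 4) {
            $reasons += "PID is $($p.ProcessId), expected 4"
        }
        if ($p.ParentProcessId -ne 0) {
            $reasons += "parent PID is $($p.ParentProcessId), expected 0 (System Idle Process)"
        }
        if ($p.ExecutablePath) {
            $reasons += "has an image path: $($p.ExecutablePath)"
        }
        if ($p.CommandLine) {
            $reasons += "has a command line: $($p.CommandLine)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $p.Name
                PID       = $p.ProcessId
                ParentPID = $p.ParentProcessId
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: prints a table of suspects, or nothing on a clean host.
Find-SuspiciousSystemProcess | Format-Table -AutoSize
```

On a clean host the function returns nothing, because the one legitimate "System" entry has PID 4, parent 0 and empty ExecutablePath/CommandLine fields. Any row it does emit deserves a closer look in Process Explorer (image, parent, loaded DLLs, signature).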
References:
- https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
- https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
- https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
- https://social.technet.microsoft.com/forums/windows/en-US/3dce3625-2757-43d8-9289-0f5f1f832fad/system-idle-process-and-its-existence
- http://en.wikipedia.org/wiki/System_Idle_Process
- http://www.tutorialspoint.com/operating_system/os_processes.htm
- http://support2.microsoft.com/kb/263201
- https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
- https://sysforensics.org/2014/01/know-your-windows-processes.html