- Uses PID 4
- Similarly to "System Idle Process" this is not actually a true process as it is not tied to any user mode application, i.e. there is no "System.exe"
- Runs only in Kernel mode
Why does this matter? Still Easy! If you see any process on your system running as "System" which is pointed to a specific executable, that should be a clear sign that your system is more than likely infected with malware or is being used for some other malicious activity.
References:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
https://social.technet.microsoft.com/forums/windows/en-US/3dce3625-2757-43d8-9289-0f5f1f832fad/system-idle-process-and-its-existence
http://en.wikipedia.org/wiki/System_Idle_Process
http://www.tutorialspoint.com/operating_system/os_processes.htm
http://support2.microsoft.com/kb/263201
https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
https://sysforensics.org/2014/01/know-your-windows-processes.html
No comments:
Post a Comment