The System process manages the system memory and compressed memory in the NT kernel. The original file name is C:\Windows\System32\ntoskrnl.exe.
The System process runs a single thread on each processor. It is also the host for all kinds of device drivers, such as USB, touchpad, port, audio and network drivers.
In this new series, we analyze Windows processes and provide threat hunting tips.
Image Path: N/A – Not generated from an executable image
Parent Process: None
Number of Instances: One
User Account: Local System
Start Time: At boot time
Description: The System process is responsible for most kernel-mode threads. Modules run under System are primarily drivers (.sys files), but also several important DLLs as well as the kernel executable, ntoskrnl.exe.
Taken from the SANS Digital Forensics poster
In Windows 10, “System” has an additional task: compressing old memory pages in order to provide more free memory. This can be why the process uses a lot of memory and why it consumes 30% to 100% of CPU time.
If you check the Windows Task Manager, you can see that “System” always has PID 4 (Process Identification); if it does not, it is malware. You should also note that malware can be named anything, so you should check where the files of the running processes are located.
“System” Process Threat Hunting Tips
Usually, malicious activity involving the System process occurs in kernel-mode threads. The System process includes some DLLs as well as the kernel executable, so we strongly recommend building a baseline or whitelist of these DLLs.
We also recommend looking for misspelled names and checking that executables such as ntoskrnl.exe run from their actual folder.
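The three checks above (PID 4 and no image path for “System”, misspelled look-alike names, and modules loaded from outside the expected folder or absent from the baseline) as a script run over a constructed process and module snapshot. This is an added example, not code from the original post; the field names, the baseline contents and the sample data are assumptions.

```python
"""Hunting checks for the Windows 'System' process and its modules over a
constructed snapshot (e.g. exported from tasklist, Task Manager or Sysmon)."""
import re
from typing import Dict, List

SYSTEM32 = r"c:\windows\system32"
# Constructed baseline; build a real one from a known-good host of the same build.
BASELINE = {"ntoskrnl.exe", "hal.dll", "ci.dll", "ntfs.sys", "tcpip.sys"}
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s"})

def normalise(name: str) -> str:
    """Fold case and look-alike characters: 'ntoskrnI.exe' -> 'ntoskrnl.exe'."""
    return name.lower().translate(CONFUSABLES)

def is_system_name(name: str) -> bool:
    """True for 'System' and for misspelled or extension-added imitations of it."""
    return normalise(re.sub(r"\.exe$", "", name, flags=re.I)) == "system"

def hunt(processes: List[Dict], modules: List[Dict]) -> List[str]:
    findings: List[str] = []
    system_like = [p for p in processes if is_system_name(p["name"])]
    for p in system_like:
        path = p.get("path") or ""
        # The genuine System: exact name, PID 4, no parent, no image on disk, SYSTEM account.
        genuine = (p["name"] == "System" and p["pid"] == 4 and p.get("ppid", 0) == 0
                   and not path and p.get("user", "").lower() in ("system", "nt authority\\system"))
        if not genuine:
            findings.append(f"process '{p['name']}' pid={p['pid']} path={path or 'N/A'} is not the real System")
    if sum(p["name"] == "System" and p["pid"] == 4 for p in system_like) != 1:
        findings.append("expected exactly one 'System' process with PID 4")
    by_shape = {normalise(b): b for b in BASELINE}  # look-alike index of the baseline
    for m in modules:
        name, folder = m["name"], m["path"].rsplit("\\", 1)[0].lower()
        if name.lower() not in BASELINE:
            twin = by_shape.get(normalise(name))
            findings.append(f"module {name}: " + (f"look-alike of {twin}" if twin else "not in baseline"))
        if not folder.startswith(SYSTEM32):  # drivers live under System32\drivers
            findings.append(f"module {name} loaded from outside System32: {m['path']}")
    return findings

# Constructed sample snapshot: one genuine System plus planted anomalies.
SAMPLE_PROCESSES = [
    {"name": "System", "pid": 4, "ppid": 0, "path": None, "user": "SYSTEM"},
    {"name": "Syst3m.exe", "pid": 1337, "ppid": 2200, "path": r"C:\Users\Public\Syst3m.exe", "user": "bob"},
]
SAMPLE_MODULES = [
    {"name": "ntoskrnl.exe", "path": r"C:\Windows\System32\ntoskrnl.exe"},
    {"name": "tcpip.sys", "path": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"name": "ntoskrnI.exe", "path": r"C:\Users\Public\ntoskrnI.exe"},  # capital I in place of l
    {"name": "unknown.sys", "path": r"C:\Windows\System32\drivers\unknown.sys"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_PROCESSES, SAMPLE_MODULES):
        print(line)
```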