Friday, March 6, 2015

Critical Windows Processes - System Idle process

This "System Idle Process" is one of the critical processes to be aware of on Windows systems. Many times, malicious processes will have the same or similar names as legitimate processes, so it's important that we are able to differentiate between what's legit and what's not legit.

System Idle process
- This is not actually a true process, as it is not tied to any user-mode application, i.e. there is no "System Idle Process.exe".
  From the image seen above, there is no "path", "command line", "current directory", etc.
- Uses PID 0.
- Its primary purpose is to keep the processor busy when no other thread is running.

- From the graph below, at the time the snapshot was taken, this system was 21.5% busy, as the CPU usage for the System Idle Process was 78.25%.
- Runs completely in kernel mode.

- Below we see that this process spends all its time in kernel mode and none in user mode. While the image below shows thread 0, this is basically the same for the 3 other threads.
- One thread for each CPU.
- From the image above, we can see this system has 4 CPUs, represented by threads 0, 1, 2 & 3.

Why does this matter? Easy! If you see any process on your system running as "System Idle Process" that points to a specific executable, that should be a clear sign that your system is more than likely infected with malware or is being used for some other malicious activity.
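As an added example (not part of the original post), the points above can be turned into a small baseline check: any entry calling itself "System Idle Process" should have PID 0, no backing executable, no user-mode time, and one thread per CPU. The snapshot below is constructed by hand, and the executable path in the fake entry is a hypothetical placeholder.

```python
# Added example (not from the original post): baseline checks for a process that
# presents itself as "System Idle Process", applied to a constructed snapshot.
from dataclasses import dataclass

@dataclass
class ProcInfo:
    name: str
    pid: int
    path: str           # "" when there is no backing executable (the real idle "process")
    threads: int
    user_time: float    # seconds spent in user mode
    kernel_time: float  # seconds spent in kernel mode

def normalize(name: str) -> str:
    # Collapse case and whitespace so "System  idle process" still matches.
    return "".join(name.lower().split())

def check_idle_process(proc: ProcInfo, cpu_count: int) -> list[str]:
    """Return deviations from the idle-process baseline described in the post."""
    findings = []
    if proc.pid != 0:
        findings.append(f"PID {proc.pid}, expected 0")
    if proc.path:
        findings.append(f"backed by an executable: {proc.path}")
    if proc.user_time > 0:
        findings.append(f"{proc.user_time:.1f}s user-mode time, expected none")
    if proc.threads != cpu_count:
        findings.append(f"{proc.threads} threads, expected one per CPU ({cpu_count})")
    return findings

def audit(snapshot: list[ProcInfo], cpu_count: int) -> dict[int, list[str]]:
    """Map PID -> findings for every entry claiming to be the idle process."""
    return {p.pid: check_idle_process(p, cpu_count)
            for p in snapshot if normalize(p.name) == "systemidleprocess"}

# Constructed snapshot: the genuine PID 0 entry and a fake one using the same name.
SNAPSHOT = [
    ProcInfo("System Idle Process", 0, "", 4, 0.0, 98765.0),
    ProcInfo("System Idle Process", 4312, r"C:\Users\Public\svc.exe", 2, 3.2, 0.4),  # hypothetical path
]

if __name__ == "__main__":
    for pid, findings in audit(SNAPSHOT, cpu_count=4).items():
        status = "OK" if not findings else "SUSPICIOUS: " + "; ".join(findings)
        print(f"PID {pid}: {status}")
```

On a live system the same checks apply to whatever tool exported the snapshot (Process Explorer, tasklist, etc.); the genuine entry passes all four, the fake one fails every one.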
