I would really like to be able to understand the rule behind the scenes for the Windows System process group. I have seen some other postings looking to break certain processes out of this process group (lsass.exe) but just a general understanding of hey we lump these processes because of "X" would be great to be able to communicate with my customers.
They probably use the environment variables to assign processes into the Windows System Process group. In the below link it talks about customizing the grouping for Windows services and that is the method they suggest to do so.
Thanks David, after reading that I was super excited to give it a shot. I'm specifically trying to break out a certain Windows service, "Active Directory Domain Services", on our primary domain controller where I have an infrastructure-only agent running. I went through the steps and added the variable in the registry and restarted the service but haven't seen anything break out. I do see that this host has a restart that's going to happen tonight, so I'll let that happen naturally and see if, since it was a registry change, it perhaps needed a reboot of the actual host.
I really appreciate the link.
Ok, ran through this again with no luck. Added the registry entry on the secondary domain controller that has lsass.exe running on it (NTDS service). Set up a process group detection rule looking for an environment variable equal to DT_CLUSTER_ID. Restarted the NTDS service. Nothing...
Also added a Process Group Monitoring rule looking for an exe running with name equal to "lsass.exe". Restarted the process again... nothing.
Hi all, just realized that I might also have to answer a customer's question on this in the near future.
Any new ideas or discoveries? The way I see it I can only customize based on port number (for example, in this screenshot I know 3389 is for RDP).
But then, I am not quite sure whether this way of looking at the listening port number is a verification approach or an identification approach. If most fellow community members also get these port numbers in their environment, then we've got our answer.
Windows services, which are run under or started by svchost.exe (which is the case for most infrastructure services) are grouped into a special process group, called Windows System. It is not visible on the main host screen, but you should see it if you click the ‘All processes’ button.
Please note that there are exceptions to the above rule. For some selected processes, like IIS for example, we report them separately. However, it is not currently possible to configure which processes are added to the Windows System group.
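An added example (not from this thread and not Dynatrace's own code) for checking two things the thread turns on: which services on a host are hosted by svchost.exe, and so are expected to land in the Windows System group under the rule stated in the last reply, and whether the environment variable from the earlier posts (DT_CLUSTER_ID) was actually written for the service in question. The svchost.exe test is only the stated rule applied to each service's command line; the thread's own case, NTDS hosted by lsass.exe, shows the real grouping has further cases, and the exceptions the reply mentions (IIS) are not modelled. The registry read assumes the standard per-service `Environment` REG_MULTI_SZ value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`, which the Service Control Manager passes to the service at start-up; the service name `NTDS` and the variable name are taken from the thread, and the script is meant to be run in an elevated PowerShell session on the host.

```powershell
# Added example (not from the thread or from Dynatrace): survey Windows services and flag
# the ones hosted by svchost.exe, then verify whether an environment variable was
# written for one service of interest. Run elevated on the host being investigated.
param(
    [string]$ServiceOfInterest = 'NTDS',          # service name used in the thread
    [string]$VariableName      = 'DT_CLUSTER_ID'  # variable name used in the thread
)

$services = Get-CimInstance -ClassName Win32_Service

$report = foreach ($svc in $services) {
    # PathName is the service's start command, e.g. "C:\Windows\system32\svchost.exe -k netsvcs".
    # Services started by svchost.exe are, per the reply above, expected in "Windows System".
    $hostedBySvchost = [bool]($svc.PathName -match '\\svchost\.exe')
    [pscustomobject]@{
        Name            = $svc.Name
        State           = $svc.State
        ProcessId       = $svc.ProcessId
        HostedBySvchost = $hostedBySvchost
        ExpectedGroup   = if ($hostedBySvchost) { 'Windows System (expected)' } else { 'other (check the Dynatrace UI)' }
        PathName        = $svc.PathName
    }
}

$report | Sort-Object HostedBySvchost, Name | Format-Table -AutoSize

# Verify that the environment variable was actually written for the service of interest.
# "Environment" is a REG_MULTI_SZ of NAME=VALUE strings under the service's registry key.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceOfInterest"
if (-not (Test-Path $key)) {
    Write-Host "Service key not found: $key"
    return
}

$envValues = (Get-ItemProperty -Path $key -Name Environment -ErrorAction SilentlyContinue).Environment
if ($null -eq $envValues) {
    Write-Host "No 'Environment' value is set for service '$ServiceOfInterest'."
} else {
    $found = @($envValues | Where-Object { $_ -like "$VariableName=*" })
    if ($found.Count -gt 0) {
        Write-Host "Found for '$ServiceOfInterest': $($found -join ', ')"
    } else {
        Write-Host "'Environment' exists for '$ServiceOfInterest' but does not contain $VariableName."
    }
}

# The value only reaches the service process at the next start of that process. For a
# service hosted inside lsass.exe (as NTDS is), that process cannot simply be restarted,
# which is why a reboot, as speculated earlier in the thread, is the point to re-check.
```

The report lets you compare the "expected" column against what the Dynatrace UI shows under the All processes button, and the registry check separates "the variable was never written correctly" from "the variable is there but the agent did not act on it", which is the distinction the earlier posts could not make.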