I would really like to be able to understand the rule behind the scenes for the Windows System process group. I have seen some other postings looking to break certain processes out of this process group (lsass.exe) but just a general understanding of hey we lump these processes because of "X" would be great to be able to communicate with my customers.
Definitely came across that link and while it is very helpful to understand how DT identifies processes and groups them, it doesn't provide the rule behind "What falls into the Windows System Process group".
They probably use the environment variables to assign processes into the Windows System Process group. In the below link it talks about customizing the grouping for Windows services and that is the method they suggest to do so.
Thanks David, after reading that I was super excited to give it a shot. I'm specifically trying to break out a certain Windows service, "Active Directory Domain Services", on our primary domain controller where I have an infrastructure-only agent running. I went through the steps and added the variable in the registry and restarted the service but haven't seen anything break out. I do see that this host has a restart that's going to happen tonight, so I'll let that happen naturally and see if, since it was a registry change, it perhaps needed a reboot of the actual host.
I really appreciate the link.
Well, unfortunately, from my testing the custom process group detection is not working, and the final method that is explained for when all else fails is just not very clear about what to do. It would be great if someone else in the community could give it a whirl.
I did, but nothing ever showed. I even set up the rule and made the changes just prior to a scheduled reboot of the system, so everything, registry-wise, should have been fresh.
I need to give this another shot.
Ok, ran through this again with no luck. Added the registry entry on a secondary domain controller that has lsass.exe running on it (NTDS service). Set up a process group detection rule looking for an environment variable equal to DT_CLUSTER_ID. Restarted the NTDS service. Nothing...
Also added a Process Group Monitoring rule looking for an exe running with name equal to "lsass.exe". Restarted the process again... nothing.
Hi all, just realized that I might also have to answer a customer's question on this in the near future.
Any new ideas or discoveries? The way I see it, I can only customize based on port number (for example, in this screenshot I know 3389 is for RDP).
But then, I am not quite sure whether this way of looking at the listening port number is a verification approach or an identification approach. If most fellow community members also get these port numbers in their environment, then we've got our answer.
Do you need to split the processes on the listening port? This won't be possible as the process detection happens actually before the application even starts and listening sockets are created by the application itself.
Windows services, which are run under or started by svchost.exe (which is the case for most infrastructure services) are grouped into a special process group, called Windows System. It is not visible on the main host screen, but you should see it if you click the ‘All processes’ button.
Please note that there are exceptions to the above rule. For some selected processes, like IIS for example, we report them separately. However, it is not currently possible to configure which processes are added to the Windows System group.
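As an added illustration of the rule in the answer above (this is not Dynatrace's code, and it assumes, as that answer states, that grouping follows the image hosting the service), the following PowerShell lists each Windows service with the executable that hosts it, so you can see which ones are svchost.exe-hosted and therefore expected to land in the Windows System group, and which, like NTDS inside lsass.exe, run in their own image:

```powershell
# Added example (not Dynatrace code). Lists services by hosting image so the
# svchost.exe-hosted ones (expected in the "Windows System" process group per
# the answer above) can be told apart from services with their own executable.
# Run in an elevated PowerShell session on the host in question.

function Get-ServiceHostImage {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }   # a few services report no PathName; skip them

        # PathName is either quoted ("C:\x\foo.exe" -arg) or unquoted
        # (C:\Windows\system32\svchost.exe -k netsvcs); extract the image only.
        if ($path -match '^\s*"([^"]+)"') {
            $image = $Matches[1]
        } else {
            $image = $path -replace '(?i)^(.*?\.exe).*$', '$1'
        }
        $imageName = [System.IO.Path]::GetFileName($image)

        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            State         = $_.State
            HostImage     = $imageName
            SvchostHosted = ($imageName -ieq 'svchost.exe')
            # For svchost-hosted services the -k group names the svchost instance they share.
            SvchostGroup  = if ($path -match '(?i)-k\s+(\S+)') { $Matches[1] } else { $null }
        }
    }
}

# Summary: how many running services sit under each hosting image.
Get-ServiceHostImage | Where-Object State -eq 'Running' |
    Group-Object HostImage | Sort-Object Count -Descending |
    Select-Object Count, Name

# Detail for the directory service discussed in this thread (hosted by lsass.exe, not svchost.exe).
Get-ServiceHostImage | Where-Object Name -eq 'NTDS'
```

Services that share one svchost.exe instance (same -k group) also share a single process, which is why they cannot be told apart by listening port at process-detection time.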