What can cause an unexpected takeover of execution by the System process pid 4 on Windows?

92 views Asked by At

We are working on stress testing of an application and noticed a curious case where Windows kernel takes over execution of the stress test. The application under the stress test picks up system-wide IO events, mostly CRUD of files, using minifilter driver, similar to this passthough driver.

During the stress test using spddisk on one particular VM (Windows Server 2019 1809 17763.864 with no external AV or other security software installed), we noticed that System process with reserved pid 4 is "taking over" the stress payload execution. The same seems to be happening with a simple batch script as well (create, read, delete a file in a loop). I have never seen anything like this on any other systems and we cannot reproduce this behaviour anywhere else but on that single VM.

The "taking over" occurs after a few seconds into executing of the stress test and manifests itself in the following way:

  • Process id is changed to System reserved pid 4
  • Thread id is changed to another tid
  • User SID is changed from S-1-5-21-2874696658-2485333267-3621126573-500 to S-1-5-18
  • User is changed from win-saacuiping\administrator to NT AUTHORITY\SYSTEM

We have captured this in procmon

procmon dump

This feels like some sort of sandboxing, but I've never actually seen this before. The simplified command used for stress testing is this

diskspd.exe -c100b -b1K -t2 -d60 -w50 -W0 -Sh f1.tmp

Can anyone please explain, why execution is suddenly passed from one process to Windows kernel System 4?

0

There are 0 answers