We are working on stress testing of an application and noticed a curious case where Windows kernel takes over execution of the stress test. The application under the stress test picks up system-wide IO events, mostly CRUD of files, using minifilter driver, similar to this passthough driver.
During the stress test using spddisk on one particular VM (Windows Server 2019 1809 17763.864 with no external AV or other security software installed), we noticed that System process with reserved pid 4 is "taking over" the stress payload execution. The same seems to be happening with a simple batch script as well (create, read, delete a file in a loop). I have never seen anything like this on any other systems and we cannot reproduce this behaviour anywhere else but on that single VM.
The "taking over" occurs after a few seconds into executing of the stress test and manifests itself in the following way:
- Process id is changed to System reserved pid 4
- Thread id is changed to another
tid - User SID is changed from
S-1-5-21-2874696658-2485333267-3621126573-500toS-1-5-18 - User is changed from
win-saacuiping\administratortoNT AUTHORITY\SYSTEM
We have captured this in procmon
This feels like some sort of sandboxing, but I've never actually seen this before. The simplified command used for stress testing is this
diskspd.exe -c100b -b1K -t2 -d60 -w50 -W0 -Sh f1.tmp
Can anyone please explain, why execution is suddenly passed from one process to Windows kernel System 4?