Process
memory compression
Memory Compression is a minimal Windows process (introduced in Windows 10 1607) that holds the compressed standby pages of the memory manager. It has no on-disk image and no command line, and is parented by System.
File identity
Not observed.
Not observed.
Not observed.
Not observed.
Execution context
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Analysis
Memory Compression is a minimal process: a kernel-created process that owns an address space but runs no user-mode image. When the memory manager would otherwise have to write pages on the modified list out to the pagefile, it compresses them into a store kept in this process's working set instead, so they can be decompressed in place rather than paged back in from disk (under sustained pressure the compressed store itself can still be written to the pagefile). That makes the process's private working set large by design, because it literally is the compressed memory.
It is created by the kernel, runs as NT AUTHORITY\SYSTEM, and is parented by System (PID 4); the PID is assigned at boot. Task Manager folds its usage into the System line and does not show it separately, while Process Explorer lists it. Neither shows an image path or command line, because no executable was mapped to start it.
Windows ships no executable for Memory Compression. The name is a candidate for masquerading (T1036.005), so a process using it that has an on-disk image, a command line, or a parent other than System is not the memory manager's compression process. A large working set on the real process is expected and is not on its own a sign of anything.
- A process named Memory Compression backed by an executable file on disk (there is no image for it)
- A process named Memory Compression with a command line
- A visible parent other than System (PID 4)
- Running as any account other than NT AUTHORITY\SYSTEM
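The four indicators above, applied to a process inventory, as an added example (not code from the original page). The records are constructed and shaped like a Win32_Process export (Name, ExecutablePath, CommandLine, ParentProcessId, Owner); those field names, the normalisation of a trailing ".exe", and the sample PIDs are assumptions of this example.

```python
"""Added example: flag processes that carry the name "Memory Compression"
but contradict the profile of the kernel-created minimal process.
Record shape (Win32_Process-like field names) is an assumption."""

from typing import Iterable

SYSTEM_PID = 4
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def normalize_name(name: str) -> str:
    # Process names compare case-insensitively on Windows; tolerate a
    # collector that appends ".exe" (assumption about the collector).
    n = name.strip().lower()
    if n.endswith(".exe"):
        n = n[:-4]
    return n


def memory_compression_findings(proc: dict) -> list[str]:
    """Return the reasons this record is inconsistent with the real
    Memory Compression process. An empty list means the record does not
    contradict the expected profile; it is not proof the process is genuine."""
    if normalize_name(proc.get("Name", "")) != "memory compression":
        return []
    findings = []
    if proc.get("ExecutablePath"):
        findings.append(f"backed by on-disk image {proc['ExecutablePath']!r} (real process has none)")
    if proc.get("CommandLine"):
        findings.append("has a command line (real process has none)")
    ppid = proc.get("ParentProcessId")
    if ppid != SYSTEM_PID:
        findings.append(f"parent PID {ppid} is not System (PID {SYSTEM_PID})")
    owner = proc.get("Owner") or ""
    if owner.upper() != SYSTEM_ACCOUNT:
        findings.append(f"runs as {owner!r}, not {SYSTEM_ACCOUNT}")
    # A large working set is expected on the real process and is deliberately
    # not treated as an indicator.
    return findings


def scan(processes: Iterable[dict]) -> dict[int, list[str]]:
    """Map PID -> findings for every 'Memory Compression' record that fails a check."""
    hits = {}
    for p in processes:
        f = memory_compression_findings(p)
        if f:
            hits[p["ProcessId"]] = f
    return hits


# Constructed sample inventory (not real telemetry).
SAMPLE_PROCESSES = [
    # Looks like the genuine process: no image, no command line, parent
    # System, runs as SYSTEM, large working set.
    {"ProcessId": 1832, "Name": "Memory Compression", "ExecutablePath": None,
     "CommandLine": None, "ParentProcessId": 4, "Owner": "NT AUTHORITY\\SYSTEM",
     "WorkingSetSize": 900 * 1024 * 1024},
    # Masquerade: same name, but an on-disk image under a user profile, a
    # command line, a non-System parent and an ordinary user account.
    {"ProcessId": 5120, "Name": "Memory Compression",
     "ExecutablePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\Memory Compression.exe",
     "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\Memory Compression.exe\" -s",
     "ParentProcessId": 3344, "Owner": "DESKTOP-1\\alice",
     "WorkingSetSize": 12 * 1024 * 1024},
    # Unrelated process; the check ignores it.
    {"ProcessId": 3344, "Name": "explorer.exe", "ExecutablePath": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE", "ParentProcessId": 3000,
     "Owner": "DESKTOP-1\\alice", "WorkingSetSize": 150 * 1024 * 1024},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```

The genuine-looking record produces no findings, which is the intended behaviour: the checks only say when a process cannot be the memory manager's compression process, and a record that passes all four still deserves the same scrutiny as any other process if something else about it looks wrong. Feed the function a live inventory (for example a Win32_Process query exported to JSON) rather than the constructed list to use it for real.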
Telemetry
Not observed.
Not observed.