Process
secure system
Secure System represents the secure kernel of virtualization-based security (VBS). It is present only when VBS is enabled, has no on-disk image and no command line, and is parented by System.
File identity
Not observed.
Execution context
Not observed.
Analysis
Secure System is a minimal process that stands in for the isolated secure environment that virtualization-based security creates. With VBS enabled, Hyper-V runs a second, more-trusted kernel (the secure kernel) in Virtual Trust Level 1, isolated from the normal kernel and drivers in Virtual Trust Level 0. Secure System is how that secure world is represented to the normal world; it owns an address space but runs no user-mode image of its own.
It is created by the kernel during boot when VBS is on, runs as NT AUTHORITY\SYSTEM, and is parented by System (PID 4); its PID is assigned at boot. Its presence depends on configuration: machines with VBS, HVCI, or Credential Guard enabled show it, and machines without those features do not. Process Explorer lists it with no image path and no command line.
Windows ships no executable for Secure System. That makes the name a candidate for masquerading (T1036.005): a process using it that has an on-disk image, a command line, or a parent other than System is not the secure kernel. Its presence or absence reflects whether VBS is configured, not whether a host is compromised.
- A process named Secure System backed by an executable file on disk (there is no image for it)
- A process named Secure System with a command line
- A visible parent other than System (PID 4)
- Running as any account other than NT AUTHORITY\SYSTEM
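The indicators above, as an added PowerShell check that is not part of the original page: it looks up every process named Secure System through WMI and reports any that has an image path, a command line, a parent other than PID 4, or an owner other than NT AUTHORITY\SYSTEM, and it also cross-checks the Win32_DeviceGuard VBS status so that a Secure System process on a host where VBS is not running is flagged too. It assumes Windows 10/11 with the DeviceGuard WMI namespace present and enough privilege to read process details.

```powershell
# Added example, not code from the original page.
# Flags processes that carry the name "Secure System" but do not look like
# the VBS secure kernel, using only the properties the page describes.
function Test-SecureSystemMasquerade {
    $findings = @()

    # VBS status from the DeviceGuard WMI class: 0 = not enabled,
    # 1 = enabled but not running, 2 = running.
    $vbsRunning = $false
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2) { $vbsRunning = $true }

    $procs = Get-CimInstance Win32_Process -Filter "Name = 'Secure System'"
    foreach ($p in $procs) {
        $reasons = @()

        # The real Secure System has no on-disk image and no command line.
        if ($p.ExecutablePath) { $reasons += "has image path: $($p.ExecutablePath)" }
        if ($p.CommandLine)    { $reasons += "has command line: $($p.CommandLine)" }

        # It is parented by System (PID 4).
        if ($p.ParentProcessId -ne 4) {
            $reasons += "parent PID is $($p.ParentProcessId), not 4"
        }

        # It runs as NT AUTHORITY\SYSTEM. GetOwner may legitimately fail for the
        # protected secure-kernel process, so only a successful, non-SYSTEM
        # answer counts as a finding.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -eq 0) {
            $acct = "$($owner.Domain)\$($owner.User)"
            if ($acct -ne 'NT AUTHORITY\SYSTEM') { $reasons += "runs as $acct" }
        }

        # The process should only exist when VBS is actually running.
        if (-not $vbsRunning) { $reasons += 'VBS is not running on this host' }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                PID     = $p.ProcessId
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Usage: an empty result means every Secure System process matched the
# expected profile (or none exists, which is normal when VBS is off).
Test-SecureSystemMasquerade | Format-Table -AutoSize
```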
Telemetry
Not observed.