Process: system
System (PID 4) is a special Windows kernel-mode process. It hosts threads running code from the operating system's core (ntoskrnl.exe) and drivers, handling low-level tasks like memory management and I/O rather than any application code.
File identity
Not observed.
Execution context
Not observed.
1 (100%)
Session 0 (100%)
SeDebugPrivilege (100%), SeCreatePermanentPrivilege (100%), SeProfileSingleProcessPrivilege (100%), SeCreateGlobalPrivilege (100%), SeTcbPrivilege (100%)
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
System is not a normal process. It is created directly by the kernel (ntoskrnl.exe) early in boot, before any user-mode process exists, and serves as the home for kernel-mode system threads. Its "modules" are the kernel executable itself plus loaded device drivers (.sys files) and a small number of kernel-mode DLLs. Tools disagree on how to display it: Task Manager reports the image path as ntoskrnl.exe, while Process Explorer shows no image path at all, because no executable file was ever mapped to start it.
Its identity is fixed. The PID is always 4 on Windows XP and later, it starts at boot, runs as NT AUTHORITY\SYSTEM (S-1-5-18), and has no parent (some tools display the Idle pseudo-process, PID 0, in the tree). Its only traditional user-mode child is smss.exe, the Session Manager, which the kernel-mode thread that finishes boot launches exactly once.
Modern Windows parents several minimal processes to System. Memory Compression (Windows 10 1607) holds the compressed standby pages of the memory manager and is hidden by Task Manager but visible in Process Explorer. Registry (Windows 10 1803) holds registry hive data on behalf of the kernel. Secure System appears when virtualization-based security is enabled and represents the secure kernel running in VTL1. Like System, none of these have an image file or command line.
Some network activity is attributed to PID 4. Kernel-mode components such as the SMB server (srv2.sys) and the HTTP listener (http.sys) run as system threads, so their sockets belong to System: listening on 445/tcp and 139/tcp, plus outbound SMB during share access and network logons.
Windows ships no executable named System.exe. Malware uses the name to blend in with the kernel process (T1036.005), sometimes with trailing spaces or look-alike spellings. A process named System with an on-disk image, a command line, or a PID other than 4 is not the kernel process.
Parent-PID spoofing (T1134.004) can make a payload appear as a child of PID 4. The legitimate child set is small, smss.exe plus the minimal processes, so other children of System, such as cmd.exe or powershell.exe, are worth investigating.
Kernel rootkits execute as System threads. A malicious driver, or a vulnerable signed driver loaded to be exploited (BYOVD), adds threads to System rather than creating a process of its own (T1014).
- A process named System whose PID is not 4 (high)
- A process named System backed by an executable file on disk; there is no legitimate System.exe (high)
- A visible parent process other than none / the Idle pseudo-process (PID 0) (high)
- More than one instance of System (high)
- Running as any account other than NT AUTHORITY\SYSTEM (high)
- User-mode children other than smss.exe and the minimal processes (Memory Compression, Registry, Secure System) (high)
- An unsigned or unrecognized driver among the loaded modules (med)
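The indicators above translate directly into a checker that runs over a process listing. The following Python is an added example for this profile, not code from the page or from any tool it names. The record layout (name, pid, ppid, image_path, user) is an assumption chosen to resemble a Win32_Process or Sysmon process listing, and every record in the sample snapshot is constructed. It implements the high-severity indicators; the driver-signature indicator needs a loaded-module list and is left out.

```python
"""Check a process snapshot against the System (PID 4) indicators listed above.

Added example for this profile, not code from the page or from any tool it
names. The record layout (name, pid, ppid, image_path, user) is an assumption
chosen to resemble a Win32_Process or Sysmon process listing; every record in
SAMPLE_SNAPSHOT is constructed for illustration.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

EXPECTED_PID = 4
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
# Legitimate direct children of System: smss.exe plus the minimal processes.
ALLOWED_CHILDREN = {"smss.exe", "memory compression", "registry", "secure system"}


@dataclass(frozen=True)
class Finding:
    pid: int
    severity: str
    reason: str


def looks_like_system(name: str) -> bool:
    """True for 'System' and for simple imitations of it.

    Handles case differences, surrounding whitespace, a '.exe' suffix and
    compatibility characters such as fullwidth letters (NFKC). It does not
    resolve cross-script confusables (e.g. Cyrillic letters), so a name built
    from those would slip past this check.
    """
    norm = unicodedata.normalize("NFKC", name).strip().lower()
    if norm.endswith(".exe"):
        norm = norm[:-4]
    return norm == "system"


def evaluate(snapshot: list[dict]) -> list[Finding]:
    """Apply the high-severity indicators to one snapshot and return findings."""
    findings: list[Finding] = []
    system_like = [p for p in snapshot if looks_like_system(p["name"])]

    # More than one instance of System: flag every instance, the analyst sorts them out.
    if len(system_like) > 1:
        for p in system_like:
            findings.append(Finding(p["pid"], "high", "more than one instance of System"))

    for p in system_like:
        pid = p["pid"]
        if pid != EXPECTED_PID:
            findings.append(Finding(pid, "high", "process named System whose PID is not 4"))
        if p.get("image_path"):
            findings.append(Finding(pid, "high",
                                    f"System backed by an on-disk image: {p['image_path']}"))
        if p.get("ppid") not in (None, 0):
            findings.append(Finding(pid, "high",
                                    f"visible parent other than none / Idle (PID 0): {p['ppid']}"))
        if p.get("user") != SYSTEM_ACCOUNT:
            findings.append(Finding(pid, "high",
                                    f"running as {p.get('user')!r} instead of {SYSTEM_ACCOUNT}"))
        if p["name"] != "System":
            findings.append(Finding(pid, "high",
                                    f"name {p['name']!r} imitates System (spacing/spelling)"))

    # User-mode children of PID 4 outside the small legitimate set.
    for p in snapshot:
        if p.get("ppid") == EXPECTED_PID and p["name"].lower() not in ALLOWED_CHILDREN:
            findings.append(Finding(p["pid"], "high",
                                    f"unexpected child of System: {p['name']}"))
    return findings


def suspicious_pids(snapshot: list[dict]) -> set[int]:
    """PIDs that triggered at least one finding."""
    return {f.pid for f in evaluate(snapshot)}


# Constructed snapshot: a healthy System tree plus two planted anomalies.
SAMPLE_SNAPSHOT = [
    {"pid": 0, "ppid": None, "name": "System Idle Process", "image_path": None, "user": SYSTEM_ACCOUNT},
    {"pid": 4, "ppid": 0, "name": "System", "image_path": None, "user": SYSTEM_ACCOUNT},
    {"pid": 108, "ppid": 4, "name": "Registry", "image_path": None, "user": SYSTEM_ACCOUNT},
    {"pid": 556, "ppid": 4, "name": "smss.exe",
     "image_path": r"C:\Windows\System32\smss.exe", "user": SYSTEM_ACCOUNT},
    {"pid": 2100, "ppid": 4, "name": "Memory Compression", "image_path": None, "user": SYSTEM_ACCOUNT},
    # Planted: an impostor with a trailing space, an image file, a user account and a parent.
    {"pid": 4412, "ppid": 1337, "name": "System ",
     "image_path": r"C:\Users\Public\System.exe", "user": r"DESKTOP\alice"},
    # Planted: a user-mode child under PID 4 that is neither smss.exe nor a minimal process.
    {"pid": 5120, "ppid": 4, "name": "powershell.exe",
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": SYSTEM_ACCOUNT},
]
CLEAN_SNAPSHOT = SAMPLE_SNAPSHOT[:5]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] pid {f.pid}: {f.reason}")
```

On the constructed snapshot the clean tree yields no findings; the impostor (PID 4412) trips five indicators plus the multiple-instance rule, the real PID 4 is flagged once by the multiple-instance rule (which is deliberate: seeing two System entries is the alert, and the PID, image path and parent fields then identify which one is genuine), and powershell.exe under PID 4 is reported as an unexpected child.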
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1