TCPView lists [System Process] and cannot provide file location.

4 replies to this topic

#1 Thelps

  • Members
  • 43 posts

Posted 03 July 2016 - 05:56 PM

TCPView is listing one or more [System Process] entries, with a PID of 0.

It cannot provide file locations to these processes.

How can I identify which programs/services/features are causing these network connections?

Is this suspicious activity?

I'm very interested in maintaining complete control of network traffic to and from my computer. These [System Process] entries are network active but I don't have a way to identify them as of yet.





#2 Aura

Bleepin' Special Ops
  • Malware Response Team
  • 19,670 posts

Posted 03 July 2016 - 06:30 PM

Hi Thelps :)

An explanation for these entries can be found in the links below.

http://forum.sysinternals.com/system-process0-in-tcpview_topic18712.html
http://forum.sysinternals.com/topic3278_post10352.html#10352

To make it short, the process that originally initiated the connection doesn't exist anymore, and therefore has no PID or process name associated with it, but since the connection isn't totally terminated yet (mostly because of the TIME_WAIT delay), the connection is automatically associated with the "SYSTEM" process. A good example of this would be you using Internet Explorer to run tons of searches, queries, etc. and then exiting the program, which would exit the process as well.

What you should be looking at is the URLs/IPs these connections contact, and from there, look into them to see if they are malicious or not. I'll give you a heads-up first: a lot of these will probably contact Akamai, Amazon, etc. servers, which is entirely normal.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Thelps

  • Topic Starter
  • Members
  • 43 posts

Posted 03 July 2016 - 07:55 PM

The IPs the websites contact are indeed very uniform and usually from large corporations.

Unfortunately, whois lookups don't yield information that can be acted upon with any success.

My primary concern being maintaining privacy whilst browsing the publicly available internet, I'm forced to look into any and all means of maintaining anonymity whilst using online services to further my business efforts.

Presently I'm looking into OS-resident keyloggers and malware versions of such. Any leads beyond running a commercially available antivirus would be welcome.



#4 Didier Stevens

  • BC Advisor
  • 2,707 posts

Posted 04 July 2016 - 04:04 PM

Just to clarify a detail: when the connection is closed (in TIME_WAIT) but the process that created the connection still exists, then the PID is also 0.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
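As an added example (not code from the thread or from Sysinternals), here is a small Python script that applies the advice in posts #2 and #4: it parses `netstat -ano` style output (a constructed sample is embedded, since TCPView and netstat both attribute TIME_WAIT connections to PID 0), separates the expected PID-0 case (TIME_WAIT) from PID-0 entries in any other state, and tallies the remote hosts those entries contact so they can be looked up. Treating a non-TIME_WAIT PID-0 entry as "worth a closer look" is my own review heuristic, not a claim made in the thread.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not from the thread). The two
# TIME_WAIT rows show the PID-0 behaviour discussed above; the ESTABLISHED
# PID-0 row is constructed purely to exercise the "worth a look" branch.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     23.45.67.89:443        TIME_WAIT       0
  TCP    192.168.1.10:49713     23.45.67.89:443        TIME_WAIT       0
  TCP    192.168.1.10:49720     52.10.20.30:443        ESTABLISHED     4212
  TCP    192.168.1.10:49731     198.51.100.7:8080      ESTABLISHED     0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1234
"""

# One netstat row: proto, local, remote, optional state (UDP has none), PID.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows

def review_pid0(rows):
    """Split PID-0 TCP rows into TIME_WAIT (expected: the owning process has
    exited or closed the socket) and everything else, and count the remote
    hosts contacted so they can be checked against known-good providers."""
    expected, unusual = [], []
    for r in rows:
        if r["proto"] != "TCP" or r["pid"] != 0:
            continue
        (expected if r["state"] == "TIME_WAIT" else unusual).append(r)
    # Strip the port; works for IPv6 too, since netstat writes "[addr]:port".
    hosts = Counter(r["remote"].rsplit(":", 1)[0] for r in expected + unusual)
    return {"expected": expected, "unusual": unusual, "remote_hosts": hosts}

if __name__ == "__main__":
    result = review_pid0(parse_netstat(SAMPLE_NETSTAT))
    print("PID 0, TIME_WAIT (expected):", len(result["expected"]))
    print("PID 0, other state (look closer):", result["unusual"])
    print("Remote hosts to look up:", dict(result["remote_hosts"]))
```

On a live Windows host, pipe the real output in with `netstat -ano` and run the same two functions over it.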


#5 Thelps

  • Topic Starter
  • Members
  • 43 posts

Posted 06 July 2016 - 02:06 PM

I still experience regular (joking) comments about websites I look at online. This includes even the most trivial of internet activity. That indicates either I have malware (keyloggers or somesuch) resident on my machine, or that my ISP is releasing log files to third parties, or that my VPN provider is doing so (despite repeated assurances that they don't keep logs).

I'd consider all of this an inordinate amount of attention to apply to a home internet user, so I'm keen to either achieve a maximum level of internet anonymity, identify who is profiling me, or both.

I'm aware that websites record my browsing habits, but that is justified for marketing purposes, and I know how to block/ignore ads. The fact that it runs into day-to-day life away from the computer is the problem, and I interpret it as needless harassment.

Any ideas as to how to proceed to address any of the above problems would be helpful. I know it will require something of an expert in the field. PM me if anyone can think of particularly effective measures to anonymize internet usage.


