
Suspicious "Secure System" Process in Task Manager

Anonymous
2021-07-05T14:09:12+00:00

I was looking through my task manager processes the other day and noticed a process I'd never seen before called "Secure System".

The name is so innocuous it actually stuck out to me as a bit suspicious.

While looking it up online, I found some mentions that it's a process that might run on Windows Server installs. The thing is, I'm using Windows 10 Home.

Along with this "Secure System" process, there were also a few others that are apparently only supposed to show up on Server, such as "Credential Guard and Key Guard" (LsaIso.exe). I've also seen a Hyper-V Service running once, yet I cannot find Hyper-V on the Windows Features menu.

(I also have some weirdly named svchost processes, such as cbdhsvc_338d7. Thought I might as well mention these while we're at it)

The Secure System process currently sits at the bottom of CPU and RAM usage, but it has used quite a bit of resources at one point in the past.

Maybe I'm just being ignorant and paranoid, but is this normal by any chance? I was suspecting a virus or rootkit of some sort, but I've since run multiple AV and AR utilities (Win Defender, MBAM, Adwcleaner, MBAR, TDSSKiller, and RogueKiller) and none of them have found anything. Should I be worried? Would it be better to reinstall W10 just to be safe?

Thanks in advance.


This question was migrated from the Microsoft Support Community.


6 answers

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-07-05T18:01:17+00:00

    Your discussion with Dave, especially the parts about Secure System and Hyper-V virtualization, fits with other discussions we've had here recently with others asking questions about the Core Isolation and Memory Integrity features of Windows 10.

    Since enabling Memory Integrity requires that virtualization be enabled so that a Hyper-V virtual machine can be opened to contain the core Windows operating system components, the addition of a Secure System service to monitor this process seemed reasonable as well.

    Enable virtualization-based protection of code integrity - Windows security | Microsoft Docs

    Since I've got this operating on my own Windows Home based Microsoft Surface Go tablet running in S Mode, I looked and found both the Secure System and LsaIso.exe processes running on this system as well.

    I checked for the Secure System process both before and after disabling the Memory Integrity option in Core isolation found under Device security in the Windows Security at a glance console and it disappeared and returned as expected. However, I forgot to look for the LsaIso.exe process before returning Memory Integrity to enabled, so you'll need to test this yourself if you want to be certain this is related to the same setting as well.

    You'll notice under Windows Security - Device security - Core isolation that Virtualization-based security is specifically mentioned, so the above all makes perfect sense.

    So you two were very close, just hadn't made the final leap to the primary reason behind these virtualization-based elements of Windows 10 being enabled on any system capable of operating with Memory integrity enabled.

    Rob
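
One way to check the relationship described in the answer above on your own machine, as an added example that is not part of the original thread: it reads the virtualization-based security (VBS) state from the `Win32_DeviceGuard` CIM class, looks for the two processes named in the question, and verifies the signature of the LsaIso.exe image in System32.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Correlates the "Secure System" and LsaIso processes with the VBS state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
if (-not $dg) {
    Write-Warning 'Win32_DeviceGuard is not available; VBS state cannot be read.'
    return
}

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning: 1 = Credential Guard, 2 = memory integrity (HVCI).
$credGuard  = $dg.SecurityServicesRunning -contains 1
$hvci       = $dg.SecurityServicesRunning -contains 2

$procs = @(Get-Process -Name 'Secure System', 'LsaIso' -ErrorAction SilentlyContinue)
$seen  = @($procs | Select-Object -ExpandProperty Name -Unique)

[pscustomobject]@{
    VbsRunning             = $vbsRunning
    CredentialGuardRunning = $credGuard
    MemoryIntegrityRunning = $hvci
    SecureSystemPresent    = $seen -contains 'Secure System'
    LsaIsoPresent          = $seen -contains 'LsaIso'
} | Format-List

# These processes are expected only while VBS is running, so the combination
# "process present, VBS not running" is the one worth investigating.
if ($seen.Count -gt 0 -and -not $vbsRunning) {
    Write-Warning "Found $($seen -join ', ') although VBS is not running."
}

# LsaIso.exe has an image on disk; confirm it is the signed copy in System32.
$expected = Join-Path $env:SystemRoot 'System32\LsaIso.exe'
if (Test-Path $expected) {
    Get-AuthenticodeSignature -FilePath $expected |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
        Format-List
}
# Path can be empty for protected processes; flag only a path that is readable and wrong.
$procs | Where-Object { $_.Name -eq 'LsaIso' -and $_.Path -and $_.Path -ne $expected } |
    ForEach-Object { Write-Warning "LsaIso running from unexpected path: $($_.Path)" }
```

Secure System has no image file on disk to verify, which is why the script ties its presence to the reported VBS state instead of to a signature.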

  2. DaveM121 876.6K Reputation points Independent Advisor
    2021-07-05T15:13:12+00:00

    Hi Leif76,

    Rest assured they are genuine, and many people have reported those processes running on the Home version. Usually that is caused by a VM or emulator that was running at some time on the PC and that initiated those services in the Home version. Either way, you have nothing to worry about.

  3. DaveM121 876.6K Reputation points Independent Advisor
    2021-07-05T14:44:51+00:00

    Hi Leif76

    I am Dave, an Independent Advisor. I will help you with this.

    Open the Settings App, then go to Update and Security - Activation. What version of Windows 10 do you have installed on your PC: Home, Pro or Enterprise?

    All the processes you list are genuine Windows processes, though they usually are only running in the Enterprise version, though Microsoft are constantly making Windows 10 more secure, but you can rest assured, those are legitimate processes.

  4. Anonymous
    2021-07-05T15:10:14+00:00

    Hi Dave,

    The settings say I'm running Windows 10 Home (winver specifies build 19043.1052, if it matters).

    I was just worried that, since these are typically Enterprise processes (not Server, oops), they could have been fake or hijacked processes (don't know if that's even possible), but seems like that isn't the case then huh?

    If you say they're all genuine, then that's that.

    But just out of curiosity, what could be a possible reason for these processes to be running on Home Edition, and is there any way to disable them? Would there be any benefit in doing so?

    In any case, thanks for the reply.

  5. DaveM121 876.6K Reputation points Independent Advisor
    2021-07-05T16:05:40+00:00

    Hi Leif76, glad to help!
