My System Has been Hacked ntoskml.exe has effectively Replaced all functionality of ntoskrnl.exe What to DO ??

Anonymous
2025-04-23T12:43:25+00:00

I am writing to raise urgent concern regarding a stealthy malware that has persisted for over a decade (dating back to at least 2013) and continues to affect systems running Windows 11 and older systems. This malware cleverly disguises itself as a core Windows process and avoids detection by Microsoft Defender and most security tools, severely impacting performance, battery life, and the reputation of Microsoft and hardware partners.


Observed Behavior & Impact

  • The malware runs under an official core service, "System Idle Process"
  • It consumes 90–95% of CPU usage when the system is idle, leading to:
    • Severe lag, thermal spikes, fan noise 🎛️
    • Worsened battery life 🔋
    • System performance that recovers instantly upon opening Task Manager, implying process pausing or concealment behavior.
  • This process seems to embed itself into the core of Windows 11, rendering it undetectable by Windows Defender and often bypassing even advanced scans.

Techniques & Concerns

  • Masquerading: The malware either mimics or has hacked a trusted core component like “System Idle Process,” fooling both users and superficial scans.
  • Anti-Forensics: It detects the launch of Task Manager or monitoring tools and reduces or suspends activity to avoid discovery.
  • Kernel-Level Persistence: It likely leverages advanced techniques such as Direct Kernel Object Manipulation (DKOM) to integrate at a low level, possibly hijacking system resources invisibly.
  • False Blame: Users often attribute the poor performance to Windows 11 itself or to their hardware, damaging trust in Microsoft and PC manufacturers.

Community Reports & Longevity

  • This issue has been widely reported in communities like Reddit, SuperUser, Tom’s Hardware, and even YouTube since 2013, with no official fix or acknowledgment.
  • Many users mistake it for normal Windows behavior, leading to delayed detection and underreporting.

Urgent Requests

  1. Immediate Investigation into this process and its behavior across Windows 11 systems.
  2. Enhanced Detection Capabilities in Microsoft Defender and other Windows security modules for deceptive, kernel-integrated threats.
  3. Public Advisory or patch to clarify this is not a Windows component and to restore trust among users and OEM partners.
  4. Telemetry Analysis to trace affected systems and determine scope of damage.

This issue is causing long-term damage to Microsoft’s reputation and user experience. I urge the security team to prioritize this as a critical malware threat and help the community regain control over their systems.

Thank you for your attention and continued commitment to security. 🛡️

Locked Question. This question was migrated from the Microsoft Support Community.

6 answers

  1. Anonymous
    2025-06-25T00:58:10+00:00

    Have you looked into this type of hack personally? Have you researched it or anything about hooking, patching or hollowing? Because from reading his post, that's exactly what it does, and I can confirm. I have Ep-Sieve outputs for ntoskrnl's PID, listing 3644 patches. If you need confirmation I'd be happy to share them. I believe him and you should too, it's no joke. Hackers don't always target businesses or government facilities. If you're waiting to hear a plausible motive for consumers before you believe someone then you really aren't thinking. Example: the system that I found this on runs 128gb 60000MHZ ddr5, a 13900ks custom looped, with a 5gb connection. That's the only reason I'd need if I were a hacker looking for a foothold to host attacks. A digital WMD, and a hacker's dream. Often consumer networks aren't monitored effectively or consistently. They have ISPs like Frontier who apparently don't maintain strong cybersecurity. Network hardware vendors like Tp-Link whose routers receive only a handful of firmware updates offering zero mitigations from new threats. The reasons for targeting homes are vast, and dismissing consumers' claims is either out of ignorance or willful blindness.

    1 person found this answer helpful.
  2. Anonymous
    2025-04-23T14:40:19+00:00

    You have not been hacked, neither is there any malware or virus that cannot be detected/prevented by any main brand AV/Security.

    Personally I wouldn't rely on Defender alone, it doesn't do that well in independent testing.

    "ntoskml.exe" issues can be caused by Win updating from the wrong sources

    1 person found this answer helpful.
  3. Anonymous
    2025-06-25T02:27:40+00:00

    This is all normal behavior.

    System Idle process is used for measuring how much 'idle' time the CPU is having at any particular time (100% minus the sum of all tasks CPU usage). It accounts for processor time when the system is not processing other threads and will display how much CPU resources, as a percentage are 'idle' and available for use. One instance of this process operates per CPU, and runs to occupy the processor when other threads are not running. System Idle process also issues HLT commands which put unused parts of the CPU into a suspend mode, thereby cooling the processor. Normally this process should take up at least 90%+ of processor time on average (this is the value in the CPU column). In non-technical terms, this figure represents how much CPU time has not been requested by anything else on your system.

    ntoskrnl.exe (aka kernel image) is responsible for various system services such as hardware virtualization, process and memory management. Routines in ntoskrnl use various function prefixes to indicate in which component of ntoskrnl they are defined, e.g. file system cache, I/O manager, Local Procedure Call, Local Security Authority, Memory Management and many more.

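    A way to check both the kernel-image claim in the question (an "ntoskml.exe" standing in for ntoskrnl.exe) and the System Idle Process explanation in the answer above, as an added example that is not part of any post in this thread. It assumes an elevated PowerShell session on an English-language Windows 11 install (performance-counter names are localized on other languages) and that a genuine install has no file named ntoskml.exe.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.

# 1. Is the on-disk kernel the genuine, Microsoft-signed ntoskrnl.exe?
#    Windows binaries are catalog-signed; Get-AuthenticodeSignature resolves that.
$kernelPath = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
$sig = Get-AuthenticodeSignature -FilePath $kernelPath
[pscustomobject]@{
    Path   = $kernelPath
    Status = $sig.Status                          # expected: Valid
    Signer = $sig.SignerCertificate.Subject       # expected: a Microsoft Windows subject
    SHA256 = (Get-FileHash -Path $kernelPath -Algorithm SHA256).Hash
}

# 2. Does a look-alike 'ntoskml.exe' exist under the Windows directory, or is it
#    registered as a driver service? Either hit is worth submitting to an AV vendor;
#    an empty result means the name from the question is not present on this host.
Get-ChildItem -Path $env:SystemRoot -Filter 'ntoskml.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'ntoskml' } |
    Select-Object Name, PathName, State

# 3. System Idle Process (PID 0) "CPU usage" is just unused processor time.
#    Its '% Processor Time' is summed over all logical CPUs, so divide by the CPU
#    count; it should track the processor-wide '% Idle Time' within a point or two.
$cpuCount = [Environment]::ProcessorCount
$samples = Get-Counter -Counter @('\Process(Idle)\% Processor Time',
                                  '\Processor(_Total)\% Idle Time') `
                       -SampleInterval 1 -MaxSamples 5
foreach ($s in $samples) {
    $idleProc = ($s.CounterSamples | Where-Object Path -match 'process\(idle\)').CookedValue / $cpuCount
    $cpuIdle  = ($s.CounterSamples | Where-Object Path -match 'processor\(_total\)').CookedValue
    '{0:N1}% System Idle Process  vs  {1:N1}% processor idle' -f $idleProc, $cpuIdle
}
```

    A high Idle figure on an otherwise quiet machine is the expected result; the signals worth escalating are an invalid kernel signature or a hit on the look-alike filename.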
  4. Anonymous
    2025-06-25T00:43:57+00:00

    They can hide in ntoskrnl through hooking or patches which evade all detection from consumer grade AVs. ThorLite is a free consumer version of Thor. It's fairly obvious when you run the right software. THORLite64 uses Ep-Sieve to scan for hollowed, patched and hooked processes. If ThorLite64's output log finds anomalies it lists them, and their PID. Get Ep-Sieve and run it in an elevated Administrator Cmd prompt. Use the PIDs that ThorLite64 lists and save the output. It saves as a JSON; you'll know that it's tampered with if you find patches on NTOSKRNL for instance. It's highly irregular to have system level processes patched in that way, especially if you find a high number of them.

  5. Anonymous
    2025-04-23T17:07:31+00:00

    Hello, I’m Virginia, a fellow user like yourself.

    Sorry to hear you’re experiencing problems.

    Try running these programs:

    MS Safety scanner: https://learn.microsoft.com/microsoft-365/secur...

    MBAM free: https://www.malwarebytes.com/mwb-download/ ensure scan for rootkits is enabled.

    Eset online scanner: http://www.eset.com/us/online-scanner/

    Adwcleaner: https://www.malwarebytes.com/adwcleaner/

    https://malwaretips.com/blogs/ntoskrnl-exe-what...

    If these find one or more infections but do not fully remove them it will be wise to register with a malware removal site to receive dedicated malware removal instructions, an expert will remain with you throughout the process until confirmation that your PC is 100% clean.

    Malwarebytes virus/malware removal forum:

    https://forums.malwarebytes.com/forum/7-windows...

    Bleeping computer malware/virus removal forum:

    https://www.bleepingcomputer.com/forums/forum22...

    If nothing is found I’d try an in place repair.

    In a nutshell you just download the Windows 11 .iso, right click & choose Mount, then double click on setup & follow instructions to continue with the install.

    Ensure keep apps & files is automatically selected.

    Please note a repair install is not a reset, this is a last attempt at repairing a PC without a clean install. If this fails to repair the problem then usually a clean install is required.

    Download here:

    https://www.microsoft.com/software-download/win...

    Disclaimer - This post contains reference to non-Microsoft websites and there may be ads on the page for products & services including products frequently classified as a PUP (Potentially Unwanted Product). Please thoroughly research any product / service advertised on the page before you decide to use them. Your discretion is very much advised.
