Suspicious "Secure System" Process in Task Manager

Anonymous
2021-07-05T14:09:12+00:00

I was looking through my task manager processes the other day and noticed a process I'd never seen before called "Secure System".

The name is so innocuous it actually stuck out to me as a bit suspicious.

While looking it up online, I found some mentions that it's a process that might run on Windows Server installs. The thing is, I'm using Windows 10 Home.

Along with this "Secure System" process, there were also a few others that are apparently only supposed to show up on Server, such as "Credential Guard and Key Guard" (LsaIso.exe). I've also seen a Hyper-V Service running once, yet I cannot find Hyper-V on the Windows Features menu.

(I also have some weirdly named svchost processes, such as cbdhsvc_338d7. Thought I might as well mention these while we're at it.)

The Secure System process currently sits at the bottom of CPU and RAM usage, but it has used quite a bit of resources at one point in the past.

Maybe I'm just being ignorant and paranoid, but is this normal by any chance? I was suspecting a virus or rootkit of some sort, but I've since run multiple AV and AR utilities (Win Defender, MBAM, AdwCleaner, MBAR, TDSSKiller, and RogueKiller) and none of them have found anything. Should I be worried? Would it be better to reinstall W10 just to be safe?

Thanks in advance.


This question was migrated from the Microsoft Support Community.


6 answers

  1. Rob Koch 25,465 Reputation points Volunteer Moderator
    2021-07-05T18:01:17+00:00

    Your discussion with Dave, including especially the Secure System and Hyper-V virtualization, fits with other discussions we've had here recently with others asking questions about the Core Isolation and Memory Integrity features of Windows 10.

    Since enabling Memory Integrity requires that virtualization be enabled so that a Hyper-V virtual machine can be opened to contain the core Windows operating system components, the addition of a Secure System service to monitor this process seemed reasonable as well.

    Enable virtualization-based protection of code integrity - Windows security | Microsoft Docs

    Since I've got this operating on my own Windows Home based Microsoft Surface Go tablet running in S Mode, I looked and found both the Secure System and LsaIso.exe processes running on this system as well.

    I checked for the Secure System process both before and after disabling the Memory Integrity option in Core isolation, found under Device security in the Windows Security at a glance console, and it disappeared and returned as expected. However, I forgot to look for the LsaIso.exe process before returning Memory Integrity to enabled, so you'll need to test this yourself if you want to be certain this is related to the same setting as well.

    You'll notice under Windows Security - Device security - Core isolation that Virtualization-based security is specifically mentioned, so the above all makes perfect sense.

    So you two were very close, just hadn't made the final leap to the primary reason behind these virtualization-based elements of Windows 10 being enabled on any system capable of operating with Memory integrity enabled.

    Rob

    84 people found this answer helpful.
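
A read-only way to check the relationship described in the answer above, as an added example that is not part of the original thread: it reads the virtualization-based security status Windows reports through the `Win32_DeviceGuard` CIM class and compares it with whether the Secure System and LsaIso processes are present. The function name `Get-VbsProcessReport` and the `NeedsReview` heuristic are assumptions made for illustration.

```powershell
# Added example (read-only). Get-VbsProcessReport is a hypothetical helper name.
function Get-VbsProcessReport {
    # Value meanings follow Microsoft's Win32_DeviceGuard documentation.
    $vbsStatusNames = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $serviceNames   = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $vbsStatus = [int]$dg.VirtualizationBasedSecurityStatus

    # SecurityServicesRunning is an array of ids; 0 means "none running".
    $running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
        $id = [int]$_
        if ($serviceNames.ContainsKey($id)) { $serviceNames[$id] } else { "Service id $id" }
    })

    $procs = @(Get-Process -Name 'Secure System', 'LsaIso' -ErrorAction SilentlyContinue)
    $secureSystem = @($procs | Where-Object { $_.ProcessName -eq 'Secure System' })
    $lsaIso       = @($procs | Where-Object { $_.ProcessName -eq 'LsaIso' })

    # The path of an isolated process may be unreadable, even when elevated.
    $expectedPath    = Join-Path $env:SystemRoot 'System32\LsaIso.exe'
    $lsaIsoPaths     = @($lsaIso | ForEach-Object { $_.Path } | Where-Object { $_ })
    $unexpectedPaths = @($lsaIsoPaths | Where-Object { $_ -ne $expectedPath })

    [pscustomobject]@{
        VbsStatus           = $vbsStatusNames[$vbsStatus]
        ServicesRunning     = $running -join ', '
        SecureSystemPresent = $secureSystem.Count -gt 0
        LsaIsoPresent       = $lsaIso.Count -gt 0
        LsaIsoPaths         = $lsaIsoPaths -join ', '
        # Heuristic: these processes should only appear while VBS is running,
        # and LsaIso.exe should load from System32.
        NeedsReview         = (($secureSystem.Count -gt 0 -or $lsaIso.Count -gt 0) -and $vbsStatus -ne 2) -or
                              ($unexpectedPaths.Count -gt 0)
    }
}

Get-VbsProcessReport | Format-List
```

On a machine where Memory integrity is enabled, the expected result is a VBS status of "Enabled and running" together with `SecureSystemPresent` set to True and `NeedsReview` set to False.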