Odd NTOSKRNL hashes on the SEP 15 console

Article ID: 175383

Products

Endpoint Protection, Endpoint Security

Cause

NTOSKRNL is a special SYSTEM process with PID 4. Due to how Windows locks the file, SEP is unable to get the hash, so it was hard-coded with a static value.

MD5: 53797320000000000000000000000000

SHA-256: 5379732000000000000000000000000000000000000000000000000000000000

Resolution

This value is a hexadecimal representation of text:
Hex: 53 79 73 20
ASCII: "Sys "

The reported hash on NTOSKRNL.exe is by design. No further action is required.
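When hash values exported from the console are fed into reputation lookups or allow lists, placeholder values like this one should be separated from real file hashes first. The following is an added example, not Symantec code: it generalizes the article's case to any MD5 or SHA-256 value made of printable ASCII followed by zero padding, and the row format, function names and the `example.exe` entry are assumptions.

```python
import string

# Hex lengths of the two hash types the article lists.
HASH_LENGTHS = {32: "MD5", 64: "SHA-256"}
# Printable ASCII bytes, excluding control whitespace (space is allowed).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode_placeholder(hex_hash):
    """Return (hash_type, text) if hex_hash is ASCII text padded with zero
    bytes, like the article's "Sys " value; otherwise return None."""
    value = hex_hash.strip().lower()
    hash_type = HASH_LENGTHS.get(len(value))
    if hash_type is None:
        return None
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return None
    prefix = raw.rstrip(b"\x00")
    # Require some text and at least half of the digest to be zero padding.
    if not prefix or len(prefix) > len(raw) // 2:
        return None
    if any(b not in PRINTABLE for b in prefix):
        return None
    return hash_type, prefix.decode("ascii")


def triage(rows):
    """Split (process_name, hex_hash) rows into real hashes and placeholders."""
    real, placeholders = [], []
    for name, hex_hash in rows:
        decoded = decode_placeholder(hex_hash)
        if decoded:
            placeholders.append((name, decoded[0], decoded[1]))
        else:
            real.append((name, hex_hash))
    return real, placeholders


# Constructed sample rows: the article's two values (53 79 73 20 plus zero
# padding) and the MD5 of empty input as a real digest for contrast.
SAMPLE = [
    ("ntoskrnl.exe", "53797320".ljust(32, "0")),
    ("ntoskrnl.exe", "53797320".ljust(64, "0")),
    ("example.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Rows returned in the placeholder list can be dropped from hash lookups; the decoded text shows what the product wrote in place of a digest.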