# NT Kernel System



## AkA-NeMo (Dec 6, 2007)

Hey, I use Symantec Endpoint Protection and I just got a Network Threat Protection warning saying that NT Kernel System has changed since the last time I used it, and it is asking me whether or not I want to allow it access to the network. Was wondering if anyone can help me. Here are the details about the warning:

```
The executable has changed since the last time you used C:\WINDOWS\system32\ntoskrnl.exe
File Version: 5.1.2600.5657
File Description: NT Kernel & System
File Path: C:\WINDOWS\system32\ntoskrnl.exe
Digital Signature:
Process ID: 0x4 (Hexadecimal) 4 (Decimal)

Connection origin: remote initiated
Protocol: UDP
Local Address: 192.168.2.255
Local Port: 137 (NETBIOS-NS - Browsing requests of NetBIOS over TCP/IP)
Remote Name:
Remote Address: 192.168.2.103
Remote Port: 137

Ethernet packet details:
Ethernet II (Packet Length: 110)
Destination: ff-ff-ff-ff-ff-ff
Source: 00-0a-eb-a6-be-3f
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0xd5b3 (Correct)
Source: 192.168.2.103
Destination: 192.168.2.255
User Datagram Protocol
Source port: 21924096
Destination port: 35072
Length: 8
Checksum: 0xe4fd (Correct)
Data (76 Bytes)

Binary dump of the packet:
0000: FF FF FF FF FF FF 00 0A : EB A6 BE 3F 08 00 45 00 | ...........?..E.
0010: 00 60 00 01 00 00 80 11 : B3 D5 C0 A8 02 67 C0 A8 | .`...........g..
0020: 02 FF 00 89 00 89 00 4C : FD E4 80 00 29 10 00 01 | .......L....)...
0030: 00 00 00 00 00 01 20 45 : 44 45 50 45 4D 45 50 46 | ...... EDEPEMEPF
0040: 44 46 45 45 50 45 4E 43 : 4E 44 49 45 44 44 4A 45 | DFEEPENCNDIEDDJE
0050: 47 44 47 44 49 41 41 00 : 00 20 00 01 C0 0C 00 20 | GDGDIAA.. .....
0060: 00 01 00 04 93 E0 00 06 : 00 00 C0 A8 02 67 | .............g
```

Thanks in advance.


----------
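The binary dump in the alert above carries enough information to see what traffic the firewall was asking about. The following is an added example, not part of the original thread: it parses those 110 bytes as Ethernet II / IPv4 / UDP and then as a NetBIOS Name Service message (RFC 1001/1002 layout). The function names and the returned dictionary keys are my own.

```python
import struct

# Bytes copied from the "Binary dump of the packet" in the post (offsets and ASCII column dropped).
DUMP = """
FF FF FF FF FF FF 00 0A EB A6 BE 3F 08 00 45 00
00 60 00 01 00 00 80 11 B3 D5 C0 A8 02 67 C0 A8
02 FF 00 89 00 89 00 4C FD E4 80 00 29 10 00 01
00 00 00 00 00 01 20 45 44 45 50 45 4D 45 50 46
44 46 45 45 50 45 4E 43 4E 44 49 45 44 44 4A 45
47 44 47 44 49 41 41 00 00 20 00 01 C0 0C 00 20
00 01 00 04 93 E0 00 06 00 00 C0 A8 02 67
"""
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}

def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decode_nb_name(enc: bytes):
    """RFC 1001 first-level encoding: each byte is sent as two letters 'A'..'P'."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]  # (name, suffix byte)

def parse_nbns_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / UDP / NetBIOS-NS far enough to triage the alert."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("not an IPv4/UDP frame")
    udp = 14 + (frame[14] & 0x0F) * 4                # IP header length from IHL
    sport, dport = struct.unpack_from("!HH", frame, udp)
    nb = udp + 8                                     # start of the NBNS message
    if len(frame) < nb + 50 or frame[nb + 12] != 32:
        raise ValueError("truncated or malformed NBNS question")
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack_from("!6H", frame, nb)
    name, suffix = decode_nb_name(frame[nb + 13:nb + 45])
    info = {"src": ipv4(frame[26:30]), "dst": ipv4(frame[30:34]),
            "sport": sport, "dport": dport, "name": name, "suffix": suffix,
            "is_response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010), "claimed_ip": None, "ttl": None}
    rr = nb + 50                                     # additional record follows the question
    if arcount and len(frame) >= rr + 18 and frame[rr] & 0xC0 == 0xC0:
        info["ttl"] = struct.unpack_from("!I", frame, rr + 6)[0]
        info["claimed_ip"] = ipv4(frame[rr + 14:rr + 18])  # skip RDLENGTH and NB_FLAGS
    return info

if __name__ == "__main__":
    for key, value in parse_nbns_frame(bytes.fromhex(DUMP)).items():
        print(f"{key:12} {value}")
```

For the dump in the post this reports a broadcast name registration request for `COLOSTOM-8C9F68` (suffix 0x00), sent from 192.168.2.103 to 192.168.2.255 with both UDP ports equal to 137. That is a machine on the same subnet announcing its own NetBIOS name and address.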



## Glaswegian (Sep 16, 2005)

Hi

I have the same version - this is likely an update patch from MS that's made the change. As long as you have no other system issues then it will be fine. Make sure you have Automatic Updates switched on - this will ensure you are advised when update patches become available.


----------



## skyhigh1001 (Apr 20, 2009)

I am also seeing the NT Kernel & System process running on my computer with suspicious behaviour. I run a bandwidth monitor program so that I can watch how much ISP bandwidth is being used since my ISP degrades my bandwidth rate if I exceed a certain monthly limit. A number of times I have seen the bandwidth monitor showing large transfers in progress when the computer should be idle. On Windows Vista I then run perfmon (which comes with Vista) which will show the system CPU, disk, network, etc. utilization, and which will show the processes using the network utilization and the addresses they are transferring to. The NT Kernel & System process is always the one doing the transfer, and it has connections to addresses outside my local subnet, and it also has connections to other computers in my house and is actively transferring data between the computers. I don't have any programs running which should be transferring data between my computers that I know about. This seems very much like a virus and/or spyware spreading itself.


----------

