Troubleshoot memcompression

ravi prakash saini

Emsisoft behaviour blocker is verifying something called memcompression but is unable to detect WTH this is.
Same condition with Kaspersky and Comodo.
Not able to see its properties and unable to open its location.
My experience says it is related to Windows.
My brain says go get all details about it.
System showing no symptoms of infections, no fever, cough, constipation etc.
Google is also using its right to remain silent.
 
You are correct, it's from Windows. Emsisoft not verifying it is a bug they have and apparently fixed in version 2017.5, but last night I was checking it out and it was not verifying, so not sure if it's actually 100% fixed. I didn't have time to restart and see what happens.
Anyway, nothing to worry about. It's safe, assuming it's the one started by System.
 
@ravi prakash saini in the past week, I too came across it in ESET SysInspector and it is still unknown to ESET.
Screenshot (668).png
However, in Process Explorer, 'memcompression' is not found and instead it has the 'System and Compressed Memory' (the one indicated in Windows Task Manager). But the details as seen in the below picture are still not satisfactory except that it states its parent is 'System(4)'.
Screenshot (669).png
In Comodo KillSwitch, details similar to PE are shown and the rating is unknown, though it's not a very new process acc. to search.
The Image File Name of Memory Compression process is 'MemCompression', the one in discussion.
Screenshot (670).png

So yes, as @rockstarrocks shared and what I believe is that the latter (System and..mory) is already safe (as a Windows process) and memcompression should be related to it, or be its image.
 
Unfortunately, the Microsoft tech support could also not answer the same query, neither did they attempt to present an insight into the concerned process (whether legit).
Submission to Comodo (via KillSwitch) fails too.
To be 100% sure, I think, disabling Memory Compression if feasible, and checking the process' status should do the verification.
Here's some blog post info that may help:
Another change of the Anniversary update is that originally the System process did own all of the compressed pages. MS had decided that too many users were confused by the large memory footprint of the System process because it holds all of the compressed memory in its working set. Now another hidden process owns all of the compressed memory which shows up in Process Explorer/Hacker under the name Memory Compression. It is a child of the System process. In ETW traces it is called MemCompression. These caches are therefore not visible in the process list of task manager except for the (Compressed) number in the overview which tells you how much working set the Memory Compression process currently has.
 
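A read-only check of the properties discussed in the posts above (process name, parent System (4), no image file on disk), as an added example that is not part of the thread. The process name `Memory Compression` is the Process Explorer name quoted above; the function name `Test-MemCompressionProcess` and the session 0 expectation are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the system.
function Test-MemCompressionProcess {
    [CmdletBinding()]
    param(
        # Name as shown by Process Explorer per the quoted blog post (assumed to match Win32_Process.Name).
        [string]$Name = 'Memory Compression'
    )

    $procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'")
    if ($procs.Count -eq 0) {
        Write-Warning "No process named '$Name' found (older Windows build, or memory compression is off)."
        return
    }

    foreach ($p in $procs) {
        $findings = @()
        # The thread reports the parent as System (PID 4).
        if ($p.ParentProcessId -ne 4) {
            $findings += "parent PID is $($p.ParentProcessId), expected 4 (System)"
        }
        # Security tools in the thread could not open a file location; a path on disk is unexpected.
        if ($p.ExecutablePath) {
            $findings += "has an image path on disk: $($p.ExecutablePath)"
        }
        # Assumption of this example: a kernel-owned process runs in session 0.
        if ($p.SessionId -ne 0) {
            $findings += "runs in session $($p.SessionId), expected 0"
        }

        [pscustomobject]@{
            ProcessId    = $p.ProcessId
            ParentPid    = $p.ParentProcessId
            ImagePath    = $p.ExecutablePath
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Consistent   = ($findings.Count -eq 0)
            Findings     = $findings -join '; '
        }
    }
}

# Current memory-manager setting: MemoryCompression is True when the feature is enabled.
Get-MMAgent | Select-Object MemoryCompression

# For the disable-and-recheck test proposed in the post: from an elevated prompt run
# Disable-MMAgent -MemoryCompression, restart, run this function again, then restore
# the setting with Enable-MMAgent -MemoryCompression.
Test-MemCompressionProcess
```

A row with `Consistent` set to False lists in `Findings` which property differs from what the thread describes, which is the point to look closer with Process Explorer.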
Thanks to all the members for your valuable input. Emsisoft is now showing it under trusted applications. Tomorrow I will check it with Kaspersky and Comodo. I do not remember exactly but I think 360 was also flagging it.
Now my brain is again going southwards, thinking: when security software is unable to identify a Windows process, then what about a malicious one? So they are going the safe path, default deny. I am not against it but I do not like the idea. I mean, I will not go out because Microsoft, Google, FBI, NASA, KGB can see me, and I do not allow anyone to enter my home because the Taliban may enter my home.
Are we going backward or forward?
 
Unfortunately, the Microsoft tech assistants could not answer the same query, neither did they attempt to present an insight into the concerned process.
To be honest, MS tech assistants rarely give useful info. Most of the time they just give you standard troubleshooting steps which you have already tried.
 