NTOP Shows Windows Services running with GMSA account owners as running with SYSTEM account

[GauravES]

We have some Windows Services running with AD GMSA accounts of the form domain\gmsa_string$

(https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview )

NTOP shows the Windows Service running as SYSTEM, while Windows own Task manager, services.msc and other process manager tools such as Process Hacker show them running with the correct gmsa account.

However we also have some IIS Pools running with the same GMSA Account and for them NTOP shows the correct GMSA account. So it seems for some processes it is able to detect the correct GMSA process owner, but not for all

[GauravES]

The following explanation may be of use to the author @gsass1

Explain the discrepancy you're seeing with the GMSA account ownership in Windows Server Core 2022.

When you see a service running under a Group Managed Service Account (GMSA) showing up as SYSTEM in some process management tools while showing as the actual GMSA in others, this is typically due to how these tools retrieve and display process ownership information.

This discrepancy occurs because:

GMSAs use a special authentication mechanism where the computer account manages the password on behalf of the service.

Different process monitoring tools use different Windows APIs to query process ownership:

Some tools might show the security context the process is actually running under (the GMSA)
Others might show the process starter (often SYSTEM when dealing with services)

The Windows Service Control Manager (SCM) starts many services under the SYSTEM account initially, and then the service may switch to the configured service account (the GMSA) through impersonation.

Process monitoring tools that show more detailed security token information will correctly identify the GMSA, while simpler tools might only show the initial launch context (SYSTEM).

[gsass1]

IIRC I default to "SYSTEM" if looking up the user name fails.

I can try taking a look on the weekend.