How to create a HIPS rule for ntoskrnl.exe?

I would like to create a HIPS rule for “ntoskrnl.exe” and I would like to know if I should choose “Allowed Application” or “Windows System Application” as the rule set. I noticed that in the second case for the “Run an executable” item an asterisk is added on the exclusions, in the “Allowed Files/Folder” tab, will this allow the system to work correctly?
I guess it’s a very important file for the functioning of the system, and I don’t want to cause trouble…


Hi Nis, thank you for reporting. Please check Active HIPS Rules, Network Access, Internet Protection | Internet Security v7.0

Thanks 1807

With it being a system process I would suggest setting it as Trusted if you're using HIPS in Custom Mode, but running HIPS in Safe Mode when Containment is enabled is more than sufficient and will allow trusted files automatically.

1 Like

Hi EricCrypted, are you facing any issues? If so, kindly report to us.

Thanks 1807

I would like to try to create a rule, because practically since forever with the 12.2.2.8012 version of CFW, if there isn’t a HIPS rule for an executable it can suffer slowdowns; for example with some games I had continuous lag if I didn’t define a rule for them. I don’t know if this also involves ntoskrnl.exe, but I noticed that it is the system file that performs the most writes on my PC, sometimes it can even reach 600Mb, but other times it stops at 150Mb, so to verify that it doesn’t depend on CFW, I would try to define a rule for it to see if it changes anything, or if it’s normal Windows operation.

No, just trying to assist Nils.

You could try ticking the option to create rules for safe applications.

Hi EricCrypted, we are also helping him.

Thanks 1807

Nis - Although high CPU use for ntoskrnl can be due to far too many reasons to easily diagnose, it is often caused not by that file itself; instead a couple of other things are usually the culprit.

If you want to check this, try this before you do anything else - it’s really easy. You may need to make 2 simple changes, but be certain to write down the current values before changing anything so that you can revert if you need to:

Open Regedit and first go to:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimeBroker]

"Start"=dword:00000003

(the value of the dword should be 00000003 already, but if not, change it)

Now go to:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysMain]

"DisplayName"="Superfetch"

"Start"=dword:00000003

Once again, check to see if the value is 00000003, and if not, change it.

Now reboot and check the CPU use again - if there is no change, you can use regedit to undo the 1 or 2 changes that you made.

(ps- making a HIPS rule for ntoskrnl won’t have any positive effect but potentially can cause major issues, so avoid doing this!)

1 Like
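The two "Start" values the post above asks you to write down, read from PowerShell and backed up as .reg files before anything is changed (an added example, not code from the thread or from Comodo; the key paths are the ones the post gives, the backup folder under $env:TEMP is my own choice):

```powershell
# Added example: inspect and back up the TimeBroker / SysMain start types
# the post refers to, without modifying anything. Run from an elevated prompt
# if 'reg export' complains about access to HKLM.
$services = @(
    'HKLM:\SYSTEM\ControlSet001\Services\TimeBroker',
    'HKLM:\SYSTEM\ControlSet001\Services\SysMain'
)
# Service start types as used by the Service Control Manager ('sc config start=')
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual (demand start)'; 4 = 'Disabled' }
$expected  = 3                                     # the value the post says to look for
$backupDir = Join-Path $env:TEMP 'svc-start-backup' # assumption: any writable folder is fine
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($path in $services) {
    $name  = Split-Path $path -Leaf
    $props = Get-ItemProperty -Path $path -ErrorAction Stop
    $start = [int]$props.Start
    $label = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { "unknown ($start)" }
    $note  = if ($start -eq $expected) { "matches expected $expected" }
             else { "differs from expected $expected - record this before changing it" }
    "{0,-10} Start={1} ({2}) {3}" -f $name, $start, $label, $note

    # DisplayName is commonly an indirect string such as
    # "@%SystemRoot%\system32\sysmain.dll,-1000"; Windows resolves it to a
    # localized name when displaying the service, so that form is normal.
    "{0,-10} DisplayName (raw)      = {1}" -f '', $props.DisplayName
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        "{0,-10} DisplayName (resolved) = {1}" -f '', $svc.DisplayName
    }

    # Export the whole key so the original values can be restored with 'reg import'.
    $regPath = $path -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath (Join-Path $backupDir "$name.reg") /y | Out-Null
}
"Backups written to $backupDir"
```

The resolved DisplayName comes from the Service Control Manager, so it shows what the Services console would display even when the registry holds only the @dll,-id reference.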

No, I don’t seem to have high CPU usage issues, at least not with ntoskrnl; it only happens when MS telemetry starts, usually at night or after installing/updating software. I’m more worried about SSD writes. However, the first registry key is as you wrote, while in the second one [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysMain]
I have “DisplayName”=@%SystemRoot%\system32\sysmain.dll,-1000
while “Start”=dword:00000002
“DisplayName” is very different from what you reported, what does that mean?

However, now I tried to disable the COMODO logs, because I noticed that the process cmdagent.exe also gets to write more than 1GB after many hours of PC use, and I’ll keep an eye on it in the next few days to see if it was due to that, and if so I’ll move it to the secondary drive, which is a HDD.