What is SgrmBroker.exe and Why is it Running?

What is SgrmBroker.exe and is it a virus? Let’s dig into the details and review what the purpose of this Windows 10 Service is and why it’s running.

If you’re going through Task Manager on a Windows 10 (1709 Fall Creators Update or later) machine, you’ve probably seen SgrmBroker.exe running in the background. Is it a valid file? Is it a virus? Great questions. Let’s review what it is and if you should be concerned or not.

Jumping right to the end — everything is fine. You don’t need to worry about SgrmBroker.exe. The System Guard Runtime Monitor Broker (SgrmBroker.exe) is a service created by Microsoft and built into the core OS as of Windows 10 version 1709.

System Guard Runtime Monitor Broker (SgrmBroker)

What is SgrmBroker.exe?

System Guard Runtime Monitor Broker (SgrmBroker) is a Windows service that is part of Windows Defender System Guard. It is easily mistaken for RuntimeBroker, which handles universal apps; however, they are different processes and both are safe.

System Guard Runtime Monitor Broker (SgrmBroker) Details

System Guard Runtime Monitor Broker monitors and attests to the integrity of the Windows platform. The service has three key areas it monitors:

  1. Protect and maintain the integrity of the system as it starts up.
  2. Protect and maintain the integrity of the system after it’s running.
  3. Validate that system integrity has truly been maintained through local and remote attestation.

That’s a fairly high-level explanation of what the SgrmBroker.exe service is responsible for, so let’s dig into each of the areas a bit more.

1 – Protect and maintain the integrity of the system as it starts up

This ensures that no unauthorized firmware or software can start before the Windows bootloader. This would include firmware often called a bootkit or rootkit — nasty stuff. Only properly signed and secure Windows files and drivers can start on the device during startup.

One thing to note: for the most advanced functions to work properly, you will need a computer with a modern chipset that supports TPM 2.0. It must also be enabled in the BIOS/UEFI.

What is TPM 2.0?

Trusted Platform Module (TPM) is a standard for a secure cryptoprocessor, a sort of hardware chip in your computer. It exists in version 1.2 and the newer 2.0.

2 – Protect and maintain the integrity of the system after it’s running

Windows 10 hardware-isolates the most sensitive Windows services and data. In short, this means that if an attacker gains SYSTEM-level privilege or compromises the kernel itself, they cannot control or bypass all of your system’s defenses.

3 – Validate that system integrity has truly been maintained through the local and remote attestation

The TPM 2.0 chip helps to measure the integrity of your device by isolating top-level processes and data away from Windows. It measures, for example, device firmware, hardware configuration state, and Windows boot-related components. Remote attestation would require enterprise systems such as Intune or System Center Configuration Manager.

Registry and System File Locations for SgrmBroker.exe

Relevant registry and system file locations for the process are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker
%SystemRoot%\system32\SgrmBroker.exe

Don’t Worry, SgrmBroker.exe is Safe

As we’ve discussed, SgrmBroker.exe is a safe security service created by Microsoft to keep you and your system secure. Hence you should not try to stop or remove the service in any way. On a healthy system, this process will run most of the time with low RAM usage.

If you have any issues, you can verify that the file is signed by Microsoft and running from the c:\windows\system32 folder. This helps ensure it is not a copycat file running from another location.
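
The check described above, written as a PowerShell script (an added example, not part of the original article). The function name Test-SgrmBinary is made up for illustration, and the signer test assumes Microsoft's signing certificate subject contains "O=Microsoft Corporation". Run it from an elevated prompt so the process path can be read.

```powershell
# Added example: verify location and signature of SgrmBroker.exe, using the
# registry key and file path listed in the article.
$expected = Join-Path $env:SystemRoot 'System32\SgrmBroker.exe'

function Test-SgrmBinary([string]$Source, [string]$Path) {
    # Path can be empty when the process is protected or the prompt is not elevated.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Source = $Source; Path = '(not readable)'
                                  PathOk = $false; SignatureOk = $false; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Source      = $Source
        Path        = $Path
        # -ieq is a case-insensitive comparison; Windows paths vary in case.
        PathOk      = ($Path -ieq $expected)
        # 'Valid' means the signature chains to a trusted root and the file is intact.
        # Assumption: Microsoft's signer subject contains O=Microsoft Corporation.
        SignatureOk = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
        Signer      = $sig.SignerCertificate.Subject
    }
}

$results = @()

# 1. What the service is configured to launch (registry key from the article).
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SgrmBroker' `
                        -ErrorAction SilentlyContinue
$svcPath = "$($svc.ImagePath)".Trim('"')
$results += Test-SgrmBinary 'service ImagePath' $svcPath

# 2. Every process that is actually running under that name.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'SgrmBroker.exe'") {
    $results += Test-SgrmBinary "process PID $($p.ProcessId)" $p.ExecutablePath
}

$results | Format-List

# Any row with PathOk or SignatureOk set to False deserves a closer look.
if ($results | Where-Object { -not ($_.PathOk -and $_.SignatureOk) }) {
    Write-Warning 'At least one SgrmBroker.exe entry did not pass both checks.'
}
```

A "(not readable)" row means the path could not be obtained, not that the file is malicious; rerun elevated before drawing conclusions.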

Do you have additional questions about SgrmBroker.exe which I didn’t answer? Please post your question or comment on our free Windows 10 discussion forum.