From 164ea6623aa357ef83942832a77b6820c14cbefa Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 5 Mar 2026 18:44:22 +0100
Subject: [PATCH] fix(accessor): Ignore System process PE parsing

---
 pkg/filter/accessor_windows.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/filter/accessor_windows.go b/pkg/filter/accessor_windows.go
index 8eee0e4e7..f3da5b4de 100644
--- a/pkg/filter/accessor_windows.go
+++ b/pkg/filter/accessor_windows.go
@@ -1078,6 +1078,11 @@ func newPEAccessor() Accessor {
 }
 
 func (pa *peAccessor) Get(f Field, e *event.Event) (params.Value, error) {
+ // ignore System process
+ if e.PID == psnap.SystemPID {
+ return nil, nil
+ }
+
 var p *pe.PE
 if e.PS != nil && e.PS.PE != nil {
 p = e.PS.PE
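Review bot: The new guard at the top of `Get` sits ahead of the `e.PS != nil && e.PS.PE != nil` lookup, so for `e.PID == psnap.SystemPID` it discards any PE metadata already attached to the process state, not only the parse that the commit title refers to. If only the parse is meant to be skipped, the check could move below that branch. Every `pe.*` field now resolves to `nil, nil` on System-attributed events, and how negated or comparison conditions in detection rules treat that nil depends on filter code outside this hunk, so it is worth confirming that such rules do not start matching or silently stop matching. The comment `// ignore System process` should also give the reason and the consequence, for example `// skip PE resolution for the System process (presumably no regular image to parse - confirm); pe.* fields resolve to nil for its events`. The rest of `Get` continues outside the hunk.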