diff --git a/pkg/kevent/kevent_windows.go b/pkg/kevent/kevent_windows.go
index c6d9d767a..98f721a89 100644
--- a/pkg/kevent/kevent_windows.go
+++ b/pkg/kevent/kevent_windows.go
@@ -211,6 +211,7 @@ func (e Kevent) IsTerminateProcess() bool { return e.Type == ktypes.TerminatePro
 func (e Kevent) IsTerminateThread() bool { return e.Type == ktypes.TerminateThread }
 func (e Kevent) IsUnloadImage() bool { return e.Type == ktypes.UnloadImage }
 func (e Kevent) IsLoadImage() bool { return e.Type == ktypes.LoadImage }
+func (e Kevent) IsImageRundown() bool { return e.Type == ktypes.ImageRundown }
 func (e Kevent) IsFileOpEnd() bool { return e.Type == ktypes.FileOpEnd }
 func (e Kevent) IsRegSetValue() bool { return e.Type == ktypes.RegSetValue }
 func (e Kevent) IsProcessRundown() bool { return e.Type == ktypes.ProcessRundown }
diff --git a/pkg/kstream/processors/image_windows.go b/pkg/kstream/processors/image_windows.go
index 6b29564a5..f335a384b 100644
--- a/pkg/kstream/processors/image_windows.go
+++ b/pkg/kstream/processors/image_windows.go
@@ -90,7 +90,7 @@ func (m *imageProcessor) ProcessEvent(e *kevent.Kevent) (*kevent.Kevent, bool, e
 }
 return e, false, m.psnap.RemoveModule(pid, mod)
 }
- if e.IsLoadImage() {
+ if e.IsLoadImage() || e.IsImageRundown() {
 return e, false, m.psnap.AddModule(e)
 }
 return e, true, nil
diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go
index 69b028060..6a715935e 100644
--- a/pkg/ps/snapshotter_windows.go
+++ b/pkg/ps/snapshotter_windows.go
@@ -38,6 +38,9 @@ import (
 log "github.com/sirupsen/logrus"
 )
 
+// SystemPID designates the pid of the system process that acts as the container for system threads
+const SystemPID uint32 = 4
+
 var (
 // reapPeriod specifies the interval for triggering the housekeeping of dead processes
 reapPeriod = time.Minute * 2
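Review bot: The widened condition in ProcessEvent now sends image rundown events through AddModule without recording why, and a reader has to find the snapshotter change to learn that rundown events are the ones whose zero pid gets remapped; a comment such as `// image rundown events describe modules already mapped when tracing started; record them like a load` would keep that reasoning in the processor. It is also worth confirming (not visible in this hunk) that a rundown event carries the same module parameters AddModule reads for a load event, since both event types now take the same path. ProcessEvent's body begins outside the hunk.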
@@ -196,8 +199,9 @@ func (s *snapshotter) AddModule(e *kevent.Kevent) error {
 moduleCount.Add(1)
 s.mu.Lock()
 defer s.mu.Unlock()
- if pid == 0 {
- pid = e.PID
+ if pid == 0 && e.IsImageRundown() {
+ // assume system process if pid is zero
+ pid = SystemPID
 }
 proc, ok := s.procs[pid]
 if !ok {
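Review bot: The pid fallback in AddModule is now narrower than it was: a zero pid on any event other than an image rundown previously fell back to e.PID, while with this change it stays 0 and is looked up as s.procs[0], which presumably misses and lands in the `!ok` branch. If dropping that fallback is intended, the comment should say so; otherwise keep it and apply the SystemPID remap only to rundown events, as sketched below. The remap is itself an attribution assumption — a module recorded under pid 4 that the system process never loaded would be shown in the wrong process in any later query — so the comment should mark it as such, e.g. `// image rundown events can report pid 0; attribute the module to the system process (assumption — see SystemPID)`. The function's start and the `!ok` branch lie outside the hunk.
```go
defer s.mu.Unlock()
if pid == 0 {
	if e.IsImageRundown() {
		// image rundown events can report pid 0; attribute the module to the
		// system process (assumption — see SystemPID)
		pid = SystemPID
	} else {
		pid = e.PID
	}
}
// … unchanged: s.procs lookup and the !ok branch …
```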