svchost.exe -> explorer.exe on win10

December 7, 2017 in Forensic Analysis, Incident Response, Malware Analysis

When Windows Explorer is killed on Win 10 and then manually relaunched from an elevated account, it is actually re-launched by svchost.exe 5 seconds later via a temporary task, C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job (see the task definition below); so, if you see explorer.exe with svchost.exe as its parent, it doesn't necessarily mean malware.

There is additional information in this thread, which mentions that this is a mechanism to prevent an elevated Explorer process from being spawned.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>ExplorerShellUnelevated</Author>
    <URI>\CreateExplorerShellUnelevatedTask</URI>
  </RegistrationInfo>
  <Triggers>
    <RegistrationTrigger id="CreateExplorerShell_Trigger">
      <Enabled>true</Enabled>
      <Delay>PT0S</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>6</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\explorer.exe</Command>
      <Arguments>/NOUACCHECK</Arguments>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>xxxxxxxxxx\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
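As an added example (not code from the original post), here is a small Python triage helper that reads the task definition above to learn what the benign relaunch looks like (command, arguments, run level) and then classifies constructed process-creation records against it; the record field names (image, parent_image, command_line) are assumptions, not a real log schema.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed, trimmed copy of the task XML from the post (only the parts used).
# Real task files on disk are UTF-16; ET.parse() on the file handles that.
TASK_XML = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\CreateExplorerShellUnelevatedTask</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\explorer.exe</Command><Arguments>/NOUACCHECK</Arguments>
  </Exec></Actions>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
</Task>"""


def expected_relaunch(task_xml: str) -> dict:
    """Extract the command, arguments and run level the task is allowed to use."""
    root = ET.fromstring(task_xml)

    def text(path):
        return root.find(path, TASK_NS).text

    return {"command": text("t:Actions/t:Exec/t:Command"),
            "arguments": text("t:Actions/t:Exec/t:Arguments"),
            "run_level": text("t:Principals/t:Principal/t:RunLevel")}


def triage(record: dict, expected: dict) -> str:
    """Classify one process-creation record (constructed schema, see lead-in)."""
    image, parent = record["image"].lower(), record["parent_image"].lower()
    if not image.endswith("\\explorer.exe"):
        return "not-explorer"
    if not parent.endswith("\\svchost.exe"):
        return "explorer-normal-parent"
    # The benign relaunch uses the exact path and switch from the task file and runs unelevated.
    benign = f'{expected["command"]} {expected["arguments"]}'.lower()
    cmdline = record["command_line"].replace('"', "").lower()
    if cmdline == benign and expected["run_level"] == "LeastPrivilege":
        return "benign: CreateExplorerShellUnelevatedTask relaunch"
    return "suspicious: explorer.exe under svchost.exe without task signature"


SAMPLE_RECORDS = [  # constructed records, not real telemetry
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\explorer.exe /NOUACCHECK"},
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\explorer.exe"},
]


def triage_all(records, task_xml=TASK_XML):
    expected = expected_relaunch(task_xml)
    return [triage(r, expected) for r in records]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, triage_all(SAMPLE_RECORDS)):
        print(f"{verdict:<68} {rec['command_line']}")
```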
