When you execute it, it displays the following screen:<\/p>\n\n\n\n I have not explored these options.<\/p>\n\n\n\n Because… the far more interesting things happen under the hood. If you start Process Monitor before you execute servercoreshell.exe<\/em> program and then look at the events collected during a single test session you will find out that some of them are… well.. interesting!<\/p>\n\n\n\n It accesses a lot of interesting Registry locations, including:<\/p>\n\n\n\n And that HKLM\\SOFTWARE\\Microsoft\\ServerCore\\Shell Launcher\\Shell<\/em> is a DEFAULT persistent location that allows me to put this post in the Beyond good ol\u2019 Run key<\/em> series:<\/p>\n\n\n\n For starters, we can modify the content of the file c:\\WINDOWS\\System32\\servercoreshelllaunch.bat<\/em>. We can also change the value of the Registry entry that shell<\/em> points to. Then the only remaining bit is to ensure the servercoreshell.exe<\/em> program is executed at some time during system start, or after user logs in.<\/p>\n\n\n\n Bad news though — need Trusted Installer rights for that.<\/p>\n\n\n\n Still, this single program runs through many ‘shell’ initialization routines that Windows Symbols describe as:<\/p>\n\n\n\n During my tests, I played around and pointed some of the aforementioned registry settings to calculator, notepad, etc. and I discovered that the servercoreshell.exe<\/em> program often goes into a never-ending loop. When you launch it, then kill the main window, it will just continue to spawn its own copies. And when I set shell<\/em> value to a randomly named user under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ServerCore\\Shell Launcher\\Users\\Domain\\<user>\\Shell<\/em> to calculator, I ended up with a never-ending loop of new Calculator instances being spawn:<\/p>\n\n\n\n I suspect it’s a little buggy…<\/p>\n\n\n\n I also believe the servercoreshell.exe<\/em> program is related to this documented Shell Launcher<\/a> feature:<\/p>\n\n\n\n Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (Explorer.exe) with a Windows desktop application or a Universal Windows Platform (UWP) app. This feature is useful for creating a custom user experience on devices that are used for a specific purpose, including kiosks, ATMs, and digital signage.<\/p>\n<\/blockquote>\n\n\n\n Installing the latter on Windows 11 introduces a slightly different executable to the system though: ShellLauncherConfig.exe<\/em> and the shell<\/em> keys it relies on are located in a different place too:<\/p>\n\n\n\n Looks like the feature has at least 2 different, distinctive versions for server and non-server versions of Windows.<\/p>\n","protected":false},"excerpt":{"rendered":" I decided to add this post to this old series, but the scope of this post is – as you will find out soon – much wider. You will find servercoreshell.exe program to be present on both Windows Server 2022 … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/08\/servercoreshell_0.png\")
<\/a><\/figure>\n\n\n\n\n
<\/a><\/figure>\n\n\n\n\n
<\/a><\/figure>\n\n\n\n\n
<\/a><\/figure>\n\n\n\n\n
<\/a><\/figure>\n\n\n\n