{"id":4473,"date":"2017-12-07T23:44:54","date_gmt":"2017-12-07T23:44:54","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4473"},"modified":"2017-12-07T23:56:21","modified_gmt":"2017-12-07T23:56:21","slug":"svchost-exe-explorer-exe-on-win10","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/12\/07\/svchost-exe-explorer-exe-on-win10\/","title":{"rendered":"svchost.exe -> explorer.exe on win10"},"content":{"rendered":"

When Windows Explorer is killed on Win 10, and then manually relaunched with an elevated account, it is actually re-launched by svchost.exe 5 seconds later via a temporary task C:\\Windows\\Tasks\\CreateExplorerShellUnelevatedTask.job – see below; so, if you see explorer.exe under svchost.exe it doesn’t necessary mean malware.<\/p>\n

There is additional information in this thread<\/a> that mentions this is a mechanism to prevent spawning an elevated Explorer process.<\/p>\n

<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.3\" xmlns=\"http:\/\/schemas.microsoft.com\/windows\/2004\/02\/mit\/task\">\r\n\u00a0 <RegistrationInfo>\r\n\u00a0\u00a0\u00a0 <Author>ExplorerShellUnelevated<\/Author>\r\n\u00a0\u00a0\u00a0 <URI>\\CreateExplorerShellUnelevatedTask<\/URI>\r\n\u00a0 <\/RegistrationInfo>\r\n\u00a0 <Triggers>\r\n\u00a0\u00a0\u00a0 <RegistrationTrigger id=\"CreateExplorerShell_Trigger\">\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <Enabled>true<\/Enabled>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <Delay>PT0S<\/Delay>\r\n\u00a0\u00a0\u00a0 <\/RegistrationTrigger>\r\n\u00a0 <\/Triggers>\r\n\u00a0 <Settings>\r\n\u00a0\u00a0\u00a0 <MultipleInstancesPolicy>IgnoreNew<\/MultipleInstancesPolicy>\r\n\u00a0\u00a0\u00a0 <DisallowStartIfOnBatteries>false<\/DisallowStartIfOnBatteries>\r\n\u00a0\u00a0\u00a0 <StopIfGoingOnBatteries>false<\/StopIfGoingOnBatteries>\r\n\u00a0\u00a0\u00a0 <AllowHardTerminate>true<\/AllowHardTerminate>\r\n\u00a0\u00a0\u00a0 <StartWhenAvailable>true<\/StartWhenAvailable>\r\n\u00a0\u00a0\u00a0 <RunOnlyIfNetworkAvailable>false<\/RunOnlyIfNetworkAvailable>\r\n\u00a0\u00a0\u00a0 <IdleSettings>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <Duration>PT10M<\/Duration>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <WaitTimeout>PT1H<\/WaitTimeout>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <StopOnIdleEnd>true<\/StopOnIdleEnd>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <RestartOnIdle>false<\/RestartOnIdle>\r\n\u00a0\u00a0\u00a0 <\/IdleSettings>\r\n\u00a0\u00a0\u00a0 <AllowStartOnDemand>true<\/AllowStartOnDemand>\r\n\u00a0\u00a0\u00a0 <Enabled>true<\/Enabled>\r\n\u00a0\u00a0\u00a0 <Hidden>false<\/Hidden>\r\n\u00a0\u00a0\u00a0 <RunOnlyIfIdle>false<\/RunOnlyIfIdle>\r\n\u00a0\u00a0\u00a0 <DisallowStartOnRemoteAppSession>false<\/DisallowStartOnRemoteAppSession>\r\n\u00a0\u00a0\u00a0 <UseUnifiedSchedulingEngine>true<\/UseUnifiedSchedulingEngine>\r\n\u00a0\u00a0\u00a0 <WakeToRun>false<\/WakeToRun>\r\n\u00a0\u00a0\u00a0 <ExecutionTimeLimit>PT72H<\/ExecutionTimeLimit>\r\n\u00a0\u00a0\u00a0 <Priority>6<\/Priority>\r\n\u00a0 <\/Settings>\r\n\u00a0 <Actions Context=\"Author\">\r\n\u00a0\u00a0\u00a0 <Exec>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <Command>C:\\Windows\\explorer.exe<\/Command>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <Arguments>\/NOUACCHECK<\/Arguments>\r\n\u00a0\u00a0\u00a0 <\/Exec>\r\n\u00a0 <\/Actions>\r\n\u00a0 <Principals>\r\n\u00a0\u00a0\u00a0 <Principal id=\"Author\">\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <UserId>xxxxxxxxxx\\user<\/UserId>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <LogonType>InteractiveToken<\/LogonType>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <RunLevel>LeastPrivilege<\/RunLevel>\r\n\u00a0\u00a0\u00a0 <\/Principal>\r\n\u00a0 <\/Principals>\r\n<\/Task><\/pre>\n","protected":false},"excerpt":{"rendered":"
When Windows Explorer is killed on Win 10, and then manually relaunched with an elevated account, it is actually re-launched by svchost.exe 5 seconds later via a temporary task C:\\Windows\\Tasks\\CreateExplorerShellUnelevatedTask.job – see below; so, if you see explorer.exe under svchost.exe … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4473"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4473"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4473\/revisions"}],"predecessor-version":[{"id":4478,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4473\/revisions\/4478"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}