audiodg.exe

audiodg.exe is the Windows Audio Device Graph Isolation process, which runs audio processing, including third-party audio effects, in a separate process from the audio service. It is a normal part of playing sound, and occasional high CPU from it usually traces to an audio effect rather than to malware.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

audiodg.exe hosts the audio engine and the digital signal processing for playback and capture, kept in its own process so that a faulty audio effect crashes the isolation host instead of the shared audio service. It is started by the audio service inside svchost.exe, runs under the LOCAL SERVICE account, and lives at C:\Windows\System32\audiodg.exe.

Legitimately, audiodg runs whenever audio is active, and CPU spikes during playback with enhancements enabled are normal. It processes audio rather than launching programs, so it does not start other processes or reach the network.

Security notes

audiodg.exe is a baseline process. Because it loads third-party audio effect DLLs, it has a plausible path for loading external code, which makes unusual loaded modules worth a glance. In practice, though, its main security relevance is impersonation (T1036.005): a process named audiodg.exe outside System32, under the wrong account, or with no audio service parent is the deviation to notice.

As a persistent service-context process it could also be injected into (T1055). audiodg making network connections or spawning programs is outside its normal behavior.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\audiodg.exe (high)
  • Unsigned image or a signer other than Microsoft (high)
  • Parent other than svchost.exe (the audio service) (high)
  • audiodg spawning child processes or making outbound connections (high)
  • Running as an account other than LOCAL SERVICE (med)
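
The five anomaly signals above, written as a check over process-creation and network events. This is an added example, not code from the original page: the event field names, the signer string, the full-path comparison for the parent and the sample events are all assumptions constructed for illustration.

```python
from ntpath import basename, normcase  # Windows path rules on any OS

EXPECTED_IMAGE = normcase(r"C:\Windows\System32\audiodg.exe")
EXPECTED_PARENT = normcase(r"C:\Windows\System32\svchost.exe")  # stricter than name-only
EXPECTED_USER = r"nt authority\local service"
TRUSTED_SIGNERS = {"microsoft windows"}  # assumption: signer string as your sensor reports it

def is_audiodg(path):
    return basename(normcase(path or "")) == "audiodg.exe"

def audiodg_anomalies(ev):
    """Return (severity, signal) pairs for one event; [] if nothing deviates."""
    out = []
    if ev["kind"] == "network_connect" and is_audiodg(ev.get("image")):
        out.append(("high", "audiodg made an outbound connection"))
    if ev["kind"] != "process_create":
        return out
    if is_audiodg(ev.get("parent_image")):
        out.append(("high", "audiodg spawned a child process"))
    if not is_audiodg(ev.get("image")):
        return out
    # From here on the new process itself claims to be audiodg.exe.
    if normcase(ev["image"]) != EXPECTED_IMAGE:
        out.append(("high", "image path is not System32"))
    if not ev.get("signed") or ev.get("signer", "").lower() not in TRUSTED_SIGNERS:
        out.append(("high", "unsigned or unexpected signer"))
    if normcase(ev.get("parent_image") or "") != EXPECTED_PARENT:
        out.append(("high", "parent is not svchost.exe"))
    if ev.get("user", "").lower() != EXPECTED_USER:
        out.append(("med", "account is not LOCAL SERVICE"))
    return out

# Constructed sample events (hypothetical field names, not real telemetry).
GOOD = {"kind": "process_create", "image": r"C:\Windows\System32\audiodg.exe",
        "signed": True, "signer": "Microsoft Windows",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "user": r"NT AUTHORITY\LOCAL SERVICE"}
SAMPLE_EVENTS = [
    GOOD,
    {**GOOD, "image": r"C:\Users\Public\audiodg.exe", "signed": False,
     "signer": "", "parent_image": r"C:\Windows\explorer.exe", "user": r"LAB\alice"},
    {**GOOD, "image": r"C:\Windows\System32\cmd.exe", "parent_image": GOOD["image"]},
    {"kind": "network_connect", "image": GOOD["image"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["kind"], ev["image"], audiodg_anomalies(ev))
```

Map the dictionary keys to whatever your process telemetry actually emits before using the function on real events.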

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
