Process

unknown

dashost.exe

dasHost.exe is the Device Association Framework host, the process that manages pairing and connecting wired and wireless devices like Bluetooth peripherals and network-discovered devices. It is a normal background service host. Its odd-looking name makes it a convenient thing for malware to imitate.

CategorySystemTagsdevicesmicrosoftcore-windows

File identity

File details

Not observed.

Signing information

Not observed.

File version0

Not observed.

File size0

Not observed.

Execution context

File paths0

Not observed.

User context0

Not observed.

Integrity level0

Not observed.

Instances0

Not observed.

Session0

Not observed.

Token privileges0

Not observed.

Ancestry

Parents0

Not observed.

Children0

Not observed.

Grandparents0

Not observed.

Grandchildren0

Not observed.

Behavior

Loaded modules0

Not observed.

Named pipes0

Not observed.

Process handles0

Not observed.

Command-line patterns0

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

dasHost.exe runs the Device Association Framework, which handles discovering, pairing, and connecting devices to the machine. It is started by the Device Association service through svchost.exe, runs under a service account (LOCAL SERVICE or NETWORK SERVICE), and lives at C:\Windows\System32\dasHost.exe.

Legitimately, dasHost runs in the background whenever device association is active. It manages devices rather than launching programs, so it does not normally start other processes, and its name is sometimes mistaken for something suspicious precisely because it is unfamiliar.

Security notes

dasHost.exe is a baseline process whose main relevance is impersonation (T1036.005). Its unusual name, and the fact that few people recognize it, make it a tempting cover for malware: a process named dasHost.exe outside System32, unsigned, under the wrong account, or without a svchost.exe parent is the deviation to investigate.

As a persistent service-context process it could also be injected into (T1055). dasHost spawning programs or reaching the network beyond device functions is outside its normal role.

Anomaly signals5
  • Image path other than C:\Windows\System32\dasHost.exehigh
  • Unsigned image or a signer other than Microsofthigh
  • Parent other than svchost.exehigh
  • dasHost spawning child processes or making unexpected outbound connectionshigh
  • Running as NT AUTHORITY\SYSTEM or a normal user accountmed

Telemetry

OS prevalence0

Not observed.

Observation timeline

Not observed.

References

Subsearch

Hasbeen seen inof dashost.exe?
Edit this page on GitHub