dwm.exe

dwm.exe runs the Desktop Window Manager, the compositor that has drawn the Windows desktop since Windows Vista. Instead of letting each application paint directly to the screen, the DWM has every window render to its own off-screen buffer and then composes them together with the graphics card. One dwm.exe runs for each interactive session, started by that session's winlogon.exe. The genuine binary lives at C:\Windows\System32\dwm.exe.

Each instance runs under a dedicated per-session virtual account named Window Manager\DWM-1, DWM-2, and so on, rather than the logged-on user or SYSTEM. So on a machine with the console plus a couple of remote desktop sessions, several dwm.exe processes under different DWM-n accounts are normal.

The Desktop Window Manager keeps to itself. It composites the screen and does not start other programs or, in normal operation, reach the network. It is present on every graphical Windows system and runs for the life of each session.

dwm.exe is rarely abused directly. Its main value to an analyst is as a baseline: a fixed identity, a known parent, a dedicated account, and no network or child processes, so deviations stand out. The simplest abuse is impersonation (T1036.005), where malware borrows the trusted name from the wrong path or runs under the wrong account.

It has been an elevation-of-privilege target. The Desktop Window Manager and its core library (dwmcore.dll) have carried several EoP vulnerabilities, where local code abuses the graphics pipeline to gain higher privileges (T1068). During that kind of exploitation the dwm.exe process itself usually looks normal, so patching, not process inspection, is the defense.

As a persistent per-session process, dwm can also be injected into to host code that blends with the desktop (T1055). A dwm.exe that loads unusual modules, opens network connections, or spawns anything is behaving outside its normal role.