Process

ubiquitous · signed

explorer.exe

explorer.exe is Windows Explorer, the graphical shell behind the interactive desktop: the taskbar, the Start menu, the system tray, and the file browser windows. One instance runs per signed-in user and acts as the parent for most of the programs a person launches by clicking.

Microsoft Corporation · First seen 2026-06-08

File identity

File details
File type: PE32+ executable
Magic: PE32+ executable (GUI)
Original name: EXPLORER.EXE.MUI
Internal name: explorer
Product: Microsoft® Windows® Operating System
Signing information
Status: Signed
Publisher: Microsoft Corporation
Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011
Signature rate: 100%
File version (1)
  • 10.0.26100.8117 (WinBuild.160101.0800) · 100%
File size (1)
  • 3249.80 KB · 100%

Execution context

File paths (1)
  • C:\Windows\explorer.exe · 100%
User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (1)
  • 1 · 100%
Session (1)
  • Session 1 · 100%
Token privileges (1)
  • SeChangeNotifyPrivilege · 100%

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (2)
Named pipes (0)

Not observed.

Process handles (5)
Command-line patterns (0)

Not observed.

LOLBAS (2)
  • explorer.exe /root,"{PATH_ABSOLUTE:.exe}" · Execute · Performs execution of the specified file with explorer.exe as the parent process, breaking the process tree; can be used for defense evasion.
  • explorer.exe {PATH_ABSOLUTE:.exe} · Execute · Performs execution of the specified file with explorer.exe as the parent process, breaking the process tree; can be used for defense evasion.

Indicators

Hashes

Not observed.

Analysis

About this process

At its core, explorer.exe gives users access to their files, but it fills two roles. It's the file browser opened through Windows Explorer, and it's the user interface that draws the desktop, the Start menu, the taskbar, the Control Panel, and the system tray. It's also what launches programs through file-extension associations and shortcut files, so double-clicking an icon or opening something from the Start menu runs through explorer.exe.

It's the default shell named in the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, though Windows can run with a different interface there instead, such as cmd.exe or powershell.exe. It's started at logon by userinit.exe, which then exits, so a normal explorer.exe has no living parent in the process tree, the same orphaned look as the boot processes. It runs as the signed-in user, not SYSTEM, and the legitimate copy lives directly in C:\Windows rather than System32. Multiple instances under one user are normal, for example when the folder option "Launch folder windows in a separate process" is enabled.

Because it launches whatever the user clicks, explorer.exe is the parent of a wide and legitimately unpredictable set of processes: browsers, Office apps, installers, command prompts a user opened by hand. That makes its child list the noisiest of any core process, so the useful signal is which child appeared, not that there are children at all. Unlike the boot processes, explorer.exe is not critical: it can be ended and restarted, and Windows will usually relaunch it on its own, which is why "restart Explorer" is a common fix for a frozen desktop.

Security notes

Because nearly every user process descends from it, explorer.exe is a useful name for malware to hide behind (T1036.005). A legitimate copy always resides in C:\Windows (not System32) and carries a valid Microsoft digital signature. Be suspicious of a copy running from System32, a user profile, or a temp folder, and of near-miss spellings such as explorer32.exe or expIorer.exe.

explorer.exe is a favored target for process injection because it's always running, runs as the user, and makes outbound activity from it look ordinary (T1055). Code injected into it inherits the user's context and blends into normal desktop behavior, so unusual loaded modules or network connections coming from explorer.exe are worth examining.

Its place in the process tree also makes it a key pivot for spotting phishing-borne execution. explorer.exe launching a command shell or script host moments after the user opened a document or archive is a classic user-execution chain (T1204.002), since the malicious file rode in through something the user double-clicked.

Anomaly signals (7)
  • Image path other than C:\Windows\explorer.exe · high
  • Running as NT AUTHORITY\SYSTEM rather than a normal user · high
  • Unsigned image or a signer other than Microsoft · high
  • A persistent visible parent (userinit.exe starts it and exits) · med
  • An instance running with no interactive user signed in · med
  • Spawning command shells or script hosts (cmd.exe, powershell.exe, wscript.exe) right after a document or email is opened · med
  • Outbound network connections from explorer.exe itself · med
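
The per-instance signals above and the near-miss names from the security notes can be checked against a process snapshot, as in this added example (not part of the original page or any vendor tooling). The record schema and sample data are constructed for illustration, and the script-host check only marks candidates: it does not do the "right after a document was opened" time correlation, so a command prompt the user opened by hand will also appear.

```python
import ntpath
# Constructed process snapshot (hypothetical schema, not a real EDR export).
SAMPLE = [
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "user": r"NT AUTHORITY\SYSTEM", "signer": "Microsoft Windows"},
    {"pid": 4100, "ppid": 3990, "image": r"C:\Windows\explorer.exe",
     "user": r"DESKTOP\alice", "signer": "Microsoft Windows"},
    {"pid": 5200, "ppid": 700, "image": r"C:\Windows\System32\explorer.exe",
     "user": r"NT AUTHORITY\SYSTEM", "signer": None},
    {"pid": 5300, "ppid": 4100, "image": r"C:\Users\alice\AppData\Local\Temp\expIorer.exe",
     "user": r"DESKTOP\alice", "signer": None},
    {"pid": 6000, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"DESKTOP\alice", "signer": "Microsoft Windows"},
]

EXPECTED_PATH = r"c:\windows\explorer.exe"
LOOKALIKES = {"explorer32.exe", "expiorer.exe"}  # near-miss names from the text, lowercased
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}

def base(p):
    return ntpath.basename(p["image"]).lower()

def triage(procs):
    """Map pid -> list of (signal, severity) for every process that raised one."""
    live = {p["pid"] for p in procs}
    explorers = {p["pid"] for p in procs if base(p) == "explorer.exe"}
    out = {}
    for p in procs:
        hits = []
        if base(p) in LOOKALIKES:
            hits.append(("near-miss name", "high"))
        if base(p) == "explorer.exe":
            if p["image"].lower() != EXPECTED_PATH:
                hits.append(("unexpected image path", "high"))
            if p["user"].upper() == r"NT AUTHORITY\SYSTEM":
                hits.append(("running as SYSTEM", "high"))
            if p["signer"] != "Microsoft Windows":  # signer value shown on this page
                hits.append(("unsigned or unexpected signer", "high"))
            if p["ppid"] in live:  # userinit.exe should already have exited
                hits.append(("persistent visible parent", "med"))
        if base(p) in SCRIPT_HOSTS and p["ppid"] in explorers:
            hits.append(("shell or script host child of explorer.exe", "med"))
        if hits:
            out[p["pid"]] = hits
    return out

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE).items():
        print(pid, hits)
```
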

Telemetry

OS prevalence (1)
  • Microsoft Windows 11 Enterprise Evaluation · 100%
Observation timeline
First seen: 2026-06-08
Last seen: 2026-06-08
Machines: 1