Process

ubiquitous, signed

shellexperiencehost.exe

ShellExperienceHost.exe renders parts of the modern Windows shell, such as the action center, notifications, and other system UI surfaces drawn with the Universal Windows Platform. It runs per user as part of the desktop and is a routine, low-profile process.

Microsoft Corporation
First seen 2026-06-08

File identity

File details
File type: PE32+ executable
Magic: PE32+ executable (GUI)
Original name: ShellExperienceHost.exe
Internal name: ShellExperienceHost
Product: Microsoft® Windows® Operating System
Signing information
Status: Signed
Publisher: Microsoft Corporation
Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011
Signature rate: 100%
File version (1)
  • 10.0.26100.8457 (WinBuild.160101.0800): 100%
File size (1)
  • 521.00 KB: 100%

Execution context

File paths (1)
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe: 100%
User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (1)
  • 1: 100%
Session (1)
  • Session 1: 100%
Token privileges (1)
  • SeChangeNotifyPrivilege: 100%

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

ShellExperienceHost.exe is a packaged (UWP) system app that draws shell surfaces beyond the classic taskbar and desktop, working alongside explorer.exe and the other modern shell hosts. It runs as the logged-on user and is launched as part of the session. As a packaged system app it runs from a Windows SystemApps package folder rather than System32, and is signed by Microsoft.

Legitimately, ShellExperienceHost is present on every interactive desktop, drawing UI rather than launching programs. It is suspended when idle on modern Windows, which is normal.

Security notes

ShellExperienceHost.exe is a baseline process. Its value is a steady identity: the logged-on user's account, a packaged Microsoft signature, no children, and no network activity, so deviations stand out. The realistic abuse is impersonation (T1036.005), where malware borrows the name but runs from a path outside the genuine packaged location.

As a persistent per-user process it could also be injected into (T1055). A ShellExperienceHost that loads unusual modules, reaches the network, or spawns programs is acting outside its UI role.

Anomaly signals (5)
  • Image path outside the Windows SystemApps package location (high)
  • Unsigned image or a signer other than Microsoft (high)
  • Running as NT AUTHORITY\SYSTEM rather than the logged-on user (high)
  • Spawning command shells or making outbound network connections (high)
  • More instances than interactive users (med)
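
The anomaly signals above can be applied to process telemetry as a baseline check. The following is an added example, not part of the original page or of any vendor tooling; the event field names, host names, user names, shell list and the non-genuine path are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter

NAME = "shellexperiencehost.exe"
# Genuine package folder as listed on this page, compared case-insensitively.
EXPECTED_DIR = r"c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumed shell list

def check_event(ev):
    """Return the anomaly signals raised by one process event."""
    hits = []
    image = ntpath.normpath(ev["image"]).lower()  # collapses ..\ segments
    if ntpath.dirname(image) != EXPECTED_DIR:
        hits.append("path_outside_systemapps")
    if not ev.get("signed") or ev.get("publisher") != "Microsoft Corporation":
        hits.append("bad_signature")
    if ev.get("user", "").upper() == r"NT AUTHORITY\SYSTEM":
        hits.append("runs_as_system")
    if any(ntpath.basename(c).lower() in SHELLS for c in ev.get("children", [])):
        hits.append("spawned_shell")
    if ev.get("outbound_connections", 0) > 0:
        hits.append("outbound_network")
    return hits

def triage(events, interactive_users):
    """Map host -> sorted signals for events carrying the process name."""
    findings, per_host = {}, Counter()
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != NAME:
            continue
        per_host[ev["host"]] += 1
        findings.setdefault(ev["host"], set()).update(check_event(ev))
    for host, count in per_host.items():
        if count > interactive_users.get(host, 0):
            findings[host].add("more_instances_than_users")
    return {h: sorted(s) for h, s in findings.items() if s}

# Constructed sample telemetry; hosts, users and the second path are made up.
GOOD = r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"
MS = {"signed": True, "publisher": "Microsoft Corporation"}
EVENTS = [
    {"host": "WS01", "image": GOOD, "user": r"WS01\alice", **MS},
    {"host": "WS02", "image": GOOD, "user": r"WS02\bob", **MS},
    {"host": "WS02", "image": r"C:\Users\bob\AppData\Roaming\ShellExperienceHost.exe",
     "user": r"WS02\bob", "signed": False, "outbound_connections": 2,
     "children": [r"C:\Windows\System32\cmd.exe"]},
    {"host": "WS03", "image": GOOD, "user": r"NT AUTHORITY\SYSTEM", **MS},
]
USERS = {"WS01": 1, "WS02": 1, "WS03": 1}
print(triage(EVENTS, USERS))
```

The path check normalizes the image path before comparing, so a name that reaches another folder through `..\` segments is still flagged.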

Telemetry

OS prevalence (1)
  • Microsoft Windows 11 Enterprise Evaluation: 100%
Observation timeline
First seen: 2026-06-08
Last seen: 2026-06-08
Machines: 1