Process
sihost.exe
sihost.exe is the Shell Infrastructure Host, a per-user process that runs visual and interactive parts of the Windows shell. It handles elements like the Start menu layout, taskbar transparency, the action center, context menus, and the desktop background slideshow. It works alongside Explorer and runs whenever a user is signed in.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: sihost.exe
- Internal name: sihost.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
10.0.26100.8328 (WinBuild.160101.0800) (100%)
136.00 KB (100%)
Execution context
C:\Windows\System32\sihost.exe (100%)
Not observed.
Not observed.
1 (100%)
Session 1 (100%)
SeChangeNotifyPrivilege (100%)
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Indicators
Not observed.
Analysis
sihost.exe (Shell Infrastructure Host) provides shell services for the interactive desktop, the graphical plumbing the modern Windows shell needs beyond what explorer.exe itself handles. Start menu rendering, taskbar and window transparency, the action center, and the desktop background slideshow are among the features it supports. The genuine binary lives at C:\Windows\System32\sihost.exe and is signed by Microsoft.
One sihost.exe runs per interactive user session, under the logged-on user's account, and it starts as part of bringing up that user's shell. It is launched by the service infrastructure, so its parent is normally an svchost.exe. It stays running for the life of the session.
sihost.exe runs quietly in the background of every signed-in desktop. It supports the shell rather than launching applications, so it does not normally start other programs, and brief CPU spikes as the interface updates are ordinary.
sihost.exe is rarely abused directly, so its value is as a baseline. It has a steady identity, the logged-on user's account, an svchost.exe parent, a Microsoft signature, and no child processes, which makes a deviation easy to spot. The straightforward abuse is impersonation (T1036.005): a plausible, slightly obscure name that malware borrows by running from the wrong path, under the wrong account, or without a valid signature. A sihost.exe that spawns a shell or reaches an external host is out of character.
As a persistent per-user process tied to the desktop, sihost is also a candidate for code injection (T1055), letting an attacker run in the user's context and blend into ordinary shell activity. Unusual loaded modules or network connections from an otherwise idle sihost.exe are what would point to it.
- Image path other than C:\Windows\System32\sihost.exe (high)
- Unsigned image or a signer other than Microsoft (high)
- Running as NT AUTHORITY\SYSTEM or a service account rather than the logged-on user (high)
- sihost spawning child processes such as cmd.exe or powershell.exe (high)
- Parent other than svchost.exe (med)
- Outbound network connections to external hosts (med)
- More instances than interactive users (med)
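The indicators above can be evaluated mechanically against process telemetry. The following Python is an added example, not part of the original page: the record field names, the session-to-user map, the internal address ranges and the sample records are all constructed assumptions, and the signed field is assumed to hold the result of a real signature validation done elsewhere.

```python
import ipaddress
from collections import Counter

EXPECTED_IMAGE = r"c:\windows\system32\sihost.exe"
# Assumption: addresses outside these ranges count as "external hosts".
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def check_sihost(p, session_users):
    """Return (severity, finding) pairs for one process record named sihost.exe."""
    findings = []
    if p["image"].lower() != EXPECTED_IMAGE:
        findings.append(("high", "image path"))
    if not p["signed"] or p["signer"] != "Microsoft Windows":
        findings.append(("high", "signature"))
    if p["user"] != session_users.get(p["session"]):
        findings.append(("high", "account"))        # SYSTEM, service account, wrong user
    if p["children"]:
        findings.append(("high", "child process"))  # baseline is no children at all
    if p["parent"].lower() != "svchost.exe":
        findings.append(("med", "parent"))
    if any(is_external(ip) for ip in p["remote_ips"]):
        findings.append(("med", "external connection"))
    return findings

def surplus_instances(procs, session_users):
    """Sessions with more than one sihost.exe, or with one but no interactive user."""
    counts = Counter(p["session"] for p in procs)
    return sorted(s for s, n in counts.items() if n > 1 or s not in session_users)

# Constructed sample telemetry: session id -> logged-on user, then two records.
USERS = {1: r"CORP\alice"}
GOOD = dict(image=r"C:\Windows\System32\sihost.exe", signed=True,
            signer="Microsoft Windows", user=r"CORP\alice", session=1,
            parent="svchost.exe", children=[], remote_ips=[])
FAKE = dict(image=r"C:\Users\alice\AppData\Roaming\sihost.exe", signed=False,
            signer="", user=r"CORP\alice", session=1, parent="explorer.exe",
            children=["cmd.exe"], remote_ips=["203.0.113.10"])

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("FAKE", FAKE)):
        print(name, check_sihost(rec, USERS))
    print("surplus sessions:", surplus_instances([GOOD, FAKE], USERS))
```

A name-only match on sihost.exe is what selects records for this check, so the image path and signature tests are what separate the genuine binary from an impersonating one.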
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1