Process

unknown

smartscreen.exe

smartscreen.exe runs Windows Defender SmartScreen, the reputation check that warns before running downloaded files and visiting risky sites. It appears when the shell needs a reputation decision. It is a defensive process, so an attacker disabling or killing it is the security-relevant event.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

smartscreen.exe evaluates the reputation of downloaded applications and content using Microsoft's SmartScreen service, producing the "Windows protected your PC" prompts for unrecognized programs. It is invoked by the shell when a reputation decision is needed, runs as the user, and lives at C:\Windows\System32\smartscreen.exe.

In legitimate use, smartscreen.exe appears around downloads and the first run of new programs and is otherwise idle. It performs checks rather than launching programs, so it does not normally spawn other processes.

Security notes

smartscreen.exe is a defensive component, so its main relevance is being switched off (T1685). Attackers disable SmartScreen through policy or registry so that downloaded malware runs without a reputation warning, the same playbook as disabling other protections. SmartScreen turning off, or the process being absent where it should run, means a safety check has been removed.

Its trusted name also invites impersonation (T1036.005): a smartscreen.exe outside System32, unsigned, or spawning processes is not the real reputation checker.

Anomaly signals
  • Image path other than C:\Windows\System32\smartscreen.exe (high)
  • Unsigned image or a signer other than Microsoft (high)
  • smartscreen spawning child processes (high)
  • SmartScreen disabled by policy or registry on a machine where it should be on (med)
  • Connections to hosts unrelated to Microsoft's reputation service (med)
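
The three high-severity signals above, written as a check over process-creation events. This is an added example, not part of the original page; the event field names (`image`, `signed`, `signer`, `parent_image`), the trusted signer names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Expected location, taken from the page; normcase makes the comparison case-insensitive.
EXPECTED = ntpath.normcase(r"C:\Windows\System32\smartscreen.exe")
# Assumed signer names for a genuine Microsoft binary (not stated on the page).
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}

def norm(path):
    """Case-fold a Windows path and collapse '..' and '/' so spelling tricks compare equal."""
    return ntpath.normcase(ntpath.normpath(path or ""))

def is_smartscreen(path):
    return ntpath.basename(norm(path)) == "smartscreen.exe"

def check_event(ev):
    """Return the high-severity anomaly signals raised by one process-creation event."""
    hits = []
    if is_smartscreen(ev.get("image")):
        if norm(ev["image"]) != EXPECTED:
            hits.append("image path outside System32")
        signer = (ev.get("signer") or "").lower()
        if not ev.get("signed") or signer not in TRUSTED_SIGNERS:
            hits.append("unsigned or non-Microsoft signer")
    # Any process whose parent is named smartscreen.exe means smartscreen spawned a child.
    if is_smartscreen(ev.get("parent_image")):
        hits.append("smartscreen spawning a child process")
    return hits

def scan(events):
    """Map event index -> signals, keeping only events that raised something."""
    return {i: hits for i, ev in enumerate(events) if (hits := check_event(ev))}

# Constructed sample events (hypothetical schema, not real telemetry).
EVENTS = [
    {"image": r"c:\windows\SYSTEM32\smartscreen.exe", "signed": True,
     "signer": "Microsoft Windows", "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\Public\smartscreen.exe", "signed": False,
     "signer": None, "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "signed": True,
     "signer": "Microsoft Windows",
     "parent_image": r"C:\Windows\System32\smartscreen.exe"},
    {"image": "C:/Windows/System32/../Temp/smartscreen.exe", "signed": True,
     "signer": "Example Software Ltd", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, EVENTS[idx]["image"], "->", "; ".join(hits))
```

The two medium-severity signals are left out because they need registry and network telemetry that the page does not specify.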

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
