Process

ubiquitoussigned

startmenuexperiencehost.exe

StartMenuExperienceHost.exe is the process that renders the Windows Start menu. Windows split it out from the rest of the shell so the Start menu stays responsive on its own. It runs per user and is a routine part of the desktop.

Microsoft CorporationFirst seen 2026-06-08
CategorySystemTagsshellmicrosoftcore-windows

File identity

File details
File type
PE32+ executable
Magic
PE32+ executable (GUI)
Original name
startmenuexperiencehost.exe
Internal name
startmenuexperiencehost
Product
Microsoft® Windows® Operating System
Signing information
Status
Signed
Publisher
Microsoft Corporation
Signer
Microsoft Windows
Issuer
Microsoft Windows Production PCA 2011
Signature rate
100%
File version1
  • 10.0.26100.8328 (WinBuild.160101.0800)100%
File size1
  • 220.50 KB100%

Execution context

File paths1
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe100%
User context0

Not observed.

Integrity level0

Not observed.

Instances1
  • 1100%
Session1
  • Session 1100%
Token privileges1
  • SeChangeNotifyPrivilege100%

Ancestry

Parents0

Not observed.

Children0

Not observed.

Grandparents0

Not observed.

Grandchildren0

Not observed.

Behavior

Loaded modules6
Named pipes0

Not observed.

Process handles0

Not observed.

Command-line patterns0

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

StartMenuExperienceHost.exe draws and runs the Start menu as a separate packaged (UWP) system app, isolated from explorer.exe and the other shell hosts so a problem in one does not freeze the others. It runs as the logged-on user, launched as part of the session, from a Windows SystemApps package folder rather than System32, and is signed by Microsoft.

Legitimately, StartMenuExperienceHost is present on every interactive desktop and is suspended when not in use. It renders UI rather than launching programs, so it does not normally start other processes or reach the network.

Security notes

StartMenuExperienceHost.exe is a baseline process with a fixed identity, the logged-on user's account, a packaged Microsoft signature, no children, and no network, so any deviation is easy to see. The realistic abuse is impersonation (T1036.005), where malware uses the name from a path outside the genuine packaged location.

As a persistent per-user process it could also be an injection target (T1055). A StartMenuExperienceHost that loads unusual modules, reaches the network, or spawns programs is acting outside its UI role.

Anomaly signals5
  • Image path outside the Windows SystemApps package locationhigh
  • Unsigned image or a signer other than Microsofthigh
  • Running as NT AUTHORITY\SYSTEM rather than the logged-on userhigh
  • Spawning command shells or making outbound network connectionshigh
  • More instances than interactive usersmed

Telemetry

OS prevalence1
  • Microsoft Windows 11 Enterprise Evaluation100%
Observation timeline
First seen
2026-06-08
Last seen
2026-06-08
Machines
1
References

Subsearch

Hasbeen seen inof startmenuexperiencehost.exe?
Edit this page on GitHub