Process
taskhostw.exe
taskhostw.exe is a generic Windows host process whose job is to run tasks that are packaged as DLLs rather than as standalone executables. Since a DLL can't launch on its own, taskhostw.exe acts as the container that loads and runs them, providing a home for various background tasks and scheduled jobs.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: taskhostw.exe.mui
- Internal name: taskhostw.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
10.0.26100.1 (WinBuild.160101.0800) (100%)
114.50 KB (100%)
Execution context
C:\Windows\System32\taskhostw.exe (100%)
SYSTEM (100%)
System (100%)
1 (100%)
Session 1 (75%), Session 0 (25%)
SeChangeNotifyPrivilege (100%)
Ancestry
svchost.exe (100%)
Not observed.
Not observed.
Not observed.
Behavior
gdi32.dll (100%), ntdll.dll (100%), rpcrt4.dll (100%), kernel32.dll (100%), gdi32full.dll (100%)
Not observed.
Not observed.
taskhostw.exe (100%)
Indicators
Analysis
A lot of the housekeeping that keeps Windows running (cleanup jobs, maintenance work, sync operations) is implemented as scheduled tasks whose code lives in DLLs rather than executables. taskhostw.exe gives that code a process to run in: the Task Scheduler starts an instance, the instance loads the task's DLL, and then runs a loop listening for the events that trigger its tasks. Triggers include a time schedule, user logon, system startup, idle CPU, a Windows event log entry, or workstation lock and unlock. A default Windows 11 install ships with more than 200 preconfigured tasks, though not all are enabled. taskhostw.exe is the Windows 10 successor to taskhost.exe from Windows 7 and taskhostex.exe from Windows 8.
Instances are started by the Task Scheduler service, which lives inside svchost.exe, so the parent is always that svchost.exe. They run from C:\Windows\System32\taskhostw.exe under whatever account the task was configured with: the logged-in user for per-user tasks, or accounts like NT AUTHORITY\SYSTEM, LOCAL SERVICE, and NETWORK SERVICE for system tasks. Because each instance sits in its trigger-listening loop for as long as its tasks are registered, several long-lived instances at once are normal, one per account context that has tasks to watch.
The genuine taskhostw.exe is a trusted, signed Microsoft system file. On a typical machine an instance starts at logon and stays resident, waking to run its tasks as their triggers fire. What it's actually doing at any moment is decided by the task DLLs it has loaded, which is the place to look when an instance behaves unexpectedly.
Like other trusted system processes, taskhostw.exe is sometimes imitated by malware attempting to avoid detection (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft signature. Be suspicious of copies running from other locations. The older equivalents taskhost.exe (Windows 7) and taskhostex.exe (Windows 8) don't exist on Windows 10 or 11, so those names on a modern system indicate a file that didn't ship with the operating system.
Attackers also abuse the legitimate binary through scheduled tasks, a common persistence mechanism (T1053.005). A malicious task packaged as a DLL runs inside a genuine taskhostw.exe, so the process itself passes path and signature checks while the malicious code lives in the loaded DLL. If an instance spawns a shell or makes unexpected network connections, review which scheduled task fired and which DLL that task points to.
- Image path other than C:\Windows\System32\taskhostw.exe [high]
- Parent other than svchost.exe (the Task Scheduler instance) [high]
- A process named taskhost.exe or taskhostex.exe on Windows 10 or 11 (those binaries don't ship there) [high]
- Unsigned image or a signer other than Microsoft [high]
- Running as an account no task is configured to use [med]
- Spawning command shells or script hosts [med]
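The checks listed above, applied to process-creation records from Windows 10/11 hosts. This is an added example, not code from the original page; the record field names, the shell list, the account inventory and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Field names and the shell list are assumptions; map them to your EDR/Sysmon schema.
EXPECTED = r"c:\windows\system32\taskhostw.exe"
LEGACY = {"taskhost.exe", "taskhostex.exe"}   # Windows 7 / 8 predecessors
SIGNERS = {"Microsoft Windows"}               # signer listed under file identity
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe",
          "wscript.exe", "cscript.exe", "mshta.exe"}

def norm(path):
    """Lower-case and collapse '..' so path tricks do not defeat the comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def check_event(ev, task_accounts):
    """Return (severity, finding) pairs for one process-creation record."""
    image, parent = norm(ev["image"]), norm(ev["parent_image"])
    name, parent_name = ntpath.basename(image), ntpath.basename(parent)
    out = []
    if name in LEGACY:
        out.append(("high", "legacy task host name on Windows 10/11"))
    if name == "taskhostw.exe":
        if image != EXPECTED:
            out.append(("high", "image path is not System32"))
        if parent_name != "svchost.exe":
            out.append(("high", "parent is not svchost.exe"))
        if not ev["sig_valid"] or ev["signer"] not in SIGNERS:
            out.append(("high", "unsigned or unexpected signer"))
        if ev["user"].upper() not in task_accounts:
            out.append(("med", "account has no configured task"))
    if parent_name == "taskhostw.exe" and name in SHELLS:
        out.append(("med", "taskhostw.exe spawned a shell or script host"))
    return out

def record(image, parent, user, sig_valid=True, signer="Microsoft Windows"):
    return {"image": image, "parent_image": parent, "user": user,
            "sig_valid": sig_valid, "signer": signer}

SYS32 = "C:\\Windows\\System32\\"
# Constructed sample records, not real telemetry.
SAMPLES = [
    record(SYS32 + "taskhostw.exe", SYS32 + "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    record(r"C:\Users\Public\taskhostw.exe", r"C:\Windows\explorer.exe", "LAB\\alice", False, ""),
    record(SYS32 + r"..\Temp\taskhostw.exe", SYS32 + "svchost.exe", "LAB\\bob"),
    record(SYS32 + "taskhost.exe", SYS32 + "svchost.exe", "LAB\\alice"),
    record(SYS32 + "cmd.exe", SYS32 + "taskhostw.exe", "LAB\\alice"),
]
# Accounts that have scheduled tasks configured (assumed inventory, upper-cased).
ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "LAB\\ALICE"}

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["image"], check_event(s, ACCOUNTS))
```

A record that passes every check only establishes that the host binary is genuine; the task DLL it loaded still has to be reviewed separately.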
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1
- Executions: 1