Process
textinputhost.exe
TextInputHost.exe renders the modern Windows input surfaces, the touch keyboard, emoji and symbol panel, handwriting, and related input UI. It runs per user as part of the desktop and is a routine background process, especially on touch-capable devices.
File identity
Not observed.
Not observed.
Not observed.
Not observed.
Execution context
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
Indicators
Not observed.
Analysis
TextInputHost.exe is a packaged (UWP) system app that presents the touch keyboard and the other modern text-input panels. It runs as the logged-on user, launched as part of the session, from a Windows SystemApps package folder rather than System32, and is signed by Microsoft. It works alongside ctfmon.exe, which handles the underlying text services.
Legitimately, TextInputHost is present on interactive desktops and suspended when not needed. It draws input UI rather than launching programs, so it does not normally start other processes or reach the network.
TextInputHost.exe is a baseline process. Its fixed identity, the logged-on user's account, a packaged Microsoft signature, no children, and no network, makes deviations easy to spot. The realistic abuse is impersonation (T1036.005), where malware borrows the name from a path outside the genuine packaged location.
As a persistent per-user process it could also be injected into (T1055). A TextInputHost that loads unusual modules, reaches the network, or spawns programs is acting outside its UI role.
- Image path outside the Windows
SystemAppspackage locationhigh - Unsigned image or a signer other than Microsofthigh
- Running as
NT AUTHORITY\SYSTEMrather than the logged-on userhigh - Spawning command shells or making outbound network connectionshigh
- More instances than interactive usersmed
Telemetry
Not observed.
Not observed.