Process
wsmprovhost.exe
wsmprovhost.exe is the host process for incoming PowerShell Remoting and Windows Remote Management (WinRM) sessions. When someone connects to a machine over PowerShell Remoting, the commands they run execute inside this process. For an analyst, it marks a host as the target of remote execution.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
wsmprovhost.exe (WinRM Provider Host) is spawned on a machine to host a remote management session that arrives over WinRM, the transport behind PowerShell Remoting (Enter-PSSession, Invoke-Command). The remote user's commands run as children of, or inside, wsmprovhost.exe on the target. It is started by the WinRM service, runs as the connecting user, and lives at C:\Windows\System32\wsmprovhost.exe.
Legitimately, wsmprovhost appears whenever an administrator manages the machine through PowerShell Remoting, common in server and configuration-management environments. Its presence means a remote session is active, and what runs under it is what gives an instance meaning.
wsmprovhost.exe is where remote PowerShell execution lands (T1021.006). An attacker who has credentials and reaches WinRM runs commands on the target through PowerShell Remoting, and those commands execute under wsmprovhost.exe rather than under the client that connected over the network, so the process is a reliable marker of inbound remote execution. The session runs full PowerShell (T1059.001), so encoded commands, download cradles, and spawned LOLBINs under wsmprovhost carry the same weight as they would under powershell.exe.
Because PowerShell Remoting is also a legitimate management method, context decides: wsmprovhost on a machine that is not normally remote-managed, or one whose session spawns shells, reaches the network, or runs obfuscated commands, is what to investigate.
- Image path other than C:\Windows\System32\wsmprovhost.exe (high)
- wsmprovhost spawning cmd.exe, encoded powershell.exe, or LOLBINs (high)
- Appearing on a workstation that is not normally managed over PowerShell Remoting (high)
- Download cradles or obfuscated commands run within the session (high)
- Outbound connections from a process launched under it (medium)
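The indicators above, turned into triage logic over process-creation and network-connection telemetry, as an added example that is not part of this profile or of any vendor's tooling. The event record layout (`type`, `host`, `pid`, `ppid`, `image`, `cmdline`, `dest`), the baseline set of hosts that are normally remote-managed, the short LOLBIN list and the regexes for encoded commands and download cradles are all constructed assumptions. It generalises the list slightly: a process is attributed to a remote session if it is wsmprovhost.exe or any descendant of one on the same host, not only a direct child.

```python
"""Triage constructed telemetry for wsmprovhost.exe sessions.

Added example; the event schema, host baseline, LOLBIN list and regexes
are constructed assumptions, not a product schema or the page's own rules.
"""
import re
from dataclasses import dataclass

EXPECTED_IMAGE = r"c:\windows\system32\wsmprovhost.exe"
SHELLS = {"cmd.exe"}
# Deliberately short, constructed LOLBIN list; a production rule uses a fuller set.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
# Constructed heuristics: common download-cradle verbs and the encoded-command switch.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|frombase64string", re.I)
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I)

# Constructed baseline: hosts an admin routinely manages over PowerShell Remoting.
MANAGED_HOSTS = {"srv-web01", "srv-db01"}


@dataclass
class Finding:
    host: str
    event_id: int
    severity: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, managed_hosts):
    """Return one Finding per matched indicator, in event order.

    Events are dicts in arrival order. session_pids tracks every process that
    is wsmprovhost.exe or descends from one on the same host, so children and
    grandchildren of the remote session are both attributed to it.
    """
    findings = []
    session_pids = set()  # (host, pid) pairs inside a wsmprovhost session tree
    for ev in events:
        host, pid = ev["host"], ev["pid"]
        if ev["type"] == "process_create":
            image, cmd = ev["image"], ev.get("cmdline", "")
            name = basename(image)
            if name == "wsmprovhost.exe":
                session_pids.add((host, pid))
                if image.lower() != EXPECTED_IMAGE:
                    findings.append(Finding(host, ev["id"], "high",
                                            f"wsmprovhost.exe running from unexpected path {image}"))
                if host not in managed_hosts:
                    findings.append(Finding(host, ev["id"], "high",
                                            "wsmprovhost.exe on a host not normally managed over PowerShell Remoting"))
            elif (host, ev["ppid"]) in session_pids:
                session_pids.add((host, pid))
                if name in SHELLS or name in LOLBINS:
                    findings.append(Finding(host, ev["id"], "high", f"remote session spawned {name}"))
                if name == "powershell.exe" and ENCODED_RE.search(cmd):
                    findings.append(Finding(host, ev["id"], "high",
                                            "encoded powershell.exe launched in remote session"))
                if CRADLE_RE.search(cmd):
                    findings.append(Finding(host, ev["id"], "high",
                                            "download cradle or obfuscated command in remote session"))
        elif ev["type"] == "network_connect" and (host, pid) in session_pids:
            findings.append(Finding(host, ev["id"], "medium",
                                    f"outbound connection to {ev['dest']} from process launched under wsmprovhost.exe"))
    return findings


# Constructed sample: a benign admin session on srv-web01, a suspicious session
# on an unmanaged workstation, and a wsmprovhost.exe copy running from a user path.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "host": "srv-web01", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\wsmprovhost.exe"},
    {"id": 2, "type": "process_create", "host": "srv-web01", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"id": 3, "type": "process_create", "host": "ws-finance07", "pid": 5200, "ppid": 900,
     "image": r"C:\Windows\System32\wsmprovhost.exe"},
    {"id": 4, "type": "process_create", "host": "ws-finance07", "pid": 5210, "ppid": 5200,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 5, "type": "process_create", "host": "ws-finance07", "pid": 5220, "ppid": 5210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="},  # constructed base64
    {"id": 6, "type": "network_connect", "host": "ws-finance07", "pid": 5220,
     "dest": "203.0.113.5:443"},
    {"id": 7, "type": "process_create", "host": "srv-db01", "pid": 7000, "ppid": 900,
     "image": r"C:\Users\Public\wsmprovhost.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, MANAGED_HOSTS):
        print(f"[{f.severity}] {f.host} event {f.event_id}: {f.reason}")
```

Run against the sample, the benign session on srv-web01 produces nothing, the ws-finance07 session raises four findings (unmanaged host, cmd.exe, encoded powershell.exe, outbound connection) and srv-db01 raises one for the image path. The per-host baseline is the piece that separates routine administration from something to investigate; without it, every wsmprovhost instance on a server fleet would fire.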
Telemetry
Not observed.