# runtimebroker.exe

### What is runtimebroker.exe?

`runtimebroker.exe`, or **Runtime Broker**, is a legitimate Windows process that helps manage permissions for apps from the Microsoft Store (Universal Windows Platform - UWP apps). It acts as an intermediary, ensuring that these modern apps operate within the security and privacy settings you've configured.

Think of `runtimebroker.exe` as the **permission gatekeeper** for UWP apps. Its main functions include:

* **Managing UWP App Permissions:** When a UWP app needs to access your resources (like your location, microphone, webcam, or files), Runtime Broker checks if the app has the necessary permissions granted by you in the Windows privacy settings.
* **Ensuring App Sandboxing:** It helps enforce the sandboxed environment in which UWP apps run, limiting their access to system resources and preventing them from interfering with other apps or the operating system.
* **Facilitating Communication:** It can also help manage certain types of inter-process communication between UWP apps and the system.
* **Power Efficiency:** By brokering permissions, it can help manage the lifecycle and resource usage of UWP apps, potentially contributing to better power efficiency.

You'll typically see `runtimebroker.exe` running in the background, and its resource usage (CPU and memory) should generally be low unless a UWP app is actively requesting permissions or performing intensive tasks.

### Normal vs. Abnormal Behavior

| Feature | Normal Behavior | Abnormal Behavior |
| --- | --- | --- |
| **Image Path** | `%SystemRoot%\System32\runtimebroker.exe` (always `C:\Windows\System32\runtimebroker.exe`) | Image file path other than `C:\Windows\System32` |
| **Parent Process** | `svchost.exe` | An unexpected parent process |
| **Number of Instances** | Typically one instance running per user session. You might see multiple instances if multiple users are logged in. | Multiple running instances for a single user session without any UWP apps actively running or requesting permissions. |
| **User Account** | Runs under the logged-in user's account. | Running under a different or unexpected user account (e.g., SYSTEM). |
| **Resource Usage** | Generally low CPU and memory usage when no UWP apps are actively requesting permissions. Resource usage may temporarily increase when a UWP app needs to access protected resources (e.g., location, microphone) and should return to low levels afterward. | Persistent and unusually high CPU or memory consumption even when no UWP apps are in use or requesting permissions. Sudden, significant spikes in resource usage without any apparent trigger from UWP apps. |
| **Network Activity** | Minimal direct network activity. Network communication is primarily handled by the UWP apps themselves, not directly by Runtime Broker. | Unexpected or excessive network connections initiated directly by `runtimebroker.exe`, especially to unfamiliar or suspicious remote hosts. |
| **Stability** | A stable, continuously running process for the duration of a user session. | Frequent crashes or errors related to `runtimebroker.exe`, potentially causing issues with UWP app functionality or general system stability. |
| **File Integrity** | The `runtimebroker.exe` file in `C:\Windows\System32` should have a valid Microsoft digital signature. | Missing or invalid digital signature. Different file size or version than expected for the installed Windows version. |
| **Handles and Threads** | A number of handles and threads consistent with managing UWP app permissions. | An unusually high or rapidly increasing number of handles or threads, which could indicate malicious injection or other anomalous activity. |
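The checks in the table above can be scripted. The following PowerShell audit is an added example written for this page (it is not part of the original page and not a Microsoft tool): for every running `runtimebroker.exe` it verifies the image path, the parent process, the owning account, the Authenticode signature and the handle/thread counts, and then counts instances per session. It assumes an elevated PowerShell 5.1 or later session (so that `Win32_Process` exposes `ExecutablePath` and `GetOwner` for every user's processes); the handle and thread thresholds are illustrative assumptions, not values from the page, and should be tuned to your own baseline.

```powershell
# Added example: audit running runtimebroker.exe instances against the
# Normal/Abnormal table. Assumes an elevated PowerShell 5.1+ session.

$expectedPath = Join-Path $env:SystemRoot 'System32\runtimebroker.exe'

$brokers = Get-CimInstance Win32_Process -Filter "Name = 'runtimebroker.exe'"

$report = foreach ($p in $brokers) {
    $findings = @()

    # Image path: anything outside System32 suggests masquerading (T1036).
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) {
        $findings += "unexpected image path: $($p.ExecutablePath)"
    }

    # Parent process: the legitimate broker is started by svchost.exe.
    # Caveat: if the parent has exited, its PID may already have been reused.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent) {
        $findings += "parent PID $($p.ParentProcessId) no longer exists"
    } elseif ($parent.Name -ne 'svchost.exe') {
        $findings += "unexpected parent: $($parent.Name) (PID $($parent.ProcessId))"
    }

    # User account: expected to be the interactive user, not SYSTEM or a service account.
    $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    if ($owner.Domain -eq 'NT AUTHORITY') {
        $findings += "running as $account"
    }

    # File integrity: the on-disk image must carry a valid Microsoft signature.
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature status $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
        }
    }

    # Handles and threads: flag counts far above a normal baseline.
    # These thresholds are illustrative assumptions; tune them to your environment.
    if ($p.HandleCount -gt 2000) { $findings += "high handle count: $($p.HandleCount)" }
    if ($p.ThreadCount -gt 100)  { $findings += "high thread count: $($p.ThreadCount)" }

    [PSCustomObject]@{
        PID       = $p.ProcessId
        SessionId = $p.SessionId
        Parent    = if ($parent) { $parent.Name } else { '?' }
        Account   = $account
        Path      = $p.ExecutablePath
        Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize

# Number of instances: several brokers in one session with no UWP app in
# use is worth a closer look.
$report | Group-Object SessionId |
    Select-Object @{n = 'SessionId'; e = { $_.Name }}, @{n = 'Instances'; e = { $_.Count }} |
    Format-Table -AutoSize
```

Run it interactively and read the `Findings` column; any row other than `OK` deserves follow-up with the process's loaded modules and network connections. Because `Win32_Process` reports only the parent PID, not a parent start time, a reused PID can produce a false "unexpected parent" result; correlate with Sysmon event ID 1 or Security event 4688, which record the parent image at creation time, before acting on it.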

### runtimebroker.exe and MITRE ATT&CK

`runtimebroker.exe` isn't a direct MITRE ATT&CK technique but relates to:

* **T1134 Access Token Manipulation:** Potential target to influence UWP app permissions.
* **T1036 Masquerading:** Malware might mimic `runtimebroker.exe`.
* **T1548 Abuse Elevation Control Mechanism:** Possible vulnerabilities in permission controls.
* **T1055 Process Injection:** Could be a target for injecting malicious code.

Direct exploitation of `runtimebroker.exe` is not prominent in ATT&CK. Its relevance lies in its potential use to mask malicious activity (a process named after it is easy to overlook) or as part of abusing the UWP app permission model. Monitoring for the abnormal behaviors listed above is therefore a useful part of broader endpoint security.
