
# Explorer.exe

### What is explorer.exe?

`explorer.exe` is the **Windows Shell**, providing the primary graphical user interface you interact with daily. It encompasses:

* **Desktop:** Background, icons, widgets.
* **Taskbar:** Start button, running apps, system tray, notifications.
* **File Explorer:** Tool for managing files and folders.

Beyond visuals, it also handles:

* **Process Management:** Manages other graphical processes.
* **Shell Namespace:** Provides a hierarchical view of system resources.
* **Application Launching:** Initiates the opening of applications.
* **Shell Extensions:** Loads and manages third-party integrations.

**In short, `explorer.exe` is the core interface for interacting with Windows graphically.**

### explorer.exe: Normal vs. Abnormal Behavior

| Feature                                  | Normal Behavior                                                                                                                                        | Abnormal Behavior                                                                                                                                                                       |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Image Path**                           | `%SystemRoot%\explorer.exe` (typically `C:\Windows\explorer.exe`)                                                                                      | Any image path other than `C:\Windows\explorer.exe`                                                                                                                                     |
| **Parent Process**                       | `userinit.exe` (upon user logon)                                                                                                                       | An unexpected parent process                                                                                                                                                            |
| **Number of Instances**                  | Typically one instance per logged-in user session.                                                                                                     | Multiple unexpected instances for a single user session.                                                                                                                                |
| **User Account**                         | Runs under the logged-in user's account.                                                                                                               | Running under a different or unexpected user account (e.g., SYSTEM for a regular user session's explorer).                                                                              |
| **Resource Usage**                       | Can use a moderate amount of CPU and memory, especially when many windows are open or during file operations. Generally stable.                        | Persistent and unusually high CPU or memory consumption even when idle. Sudden spikes in resource usage without apparent reason.                                                        |
| **Network Activity**                     | Minimal network activity under normal circumstances, primarily related to accessing network shares or cloud-integrated features initiated by the user. | Unexpected or excessive network connections, especially to unfamiliar or suspicious remote hosts.                                                                                       |
| **Stability**                            | Generally stable and reliable.                                                                                                                         | Frequent crashes, hangs, or restarts without user interaction.                                                                                                                          |
| **Functionality**                        | Provides the desktop, taskbar, File Explorer, and handles shell interactions as expected.                                                              | Missing UI elements (e.g., no taskbar or desktop icons), inability to browse files, or malfunctioning shell extensions. Unexpected pop-ups or error messages related to `explorer.exe`. |
| **File Integrity**                       | The `explorer.exe` file in `C:\Windows` should have a valid Microsoft digital signature.                                                               | Missing or invalid digital signature. Different file size or version than expected for the installed Windows version.                                                                   |
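
The image path, parent process, user account and instance count rows of the table can be checked mechanically against process-creation telemetry. The following is an added example, not part of the original page: the function name `triage_explorer`, the sample records and the parent allow-list are assumptions, and the record fields are modeled on Sysmon process-creation (Event ID 1) field names.

```python
import ntpath
from collections import Counter

# Baseline taken from the table above; %SystemRoot% is assumed to be C:\Windows.
EXPECTED_IMAGE = r"c:\windows\explorer.exe"
EXPECTED_PARENTS = {"userinit.exe"}  # assumption: extend for your environment
SYSTEM_ACCOUNT = r"nt authority\system"

def triage_explorer(events):
    """Return (ProcessId, finding) pairs for explorer.exe creation records."""
    findings, per_session = [], Counter()
    for ev in events:
        image = ev["Image"].lower()
        if ntpath.basename(image) != "explorer.exe":
            continue  # only explorer.exe records are evaluated
        pid, user = ev["ProcessId"], ev["User"].lower()
        if image != EXPECTED_IMAGE:
            findings.append((pid, "unexpected image path"))
        if ntpath.basename(ev["ParentImage"].lower()) not in EXPECTED_PARENTS:
            findings.append((pid, "unexpected parent"))
        if user == SYSTEM_ACCOUNT:
            findings.append((pid, "runs as SYSTEM"))
        # The norm is one instance per logged-in user session.
        session = (user, ev["TerminalSessionId"])
        per_session[session] += 1
        if per_session[session] > 1:
            findings.append((pid, "extra instance in session"))
    return findings

# Constructed sample records for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "User": r"CORP\alice", "TerminalSessionId": 1},
    {"ProcessId": 7788, "Image": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "TerminalSessionId": 1},
    {"ProcessId": 912, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 0},
    {"ProcessId": 5500, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "TerminalSessionId": 1},
]

if __name__ == "__main__":
    for pid, finding in triage_explorer(SAMPLE_EVENTS):
        print(pid, finding)
```

The parent check compares only the file name of `ParentImage`; signature, resource-usage and network rows of the table need other data sources and are not covered here.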

### MITRE ATT\&CK

`explorer.exe`, the core Windows GUI, is a key target for attackers to achieve **Execution**, **Persistence**, and **Defense Evasion**. They do this by:

* **Injecting code (T1055)** into the legitimate `explorer.exe` process.
* **Modifying startup mechanisms (T1547, T1060)** to run malicious code when `explorer.exe` starts.
* **Hijacking its execution flow (T1574)** through DLL manipulation or replacement.
* **Leveraging user interaction (T1204)** with malicious files opened by `explorer.exe`.
* **Using management tools (T1047 WMI)** that might interact with or be initiated through `explorer.exe`.

Its central role makes monitoring `explorer.exe` behavior and related settings critical for threat detection.

