Some users have been wondering whether shellexperiencehost.exe is a legitimate system process after discovering in Task Manager that it is constantly using system resources (especially CPU). While the process is most likely the genuine Windows Shell Experience Host, you could also be dealing with a malicious executable from a family of trojans that use the victim’s CPU to mine Monero or other digital currencies.
This article is meant as an explanatory guide to help users understand the purpose of shellexperiencehost.exe as well as help them distinguish between a genuine executable and a trojan infection.
What is ShellExperienceHost.exe?
Windows Shell Experience Host is a genuine Windows process that provides the functionality to display universal apps in a windowed interface. Essentially, this process handles several graphical elements of the interface: taskbar and Start menu transparency, calendar, clock, background behavior, notification visuals, etc.
When the Windows Shell Experience Host was first introduced with Windows 10, the very first versions were buggy and consumed a lot of CPU and RAM. However, with the latest updates, the functionality of this process has drastically improved.
The normal behavior of shellexperiencehost.exe is to consume little to no CPU resources. If you monitor it closely, you should see occasional CPU spikes when graphical elements change, after which consumption should return to zero. Memory consumption should not exceed 300 MB, even if you have a lot of applications that use Windows Shell Experience Host.
Potential security threat?
If you suspect that shellexperiencehost.exe isn’t genuine, you can investigate to confirm or rule out your suspicions. Start by monitoring the resource consumption of shellexperiencehost.exe. If you observe that the process is regularly consuming over 20% of your CPU and several hundred megabytes of RAM, you might actually be dealing with a rogue executable.
After investigating this issue, we discovered two trojan miners (ShellExperienceHost.exe & MicrosoftShellHost.exe) that use the victim’s CPU to mine cryptocurrencies. As it turns out, the trojan family that is known to masquerade as the shellexperiencehost.exe process is used to mine the Monero digital currency.
If you suspect that you might be dealing with a trojan, its location will be a major giveaway. Open Task Manager (Ctrl + Shift + Esc) and locate shellexperiencehost.exe (Windows Shell Experience Host) in the Processes tab. Then, right-click on Windows Shell Experience Host and choose Open File Location.
Note: Keep in mind that you might need to expand the drop-down menu in order to access the location of ShellExperienceHost.exe.
If the revealed location is C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy, you can rest assured as the executable is not malicious.
If the executable is in a different location and you noticed constant high resource consumption, there’s a high chance that you’re dealing with a trojan that is mining cryptocurrencies. One quick way to confirm this suspicion is to upload the executable to VirusTotal for analysis. If the analysis reveals that the executable is indeed malicious, you’ll need to take the necessary steps to remove it.
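The location check described above can also be scripted. The following PowerShell is an added example, not part of the original article: it compares every running process named ShellExperienceHost.exe or MicrosoftShellHost.exe against the folder given above and prints a SHA-256 hash that can be searched on VirusTotal. The Authenticode signature status is an extra data point that the article does not mention.

```powershell
# Added example (not from the article): location check for the two process
# names the article mentions. Run from an elevated PowerShell prompt.
$expectedDir = Join-Path $env:WINDIR 'SystemApps\ShellExperienceHost_cw5n1h2txyewy'
$names       = 'ShellExperienceHost.exe', 'MicrosoftShellHost.exe'

# Build a WQL filter such as: Name='A.exe' OR Name='B.exe'
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
$procs  = @(Get-CimInstance -ClassName Win32_Process -Filter $filter)

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        # The path is hidden when the session lacks rights to query the process.
        [pscustomobject]@{
            PID = $p.ProcessId; Name = $p.Name; Path = $null
            Verdict = 'Path unavailable: rerun elevated'
            Signature = $null; SHA256 = $null
        }
        continue
    }

    # Genuine copy: expected file name AND expected folder (case-insensitive).
    $dir      = [System.IO.Path]::GetDirectoryName($path)
    $expected = ($p.Name -ieq 'ShellExperienceHost.exe') -and ($dir -ieq $expectedDir)

    [pscustomobject]@{
        PID       = $p.ProcessId
        Name      = $p.Name
        Path      = $path
        Verdict   = if ($expected) { 'Expected location' }
                    else { 'Unexpected name or location: check the file on VirusTotal' }
        # Extra check, not from the article: Authenticode status of the file.
        Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        # Hash to search on VirusTotal before uploading the file itself.
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

if (-not $report) { 'No matching process is running.' } else { $report | Format-List }
```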
If you don’t have a security scanner at the ready, we recommend using Malwarebytes to remove the infection.
Should I delete ShellExperienceHost.exe?
If you previously discovered that the ShellExperienceHost.exe process is legitimate, you have very few reasons to disable or remove the executable. Disabling ShellExperienceHost.exe will severely impair your operating system’s ability to deliver visuals. Even if you were to delete the ShellExperienceHost executable, Windows would end up recreating it the next time you reboot your computer.
Most Windows 10 glitches in which the “Shell Experience Host has stopped” message appears have been resolved by the latest updates.