audiodg.exe - Windows Audio Device Graph Isolation [2026]
Low Risk, Windows, EXECUTABLE
audiodg.exe (Windows Audio Device Graph Isolation) processes audio in an isolated process. Low abuse potential but may be impersonated by malware seeking to hide as a system process.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Low |
| Abuse Potential | Low |
| Prevalence | Universal |
| Risk Score | 25/100 |

audiodg.exe is a Windows audio processing component with low abuse potential but may be impersonated.
Overview
What is audiodg.exe?
audiodg.exe (Windows Audio Device Graph Isolation) is a Windows system process that hosts the audio engine in an isolated process for stability and security.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | audiodg.exe |
| Developer | Microsoft Corporation |
| Digital Signature | Microsoft Windows |
| OS Component | Windows Audio |
| Type | Audio Processing Host |
Technical Details
| Property | Description |
|---|---|
| Process Type | Service Host |
| Parent Process | svchost.exe (Audiosrv) |
| Purpose | Audio processing isolation |
| Isolation | Separate from audio service |
audiodg.exe provides isolation so audio driver crashes don't affect the entire audio subsystem.
Normal Behavior
Legitimate Characteristics
```
Process:  audiodg.exe
Parent:   svchost.exe -k LocalServiceNetworkRestricted -p
Location: C:\Windows\System32\audiodg.exe
User:     NT AUTHORITY\LOCAL SERVICE
```
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | svchost.exe (AudioService) |
| Location | C:\Windows\System32\ |
| User Context | LOCAL SERVICE |
| Instances | Usually single |
| Network | None |
Audio Functions
| Function | Purpose |
|---|---|
| Signal processing | Audio effects |
| Device management | Speaker/mic handling |
| Enhancement | Audio improvements |
| Isolation | Crash protection |
Common Locations
C:\Windows\System32\audiodg.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Wrong location | Critical | Not in System32 |
| Wrong parent | High | Not from svchost |
| Network activity | Critical | Should have none |
| Multiple instances | Medium | Usually single |
| Wrong user | High | Not LOCAL SERVICE |
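Added example (not part of the original page): the Red Flags table applied to process-creation and network events. The event dictionaries, their `type` key and all sample values are constructed for illustration and use Sysmon-style field names; the expected values are taken from the Expected Characteristics table.

```python
import ntpath

# Expected values from the "Expected Characteristics" table above.
EXPECTED_IMAGE = r"C:\Windows\System32\audiodg.exe"
EXPECTED_PARENT = "svchost.exe"
EXPECTED_USER = r"NT AUTHORITY\LOCAL SERVICE"

def _name(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def triage(events):
    """Map each audiodg.exe PID to its (concern level, indicator) red flags."""
    findings, created = {}, []
    for ev in events:
        if _name(ev.get("Image")) != "audiodg.exe":
            continue
        hits = findings.setdefault(ev["ProcessId"], [])
        if ev["type"] == "process_create":
            created.append(ev["ProcessId"])
            # Windows paths are case-insensitive, so compare normalised forms.
            if ntpath.normpath(ev["Image"]).lower() != EXPECTED_IMAGE.lower():
                hits.append(("Critical", "Wrong location"))
            if _name(ev.get("ParentImage")) != EXPECTED_PARENT:
                hits.append(("High", "Wrong parent"))
            if ev.get("User", "").upper() != EXPECTED_USER:
                hits.append(("High", "Wrong user"))
        elif ev["type"] == "network_connect":
            hits.append(("Critical", "Network activity"))
    # The sample has no termination events, so each creation counts as running.
    if len(created) > 1:
        for pid in created:
            findings[pid].append(("Medium", "Multiple instances"))
    return findings

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"type": "process_create", "ProcessId": 4100,
     "Image": r"C:\Windows\System32\audiodg.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\LOCAL SERVICE"},
    {"type": "process_create", "ProcessId": 7300,
     "Image": r"C:\Users\Public\audiodg.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"WORKSTATION\alice"},
    {"type": "network_connect", "ProcessId": 7300,
     "Image": r"C:\Users\Public\audiodg.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
```

The parent check compares only the file name, as the table does; a stricter check would also require the parent's full path.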
Impersonation Signs
Impersonation Indicators:
- audiodg.exe outside System32
- Missing Microsoft signature
- Running as different user
- Making network connections
- Spawning child processes
Limited Abuse Potential
| Limitation | Reason |
|---|---|
| No execution features | Audio only |
| No network access | Isolated |
| Low privileges | LOCAL SERVICE |
| Well-monitored | EDR coverage |
Abuse Techniques
Impersonation
Impersonation Attack:
1. Create malicious audiodg.exe
2. Place in user-writable location
3. Execute with trusted name
4. Hide among system processes
Why Rarely Abused
audiodg is rarely abused because:
- No useful capabilities for attackers
- No network functionality
- No command execution
- Low privilege level
- Easy to detect fakes
Potential Uses
| Scenario | Method |
|---|---|
| Name hiding | Use trusted name |
| Process list blend | Appear as system |
| Detection evasion | Mimic known process |
Detection Guidance
Sysmon Configuration
```xml
<RuleGroup name="audiodg Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="end with">audiodg.exe</Image>
  </ProcessCreate>
  <NetworkConnect onmatch="include">
    <Image condition="end with">audiodg.exe</Image>
  </NetworkConnect>
</RuleGroup>
```
Sigma Rule
```yaml
title: Suspicious audiodg.exe Location
status: experimental
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\audiodg.exe'
    filter:
        Image: 'C:\Windows\System32\audiodg.exe'
    condition: selection and not filter
falsepositives:
    - None expected
level: critical
```
KQL Query
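```kql
// audiodg from wrong location
// FolderPath holds the full image path, so compare it (case-insensitively)
// against the expected file path rather than the bare directory.
DeviceProcessEvents
| where FileName =~ "audiodg.exe"
| where FolderPath !~ "C:\\Windows\\System32\\audiodg.exe"
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName

// audiodg network activity (should be none); run as a separate query
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "audiodg.exe"
| project Timestamp, DeviceName, RemoteIP, RemotePort
```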
Remediation Steps
Verification
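```powershell
# Verify audiodg process (run elevated so Path and owner can be read)
Get-Process audiodg -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)"
    [PSCustomObject]@{
        PID  = $_.Id
        Path = $_.Path
        # CIM instances expose no GetOwner() method; call it through Invoke-CimMethod
        User = (Invoke-CimMethod -InputObject $proc -MethodName GetOwner).User
    }
}

# Check signature
Get-AuthenticodeSignature "C:\Windows\System32\audiodg.exe"

# Find impersonators
# Component-store copies under C:\Windows\WinSxS are also listed; check their
# signature before treating them as impersonators.
Get-ChildItem -Path C:\ -Recurse -Filter "audiodg.exe" -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -ne "C:\Windows\System32" }
```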
Process Validation
| Check | Expected |
|---|---|
| Path | C:\Windows\System32\ |
| Parent | svchost.exe |
| Signature | Microsoft Windows |
| User | LOCAL SERVICE |
Investigation Checklist
Process Verification
- Is audiodg in System32?
- Is parent svchost?
- Running as LOCAL SERVICE?
- Properly signed?
Anomaly Detection
- Any network connections?
- Multiple instances?
- Child processes?
- High CPU usage?
Impersonation Check
- Any copies outside System32?
- Hash matches known good?
- Similar named files?
Audio System
- Is audio functioning?
- Any audio device issues?
- Recently installed audio drivers?