# SecurityHealthService.exe (executable): Windows Security Health Service - System Security Monitor [2026]
SecurityHealthService.exe is a Windows component that monitors system security health and provides the Windows Security Center functionality. Attackers may attempt to impersonate or disable this service.
## Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Medium |
| Abuse Potential | Medium |
| Prevalence | Universal |
| Risk Score | 40/100 |
SecurityHealthService is a legitimate Windows security component that may be targeted for impersonation or disabling.
## Overview
### What is SecurityHealthService.exe?
SecurityHealthService.exe is a Windows system process that provides security health monitoring and integrates with the Windows Security Center (formerly Action Center).
### Key Characteristics
| Attribute | Value |
|---|---|
| File Name | SecurityHealthService.exe |
| Developer | Microsoft Corporation |
| Digital Signature | Microsoft Windows |
| OS Component | Windows 10/11 |
| Service Name | SecurityHealthService |
### Technical Details
| Property | Description |
|---|---|
| Process Type | Windows Service |
| Parent Process | services.exe |
| Start Type | Automatic |
| Dependencies | RPC, Windows Defender |
This service monitors the health of Windows security components including antivirus, firewall, and update status.
## Normal Behavior
### Legitimate Characteristics
- Service Name: SecurityHealthService
- Display Name: Windows Security Service
- Executable: C:\Windows\System32\SecurityHealthService.exe
- Startup Type: Automatic
- Account: Local System
### Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | services.exe |
| User Context | NT AUTHORITY\SYSTEM |
| Location | C:\Windows\System32\ only |
| Network | May connect for updates |
| Instances | Single instance |
### Related Components
| Component | Purpose |
|---|---|
| SecurityHealthSystray.exe | System tray icon |
| Windows Security app | UI component |
| WdNisSvc | Network Inspection Service |
### Common Locations
C:\Windows\System32\SecurityHealthService.exe
## Suspicious Indicators
### Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Wrong location | Critical | Not in System32 |
| Wrong parent | Critical | Not launched by services.exe |
| Missing signature | Critical | Unsigned or wrong signature |
| Service stopped | High | Service unexpectedly stopped |
| Modified binary | Critical | Hash mismatch with known good |
### Impersonation Attempts
Malware Impersonation Patterns:
- SecurityHealthService.exe in wrong folder
- Similar names: SecurityHealth.exe, SecHealthSvc.exe
- Missing Microsoft signature
- Different parent process
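The red-flag checks from the table above and the lookalike names from the Impersonation Patterns list, applied to Sysmon-style process-creation events. This is an added example, not code from the original page; the event dictionaries and hash strings are constructed, and KNOWN_GOOD is a placeholder for a SHA256 taken from a trusted baseline. It goes slightly beyond the page by treating any other image name containing "SecurityHealth" as a lookalike while exempting SecurityHealthSystray.exe, which the Related Components table lists as legitimate.

```python
import ntpath

LEGIT_NAME = "securityhealthservice.exe"
LEGIT_IMAGE = r"c:\windows\system32\securityhealthservice.exe"
LEGIT_PARENT = "services.exe"
LEGIT_USER = r"nt authority\system"
LOOKALIKES = {"securityhealth.exe", "sechealthsvc.exe"}  # names from the list above
RELATED_OK = {"securityhealthsystray.exe"}  # legitimate sibling, see Related Components

def sha256_from_sysmon(hashes):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field ('SHA256=...,MD5=...')."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None

def triage(event, known_good_sha256=None):
    """Return the red flags raised by one process-creation event ([] = nothing to flag)."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    if name in RELATED_OK or (name != LEGIT_NAME and name not in LOOKALIKES
                              and "securityhealth" not in name):
        return []  # a legitimate sibling, or not a SecurityHealthService candidate at all
    flags = []
    if name != LEGIT_NAME:
        flags.append(f"lookalike name: {name}")
    elif image.lower() != LEGIT_IMAGE:
        flags.append(f"wrong location: {image}")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != LEGIT_PARENT:
        flags.append(f"wrong parent: {parent or 'unknown'}")
    if event.get("User", "").lower() != LEGIT_USER:
        flags.append(f"wrong user context: {event.get('User', 'unknown')}")
    observed = sha256_from_sysmon(event.get("Hashes", ""))
    if known_good_sha256 and observed and observed != known_good_sha256.lower():
        flags.append("hash mismatch with known good")
    return flags

# Constructed Sysmon Event ID 1 style events; the hashes and KNOWN_GOOD are placeholders, not real values.
KNOWN_GOOD = "a" * 64
EVENTS = [
    {"Image": r"C:\Windows\System32\SecurityHealthService.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=" + "A" * 64},
    {"Image": r"C:\Users\Public\SecurityHealthService.exe", "User": r"DESKTOP-01\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "b" * 64},
    {"Image": r"C:\ProgramData\SecHealthSvc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "MD5=" + "c" * 32},
]
```

Running `triage(e, KNOWN_GOOD)` over EVENTS returns no flags for the first event, four flags (location, parent, user, hash) for the second, and a single lookalike flag for the third.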
### Service Tampering
| Attack | Indicator |
|---|---|
| Service disabled | sc query shows stopped |
| Binary replaced | Different hash |
| DLL hijacking | Unusual DLLs loaded |
| Registry modification | Service config changed |
## Abuse Techniques
### Impersonation
Attack Scenario:
1. Attacker creates malicious SecurityHealthService.exe
2. Places in user-writable location
3. Tricks user or system into running it
4. Malware runs with trusted-appearing name
5. May disable real security service
### Service Tampering
```cmd
# Attacker commands to disable
sc stop SecurityHealthService
sc config SecurityHealthService start= disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
```
### Binary Replacement
Sophisticated Attack:
1. Gain SYSTEM privileges
2. Take ownership of legitimate binary
3. Replace with malicious version
4. Maintains signature appearance
5. Runs malicious code as SYSTEM
### Defense Evasion
| Technique | Method |
|---|---|
| Process Name Spoofing | Use same name as legitimate |
| Service Disable | Stop health monitoring |
| Binary Masquerade | Replace legitimate binary |
| Registry Manipulation | Modify service configuration |
## Detection Guidance
### Sysmon Configuration
```xml
<!-- Place this RuleGroup inside the <EventFiltering> element of the Sysmon configuration -->
<RuleGroup name="SecurityHealthService Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="contains">SecurityHealthService</Image>
  </ProcessCreate>
  <FileCreate onmatch="include">
    <TargetFilename condition="contains">SecurityHealthService</TargetFilename>
  </FileCreate>
</RuleGroup>
```
### Sigma Rule
```yaml
title: Suspicious SecurityHealthService Location
status: experimental
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\SecurityHealthService.exe'
    filter:
        Image: 'C:\Windows\System32\SecurityHealthService.exe'
    condition: selection and not filter
falsepositives:
    - None expected
level: critical
```
### KQL Detection
```kusto
// SecurityHealthService from wrong location
// FolderPath in DeviceProcessEvents holds the full image path, so compare it against
// the expected full path rather than the directory alone
DeviceProcessEvents
| where FileName =~ "SecurityHealthService.exe"
| where FolderPath !~ @"C:\Windows\System32\SecurityHealthService.exe"
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName
```
```kusto
// Service stopped unexpectedly
DeviceEvents
| where ActionType == "ServiceInstalled" or ActionType == "ServiceStateChanged"
| where AdditionalFields contains "SecurityHealthService"
| project Timestamp, DeviceName, ActionType, AdditionalFields
```
## Remediation Steps
### Verification
```powershell
# Verify service status
Get-Service SecurityHealthService

# Verify binary location and signature
$path = "C:\Windows\System32\SecurityHealthService.exe"
if (Test-Path $path) {
    Get-AuthenticodeSignature $path
    Get-FileHash $path -Algorithm SHA256
}

# Check for impersonators
Get-ChildItem -Path C:\ -Recurse -Filter "SecurityHealthService.exe" -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -ne "C:\Windows\System32" }
```
### Restoration
```cmd
# Re-enable service
sc config SecurityHealthService start= auto
sc start SecurityHealthService

# Repair Windows Security (if needed)
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
```
### Prevention
| Control | Implementation |
|---|---|
| Integrity Monitoring | Monitor System32 changes |
| Service Monitoring | Alert on service state changes |
| Application Control | Block unauthorized binaries |
## Investigation Checklist
### Binary Verification
- Is SecurityHealthService.exe in the correct location?
- Is it properly signed by Microsoft?
- Does the hash match known good version?
- What is the parent process?
### Service Status
- Is the SecurityHealthService running?
- Was it recently stopped or modified?
- Are there registry changes to service config?
- Is startup type set correctly?
### Impersonation Check
- Are there any other SecurityHealthService binaries?
- Are there similarly named files?
- Have any been recently created?
- What permissions do they have?
### Impact Assessment
- Was Windows Security functionality impacted?
- Were other security components affected?
- What other malicious activity is present?