taskhostw.exe - Windows Task Host Process Analysis [2026]
Medium Risk · Windows · EXECUTABLE
taskhostw.exe is the Windows Task Host that executes DLL-based scheduled tasks. It can be abused through malicious scheduled tasks or impersonation.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Medium |
| Abuse Potential | High |
| Prevalence | Universal |
| Risk Score | 55/100 |

taskhostw.exe executes scheduled tasks and can run malicious DLLs planted by attackers.
Overview
What is taskhostw.exe?
taskhostw.exe (Task Host Window) is a Windows system process that hosts Windows tasks that are implemented as DLLs rather than executables.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | taskhostw.exe |
| Developer | Microsoft Corporation |
| Digital Signature | Microsoft Windows |
| OS Component | Task Scheduler |
| Type | Task Host |
Technical Details
| Property | Description |
|---|---|
| Process Type | Task Execution Host |
| Parent Process | svchost.exe (Schedule) |
| Purpose | Execute DLL-based tasks |
| Instances | One or more |
taskhostw.exe is the host process for scheduled tasks whose actions are implemented as DLLs rather than as standalone executables.
Normal Behavior
Legitimate Characteristics
```
Process: taskhostw.exe
Parent: svchost.exe -k netsvcs -p (Schedule service)
Location: C:\Windows\System32\taskhostw.exe
```
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | svchost.exe (Schedule) |
| Location | C:\Windows\System32\ |
| User Context | SYSTEM or logged-in user |
| Instances | Variable based on tasks |
| Timing | Aligned with scheduled tasks |
Common Legitimate Tasks
| Task | Purpose |
|---|---|
| Windows Update | Update operations |
| Defender scans | Antimalware |
| Telemetry | Microsoft diagnostics |
| Maintenance | System cleanup |
Common Locations
C:\Windows\System32\taskhostw.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Wrong location | Critical | Not in System32 |
| Wrong parent | High | Not from svchost Schedule |
| Unknown DLLs | High | Loading suspicious DLLs |
| Unusual timing | Medium | Not matching task schedule |
| Network activity | Medium | Tasks with network calls |
Malicious Task Indicators
Suspicious Scheduled Tasks:
- Tasks with random names
- Tasks running from temp directories
- Tasks loading unsigned DLLs
- Recently created tasks
- Tasks with encoded commands
Attack Indicators
| Pattern | Concern |
|---|---|
| Unknown task DLLs | Malicious scheduled task |
| Network connections | C2 or exfiltration |
| Child processes | Proxy execution |
| High CPU | Cryptominer task |
Abuse Techniques
Malicious Scheduled Task
Persistence via Task:
1. Attacker creates scheduled task
2. Task triggers DLL execution
3. taskhostw.exe loads malicious DLL
4. Malware runs with task permissions
5. Persistent execution achieved
Task Scheduler Abuse
```powershell
# Attacker creates malicious task
schtasks /create /tn "SystemMaintenance" /tr "rundll32.exe C:\malware\evil.dll,Entry" /sc daily
# Results in taskhostw.exe running evil code
```
DLL Sideloading
| Technique | Implementation |
|---|---|
| Malicious task | Create task with DLL trigger |
| DLL hijacking | Replace legitimate task DLLs |
| COM task abuse | Use COM handlers |
Living-off-the-Land
```xml
<!-- Malicious scheduled task XML -->
<Task>
  <Actions>
    <ComHandler>
      <ClassId>{malicious-CLSID}</ClassId>
    </ComHandler>
  </Actions>
</Task>
```
Detection Guidance
Sysmon Configuration
```xml
<!-- Place inside <EventFiltering> in the Sysmon configuration file -->
<RuleGroup name="taskhostw Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="end with">taskhostw.exe</Image>
  </ProcessCreate>
  <ImageLoad onmatch="include">
    <Image condition="end with">taskhostw.exe</Image>
  </ImageLoad>
</RuleGroup>
```
Sigma Rule
```yaml
title: Suspicious taskhostw.exe Behavior
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\taskhostw.exe'
  # Expected case: the System32 binary started by svchost.exe
  filter:
    Image: 'C:\Windows\System32\taskhostw.exe'
    ParentImage|endswith: '\svchost.exe'
  condition: selection and not filter
falsepositives:
  - None expected
level: high
```
KQL Query
```kusto
// taskhostw from suspicious location
// FolderPath is compared as a case-insensitive prefix so the check holds
// whether or not the column includes the file name
DeviceProcessEvents
| where FileName =~ "taskhostw.exe"
| where FolderPath !startswith "C:\\Windows\\System32\\"
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName

// DLLs loaded by taskhostw from outside the Windows directory
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "taskhostw.exe"
| where not(FolderPath startswith "C:\\Windows\\")
| project Timestamp, DeviceName, FileName, FolderPath

// Scheduled tasks audit
DeviceEvents
| where ActionType == "ScheduledTaskCreated"
| project Timestamp, DeviceName, AdditionalFields
```
Remediation Steps
Task Audit
```powershell
# List all scheduled tasks that are not disabled
Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } |
    Select-Object TaskName, TaskPath, State, @{N="Actions";E={$_.Actions.Execute}}

# Find recently created tasks (registered in the last 7 days).
# Date is the task's registration date; it is empty for some tasks, which are skipped.
Get-ScheduledTask | Where-Object {
    ($_.Date -as [datetime]) -gt (Get-Date).AddDays(-7)
}

# Find tasks whose action references a DLL
Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like "*.dll*" -or $_.Actions.Arguments -like "*.dll*"
}
```
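The DLL check above only sees exec actions; tasks that use a COM handler carry a ClassId instead of a command line. The following added example (not part of the original page) resolves each COM-handler ClassId to its InprocServer32 DLL and reports the file's path and Authenticode status. It assumes the handler is registered under the HKLM or current-user Classes\CLSID key; the output property names are chosen here for illustration.

```powershell
# Added example: map COM-handler task actions to the DLL they load.
# Assumption: handlers are registered under HKLM or the current user's HKCU hive.
$roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Exec actions have no ClassId; only COM-handler actions do.
        if (-not $action.ClassId) { continue }
        # Normalise to the {GUID} form used for registry key names.
        $clsid = '{' + $action.ClassId.Trim('{}') + '}'

        foreach ($root in $roots) {
            $key = Join-Path $root "$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $key)) { continue }

            # The key's default value holds the DLL path.
            $raw = (Get-Item -LiteralPath $key).GetValue('')
            if (-not $raw) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')

            $sig = if (Test-Path -LiteralPath $dll) {
                Get-AuthenticodeSignature -LiteralPath $dll
            }

            [pscustomobject]@{
                Task           = $task.TaskPath + $task.TaskName
                ClassId        = $clsid
                Hive           = $root.Substring(0, 4)
                Dll            = $dll
                SigStatus      = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer         = $sig.SignerCertificate.Subject
                # True when the DLL sits outside the Windows directory.
                OutsideWindows = -not $dll.StartsWith("$env:SystemRoot\", 'OrdinalIgnoreCase')
            }
        }
    }
}
```

Rows with `OutsideWindows` set, a `SigStatus` other than `Valid`, or a registration in the HKCU hive are the ones to review first.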
Process Validation
| Check | Expected |
|---|---|
| Path | C:\Windows\System32\ |
| Parent | svchost.exe (Schedule) |
| DLLs | Microsoft-signed |
| Tasks | Known legitimate tasks |
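The checks in this table can be run against live processes. The following added example (not part of the original page) compares every running taskhostw.exe with the expected path and parent and lists loaded modules from outside the Windows directory. It assumes an elevated session so that paths and modules of other users' instances are readable; the output property names are chosen here for illustration.

```powershell
# Added example: validate running taskhostw.exe instances against the table above.
$expected = Join-Path $env:SystemRoot 'System32\taskhostw.exe'

# PID of the svchost.exe instance that hosts the Task Scheduler (Schedule) service.
$schedPid = (Get-CimInstance Win32_Service -Filter "Name='Schedule'").ProcessId

Get-CimInstance Win32_Process -Filter "Name='taskhostw.exe'" | ForEach-Object {
    $p = $_

    # ExecutablePath is empty when the caller cannot query the process.
    $sig = if ($p.ExecutablePath) {
        Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
    }

    # Loaded modules whose file is not under the Windows directory.
    $mods = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).Modules
    $foreign = $mods | Where-Object {
        $_.FileName -and
        -not $_.FileName.StartsWith("$env:SystemRoot\", 'OrdinalIgnoreCase')
    }

    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Path        = $p.ExecutablePath
        PathOk      = $p.ExecutablePath -ieq $expected
        ParentPid   = $p.ParentProcessId
        ParentOk    = $p.ParentProcessId -eq $schedPid
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        ForeignDlls = $foreign.FileName -join '; '
    }
}
```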
Investigation Checklist
Process Verification
- Is taskhostw in System32?
- Is parent svchost Schedule service?
- Properly signed by Microsoft?
- What DLLs is it loading?
Task Analysis
- What scheduled task triggered this?
- Is the task legitimate?
- When was the task created?
- What does the task action do?
DLL Investigation
- What DLLs are loaded?
- Are DLLs properly signed?
- Any DLLs from unusual paths?
- Recently modified DLLs?
Timeline
- When did taskhostw start?
- Does timing match scheduled task?
- Correlation with other events?