Windows: these processes can hide viruses!

Processes are an inevitable part of Windows, and it’s not uncommon to see dozens or hundreds of them in Task Manager. Each process is a program or part of a program that is running. Unfortunately, malware writers know this and often hide malicious software in legitimate processes. So we are going to tell you about the most used for this purpose, so that if something goes wrong with your computer, you will know where to look. Attention because these Windows processes can even hide viruses.

Windows: these processes can hide viruses!


Service Host, or svchost.exe, is a shared service. It allows multiple Windows services to share processes. This helps reduce resource usage, making the system more efficient. You will almost certainly see more than one instance of Svchost.exe in Task Manager, but this is normal. If one or more of these files are compromised by malware, you may notice a major reduction in performance.

Legit Svchost files should be found in C:\Windows\System32. If you suspect it has changed, go to C:Windows\Temp. If you see svchost.exe in this directory, it may be a malicious file. Check the file with your antivirus software and quarantine it if necessary.


Explorer.exe is responsible for the GUI. Without it, there would be no taskbar, start menu, file manager, or even the desktop. Therefore, it is an essential part of Windows and cannot be disabled.

Several viruses can use the Explorer.exe file name to hide themselves, including trojan.w32.ZAPCHAST. So the legal file will be in C:\Windows. If you find it in System32, you should definitely check it with your antivirus software.


The Winlogon.exe process is an essential part of the Windows operating system. This takes care of things like loading the user profile at login and locking the computer when the screen saver is running. However, since this process deals with security elements, Windows Logon and the winlogon.exe process are common targets for threats.

Windows process virus

A good indication that the process has been warned is unusually high memory usage.


The client/server runtime subsystem, or Csrss.exe, is an essential Windows process. Although not used as much in modern versions of Windows, it is still required by the system and cannot be turned off.

The Nimda.E virus is known to mimic the Csrss.exe process, although it is not the only threat. So the legitimate file must be located in the System32 or SysWOW64 folders. Right-click the Csrss.exe process in the task manager and select Open File Location. If it’s located anywhere else, it’s probably a malicious file.


lsass.exe is an essential process responsible for security policies in Windows. So it checks the login name and password, among other security procedures. The process is unlikely to be hijacked. However, if it doesn’t work properly, usually disconnect it from your computer. But viruses are known to use the file name to hide themselves.

Locate the Lsass.exe file in C:\Windows\System32. So this is the only place you should get it. If you see it elsewhere, such as C:Windows\System or C:\Program Files, check the file with your antivirus.


The Services.exe process is responsible for starting and stopping various essential Windows services. Like the other Windows processes on this list, viruses and malware target it because it allows them to hide in plain sight.

In the case of a dangerous file, you may have problems starting and shutting down your computer. Locate the correct Services.exe file in the System32 folder. If it is located anywhere else, such as C:\Windows\ConnectionStatus, the file may be a virus.


The Windows Print Spooler Service, or Spoolsv.exe, is an important part of the printing interface. So it runs in the background and waits to manage things like the print queue when needed. However, the process doesn’t depend on a printer being connected, so you shouldn’t be surprised to see it in Task Manager.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top