How to deal with Windows Shell Experience Host

by Jake Doevan - -

Windows Shell Experience Host ‘shellexperiencehost.exe’ is discovered in Task Manager. The process is constantly using Operating system resources, especially CPU resources. Even though there is a genuine and legitimate Windows Shell Experience Host, some users can be infected with a malware. The malicious executable could be using the infected PC’s CPU in order to mine cryptocurrencies.[1]

windows shell experience host

So how can users find out of they are dealing with the malicious Shell Experience Host executable?

What is Windows Shell Experience Host?

Originally, the executable shellexperiencehost.exe is a genuine Windows operating system process. Its main purpose is to display universal applications in a Windowed interface and handles graphical components of the application’s interface. These apps include taskbar and start menu transparency, clock, calendar, notifications and others.

Although just after the first versions of the executable was introduced with Windows 10, they were vulnerable and used a huge amount of CPU and RAM resources,[2] the Windows Shell Experience Host was updated and improved. 

In normal circumstances, the executable shellexperiencehost.exe uses a very little amount of or even none CPU resources. however, when the graphical components are adjusted, you should notice a bigger consumption but after that, it should come back to normal again. When it comes to memory usage, it should not be higher than 300 MB. 

If you have noticed unusual behavior or higher CPU usage, you should investigate some more to confirm if you are actually dealing with malware. 

Security threats

In order to confirm your suspicions, firstly, you should start monitoring the operating system resources consumption of shellexperiencehost.exe. If the process is using more than 20% of the CPU and more than several hundreds of RAM, there is a possibility that your system is infected.[3]

There are two types of Trojan miners, shellexpenicehost.exe and Microsoftshellhost.exe that are consuming the infected PC’s resources in order to mine Monero or other digital currencies. 

If you think that you are actually infected by a trojan, check it’s location. In order to do that, open Task Manager, and find the shellexperiencehost.exe. It should appear in the Process tab. By right-clicking on the executable, select Open File Location. The legitimate executable should reveal the location in C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy

If the Windows Shell Experience Host executable is in a different location and the CPU and RAM consumption are high, you are probably dealing with a trojan which is used to mine cryptocurrencies. You can check this out with a security scanner. 

Should you remove the Windows Shell Experience Host executable?

If you discovered that the mentioned executable is legitimate, you do not have any reasons to remove or disable it, because disabling the shellexperiencehost.exe executable will prohibit the system to display visuals. 

If you noticed a huge system resources consumption caused by the shellexperiencehost.exe process, make sure to update your Windows operating system and run the latest updates. 

About the author

Jake Doevan
Jake Doevan - Computer security guru

Jake Doe is a security expert and news editor of His major is Communication and Journalism, which he obtained from the Washington and Jefferson College.

Contact Jake Doevan
About the company Esolutions


now online
Like us on Facebook