Our team at SpyShelter focuses on checking PC executables (processes) for threats, and we’ve been doing so for over 15 years. You can use the same techniques our team uses to quickly check executables for threats.
So, how can you quickly check if a process running on your PC is safe or a threat? We recommend starting with the four steps below.
Did you know that Microsoft lets you scan any executable on your PC with its built-in Windows Security for free? Right click the file, then choose "show more options" in the menu, and then choose "scan".
Microsoft reported in 2023 that they manage over 135 million devices for security and threats, and that they block over 4,000 threats per second.
Why not take advantage of Microsoft’s free and extremely powerful threat detection technology?
If your scan came back with no problems, then the file is most likely safe, and if it wasn’t safe then Windows most likely quarantined the file to protect you.
Still not sure if the process is safe even after Microsoft’s scan? No problem. Let's analyze your .exe even more closely...
Is your executable signed? A signed executable tells you who made it. The publisher signature can confirm if it's the real deal, or a virus masquerading as the real thing.
Right click the executable and choose “properties”. Now look for the "Digital Signatures" tab. It should say who the publisher is. Is it signed, and is the publisher who you expected it to be? In that case, the executable is probably safe.
For example, is it signed by Microsoft itself, or another well-known publisher like Mozilla?
Is the executable unsigned? It can still be safe in some cases... and there's a third step below that you can take to keep investigating further…
Did you know every executable file on your computer has a hash, an ID calculated from the file's contents that is effectively unique to that exact file? You can search that hash on a popular file analysis website called VirusTotal to see if it's safe. VirusTotal is a free security file analysis service (owned by Google) that can check the executable on your PC against many different antivirus engines simultaneously. This is useful because if multiple antivirus engines say the file is safe, it's probably safe.
There are many different antivirus companies out there, and many of them use unique threat detection engines. VirusTotal analyzes your executable file with all of these different antivirus engines simultaneously to see if it could be a threat.
VirusTotal lets you upload an entire file to VirusTotal.com if you prefer, but some people don't like to do this for privacy reasons, so instead they prefer to just search the file’s hash (unique ID).
Getting the hash is easy if you're using SpyShelter (download SpyShelter if you don't have it yet). Just click on the app icon in SpyShelter, then scroll down to "hash" then right click to copy the hash. You can then go to VirusTotal and click "search" then paste in the hash.
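If you prefer built-in Windows tools, the signature check from step two and the hash from step three can both be read in PowerShell. This is an added example, not SpyShelter's code; the function name Get-ExeStaticCheck and its -ExpectedPublisher parameter are hypothetical, and the sample call inspects the PowerShell host itself.

```powershell
# Added example: signature and SHA-256 of one executable, using built-in cmdlets only.
function Get-ExeStaticCheck {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hypothetical parameter: text you expect in the signer's name, e.g. 'Microsoft'
        [string] $ExpectedPublisher
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Only a status of 'Valid' means the signature verified. 'NotSigned',
    # 'HashMismatch', 'NotTrusted' and the rest mean the publisher name
    # cannot be relied on.
    $subject = $null
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

    # Compare the publisher only when the signature itself is valid.
    # A name match is a hint, not proof: read the full Signer value too.
    $publisherMatches = $null
    if ($ExpectedPublisher) {
        $publisherMatches = ($sig.Status -eq 'Valid') -and
            ($subject -match [regex]::Escape($ExpectedPublisher))
    }

    [pscustomobject]@{
        Path             = $file.FullName
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $subject
        PublisherMatches = $publisherMatches
        # Paste this value into the VirusTotal search box; the file is not uploaded.
        SHA256           = $hash.Hash
    }
}

# Sample input: the executable of the PowerShell session running this script.
$self = (Get-Process -Id $PID).Path
Get-ExeStaticCheck -Path $self -ExpectedPublisher 'Microsoft' | Format-List
```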
No results for the hash, or having trouble getting it? No problem. You can then go to the executable's location and upload the entire file to VirusTotal and check it, if it’s something you feel safe sharing.
After uploading the file, if VirusTotal shows the executable is safe then it probably is. But what if VirusTotal shows the executable might be a threat?
If VirusTotal shows that the executable could be a threat, you can quarantine it with SpyShelter, or with your antivirus. To quarantine an executable with SpyShelter click "Quarantine" at the top left of the window above where you found the file’s path and hash.
Could it be a false positive?
Unfortunately, some antivirus engines listed in VirusTotal can give you a result called a "false positive" which means it's not really a threat. Therefore, you should consider that it might be a false positive if only one or two antivirus engines see your executable as a threat.
I’ll give an example…
When our company releases new versions of our own SpyShelter antispyware app we often check the new SpyShelter installer .exe on VirusTotal to make sure we aren’t getting many false positives. Almost every time we first upload the setup.exe file, we’ll find at least one VirusTotal engine shows our app as a threat.
But, as time goes by this false positive usually goes away. Therefore, if only one or two engines show your executable is a threat it’s most likely just a false positive.
After checking with VirusTotal, are you still unsure if the .exe is safe? Fortunately, there’s a fourth step you can take…
Is the executable currently running on your PC (as a process) and how much CPU or memory is it using? When did this executable appear? How many instances of the executable are running?
The Windows Task Manager can reveal the executable’s behavior, and these behaviors can help you determine if the app is safe or a threat.
To get started, first right click your Windows Taskbar at the bottom of the screen and launch the Windows Task Manager. You’ll then see a list of Windows “processes” (also known as executables, or apps).
Now, find the executable (also known as a process) in the list and right click its name, then choose “properties”. Now look for the “Created” date. This is the date the .exe should have appeared on your PC.
Did the process/.exe you’re analyzing appear recently after you viewed a mysterious PDF file that was emailed to you, or does this seem to be a very old file that came with your PC? If it’s a very old app, perhaps it’s just part of the normal system your PC needs to operate.
How much CPU or memory is the executable using? Is it using a reasonable percentage of your PC’s resources, or has it gone out of control sucking away your memory?
Malware often uses an unusually high amount of resources on your PC. If you right click and try to “End Task” does Windows allow you to, or is killing the executable denied? If you kill the .exe, do you notice any issues?
Now, go to the “startup” tab in the Task Manager on the left side. Is this executable listed there? This would mean that the executable has set itself up to start when you start your PC. To stop this, you can right click the executable and choose “disable”. Malware often makes itself start on startup.
Another useful feature in the Task Manager is the “App History” tab. You can instantly see the CPU time for the different apps on your PC. Does the .exe you are investigating show up here? How much time has it been running? Spyware or malware can often have an extremely long run time.
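The Task Manager checks in this step (creation date, number of instances, CPU and memory use, startup entries) can also be collected in one pass from PowerShell. This is an added example, not SpyShelter's code; the function name Get-ExeRuntimeCheck is hypothetical, and the sample call inspects the PowerShell host itself.

```powershell
# Added example: runtime view of one executable, using built-in cmdlets only.
function Get-ExeRuntimeCheck {
    param([Parameter(Mandatory)] [string] $Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $full = $file.FullName
    $name = $file.Name

    # Match on the full path, so a same-named file in another folder is not counted.
    # Path is empty for processes this session cannot inspect; run elevated to see more.
    $procs = @(Get-Process | Where-Object { $_.Path -eq $full })

    # Win32_StartupCommand lists Run-key and Startup-folder entries only;
    # services and scheduled tasks are not included.
    $startup = @(Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Command -match [regex]::Escape($name) })

    $cpu = 0.0; $mem = 0.0; $oldest = $null
    if ($procs.Count -gt 0) {
        $cpu    = ($procs | Measure-Object -Property CPU -Sum).Sum
        $mem    = ($procs | Measure-Object -Property WorkingSet64 -Sum).Sum
        $oldest = ($procs | Sort-Object StartTime | Select-Object -First 1).StartTime
    }

    [pscustomobject]@{
        Path           = $full
        FileCreated    = $file.CreationTime      # the "Created" date from Properties
        Instances      = $procs.Count            # how many copies are running
        OldestStart    = $oldest                 # when the longest-running copy started
        CpuSeconds     = [math]::Round($cpu, 1)  # total CPU time across instances
        WorkingSetMB   = [math]::Round($mem / 1MB, 1)
        StartupEntries = @($startup | ForEach-Object { "$($_.Location) -> $($_.Command)" })
    }
}

# Sample input: the executable of the PowerShell session running this script.
Get-ExeRuntimeCheck -Path (Get-Process -Id $PID).Path | Format-List
```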
If you’re using our SpyShelter antispyware app, you can search the executable name, then click its icon, and then click “quarantine” to instantly disable the app. You can download SpyShelter for free here.
After trying all the steps above are you still unsure about the executable? If so, please join our free SpyShelter PC Security Forum. Our team loves discussing suspicious executables (apps and processes)!
Ask whatever you’d like, and our USA-based team will usually respond quickly if they have the answer. Discuss suspicious executables or anything related to PC security with the SpyShelter team now!
Our team at SpyShelter has been studying Windows PC executables for over 15 years, to help fight against spyware, malware, and other threats. SpyShelter has been featured in publications like The Register, PC Magazine, and many others. Now we’re working to share free, actionable, and easy to understand information about Windows executables (processes) with the world, to help as many people as possible keep their devices safe. Learn more about us on our “About SpyShelter” page.
A process is an executable that is actively executing and running in your PC’s memory.
An executable and an app can be the same thing, but an executable usually refers only to the main .exe part of the application. The application may have other shared parts (like dynamic-link libraries) that run in conjunction with the main executable, and these things together could be called the full “app”.
Spyware is a type of malware that is more focused on monitoring you and your PC’s behavior. For example, one common type of spyware called a keylogger will record everything you type and send it back to a hacker. The hacker will then analyze everything you typed for banking passwords and other sensitive data. Sometimes spyware will even take screenshots of your PC without you knowing.