PickerHost.exe: Windows File Picker Host or Malware?

by Robert Bailey
May 14, 2026

PickerHost.exe is normally a Microsoft Windows file picker host. A copy outside Windows system paths should be checked.

PickerHost.exe should not be judged by its filename alone. Some files with this name can belong to legitimate software, while malware can also copy familiar process names to look harmless in Task Manager.

What is PickerHost.exe?

PickerHost.exe is normally a Microsoft Windows component used for file picker dialogs in modern apps.

The most important evidence is the file location, digital signature, related installed app, and whether the file starts automatically from a normal vendor or Windows path.

Safe vs suspicious signs

Looks normal Looks suspicious
Located in a Windows system folder and signed by Microsoft Runs from AppData, Temp, Downloads, Startup, or a random folder
Valid signature from the expected vendor Unsigned, recently created, or unknown publisher
Related software is installed Appeared after a crack, fake update, or unknown installer
Low idle resource use Constant high CPU/GPU/network activity while idle

Why it may be flagged

A fake copy may use the same name while running from a user folder, startup entry, or suspicious installer location.

How to verify it

  1. Open Task Manager, right-click PickerHost.exe, and choose Open file location.
  2. Check whether the path matches the expected vendor or Windows location.
  3. Open Properties and review the digital signature.
  4. Check installed apps sorted by date.
  5. Review Startup apps and Task Scheduler for entries launching the same path.
  6. If the file is in a user folder or unsigned, scan it before allowing it.

How to remove a suspicious copy

Do not delete the Microsoft-signed system copy. Quarantine only suspicious copies outside Windows system paths.

  1. Uninstall the related suspicious app if one exists.
  2. Remove startup entries and scheduled tasks pointing to the suspicious path.
  3. Run a full scan and restart Windows.
  4. After reboot, confirm the same file did not return.

FAQ

Should I delete PickerHost.exe?

No, not before checking path and signature. Delete or quarantine only suspicious copies, not legitimate system or vendor files.

Can malware use this name?

Yes. Malware can reuse almost any filename. The path and signature are stronger evidence than the name.

Why does it return after reboot?

A startup entry, scheduled task, service, or parent app may be restoring it. Remove the persistence source, not only the file.

Spanish Turkish

About the author

Robert Bailey

Security engineer focused on malware behavior, removal workflows, and Windows hardening. Robert reviews threat articles for practical accuracy, checking detection names, symptoms, and cleanup steps before publication.

View all posts

1 Comment

  • Normally the Pickerhost.exe is signed by Microsoft and comes from Microsoft! It scans the PC for malware.
    It may occur sometimes in messages about found malware. But then it has only found some malware, itself is no malware!
    In your case it has found a coin miner on your PC!
    Or there may occur also a coin miner with the same name, but then not with an Microsoft signature.

    Reply

Leave a Comment