At its core, Explorer provides users access to files. Functionally, though, it is both a file browser
via Windows Explorer (though still explorer.exe) and a user interface providing features such as the user’s
Desktop, the Start Menu, the Taskbar, the Control Panel, and application launching via file extension associations
and shortcut files. Explorer.exe is the default user interface specified in the Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, though Windows can alternatively function with
another interface such as cmd.exe or powershell.exe. Notice that the legitimate explorer.exe resides in the
%SystemRoot% directory rather than %SystemRoot%\System32. Multiple instances per user can occur, such as
when the option “Launch folder windows in a separate process” is enabled.
Executable’s image path.
%SystemRoot%\explorer.exeA process which spawned the analyzed process.
Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.Expected number of processes running which may normally run on Windows.
One or more per interactively logged-on userWindows account with which the process was launched. This defines what privileges given process has.
Expected time of process to be launched.
First instance starts when the owner’s interactive logon begins