topic Re: StoreDesktopExtension.exe - As Malicious in Cortex XDR Discussions

StoreDesktopExtension.exe - As Malicious

tlmarques — Tue, 13 Jan 2026 12:01:08 GMT

Hi,

recently i receive a lot alerts, related with StoreDesktopExtension.exe , this is usually a legitimate Microsoft Store component.

Anyone with same issue?

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Tue, 13 Jan 2026 13:08:48 GMT

Support information:

Probable Root Cause :
I would like to inform you that I checked the HASH in our Wildfire portal, and would like to inform you that, Initially the file had a local verdict of malware, due to which a local analysis alert got triggered.

Currently, the file is classified as benign, and therefore its a legitimate application, and we can consider the alerts to be false positives.

As the verdict is globally flagged as a benign file, once the verdict is updated on your endpoints, the alerts will be stopped.

If you are still receiving the alerts, please restart the agent services by following the command:
- Open the command prompt with administrative privileges
- Navigate to C:\Program Files\Palo Alto Networks\Traps
- Run the below command to stop the agent services
#cytool runtime stop
- Run the below command to start the agent services
#cytool runtime start

Re: StoreDesktopExtension.exe - As Malicious

A.Govoni — Tue, 13 Jan 2026 13:45:10 GMT

We are having the same issue this morning within the last hour. Thank you for the solution provided.

-Adam

Re: StoreDesktopExtension.exe - As Malicious

D.Moore415468 — Tue, 13 Jan 2026 13:47:19 GMT

I've had 10 hosts with this alert since yesterday. Most came overnight. It's also flagging sihost.exe on 1 host but associating it with the same alert.

StoreDesktopExtension.exe

adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e

sihost.exe

1e115ef87c00e685f8e7b1b184eb9fa3470a0ec75b678a70d3d2d3cbfde3dcb7

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Tue, 13 Jan 2026 14:55:23 GMT

same situation on my side...support say is a False Positive.

Re: StoreDesktopExtension.exe - As Malicious

karthik21 — Tue, 13 Jan 2026 19:38:58 GMT

i am having this problem since yesterday night and even though the process are showing benign the alerts are not stopping. do we need manually add the HASH to allow list to stop the alerts ?

Re: StoreDesktopExtension.exe - As Malicious

MYadav4 — Wed, 14 Jan 2026 08:58:41 GMT

We have more than 100 host getting the same alert, running this command on all host will be difficult, can we exclude this alert?

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Wed, 14 Jan 2026 11:54:30 GMT

When devices start updating the WF and tenant information again, the alerts will be closed automatically.

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Wed, 14 Jan 2026 11:57:21 GMT

on my case, i close all issues as false positive, and write command (information give by support).
but you can add hash to allowlist and alerts close....or force the healthcheck devices, and devices connect again to the tenant and update information and start close the issues...At least that is what support told us.

Re: StoreDesktopExtension.exe - As Malicious

PatrykGorzk — Fri, 16 Jan 2026 07:19:28 GMT

same in our company

Re: StoreDesktopExtension.exe - As Malicious

Juliortega — Tue, 20 Jan 2026 19:25:40 GMT

We are experiencing the same issue. It began two days ago over the weekend. We have 150 desktops, and only 25 of them are showing this incident.

C:\Program Files\WindowsApps\Microsoft.WindowsStore.....\StoreDesktopExtension.exe. what extension is it ?

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Thu, 22 Jan 2026 18:16:25 GMT

hi @Juliortega , StoreDesktopExtension.exe is an executable file associated with the Microsoft Store

I've open case with support and they say:
"I would like to inform you that our engineering team has confirmed that this is a legitimate file from Microsoft, and it is safe to add the "StoreDesktopExtension.exe" file to the allow list."

Re: StoreDesktopExtension.exe - As Malicious

I.AguilarGomez — Fri, 23 Jan 2026 18:26:25 GMT

nosotros tenemos el mismo problema con alrededor de 150 dispositivos. habia permitido los siguientes hash:

winstore.app.exe : adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e

StoreDesktopExtension.exe: 727d070460fa4764822b5286b1d9b8fbb5512b6e84ad645a99cb34dcede97647

Cuando puse los hash anteriores en whitelist se soluciono pero ahora nuevamente volvieron aparecer alertas:

StoreDesktopExtension.exe::::( 1/67 reportado en virustota como malicioso) total6b39c3583b0496f0be88a2c0ab5773f7f2bfef4f82e53f7f3126ee9ca2bf33ca

Podrian apoyarme con un analisis? saludos

Re: StoreDesktopExtension.exe - As Malicious

Juliortega — Fri, 23 Jan 2026 19:41:21 GMT

Hola, I. Aguilar Gómez:
Nosotros recibimos los incidentes únicamente por un día (20/01/26).
No realizamos ninguna acción y, actualmente, ya no vemos este tipo de alertas.
Si ustedes continúan recibiendo alertas, les recomiendo abrir un caso con Palo Alto.

Por otra parte, no hemos recibido llamadas ni alertas de nuestros usuarios acerca de algún aplicativo que no esté funcionando para ellos.

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Fri, 23 Jan 2026 19:43:50 GMT

@Juliortega and @I.AguilarGomez

this can be appear, because some devices have issue to update the local WFdb .

If you are still receiving the alerts, please restart the agent services by following the command:
- Open the command prompt with administrative privileges
- Navigate to C:\Program Files\Palo Alto Networks\Traps
- Run the below command to stop the agent services
#cytool runtime stop
- Run the below command to start the agent services
#cytool runtime start

with this devices will try connect again to the tenant and get the last informations.
sometimes, we need clear agent db:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Clear-agent-database

Re: StoreDesktopExtension.exe - As Malicious

Juliortega — Fri, 23 Jan 2026 20:09:14 GMT

Hello tlmarques,

Thank you for the response.
This solution seems better suited for organizations with only a few endpoints and no users in remote locations. However, when you have more than 100 endpoints—some of them in remote areas—this approach isn’t feasible, and we end up having to open the CDM in Admin mode.
I assume we could use the live terminal to handle this instead.
For now, we’ve simply ignored the alert, and we haven’t seen any new ones since January 20.

Thanks

Re: StoreDesktopExtension.exe - As Malicious

tlmarques — Mon, 26 Jan 2026 10:01:27 GMT

Hi @Juliortega ,

In our company, we have approximately 6,000 machines. What I did was restart the agent via the tenant, and it worked.

For restart agent via tenant you can use this: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Restart-agent

Re: StoreDesktopExtension.exe - As Malicious

L.Filloux — Wed, 28 Jan 2026 09:52:51 GMT

Hello,

I've been bothered with this problem too and I tried your method.
However my "cytool runtime stop" command takes too long (minutes/hours).
We have "anti-tampering" on our Agent settings so before running this command I run the command to disable protection: "cytool protect disable"
It seems like something is blocking and so our agent services cannot stop for some reasons.

If someone got the answer it will be great.
We have a ton of users and machines that suffers this False polsitive alert and I need to stop it.

Thanks for your help

Re: StoreDesktopExtension.exe - As Malicious

Juliortega — Wed, 28 Jan 2026 19:49:35 GMT

Hello,

have you attempted to restart the agent—or all agents—within your tenant?

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Restart-agent

Re: StoreDesktopExtension.exe - As Malicious

L.Filloux — Thu, 29 Jan 2026 08:51:37 GMT

Hello,
Thanks for your answer, the restart worked.