topic Re: StoreDesktopExtension.exe - Again alerts are generated in Cortex XDR Discussions

StoreDesktopExtension.exe - Again alerts are generated

S.Rembhotkar — Fri, 17 Apr 2026 11:06:03 GMT

Hello Team ,

Again we got a spike for similar StoreDesktopExtension.exe alerts today , Any specific reason ?

CGO : C:\Windows\System32\sihost.exe

Initiator path : C:\Program Files\WindowsApps\Microsoft.WindowsStore_22603.1401.7.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe

Re: StoreDesktopExtension.exe - Again alerts are generated

susekar — Fri, 17 Apr 2026 18:28:31 GMT

Hello @S.Rembhotkar ,

Greetings for the day.

The spike in alerts for StoreDesktopExtension.exe is a known issue involving false positive detections by the Cortex XDR Local Analysis engine.

Reason for the Spike:

Legitimate Microsoft Updates:
StoreDesktopExtension.exe is a legitimate Microsoft Windows Store component. Microsoft frequently updates this binary, which changes its file hash.

Local Analysis Heuristics:
When a new version is released, the Local Analysis module (Component 55) may flag the binary as a "Suspicious executable" (CyveraStatus c0400055) based on its machine-learning model before a global WildFire verdict is synchronized to the endpoint.

Communication Failures:
If an endpoint cannot reach the WildFire cloud due to proxy timeouts, DNS issues, or SSL inspection (DPI), it defaults to the local analysis verdict, which may be "Malicious".

Stale Local Cache:
Even after the verdict is updated to "Benign" in WildFire, endpoints may continue to alert if they are utilizing an outdated verdict stored in the agent's local cache.

Recommended Resolutions:

1. Update Content Version
A permanent fix for these Microsoft Store binaries was included in newer Content Updates. Ensure your endpoints are running Content Version 2130-30377 or later (preferably 2150 or higher).

2. Clear Agent Database
To force the agent to refresh its local verdict cache and retrieve the updated "Benign" status from the cloud, perform a Clear Agent Database action from the XDR Console. Alternatively, restart the agent services using cytool:

cd "C:\Program Files\Palo Alto Networks\Traps"
cytool runtime stop
cytool runtime start

3. Path-Based Exclusion

You can add a wildcard path exclusion to your Malware Profile under the "Portable Executable and DLL Examination" module:

C:\Program Files\WindowsApps\Microsoft.WindowsStore_*\StoreDesktopExtension.exe

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: StoreDesktopExtension.exe - Again alerts are generated

N.Majidova — Mon, 20 Apr 2026 08:20:11 GMT

Hi,

This is a known False Positive. StoreDesktopExtension.exe is a legitimate Microsoft Store component, and sihost.exe (Shell Infrastructure Host) as the CGO is completely normal Windows behavior.

To stop the alerts, you can add a file exception in the Cortex XDR console:

Endpoint Security > Exceptions > Add Exception
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsStore_**\StoreDesktopExtension.exe
(using wildcard ** covers future Store version updates as well)

Alternatively, you can add the SHA256 hash of the file directly to your Allow List:
Incident Response > Action Center > Allow List > New Action

Hope this helps!