StoreDesktopExtension.exe - As Malicious


L4 Transporter

Hi,

Recently I have been receiving a lot of alerts related to StoreDesktopExtension.exe; this is usually a legitimate Microsoft Store component.

Anyone with same issue?

If this post answers your question, please mark it as the solution.

Best regards
Tiago Marques

Accepted Solutions

L4 Transporter

Support information:

Probable root cause:
I would like to inform you that I checked the hash in our WildFire portal. Initially the file had a local verdict of malware, which is why a local analysis alert was triggered.

Currently the file is classified as benign, so it is a legitimate application and we can consider the alerts to be false positives.

As the verdict is globally flagged as benign, the alerts will stop once the verdict is updated on your endpoints.

If you are still receiving the alerts, please restart the agent services with the following steps:
- Open a command prompt with administrative privileges
- Navigate to C:\Program Files\Palo Alto Networks\Traps
- Run the command below to stop the agent services
  cytool runtime stop
- Run the command below to start the agent services
  cytool runtime start

Best regards
Tiago Marques


L0 Member

We are having the same issue this morning within the last hour.  Thank you for the solution provided.

 

-Adam

L1 Bithead

I've had 10 hosts with this alert since yesterday. Most came overnight. It's also flagging sihost.exe on 1 host but associating it with the same alert.

StoreDesktopExtension.exe
adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e

sihost.exe
1e115ef87c00e685f8e7b1b184eb9fa3470a0ec75b678a70d3d2d3cbfde3dcb7

Same situation on my side... support says it is a false positive.

Best regards
Tiago Marques

L0 Member

I have been having this problem since last night, and even though the processes are showing as benign the alerts are not stopping. Do we need to manually add the hash to the allow list to stop the alerts?

L0 Member

We have more than 100 hosts getting the same alert; running this command on all hosts will be difficult. Can we exclude this alert?

 

When the devices start updating the WF and tenant information again, the alerts will be closed automatically.

Best regards
Tiago Marques

In my case, I closed all issues as false positives and ran the command (information given by support).
But you can add the hash to the allowlist and the alerts close... or force the health check on the devices, so the devices connect to the tenant again, update their information and start closing the issues... At least that is what support told us.

Best regards
Tiago Marques

L0 Member

Same in our company.

L1 Bithead

We are experiencing the same issue. It began two days ago over the weekend. We have 150 desktops, and only 25 of them are showing this incident.

C:\Program Files\WindowsApps\Microsoft.WindowsStore.....\StoreDesktopExtension.exe. What extension is it?

Hi @Juliortega, StoreDesktopExtension.exe is an executable file associated with the Microsoft Store.

I've opened a case with support and they say:
"I would like to inform you that our engineering team has confirmed that this is a legitimate file from Microsoft, and it is safe to add the "StoreDesktopExtension.exe" file to the allow list."

Best regards
Tiago Marques

L0 Member

We have the same problem with around 150 devices. I had allowed the following hashes:

winstore.app.exe : adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e

StoreDesktopExtension.exe: 727d070460fa4764822b5286b1d9b8fbb5512b6e84ad645a99cb34dcede97647

When I put the hashes above on the whitelist it was solved, but now alerts have started to appear again:

StoreDesktopExtension.exe: 6b39c3583b0496f0be88a2c0ab5773f7f2bfef4f82e53f7f3126ee9ca2bf33ca (1/67 reported as malicious on VirusTotal)

Could you help me with an analysis? Regards

L1 Bithead

Hello, I. Aguilar Gómez:
We received the incidents for only one day (20/01/26).
We took no action and, at present, we no longer see this type of alert.
If you continue receiving alerts, I recommend opening a case with Palo Alto.

Also, we have not received calls or alerts from our users about any application not working for them.
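An added example (not code from the thread or from Palo Alto Networks) of what to check before following the allow-list advice above: confirm that each StoreDesktopExtension.exe on a host carries a valid Microsoft Authenticode signature, and compare its SHA256 with the hashes quoted in this thread, since the replies show the hash changing between Store versions. It assumes an elevated PowerShell session on the endpoint and, for the remote variant, WinRM; the host names are placeholders.

```powershell
# Added example, not from the thread. SHA256 strings below are the ones quoted by posters.
$ThreadHashes = @(
    'adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e',
    '727d070460fa4764822b5286b1d9b8fbb5512b6e84ad645a99cb34dcede97647',
    '6b39c3583b0496f0be88a2c0ab5773f7f2bfef4f82e53f7f3126ee9ca2bf33ca'
)

function Get-StoreExtensionReport {
    param([string[]]$KnownHashes = @())

    # Store packages live under WindowsApps. The folder is ACL-restricted, so
    # unreadable packages are skipped instead of aborting the whole run.
    $files = Get-ChildItem -Path 'C:\Program Files\WindowsApps\Microsoft.WindowsStore*' `
                           -Filter 'StoreDesktopExtension.exe' -Recurse -File `
                           -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        try {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
            $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        } catch {
            Write-Warning "Cannot read $($f.FullName): $($_.Exception.Message)"
            continue
        }
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # A valid chain ending in a Microsoft signer holds across Store updates;
        # a hash-only allow-list entry must be redone whenever the binary changes.
        [pscustomobject]@{
            Path            = $f.FullName
            SHA256          = $hash
            SignatureStatus = $sig.Status
            Signer          = $signer
            MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
            SeenInThread    = ($KnownHashes -contains $hash)
        }
    }
}

# Local host
Get-StoreExtensionReport -KnownHashes $ThreadHashes | Format-Table -AutoSize

# Same check over WinRM on several hosts (names are constructed placeholders)
$Hosts = @('WS-01', 'WS-02')
Invoke-Command -ComputerName $Hosts -ScriptBlock ${function:Get-StoreExtensionReport} `
               -ArgumentList (, $ThreadHashes) |
    Select-Object PSComputerName, Path, SHA256, MicrosoftSigned, SeenInThread |
    Format-Table -AutoSize
```

A row with MicrosoftSigned false, or a hash not seen before, is the one to escalate to support rather than allow-list.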

L4 Transporter

@Juliortega and @I.AguilarGomez

This can appear because some devices have issues updating the local WF db.

If you are still receiving the alerts, please restart the agent services with the following steps:
- Open a command prompt with administrative privileges
- Navigate to C:\Program Files\Palo Alto Networks\Traps
- Run the command below to stop the agent services
  cytool runtime stop
- Run the command below to start the agent services
  cytool runtime start

With this, the devices will try to connect to the tenant again and get the latest information.
Sometimes we need to clear the agent db:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Clear-agent-datab...

Best regards
Tiago Marques