01-13-2026 04:01 AM
Hi,
recently i receive a lot alerts, related with StoreDesktopExtension.exe , this is usually a legitimate Microsoft Store component.
Anyone with same issue?
01-23-2026 12:09 PM
Hello tlmarques,
Thank you for the response.
This solution seems better suited for organizations with only a few endpoints and no users in remote locations. However, when you have more than 100 endpoints—some of them in remote areas—this approach isn’t feasible, and we end up having to open the CDM in Admin mode.
I assume we could use the live terminal to handle this instead.
For now, we’ve simply ignored the alert, and we haven’t seen any new ones since January 20.
Thanks
01-26-2026 02:01 AM
Hi @Juliortega ,
In our company, we have approximately 6,000 machines. What I did was restart the agent via the tenant, and it worked.
For restart agent via tenant you can use this: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Restart-agent
01-28-2026 01:52 AM
Hello,
I've been bothered with this problem too and I tried your method.
However my "cytool runtime stop" command takes too long (minutes/hours).
We have "anti-tampering" on our Agent settings so before running this command I run the command to disable protection: "cytool protect disable"
It seems like something is blocking and so our agent services cannot stop for some reasons.
If someone got the answer it will be great.
We have a ton of users and machines that suffers this False polsitive alert and I need to stop it.
Thanks for your help
01-28-2026 11:49 AM
Hello,
have you attempted to restart the agent—or all agents—within your tenant?
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Restart-agent
01-29-2026 12:51 AM
Hello,
Thanks for your answer, the restart worked.
01-29-2026 04:29 PM
Nosotros agregamos a lista blanca algunso hashes y hoy el hash cambio a los siguiente: este es un log de la alerta en un equipo y el hash ya es diferente a los anteriores...
Información de la aplicación:
ID de proceso: 14412
Ubicación de aplicaciones: C:\Program Files\WindowsApps\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe
Línea de comando: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe" /InvokerPRAID: App /registerStoreTelemetry
Origen del archivo: Unidad de disco duro de este ordenador
Información de la prevención:
Fecha de prevención: jueves, 29 de enero de 2026
Tiempo de prevención: 18:01:15
Versión de SO: 10.0.22631.2.0.0.256.1
Componente: Análisis Local
Código de Cortex XDR: c0400055
Descripción de la prevención: Detectado ejecutable sospechoso
Información adicional 1: C:\Program Files\WindowsApps\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe
Información adicional 2: A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25
Información adicional 3: A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25
Información adicional 4: 1
Información adicional 5: 3B9A1753A8189B5EC1650000060200000E000006000600220060D124006A1401
Información adicional 6: {"trigger":1,"component":311,"cystatus":3225419861,"filePath":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\\StoreDesktopExtension.exe","fileHash":{"sha256":"A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25","sha1":"08D7F9AAF18A3B59F63105D2B99F8F884CD78CEE","md5":"4ACE968441819B2361C213FA9C3AA94C"},"streamHash":{"sha256":"A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25","sha1":"08D7F9AAF18A3B59F63105D2B99F8F884CD78CEE","md5":"4ACE968441819B2361C213FA9C3AA94C"},"verdict":1,"fvHash":"3B9A1753A8189B5EC1650000060200000E000006000600220060D124006A1401","fileType":1,"fileSize":"103936","streamFileType":1,"streamSize":"103936"}
Podrian decirme que hacer? tengo desconfianza aunque no tiene reportes de actividad maliciosa... esto es raro!
01-29-2026 04:34 PM
Hola,
¿Pudo reiniciar el agente desde el tenant?
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Restart-agent
01-30-2026 09:32 AM
Good Day Team,
As of Friday, January 30, 2026, my company is still seeing these types of alerts on various machines - See sample below. Is there something being done on a global scale?
Application information:
Process ID: 11100
Application location: C:\Program Files\WindowsApps\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe
Command line: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe" /InvokerPRAID: App /registerStoreTelemetry
File origin: Hard drive on this computer
Prevention information:
Prevention date: Friday, January 30, 2026
Prevention time: 11:46:45
OS version: 10.0.26100.2.0.0.256.1
Component: Local Analysis
Status code: c0400055
Prevention description: Suspicious executable detected
Additional information 1: C:\Program Files\WindowsApps\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe
Additional information 2: A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25
Additional information 3: aA3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25
Additional information 4: 1
Additional information 5: 3B9A1753A8189B5EC1650000060200000E000006000600220060D124006A1401
Additional information 6: {"trigger":1,"component":311,"cystatus":3225419861,"filePath":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_22512.1401.6.0_x64__8wekyb3d8bbwe\\StoreDesktopExtension.exe","fileHash":{"sha256":"A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25","sha1":"08D7F9AAF18A3B59F63105D2B99F8F884CD78CEE","md5":"4ACE968441819B2361C213FA9C3AA94C"},"streamHash":{"sha256":"A3E37CD38E51383F9DDE04B12D424522D0C30C6896CA803FB47CF54238CDDA25","sha1":"08D7F9AAF18A3B59F63105D2B99F8F884CD78CEE","md5":"4ACE968441819B2361C213FA9C3AA94C"},"verdict":1,"fvHash":"3B9A1753A8189B5EC1650000060200000E000006000600220060D124006A1401","fileType":1,"fileSize":"103936","streamFileType":1,"streamSize":"103936"}
01-30-2026 09:35 AM
I'm currently having the same problem; I see that your hash matches the one that triggered an alert at my company. Regards.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
