Runtime Broker (*) is a legitimate Windows system process responsible for managing permissions for Universal Windows Platform (UWP) apps. Although the genuine process is safe, malware can disguise itself as Runtime Broker. Here's how to verify its legitimacy:
Normal Runtime Broker Behavior
- Located in C:\Windows\System32
- Digital signature from Microsoft Windows Publisher
- Brief CPU/Memory spikes when UWP apps open or update permissions
- Multiple instances may run if multiple UWP apps are active
How to Check for Malware
1. Verify File Location:
Open Task Manager (Ctrl+Shift+Esc):

- Right-click Runtime Broker process > "Open file location"
- Legitimate path: C:\Windows\System32\*
- Suspicious path: Any other location (Temp folders, AppData, etc.)
2. Check Digital Signature:
In File Explorer:
- Right-click * > Properties > Digital Signatures
- Valid signer: Microsoft Windows Publisher
- A missing or invalid signature indicates malware
3. Analyze Resource Usage:
- Use Task Manager or Resource Monitor
- Normal: Temporary low-moderate CPU/RAM use
- Suspicious: Persistent high CPU (>40%), unusual disk activity, or network usage without UWP apps running
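
The location and signature checks from steps 1 and 2 can be run against every Runtime Broker instance at once. The PowerShell below is an added example, not part of the original page; it assumes the process image name RuntimeBroker.exe and treats any valid signer whose certificate subject contains "Microsoft Windows" as matching the signer named above.

```powershell
# Added example: read-only audit of every running Runtime Broker instance.
# Assumptions: image name RuntimeBroker.exe; loose signer match on "Microsoft Windows".
$expectedDir = Join-Path $env:SystemRoot 'System32'   # normally C:\Windows\System32

$results = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'RuntimeBroker.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        $finding = [ordered]@{
            PID        = $_.ProcessId
            Path       = $path
            InSystem32 = $false
            SigStatus  = 'Unknown'
            Signer     = $null
            Verdict    = 'Review'
        }

        if (-not $path) {
            # The image path can be hidden from a non-elevated session.
            $finding.Verdict = 'Path unavailable (rerun as Administrator)'
        }
        else {
            # Step 1: compare the parent folder, ignoring case.
            $dir = Split-Path -Path $path -Parent
            $finding.InSystem32 = [string]::Equals(
                $dir, $expectedDir, [System.StringComparison]::OrdinalIgnoreCase)

            # Step 2: validate the signature and capture the signer subject.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $finding.SigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) {
                $finding.Signer = $sig.SignerCertificate.Subject
            }
            $signedOk = ($sig.Status -eq 'Valid') -and
                        ($finding.Signer -like '*Microsoft Windows*')

            if ($finding.InSystem32 -and $signedOk) { $finding.Verdict = 'OK' }
            elseif (-not $finding.InSystem32)       { $finding.Verdict = 'Suspicious: unexpected location' }
            else                                    { $finding.Verdict = 'Suspicious: signature problem' }
        }
        [pscustomobject]$finding
    }

if ($results) { $results | Format-Table -AutoSize -Wrap }
else          { 'No process named RuntimeBroker.exe is running.' }
```

Run it from an elevated PowerShell session so the image path is readable for every instance.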
When to Suspect Malware
- Runtime Broker running when no UWP apps are active
- Multiple identical processes with high resource consumption
- Located outside System32 folder
- Missing or corrupt digital signature
- Antivirus alerts specifically about *
Action Plan
If suspicious:

- Perform full system scan with updated antivirus/anti-malware software
- Verify file location and signature as above
- Scan with specialized tools like Malwarebytes
- If confirmed malware: Quarantine/remove threats via security software
- Use System File Checker: Run sfc /scannow in Command Prompt (Admin) to replace corrupted system files