sppsvc.exe: Safe Windows Service, High CPU, or Malware?

Brendan Smith
Brendan Smith - Cybersecurity Analyst
15 Min Read
sppsvc.exe safety check comparing a signed System32 file with an unverified or malicious copy.
A signed System32 sppsvc.exe can be legitimate, while a wrong-path or modified copy needs investigation.

sppsvc.exe is normally the legitimate Microsoft Software Protection Platform service. Its expected file is C:\Windows\System32\sppsvc.exe, and Windows uses it to enforce digital licenses for the operating system and licensed apps. A short CPU burst during sign-in, activation, or an update can be normal if it settles quickly. Investigate the process when it runs from another folder, lacks a valid Microsoft signature, stays busy repeatedly, or appears in an antivirus alert. Do not delete or permanently disable the real System32 file just because its name looks unfamiliar.

What you find Risk and what to do
C:\Windows\System32\sppsvc.exe, valid Microsoft signature, CPU drops after a short licensing check Usually legitimate. Keep the service and monitor it.
Correct path, but CPU stays high or activation errors repeat More likely a damaged licensing or Windows component than proof of malware. Repair Windows and check activation.
sppsvc.exe in AppData, Temp, ProgramData, Downloads, or an unrelated program folder Suspicious lookalike. Do not allow it; quarantine and scan the PC.
Correct System32 path, but the signature is invalid or security software reports Expiro Do not assume it is safe because of the path. A file infector can modify a legitimate executable; follow the Expiro decision flow below.
The file or Software Protection service is missing after a KMS activator Remove the activator, repair Windows, and restore legitimate activation. Never download a replacement EXE from a file-library site.

What is sppsvc.exe?

sppsvc.exe runs the Windows service named sppsvc, displayed as Software Protection. Microsoft describes it as the component that downloads, installs, and enforces digital licenses for Windows and Windows applications. Microsoft also recommends that users do not disable the service because Windows and licensed apps may enter notification mode.[1]

The process is not supposed to run at maximum CPU continuously. It can start on demand when Windows checks activation, a licensed application opens, the PC signs in, or licensing components change. A brief spike that ends is different from a process that restarts every few minutes, remains busy for a long time, or appears together with activation errors and security warnings.

Also distinguish the service from similarly named files. Malware can use a familiar filename without being the Windows component. Gridinsoft ThreatInfo, for example, records a separate malicious sample named sppsvc.exe outside the normal System32 context. A filename is an identifier, not a safety certificate.

How to check whether sppsvc.exe is safe

  1. Open the running file location. In Task Manager, open the Details tab, right-click sppsvc.exe, and select Open file location. The normal file should open from C:\Windows\System32.
  2. Check the digital signature. Right-click the file, choose Properties, open Digital Signatures, and verify that Windows reports a valid Microsoft signature. A missing or invalid signature is a warning, although an invalid signature can also indicate file corruption.
  3. Check the service configuration. Open Terminal or Command Prompt as administrator and run:
sc.exe qc sppsvc

Look at BINARY_PATH_NAME. It should point to the Windows System32 copy, not a user-writable folder or an unrelated application directory.

  1. Compare the timing. Restart Windows and watch the process for several minutes. A short activation check that ends is less concerning than repeated high CPU, unexpected network activity, or a process that returns after quarantine.
  2. Check the source of any alert. In Windows Security, open Protection History and record the exact detection name, affected path, status, and time. Do not judge the alert by the filename alone. Our Microsoft Defender detection-name guide explains how the label, path, signature, and recurrence work together.

For an unfamiliar executable, use the broader EXE safety checklist before restoring, allowing, or running it.

Fix sppsvc.exe high CPU without disabling Windows licensing

High CPU is not automatically a virus. First separate a short licensing event from a persistent problem:

  • Wait two or three minutes after sign-in and see whether usage falls.
  • Install pending Windows updates and restart once.
  • Open Settings → System → Activation and confirm that Windows reports an active license.
  • Note whether the spike begins when Office or another licensed Microsoft application opens.
  • Check Reliability Monitor for repeated Software Protection, licensing, or application crashes.

If CPU remains high, do not solve it by taking ownership of licensing registry keys, deleting token files at random, or setting Software Protection to Disabled. Those workarounds can hide the symptom while creating activation and update failures.

Repair Windows components instead. Open Terminal as administrator, run DISM first, wait for it to finish, and then run System File Checker:

DISM.exe /Online /Cleanup-Image /RestoreHealth
sfc /scannow

Microsoft documents this order for restoring missing or damaged Windows components.[2] Restart after both commands finish, check Activation again, and recheck CPU behavior. If SFC cannot repair files, preserve its result rather than downloading sppsvc.exe from an unofficial site.

When sppsvc.exe may be malware

Treat the process as suspicious when one or more of these conditions apply:

  • it runs outside C:\Windows\System32;
  • the signer is missing, invalid, or not Microsoft;
  • the spelling is a lookalike such as sppsvс.exe with a substituted character;
  • it starts from an unrelated scheduled task, Run key, browser profile, or recently installed bundle;
  • it returns after the visible file is deleted or quarantined;
  • it appeared after a crack, KMS activator, repack, fake update, or unknown installer;
  • high CPU comes with browser changes, disabled security settings, new exclusions, or unexplained outbound traffic.

A wrong-path copy should not be moved into System32 or renamed to make it look legitimate. Keep it quarantined, remove the program that installed it, inspect persistence points, and run a full system scan.

What if Defender reports Expiro on System32\sppsvc.exe?

An alert such as Virus:Win64/Expiro.DA!MTB or Virus:Win32/Expiro.HNW!MTB changes the decision. Expiro is a file-infector family: Microsoft reports that it searches drives and modifies executable files.[3] Therefore, a detection on the correct C:\Windows\System32\sppsvc.exe path can mean that a real Windows file was modified. The correct folder alone does not clear it.

Use these signals:

  • Several unrelated EXE files are detected: a real file-infector incident is more likely. Disconnect external drives, avoid opening programs, and follow the full Expiro removal and safe-backup guide.
  • The alert returns after reboot or spreads to USB/external drives: do not restore quarantined executables. Scan connected media and prepare for a clean reinstall if detections are widespread.
  • Only one signed core file is flagged after a clean installation: update security definitions, run an offline scan, verify the signature again, and submit the file to Microsoft for analysis before restoring it. This pattern can justify a false-positive review, but it does not prove a false positive.
  • Other software begins triggering Expiro alerts: stop installing or restoring applications. A previously connected drive, old installer, synced executable, driver package, or infected backup can reintroduce files even after Windows itself was reinstalled.

Do not jump from a post-install alert to an unsupported BIOS or firmware-infection claim. First verify the installation media, attached drives, restored files, OEM packages, exact hashes, signatures, and whether multiple executables are actually changing.

How to repair or remove a suspicious sppsvc.exe safely

  1. Disconnect risky media. Unplug external drives when several executable files are being detected. Do not browse those drives from another Windows PC before scanning them.
  2. Keep the alert contained. Do not restore or allow a wrong-path, unsigned, or Expiro-detected copy while investigating.
  3. Run Microsoft Defender Offline. Save your work first; the PC restarts and scans before normal Windows activity can hide an infection.
  4. Repair protected system files. Run DISM and SFC in the order shown above. Let Windows restore its own component instead of downloading a replacement executable.
  5. Check persistence and leftovers. If the warning returns, the file already ran, or the path was user-writable, inspect scheduled tasks, services, startup entries, Defender exclusions, recent installed apps, and browser changes.
  6. Recheck activation. Once Windows is clean and repaired, open Settings → System → Activation. Use a legitimate product key or your organization’s real activation service.
  7. Choose reinstall when infection is widespread. If Expiro keeps appearing in many executables, create installation media on a trusted computer and follow the clean Windows USB workflow. Restore documents and media selectively; do not restore old program folders or installers.

A security tool can quarantine the visible file while a loader, scheduled task, service, exclusion, or bundled module remains and recreates the warning. When the path is wrong or the alert returns, run a full Gridinsoft Anti-Malware scan, remove detected persistence and bundled components, reboot, and scan again before restoring any file.

Check suspicious process lookalikes and startup sources.

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Scan a suspicious sppsvc.exe copy

What if a KMS activator changed sppsvc?

KMSPico, AutoKMS, AutoPico, and similar tools are not repairs for Software Protection. They can add scheduled tasks and services, alter licensing behavior, create exclusions, or arrive inside bundled installers. If sppsvc.exe became missing, disabled, or constantly busy after an activator, remove the activator and its persistence first. The KMSPico cleanup guide covers that workflow.

After cleanup, run DISM and SFC, restart, and restore legitimate activation. Do not install a second activator, replace sppsvc.exe manually, or import registry permissions from an unknown script.

FAQ

Can I end sppsvc.exe in Task Manager?

Ending it may stop the current licensing check, but Windows can start the service again. If usage is brief, leave it alone. If it is persistent, repair Windows and activation rather than permanently disabling the service.

Why is sppsvc.exe not running?

The service can run on demand, so its absence from Task Manager is not automatically a problem. Investigate when the actual System32 file is missing, the service cannot start when needed, or Windows and Office report activation failures.

Does the System32 path prove sppsvc.exe is safe?

No. The correct path is a strong legitimacy signal, but it is not conclusive. Check the Microsoft signature and the exact antivirus result. A file-infector such as Expiro can modify a legitimate executable in its normal folder.

Should I restore sppsvc.exe from quarantine?

Do not restore it immediately. Update definitions, record the detection and path, run an offline scan, and repair system files. If it is a single signed-file alert with no other symptoms, submit it for vendor analysis before deciding whether it is a false positive.

Is high CPU from sppsvc.exe always malware?

No. A short burst during sign-in, activation, or a licensed-app check can be normal. Repeated or sustained usage, a wrong path, an invalid signature, activation errors, or other security symptoms require investigation.

References

  1. Microsoft. “Security guidelines for disabling system services in Windows Server: Software Protection.” Microsoft Learn, accessed July 15, 2026. https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
  2. Microsoft. “Use the System File Checker tool to repair missing or corrupted system files.” Microsoft Support, accessed July 15, 2026. https://support.microsoft.com/en-us/windows/experience/backup-recovery/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files
  3. Microsoft Security Intelligence. “Win32/Expiro.” Microsoft Malware Encyclopedia, accessed July 15, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FExpiro
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?