DataExchangeHost.exe running on my pc but I don’t have a Virtual Machine

Solved by AdvancedSetup




About a month ago I noticed that I had a service called DataExchangeHost.exe running on my task manager. I did some searching and found out that some virtual machines use the program. I decided to restart my pc to see if that would fix things and it certainly did. After the restart I didn’t see DataExchangeHost. I also did some antivirus scans using Malwarebytes, McAfee and Windows Defender to see if anything was wrong and all scans came out good.

Skip forward to today and I noticed that the service was up and running again. I decided to stop the process and come here to see if it could be malware or if it’s just part of windows. 

I’m running Windows 10 Home, the latest version, and I have an HP Pavilion 15 eg0073cl.

Any help would be appreciated.

Note: I don’t use virtual machines nor have any installed.


  • Root Admin

Hello @TheLobster123


Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.






When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download







  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.


Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.




  • Root Admin

I don't see that process running in the logs. DataExchangeHost.exe


I do see that the computer appears to possibly be a business machine? It's trying to connect and authorize with a Microsoft Azure Cloud service.


Application errors:
Error: (01/20/2021 07:57:06 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-NHHH2TI2$ via https://INTC-KeyId-xxxxxx.microsoftaik.azure.net/templates/Aik/scep failed:


Is this a work computer you've taken home?




  • Root Admin

None of those rely on Azure

We could change the workgroup and see if that resets anything that may have been associated.

Review the following and change the Workgroup to something else. The name doesn't really matter all that much.



Then restart the computer a couple of times and then get me new FRST logs



  • Root Admin

As you can see, these are the only accounts on the system.

==================== Accounts: =============================

Administrator (S-1-5-21-3251781293-701323939-3677769584-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3251781293-701323939-3677769584-503 - Limited - Disabled)
Guest (S-1-5-21-3251781293-701323939-3677769584-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3251781293-701323939-3677769584-504 - Limited - Disabled)
znath (S-1-5-21-3251781293-701323939-3677769584-1001 - Administrator - Enabled) => C:\Users\znath


So, only your own znath account is enabled and available and does have Administrator rights. There are no other accounts logging into the computer without your password.


Please click on Start and type in Reliability and run that and check on any issues the computer has been having




  • Root Admin

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.



  • Root Admin

No new, unknown accounts on Windows
No new, unknown networks on the route for networking

Let me have you run a Microsoft Safety Scanner



The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft


Please let me know the results of this scan.

The log is named MSERT.log 

The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is


Please attach that log with your next reply.




Hello, thanks for the help. I have three questions before we end. Any that you can answer will be appreciated.

1. Did my computer have malware?

2. You mentioned that my computer was trying to reach Azure servers. Were we able to fix that?

3. What could’ve caused DataExchangeHost to show up? 

Again thanks for all the help. 


  • Root Admin

1. I did not see anything obvious and using various scanners they did not either
2. We would have to double check by restarting the computer and seeing if a new entry in the Event Logs shows up for it. Basically open Event Viewer and look for a new entry. You can filter for EventID: 86
3. Difficult to say for sure as it was not there in the logs to try to track down. It appears you were able to remove it already so it was not there for me to track down.
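
The check described in point 2, as an added example that is not part of the original reply: it lists Event ID 86 entries from the CertEnroll source that were logged since the last boot, next to the most recent earlier ones for comparison. It assumes the entry is written to the Application log, as the "Application errors" excerpt earlier in the thread suggests.

```powershell
# Added example, not from the thread. Run in Windows PowerShell after the restart.
# Assumption: the CertEnroll error is recorded in the Application log.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# All Event ID 86 entries in the Application log whose source name contains CertEnroll.
$all = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 86 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertEnroll*' }

# Split them into entries written since this boot and older ones.
$sinceBoot = @($all | Where-Object { $_.TimeCreated -ge $boot })
$earlier   = @($all | Where-Object { $_.TimeCreated -lt $boot } | Select-Object -First 3)

"Last boot: $boot"
"Entries since boot: $($sinceBoot.Count)"
$sinceBoot | Select-Object TimeCreated, ProviderName, Id, Message | Format-List

"Most recent earlier entries (for comparison): $($earlier.Count)"
$earlier | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
```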



Hello @AdvancedSetup,

I'll do what you mentioned in step 2 as soon as I get home. I did a quick Google search and it said that event EventID: 86 was an error that occurred when pinging a server. My concern is that I’m not trying to ping a server. I mainly use the computer for gaming and for college work. So I don’t know why my computer would be pinging an Azure server.

I’m not good with network stuff so forgive me if this sounds dumb, I’m just concerned about my computer sharing data with an unknown server.


  • Root Admin
  • Solution

Okay, so.. finding nothing on this for malware I decided to review the "dataexchangehost.exe" file a bit more.

This is a digitally signed file from Microsoft and is included with Windows core operating system files.

The following key

Leads to this next key

Which has an appID of

Which leads to
(default) %SystemRoot%\system32\dataexchange.dll

So: {9FC8E510-A27C-4B3B-B9A3-BF65F00256A8} leads to Drag and Drop for work on WinPE work here

AppID {C2E9756F-8155-4EAC-9ED5-0B690169D412}
(default) C:\Windows\System32\DataExchangeHost.exe

Then DataExchangeHost leads to

Which then leads to
(DllPath) %SystemRoot%\system32\DataExchange.dll

Then you can also see that OLE here also has the same key name that points back to %SystemRoot%\system32\dataexchange.dll
DragDropExtension: {9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}

Then DragDropHost entry has: {228826af-02e1-4226-a9e0-99a855e455a6}
(default) ImmersiveShellBroker
(AppID) {2fd08a73-d1f1-43eb-b888-24c2496f95fd}


Also, here are some ASCII strings from within the file that also back up that this is used for Drag and Drop

Ubad locale name
unknown error
iostream stream error
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
invalid string position
string too long
bad cast
vector<T> too long
Bmap/set<T> too long
bad allocation


So, in a nutshell that file (dataexchangehost.exe) is for Drag and Drop operations and exchanging the data between apps





Edited by AdvancedSetup
updated information
  • Thanks 1
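
A way to repeat the checks from the solution post on your own machine, as an added example that is not part of the original post: it reports where a running DataExchangeHost.exe was started from, the signature status of the file on disk, and what the GUIDs quoted above are registered to. The file path and GUIDs are the ones in the post; the registry locations searched are the standard COM registration roots, which is an assumption because the post's own key paths are not shown on the page.

```powershell
# Added example, not from the original post.
$expected = Join-Path $env:SystemRoot 'System32\DataExchangeHost.exe'

# 1. Running instances: image path and parent process. A copy running from
#    anywhere other than System32 deserves a closer look.
$procInfo = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'DataExchangeHost.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        ProcessId      = $p.ProcessId
        Path           = $p.ExecutablePath   # may be empty without an elevated prompt
        PathAsExpected = ($p.ExecutablePath -eq $expected)
        Parent         = $parent.Name
    }
}
if ($procInfo) { $procInfo | Format-Table -AutoSize } else { 'DataExchangeHost.exe is not running right now.' }

# 2. Signature of the file on disk. Windows system files are often catalog-signed,
#    which Get-AuthenticodeSignature reports in SignatureType.
if (Test-Path -LiteralPath $expected) {
    $sig = Get-AuthenticodeSignature -FilePath $expected
    [pscustomobject]@{
        Status        = $sig.Status            # 'Valid' is the expected result
        SignatureType = $sig.SignatureType
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
    } | Format-List
} else {
    "File not found: $expected"
}

# 3. COM registration for the GUIDs quoted in the post.
#    Assumption: they live under HKEY_CLASSES_ROOT\CLSID or \AppID.
$guids = '{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}', '{C2E9756F-8155-4EAC-9ED5-0B690169D412}'
$regInfo = foreach ($g in $guids) {
    foreach ($sub in "CLSID\$g", "CLSID\$g\InprocServer32", "CLSID\$g\LocalServer32", "AppID\$g") {
        $key = "Registry::HKEY_CLASSES_ROOT\$sub"
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{ Key = $sub; Default = $props.'(default)'; AppID = $props.AppID }
        }
    }
}
$regInfo | Format-Table -AutoSize -Wrap
```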

This topic is now closed to further replies.
