Antivirus detecting WinExeSvc but Huntress isn't reporting anything

Antivirus applications may flag the executable WinExeSvc.exe as a potentially unwanted application (PUA). Winexe creates this file from a Linux host. 

Although this service is not malicious, please reveiw the following article on how Huntress' malware detection works: Why didn't Huntress detect/block a malicious file/activity/ransomware?

Winexe is a Microsoft-provided interface, similar to PsExec, to run commands against a Windows host from Linux and other Unix-based OSes. Winexesvc.exe creates the first time the command runs.

The first time the command is run, WinExeSvc.exe is created (may be located in the %systemroot% folder).

SIEM tools such as FortiSIEM utilize a Linux-based backend and pull information from servers using winexe. 

Tools that use WinExeSvc:

  • Unitrends
  • FortiSIEM
  • AlienVaut
  • OpenVAS
  • Reevert

Snip-it from FortiSIEM documentation: 

If you need more assistance, please reach out to Huntress support at, and we would be happy to help.  

Still need help? Contact Us Contact Us