Weird OneDrive Behavior

LMan17-3728 145 Reputation points
2026-04-20T03:30:59.03+00:00

Accidentally stumbled onto a website that had a trojan (a comic book website, of all things).

My antivirus blocked it and I ran an in-depth scan with administrator privileges through ESET, which came back clean.

As one last final check I did a netstat -ano command on the command line and noticed that everything seemed to be correct except that the OneDrive Sync Service was running, which I haven't seen before. I do have OneDrive installed, although never set up, just as a leftover from when my machine was initially set up.

I promptly ended the task through Task Manager and rebooted the system to see that the service didn't start running again. My question is: is this something I should be concerned about or is this normal OneDrive behavior and I'm letting my paranoia get the better of me?

Clear-headed advice is appreciated.

Windows for home | Windows 11 | Security and privacy

Answer accepted by question author

AI answer

2026-04-20T03:31:15.86+00:00

OneDrive starting a sync-related process by itself on Windows 11 is normal behavior and not, by itself, a sign of infection.

Key points for this scenario:

  1. Visiting a malicious site
    • If the antivirus blocked the trojan and a full in-depth scan came back clean, that strongly indicates no active infection was left behind.
    • For additional safety, keep Windows and security software fully updated and continue to run periodic scans. Guidance on staying protected is in Stay protected with the Windows Security App Defender.
  2. OneDrive Sync Service appearing in netstat / Task Manager
    • OneDrive is built into Windows 11 and may start background processes even if the account has not been fully configured, especially after updates, sign-in changes, or certain app activity.
    • Seeing OneDrive network connections or a sync-related process is consistent with normal operation when the service wakes up to check status or update itself.
    • The fact that, after ending the task and rebooting, it did not immediately start again is also consistent with normal, on‑demand behavior rather than malware persistence.
  3. When to be concerned
    • Signs that would justify deeper investigation include: repeated security alerts, unknown programs installed, browser redirects/pop‑ups that keep returning, or unexplained system changes. In such cases, follow the steps for identifying and removing deceptive software described in “Unexplained Windows or software behavior may be caused by deceptive software,” which includes checking and uninstalling suspicious programs via Control Panel → Programs and Features.
  4. Reasonable next steps
    • Ensure Windows Update and security software are current.
    • Run another scan after a day or two if extra reassurance is needed.
    • Monitor for unusual behavior (new toolbars, pop‑ups, programs you did not install). If any appear, review installed programs and remove those that are clearly unwanted, following the documented precautions about not removing components that might be required by other software.

Based on the described behavior alone, this looks more like normal OneDrive activity plus understandable caution, not clear evidence of compromise.



1 additional answer

  1. DaveM121 891K Reputation points Independent Advisor
    2026-04-20T05:11:35.5466667+00:00

    Right-click the OneDrive cloud icon on your Taskbar and select Settings. Do you see your Microsoft account listed there as automatically logged into the OneDrive app?

    Was this answer helpful?
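
The netstat -ano check described in the question only yields a PID; the PowerShell below extends it to show which binary owns the connections, whether that binary is validly signed, and what launched it. It is an added example, not part of the original thread, and the function name Get-ProcessNetworkAudit and its default process name are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Resolves what netstat -ano only hints at:
# which binary owns the connections, whether it is validly signed, and what launched it.
function Get-ProcessNetworkAudit {
    param(
        # Assumption: image name without ".exe"; OneDrive is the case discussed above.
        [string]$ProcessName = 'OneDrive'
    )

    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ProcessName.exe'"
    if (-not $procs) {
        Write-Warning "No running process named $ProcessName.exe"
        return
    }

    foreach ($p in $procs) {
        # ExecutablePath can be empty when the caller lacks rights to query the process.
        $sig = $null
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # The parent may have exited (or its PID been reused), so treat this as a hint only.
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        # Same PID-to-connection mapping as the PID column of netstat -ano.
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}:{1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State }

        [pscustomobject]@{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer      = $signer
            Parent      = if ($parent) { $parent.Name } else { '(exited)' }
            Started     = $p.CreationDate
            Connections = $conns -join '; '
            # Review manually when the signature is not valid or the signer is not Microsoft.
            NeedsReview = (-not $sig) -or ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

Get-ProcessNetworkAudit | Format-List
```

Running it from an elevated prompt avoids empty Path values for processes the current user cannot query.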

