Have you ever opened your Task Manager and noticed a process called RuntimeBroker.exe consuming CPU or memory? If you’re wondering what it is and whether it’s safe, you’re not alone.
In this guide, we’ll explain what Runtime Broker does, when its behavior is considered normal, and when its behavior might indicate a more serious issue and possible malware infection. Let’s not forget that malware often exploits legitimate files and processes.

RuntimeBroker.exe Details
Name | RuntimeBroker.exe |
Type | A legitimate Windows system process that may be exploited for malicious activity. |
Removal Time | Approximately 15 minutes to scan the whole system |
Removal Tool |
See If Your System Has Been Affected by malware
Download
Spy Hunter
|
What Is RuntimeBroker.exe?
RuntimeBroker.exe is a legitimate Windows system process that plays a crucial role in managing permissions for apps from the Microsoft Store (also known as UWP or Universal Windows Platform apps).
Its job is to act as a middleman between UWP apps and your system resources. Whenever a store app requests access to something sensitive—like your microphone, webcam, files, or location, Runtime Broker ensures it follows proper permission rules.
Where Is It Located?
The genuine Runtime Broker file should be found at:
C:\Windows\System32\RuntimeBroker.exe
If it’s located elsewhere, it could be a red flag.
Why Is RuntimeBroker.exe Using CPU or RAM?
Normally, Runtime Broker runs in the background and uses minimal resources, typically under 20 MB of RAM and almost no CPU. However, it may briefly spike in usage when:
- You open a Microsoft Store app for the first time
- An app requests a new permission (e.g., microphone access)
- A background UWP process is triggered by the system
These brief spikes are expected and typically resolve quickly.
When to Worry: Signs of Irregular Behavior
If you notice that RuntimeBroker.exe is using:
- High CPU (10–40%) for an extended time
- Memory usage above 100 MB continuously
- Multiple instances running at once
Then it may not be functioning normally or even worse, it might not be legitimate at all.
Check the File Location
To verify the process:
- Open Task Manager (Ctrl + Shift + Esc)
- Locate Runtime Broker under the Processes tab
- Right-click, then Open File Location
If the file path is anything other than:
C:\Windows\System32\RuntimeBroker.exe
it’s likely a malicious impersonator.
What to Do If RuntimeBroker.exe Acts Suspicious
To be certain that the process is safe, you can perform several simple checks:
- Check the file location, as we already explained.
- Check the file’s digital signature by right-clicking on the file in its location.
- Run a malware scan with a reputable anti-malware program, such as SpyHunter, to make sure that the file hasn’t been altered by malware, or even replaced.