Psminitsession.exe May 2026

Yes, but it breaks all PSM session recording and monitoring. For security compliance, most organizations keep it running.


Sigma rule example (suspicious location):

title: psminitsession.exe Unusual Path
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    # Match on the full file name, including the .exe extension
    Image|endswith: '\psminitsession.exe'
  filter:
    Image|contains: '\Program Files\Palo Alto Networks\'
  condition: selection and not filter

Open Services.msc and look for a service named:

psminitsession.exe is a core, digitally signed component of Palo Alto Networks Cortex XDR and GlobalProtect. Its role is to initialize security and VPN sessions for Windows users. While generally safe, its name and privileged execution make it a candidate for false positives and potential masquerading. Security teams should baseline its legitimate path (Program Files\Palo Alto Networks), signature, and parent process (typically userinit.exe or winlogon.exe) to quickly distinguish benign from malicious activity.
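
One way to apply this baseline to process-creation events, as an added example (not part of the original page or any vendor tooling). The path and parent values are the ones stated above; the field names Image and ParentImage follow Sysmon process-creation logs, SignatureStatus is an assumed enrichment field, and the sample events are constructed.

```python
import ntpath

TARGET = "psminitsession.exe"
# Baseline values as stated on this page, lower-cased for comparison.
BASE_DIR = "\\program files\\palo alto networks\\"
PARENTS = {"userinit.exe", "winlogon.exe"}

def check_event(event):
    """Return a list of baseline deviations; an empty list means no finding."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != TARGET:
        return []  # not the binary of interest
    findings = []
    # Anchor the directory at the drive root. A plain substring match, like the
    # rule's 'contains' filter, also accepts C:\Users\Public\Program Files\...
    if not ntpath.splitdrive(image)[1].lower().startswith(BASE_DIR):
        findings.append("unexpected path: " + image)
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in PARENTS:
        findings.append("unexpected parent: " + (parent or "<missing>"))
    # SignatureStatus is an assumed field added by log enrichment.
    if event.get("SignatureStatus") != "Valid":
        findings.append("signature not valid: " + str(event.get("SignatureStatus")))
    return findings

def triage(events):
    """Return (image, findings) for every event that deviates from the baseline."""
    return [(e["Image"], f) for e in events if (f := check_event(e))]

SAMPLE_EVENTS = [  # constructed for this example
    {"Image": r"C:\Program Files\Palo Alto Networks\psminitsession.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Program Files\Palo Alto Networks\psminitsession.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "SignatureStatus": "Unsigned"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

The second sample event passes the Sigma rule's substring filter but fails the anchored path check here, which is why the baseline also covers parent process and signature.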

When investigating potential compromise: