Windows Defender reports osk.exe as malware

[German]A curious story that German blog reader Paul B. just told me about. Windows Defender triggers a false alarm on a Windows native file reporting a Trojan Win32.AccessibilityEscalation.


Paul wrote within a private e-mail that he observed a strange behavior of Windows Defender since the last signature update. I've translated the text below:

After today's update of the virus signatures for the Defender KB2267602 it detects the "osk.exe" from Microsoft, found in the \system32 directory, as Trojan infected.

This is the "On Screen Keyboard" the Windows own on-screen keyboard.

Fun with Microsoft!


The above screenshot is proof, it shows the Windows Defender notification. Searching the internet doesn't revealed other people affected. Microsoft included the detection for the malware Win32/AccessibilityEscalation.A in Defender:

This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it.

My German blog readers could not confirm that – but shortly after publishing the German edition of this article, another reader left this comment. He observed a similar behavior of his Defender.

Addendum: It's by design

It's not a false alarm. Microsoft's malware scan engine will trigger an  Win32/AccessibilityEscalation.A-Alert, if a system file (like utilman.exe has been manipulated). Such attempts are used within the utilman.exe hack to receive admin rights on a blocked Windows (see my blog post Activate Build-in Administrator account in Windows – II and this article for instance). Since August/September 2018 those hacks won't work anymore, if Microsoft's Defender or Microsoft Security Essentials are running.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

3 Responses to Windows Defender reports osk.exe as malware

  1. Rob van Tiel says:

    I have exactly the same problem : AccessibilityEscalation.A seen as virus.
    This happened after I assisted a friend , who lost his Windows local logon password.
    To overcome that problem . I have replaced utilman.exe in cmd.exe
    ( then at poweron , when you select onscreen keyboard , you will get a cmd screen , so that you can create a new logon etc….
    When I replace utilman.exe with the original one ( instead of cmd ) the virus is not found

  2. Anonymous says:

    I was able to have Windows Defender to allow the file to run. I don't have windows Defender blocking that ever since

  3. andrew says:

    I have exactly the same problem, after I replaced osk.exe with cmd.exe to solve a broken touch screen on an all-in-one PC, using the same method as Rob van Tiel above.
    It's a very scary warning from Windows, you would think it would be able to detect if osk.exe is genuine or not..
    fixed by allowing this file in security.

Leave a Reply

Your email address will not be published. Required fields are marked *