What is G.exe?

Some Windows users may encounter an issue where an item called G is preventing their system from shutting down. Many then try to find this mysterious G.exe file, assuming that it is a malware threat because of its sudden and unexplained appearance.

False Positive

Fortunately, in the vast majority of cases, there shouldn't be anything to worry about, even if you are unable to locate the file on your computer. This is because it is most likely a legitimate hidden window associated with the normal operation of a specific application such as Skype, Outlook, File Explorer, OneDrive, etc. It may also be related to NVIDIA's GeForce video driver, another legitimate program. The message that G is preventing the shutdown of the system may be caused by an improperly closed application, one that has crashed or been forced to shut down.

Real Threat

However, on some Windows systems, the presence of G.exe could be a sign of a malware infection. Infosec researchers have found a similar process associated with a backdoor threat named Backdoor.Graybird.Q. This particular malware can also function as a rootkit. The threat can perform numerous invasive actions on the compromised machine, with its exact behavior determined by the specific goals of the attackers.

Backdoor.Graybird.Q hides itself, adds 'g.exe' to the Windows Registry as a persistence mechanism, creates a 'GrayPigeonServer' service and then deletes its initial payload. Afterward, the rootkit functionality is established. It seems more than likely that the cybercriminals use Backdoor.Graybird.Q as a delivery vehicle for their next-stage malware payloads, such as ransomware, Trojans, crypto-miners, etc. In this case, it is paramount to remove the threat as soon as possible.
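
To tell the harmless case from the real threat, the two indicators named above (the 'GrayPigeonServer' service and a 'g.exe' Registry entry) can be checked from PowerShell. The script below is an added example, not part of the original article; it assumes the Registry persistence uses the standard Run/RunOnce autorun keys, which the article does not specify.

```powershell
# Added example: triage checks for the indicators named in the article.
# Assumption: Registry persistence is looked for in the standard Run/RunOnce
# keys; the article does not say which key Backdoor.Graybird.Q writes to.

$findings = @()

# 1. The service name given in the article.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='GrayPigeonServer'" -ErrorAction SilentlyContinue
foreach ($s in $svc) {
    $findings += [pscustomobject]@{ Check = 'Service'; Location = $s.Name; Detail = $s.PathName }
}

# 2. Autorun values whose command line references g.exe as a file name.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        # Match "g.exe" only as a whole file name, not e.g. "msg.exe".
        if ($value -match '(^|[\\"\s])g\.exe\b') {
            $findings += [pscustomobject]@{ Check = 'Autorun'; Location = "$key\$name"; Detail = $value }
        }
    }
}

# 3. Running processes named "g": record the image path and signature status.
foreach ($p in Get-Process -Name 'g' -ErrorAction SilentlyContinue) {
    $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'PathUnavailable' }
    $findings += [pscustomobject]@{ Check = 'Process'; Location = $p.Path; Detail = "PID $($p.Id), signature: $sig" }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No indicators found by these checks.' }
```

Because the threat is described as having rootkit functionality, an empty result from a running system is not conclusive; a scan from a trusted offline or rescue environment is the stronger check.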