Skip to main content
Participant
July 7, 2026
Question

Is CCXProcess (node.exe) querying the Adobe system policy registry via cmd.exe normal behavior?

  • July 7, 2026
  • 1 reply
  • 14 views

Hello,

We are currently experiencing a high volume of alerts in our SIEM (Elastic Security) related to a specific process behavior associated with Adobe Creative Cloud Experience.

The observed process chain is as follows:

Parent Process:

C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe

Parent Command Line:

"...\node.exe" "...\js\main.js"

Child Process:

C:\WINDOWS\system32\cmd.exe

Command Executed:

C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\system32\reg.exe QUERY "HKLM\SOFTWARE\Policies\Adobe\CCXProcess""

We would like to confirm whether this behavior is expected.

Specifically, could you please confirm whether Adobe Creative Cloud Experience is designed to invoke cmd.exe and reg.exe to query the following registry key as part of its normal operation?

HKLM\SOFTWARE\Policies\Adobe\CCXProcess

If so, could you also confirm that this behavior is expected by design?

Your confirmation will help us accurately classify this activity and appropriately tune our SIEM detection rules.

Thank you in advance for your support.

Best regards,

    1 reply

    Community Manager
    July 7, 2026

    Hello ​@Jnk global

    Thank you for sharing the full process chain and command line details.

    The following points are confirmed in Adobe's official documentation and align with the behavior described:

    • Creative Cloud Content Manager, the component associated with CCXProcess, is built on the node.js framework. This is why node.exe appears as the parent process for this component.

    • On Windows, Creative Cloud Content Manager runs via a scheduled task named "Launch Adobe CCXProcess," which triggers CCXProcess.exe at defined intervals to keep application resources current.

    • This process operates at user-level privileges.

    • Adobe recommends adding the "Launch Adobe CCXProcess" task to security software allow lists to prevent it from being mistakenly blocked.

    Reference documentation:
    https://helpx.adobe.com/x-productkb/global/ccxprocess-os-scheduler.html 

    https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html 

    The specific command executed, cmd.exe invoking reg.exe to query HKLM\SOFTWARE\Policies\Adobe\CCXProcess, is not addressed in the documentation above. This point is being reviewed internally to confirm whether it reflects expected, by-design behavior. An update will be provided here once confirmed.

    The node.exe parent process and the CCXProcess.exe component itself are confirmed to be legitimate per the referenced documentation. 


    ~Tariq