Is it a Virus?
✔ NO - Safe
Should be installed under a standard path like C:\Program Files\Whois\whois.exe
Warning
Multiple instances possible with scripted lookups
If you did not initiate the lookups, investigate startup tasks or scheduled jobs
Can I Disable?
✔ YES
End active lookups in Task Manager and disable startup tasks or uninstall if not needed
What is whois.exe?
whois.exe is a lightweight Windows command-line client used to query domain and IP WHOIS registries. It connects to WHOIS servers, sends queries, and returns results that include registrant details, registrars, and dates for quick verification.
The tool uses TCP port 43 to reach registries, parses plain text responses, and outputs key fields for scripting or quick checks. It supports direct domain lookups and can be integrated into batch files for automated investigations.
Quick Fact: WHOIS protocols date back decades; whois.exe provides a simple, scriptable interface to retrieve registry data from multiple servers.
Types of Whois Processes
- Command-Line Client: The primary interface used to issue WHOIS queries from the command prompt or scripts
- Network Query Handler: Handles the TCP connection to WHOIS servers and receives responses
- Output Parser: Parses server responses into readable fields
- Update/Config Loader: Loads configuration, server preferences, and cache settings
- Logging Helper: Optional logging of queries and results for auditing
- Background Task: Scheduled queries or integrations in automation pipelines
Is whois.exe Safe?
Yes, whois.exe is safe when it comes from a legitimate source and is located in the expected path (e.g., C:\Program Files\Whois\whois.exe) with a valid signature.
Is whois.exe a Virus or Malware?
The genuine whois.exe is NOT a virus. Malware may mimic names; always verify the file path and digital signature.
How to Tell if whois.exe is Legitimate or Malware
- File Location: Must be in C:\Program Files\Whois\whois.exe or C:\Windows\System32\whois.exe. Any other location is suspicious.
- Digital Signature: Right-click the file in Explorer → Properties → Digital Signatures. Should show a trusted signer such as "Microsoft Corporation" or the legitimate Whois vendor.
- Resource Usage: Idle CPU near 0-2% and memory in the single-digit MBs. Large spikes or constant use can indicate a problem.
- Behavior: Should run in response to a query or script. Continuous background operation without a scheduled task is suspicious.
Red Flags: If whois.exe is located in Temp, AppData, or System32 unexpectedly, runs without a manual query, lacks a signature, or shows abnormal resource usage, scan it with antivirus and verify the vendor.
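The location, signature and behavior checks above can be run in one pass from an elevated PowerShell prompt. This is an added example, not part of the original page or any vendor tooling; the allowed paths are the two locations this page names, and the function name is hypothetical.

```powershell
# Added example: triage every running whois.exe against the checks listed above.
# Allowed paths are the two locations named on this page; adjust for your package.
$AllowedPaths = @(
    'C:\Program Files\Whois\whois.exe',
    'C:\Windows\System32\whois.exe'
)

function Test-WhoisProcess {
    # Win32_Process exposes the image path, command line and parent PID together.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'whois.exe'"
    foreach ($p in $procs) {
        $path = $p.ExecutablePath   # $null when access is denied; run elevated
        $sig  = if ($path) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

        # The parent shows what launched the lookup (cmd.exe, a script host, a task).
        $parent = Get-CimInstance -ClassName Win32_Process `
                      -Filter "ProcessId = $($p.ParentProcessId)"

        # -contains is case-insensitive, which matches Windows path semantics.
        $pathOk = [bool]($path -and ($AllowedPaths -contains $path))
        $sigOk  = [bool]($sig -and ($sig.Status -eq 'Valid'))

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Path        = $path
            PathAllowed = $pathOk
            SigStatus   = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer      = if ($sig -and $sig.SignerCertificate) {
                              $sig.SignerCertificate.Subject
                          } else { $null }
            Parent      = if ($parent) { $parent.Name } else { 'exited' }
            CommandLine = $p.CommandLine
            Suspicious  = -not ($pathOk -and $sigOk)
        }
    }
}

# whois.exe exits after each query, so an empty result only means that
# no lookup was in flight at the moment of the check.
Test-WhoisProcess | Format-List
```

Because the process is short-lived, run the same `Get-AuthenticodeSignature` check against any whois.exe file found on disk as well.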
Why Is whois.exe Running on My PC?
whois.exe runs when you or automation initiate a WHOIS lookup, or when a configured task periodically queries domain ownership data.
Reasons it's running:
- Active Lookup: A user or script has issued a WHOIS query, causing the CLI to start and connect to a registry.
- Scheduled Tasks: Automated checks or monitoring jobs invoke whois.exe at defined intervals.
- Batch/Automation Pipelines: CI or IT ops pipelines run WHOIS queries as part of domain inventory tasks.
- Background Cache/Logs: Query history or cache files may cause occasional lookups during maintenance scripts.
- Startup or System Service: Some deployments install a startup task or service that performs periodic lookups.
Can I Disable or Remove whois.exe?
Yes, you can disable whois.exe. If you do not need automated lookups, you can stop it from running and remove the component if desired.
How to Stop whois.exe
- End Active Lookups: Open Task Manager, locate whois.exe, and End Task for any running query
- Prevent Startup: Task Manager → Startup tab → Disable any entry for Whois/WHOIS tooling
- Disable Scheduled Tasks: Open Task Scheduler and disable any jobs invoking whois.exe
- Uninstall: Windows Settings → Apps → Apps & Features → Microsoft Whois (or the specific tool) → Uninstall
- Remove Residual Files: Delete the installation directory (e.g., C:\Program Files\Whois) if you no longer need the tool
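To find the scheduled tasks and startup entries referred to in the steps above before disabling anything, the following added example (not from the original page; function names are hypothetical) lists every task action and startup command that mentions whois.

```powershell
# Added example: locate scheduled tasks and startup entries that reference whois.exe,
# either directly or through a wrapper such as "cmd.exe /c whois.exe ...".
function Get-WhoisScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Exec actions carry Execute/Arguments; COM-handler actions leave both empty.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match 'whois(\.exe)?\b') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    RunAs    = $task.Principal.UserId
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-WhoisStartupEntry {
    # Win32_StartupCommand covers the Run registry keys and the Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Command -match 'whois(\.exe)?\b' } |
        Select-Object Name, Command, Location, User
}

$tasks = Get-WhoisScheduledTask
$tasks | Format-Table -AutoSize
Get-WhoisStartupEntry | Format-Table -AutoSize

# A task that runs a script which calls whois.exe internally will not match here;
# review the script files named in other task actions if lookups continue.

# After reviewing the list, disable the tasks you do not need:
# $tasks | ForEach-Object {
#     Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath
# }
```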
How to Uninstall Whois
- ✔ Windows Settings -> Apps -> Apps & Features -> Select Whois tool -> Uninstall
- ✔ Control Panel -> Programs -> Uninstall a program -> Select Whois tool -> Uninstall
- ✔ Restart your computer after uninstall to ensure no background tasks remain
Common Problems: High CPU or Memory Usage
If whois.exe is consuming unusual resources during operations:
Common Causes & Solutions
- Too Many Concurrent Lookups: Limit parallel queries in your scripts or add delays between requests
- Malformed Queries: Ensure the query syntax and target server are correct; specify the server with the -h or -s option if supported
- Network Latency or Timeouts: Check network connectivity, try different WHOIS servers, and increase timeout if configurable
- Background Tasks: Disable or adjust scheduled tasks that run lookups too frequently
- Outdated Tool: Update to the latest Whois tool version to fix bugs and improve efficiency
- Malware/Corruption: Run antivirus/malware tools and verify the executable's signature and location
Quick Fixes:
1. Review active queries in Task Manager and end unnecessary lookups
2. Verify the tool’s installation path: C:\Program Files\Whois\whois.exe
3. Check for scheduled tasks invoking whois.exe and disable them
4. Update to the latest whois.exe version
5. Run antivirus and verify the digital signature of the executable
Frequently Asked Questions
Is whois.exe safe?
Yes, the legitimate whois.exe from a trusted vendor is safe when located at C:\Program Files\Whois\whois.exe or C:\Windows\System32\whois.exe and signed by a recognized publisher.
How do I use whois.exe to look up a domain?
Open a Command Prompt and type: whois.exe example.com. You can also specify a server: whois.exe -h whois.verisign-grs.com example.com.
Can I script whois.exe lookups?
Yes. Output is plain text, so you can pipe it to files or parse it in scripts for automation.
Where is whois.exe installed by default?
Typical installations place it in C:\Program Files\Whois\whois.exe or in C:\Windows\System32\whois.exe depending on the package.
What ports does whois.exe use?
WHOIS generally uses TCP port 43 to connect to registries; TLS-based variants may use 853 in newer setups.
Why is whois.exe running at startup?
If configured by your deployment, a startup task or monitoring script may invoke whois.exe automatically; disable startup items if not needed.