The $100,000 Helpdesk Nightmare: How the Windows 11 Task Manager Bug Is Flooding Your IT Department (And the PowerShell Fix).


Published by CyberDudeBivash • Date: Nov 3, 2025 (IST)


A bug in the Windows 11 optional update KB5067036 leaves a hidden process behind each time a user opens and closes Task Manager, leading to performance degradation, thousands of help-desk tickets and lost IT hours. Here’s how to detect it, fix it via PowerShell, and protect your cost centre.

TL;DR

  • The Windows 11 update **KB5067036** introduces a bug where closing Task Manager leaves hidden processes behind and each re-open spawns a new one.
  • Users repeatedly opening and closing Task Manager can generate dozens of ghost instances, each using ~20-25 MB RAM and ~0-1.5% CPU, costing IT support time, degrading devices and overloading the help desk.
  • Immediate fix: run a PowerShell kill-script or block the offending update until Microsoft issues a patch. Full script below.

Contents

  1. Context & Affected Versions
  2. Lab / Environment Setup
  3. Reproduction – Behavior Walk-through
  4. PowerShell Fix & Script
  5. Root Cause & Help-Desk Cost Impact
  6. Detections & Metrics for IT/SOC
  7. Mitigations & Temporary Controls
  8. IOCs & Artifacts (Ghost Processes, KB IDs)
  9. 30-60-90 Day Program for IT Ops
  10. FAQ
  11. References

1) Context & Affected Versions

Product: Windows 11 (builds 24H2 / 25H2) • Update: KB5067036 (Build 26200.7019 or 26100.7019) • Component: Task Manager (taskmgr.exe) process-close logic. 

Many end-user devices in enterprise deployments have had this optional update installed, either manually or via flight rings. If Task Manager is opened and then closed via “X” repeatedly, each close leaves a hidden instance. Over time these accumulate into dozens or hundreds of instances consuming memory and CPU, which degrades performance and drives up help-desk calls.

2) Lab / Environment Setup

  • Target environment: Windows 11 24H2/25H2 VM (32 GB RAM) with update KB5067036 installed.
  • Attacker/Trigger: Standard user triggers Task Manager via Ctrl+Shift+Esc or right-click Taskbar → Task Manager; repeatedly open & close via “X”.
  • Network/Svc/Scope: Endpoint only; no network exploitation – purely local client performance issue.
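# Example lab command to simulate open-close loop
for ($i = 1; $i -le 50; $i++) {
  Start-Process "taskmgr.exe"
  Start-Sleep -Milliseconds 200
  # Close every instance that currently has a visible window (the "X" equivalent)
  Get-Process taskmgr -ErrorAction SilentlyContinue | Where-Object { $_.MainWindowHandle -ne 0 } | ForEach-Object { $null = $_.CloseMainWindow() }
  Start-Sleep -Milliseconds 200
}
# Count the taskmgr.exe instances left behind
Get-Process taskmgr -ErrorAction SilentlyContinue | Measure-Object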

3) Reproduction – Behavior Walk-through

  1. Open Task Manager normally.
  2. Click the “X” (Close) button.
  3. Re-open Task Manager.

Due to the bug, the original taskmgr.exe process remains hidden and a new one is launched. Repeating steps 2-3 creates many ghost processes.

# In Task Manager > Details tab you’ll see:
taskmgr.exe   (1st instance)
taskmgr.exe   (2nd instance)
taskmgr.exe   (3rd instance)
… eventually: dozens/hundreds of instances => >2 GB RAM used in test. 

Help-desk symptoms: slow desktop, signs of high memory usage, users complaining that “PC running slow after opening Task Manager” or “help-desk screen shows dozens of taskmgr.exe processes”.

4) PowerShell Fix & Script

4.1 Immediate PowerShell Kill Script

# Run as Administrator
# Force-terminates every taskmgr.exe instance, visible or hidden
Get-Process taskmgr -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "All Task Manager instances terminated"

4.2 Scheduled Task to Auto-Clean Every 5 Minutes

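# Run as Administrator. Note: this also closes a Task Manager window that is in use when the task fires.
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-WindowStyle Hidden -Command `"Get-Process taskmgr -ErrorAction SilentlyContinue | Stop-Process -Force`""
# -RepetitionInterval is only valid with a -Once trigger (not -AtStartup), so start now and repeat every 5 minutes
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "CleanupTaskMgrBug" -Description "Kill residual TaskMgr instances"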

Note: This is a temporary mitigation until Microsoft issues a formal patch.
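
A narrower variant of the cleanup above, as an added example that is not part of the original post: it stops only taskmgr.exe instances without a window, so a Task Manager someone is actively using survives, and it supports -WhatIf for a dry run. The function name, the age threshold and the rule "no main window = ghost" are assumptions; run it inside the user's session, and note that a Task Manager set to hide when minimized also has no main window.

```powershell
# Added example (hypothetical function name): stop only windowless taskmgr.exe instances.
function Remove-TaskMgrGhost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Ignore instances younger than this, so one that is still starting is not killed
        [int]$MinAgeSeconds = 30
    )

    $cutoff = (Get-Date).AddSeconds(-$MinAgeSeconds)
    $stopped = 0

    foreach ($p in @(Get-Process -Name taskmgr -ErrorAction SilentlyContinue)) {
        # Assumption: a ghost instance has no main window; anything with a window is left alone
        if ($p.MainWindowHandle -ne 0) { continue }

        # StartTime can be unreadable for an elevated process; skip those rather than guess
        try {
            if ($p.StartTime -gt $cutoff) { continue }
        } catch {
            continue
        }

        if ($PSCmdlet.ShouldProcess("taskmgr.exe PID $($p.Id)", 'Stop-Process')) {
            try {
                Stop-Process -Id $p.Id -Force -ErrorAction Stop
                $stopped++
            } catch {
                Write-Warning "PID $($p.Id): $($_.Exception.Message)"
            }
        }
    }

    # Number of instances actually terminated
    $stopped
}

# Dry run: lists what would be stopped and returns 0
Remove-TaskMgrGhost -WhatIf
```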

5) Root Cause & Help-Desk Cost Impact

  • The “X” button close event fails to terminate taskmgr.exe properly, likely due to a bug in the process-grouping fix in KB5067036.
  • Each open-close cycle spawns a new instance without terminating the previous one → ghost accumulation.
  • In an enterprise scenario: a user opens and closes Task Manager, IT sees hundreds of instances, performance slows and dozens of tickets follow → if average IT hour cost = $150, 20 tickets/day = $3k/day → monthly cost easily exceeds $100k across an org. (“$100,000 Helpdesk Nightmare”)

6) Detections & Metrics for IT/SOC

Endpoint/Inventory Check

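Query all endpoints:
# Returns a result only when more than 3 taskmgr.exe instances are running on the device
Get-Process -Name taskmgr -ErrorAction SilentlyContinue | Group-Object -Property Name | Where-Object { $_.Count -gt 3 }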

SIEM/Procinsight Table

DeviceProcesses
| where ProcessName == "taskmgr.exe"
| summarize instances = count() by DeviceName, bin(TimeGenerated,1h)
| where instances > 5
| project DeviceName, instances, TimeGenerated

Helpdesk KPI Alert

  • Tickets with “Task Manager” in description & reopened >3 times in last hour.
  • Desktop performance metrics: free RAM 80% due to taskmgr.exe count & replication.
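
The endpoint checks above combined into one per-device report, as an added example that is not from the original post: it compares the OS build against the builds listed in section 1, looks for the KB record, and counts taskmgr.exe instances against the >3 threshold. The function name and output fields are hypothetical, and treating an instance without a main window as a ghost is an assumption.

```powershell
# Added example (hypothetical function name): triage report for the KB5067036 issue.
function Get-TaskMgrGhostReport {
    [CmdletBinding()]
    param(
        [int]$Threshold = 3,                       # alert level used in this article
        [string]$KbId = 'KB5067036',
        [int[]]$AffectedBuilds = @(26100, 26200),  # builds named in section 1
        [int]$AffectedRevision = 7019
    )

    # OS build and update revision (UBR) from the standard CurrentVersion key
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Installed-update record; can be missing even when the build number matches
    $kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $procs = @(Get-Process -Name taskmgr -ErrorAction SilentlyContinue)
    # Assumption: a ghost instance has no main window (valid only in the user's session)
    $noWindow = @($procs | Where-Object { $_.MainWindowHandle -eq 0 })
    $wsBytes  = ($procs | Measure-Object -Property WorkingSet64 -Sum).Sum

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Build           = '{0}.{1}' -f $build, $ubr
        OnAffectedBuild = ($AffectedBuilds -contains $build) -and ($ubr -eq $AffectedRevision)
        KbInstalled     = [bool]$kb
        Instances       = $procs.Count
        NoWindow        = $noWindow.Count
        WorkingSetMB    = [math]::Round([double]$wsBytes / 1MB, 1)
        Flagged         = $procs.Count -gt $Threshold
    }
}

Get-TaskMgrGhostReport | Format-List
```

Over PowerShell remoting the session cannot see the user's desktop, so expect NoWindow to equal Instances there and rely on the Instances count.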

7) Mitigations & Temporary Controls

  1. Block update: Defer or roll back KB5067036 via WSUS or update management until a full patch is available.
  2. Deploy fix script: Run the PowerShell kill-script across impacted endpoints and schedule the cleanup task.
  3. User guidance: Advise users not to repeatedly open/close Task Manager via “X” — use right-click → End Task instead.
  4. Monitor/help-desk: Prioritize tickets referencing Task Manager duplicates and run batch remediation via endpoint manager.
  5. Patch timeline: When Microsoft issues the fix, roll it out immediately and verify ghost taskmgr.exe count drops to

8) IOCs & Artifacts

| Type | Indicator / Pattern | Notes |
| --- | --- | --- |
| Update ID | KB5067036 | Optional Windows 11 build causing bug. |
| Process Name | taskmgr.exe | Multiple instances observed. |
| Symptom | instances >1 & increasing over time | Key indicator for detection query. |

9) 30-60-90 Day Program for IT Ops

Day 0–30 — Contain

  • Identify all Windows 11 devices with KB5067036 installed via inventory scan.
  • Deploy PowerShell kill-script to terminate ghost taskmgr.exe instances and schedule automated cleanup.
  • Update help-desk knowledge base with guidance: “If Task Manager slow, run script” and escalate tickets accordingly.

Day 31–60 — Harden

  • Block or roll back KB5067036 across all impacted devices until a patched version is validated.
  • Deploy telemetry/dashboard tracking taskmgr.exe instance count per device; alert when >3 in an hour.
  • Work with patch-management team to fast-track Microsoft fix once released and verify regression test.

Day 61–90 — Assure

  • Review help-desk cost impact: average time per Task Manager-bug ticket, estimate cost savings after fix.
  • Perform post-patch audit: confirm ghost taskmgr.exe count drops to baseline (
  • Include this incident in quarterly IT risk review: highlight patch-or-defer strategy, endpoint telemetry, and help-desk KPI improvements.

FAQ

Will uninstalling KB5067036 fix the issue?

Yes — removing or deferring the update stops the bug from triggering new instances, but you still need to clear existing ghost processes. Deploy the clean-up script and then monitor.

Is this a security vulnerability or just a performance bug?

Primarily a performance/operational issue, but in high-volume enterprise environments this translates into real IT cost, degraded SLA and elevated ticket volumes — hence the “Help-desk Nightmare”.

When will Microsoft issue a permanent patch?

Microsoft has acknowledged the issue and is working on a fix. For now, treat this as high-priority operational risk and deploy controls until the patched build is widely available. 

References


Author: CyberDudeBivash • Powered by CyberDudeBivash • © 2025
