Can't find the other csrss.exe process help!

Status
Not open for further replies.

new003

Distinguished
Oct 3, 2010
83
0
18,630
The other day I noticed two csrss.exe processes going; one went up to 10% CPU. So I did some research on how to remove the faulty one. I checked my system32 folder and found a csrss there, but that is the legitimate one. I guess it could be bad still. I then tried to look in the Startup folder where they said to look, so I went there and the folder was empty. I then read that you have to right-click the Startup folder and hit "For all users": still empty! So I went into msconfig and nowhere to be seen is the csrss.exe in the startup. So I tried looking for my C:\user\ app data\startup folder that way, no use.

I have some info too on both the processes.
Looking in Spybot Search and Destroy's process list,
both are there, and one process has 9 threads and the other has 10 threads, whatever that means. I noticed that one of the csrss had 12 threads before I rebooted.
Maybe it's building back up to 12. The other one has stayed at 9 always.
Also, whenever I right-click on the processes in Spybot S&D there's a "show process in windows explorer"; when I hit that it takes me to my user folder and nothing happens. It's obviously not there.

The first csrss, the one that I think is the legitimate one, is 1424 K memory size.
The 2nd is 1748 K memory: this is the one that uses the CPU.


I tried using malwarebytes file assassin to find the files but to no use.
 
Solution
I have a folder named in that location: amd64_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3685fcbdfb21a5ac also. So I would say to you it is a valid folder.

Dogsnake

Distinguished
Use system restore and find a restore point prior to your deleting files. Restore to that point and start over.
The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such Csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed.

Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneous running tasks. Threads supported by csrss.exe are different from processes in that threads are commonly contained within the process, with various threads sharing resources within the same process. The Win32 console is the plain text window in the Windows API system (programs can use the console without the need for image display).

In mobile devices such as notebooks and laptops, the process csrss.exe is closely dependent on power management schemes implemented by the system as defined under the Control Panel option.

This process should be treated as suspicious if there are two instances running. Always take note of the process location when trying to determine whether or not the process is genuine or malicious.

This Windows component should be located in your Windows System directory, i.e. something similar to C:\Windows\System32\csrss.exe. Warning: Multiple instances of CSRSS may be running on your PC at one time. Some of these may or may not be the legitimate versions.
 

new003



I haven't deleted any files yet. I'm still looking for the other csrss.exe; one is in the system32 folder but I can't find the other one. I even enabled view all hidden files and checked the startup folder.
 

Dogsnake

If you start Task Manager you will see csrss as a service that is running. You can right-click and select file location to see where it is. The one on my win7/64 system shows as version 6.1.7600.13685 and is 7.5Kb. 10,948K is the memory size for it. You say you have 2 of them; where are they located on the system? What makes you think you have a problem at all?
 

new003



Whenever I right-click in the Task Manager, both of the processes that I click "show" on show up in the system32 folder, even though there is only one csrss there, and like yours it is also 7.5kb and 6.1.7600.16385. I think you may have typo'd the 6 and the 3 on the version.

But good news! I found a csrss.exe that is not in the system32 folder.
I found it in c:\windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3
There are also a few csrss.exe.mui in these folders, so that's just a safe multiple language interface thing, right?

Should I delete it? If it's too risky I'll probably just forget about it.
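
An added example, not part of the thread: one way to run the location check discussed above from PowerShell, listing each running csrss.exe with its image path and session, then comparing every on-disk copy under the Windows directory (including the WinSxS copy found above) against the System32 file. Windows Vista and later start one csrss.exe per session, so the session ID is shown for each instance. It assumes PowerShell 4.0 or later and an elevated prompt; the function name `Test-CsrssFile` is hypothetical.

```powershell
# Added example: audit running csrss.exe instances and on-disk copies.
# Run elevated; csrss.exe is a system process and its image path is
# often not readable from a non-elevated session.
$expected = Join-Path $env:windir 'System32\csrss.exe'

function Test-CsrssFile {
    param([string]$Path)
    # Note: older PowerShell versions do not evaluate catalog signatures and
    # can report NotSigned for catalog-signed Windows binaries.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path     = $Path
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigState = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# 1. Running instances: process ID, session and image path.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $verdict = if (-not $_.ExecutablePath) { 'PathUnavailable (re-run elevated)' }
               elseif ($_.ExecutablePath -ieq $expected) { 'ExpectedLocation' }
               else { 'UNEXPECTED LOCATION' }
    [pscustomobject]@{
        PID     = $_.ProcessId
        Session = $_.SessionId
        Path    = $_.ExecutablePath
        Verdict = $verdict
    }
}
$procs | Format-Table -AutoSize

# 2. On-disk copies: hash each csrss.exe under %windir% (slow on a full tree)
#    and compare it with the System32 file.
$baseline = Test-CsrssFile $expected
$copies = Get-ChildItem -Path $env:windir -Filter 'csrss.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-CsrssFile $_.FullName }
$copies |
    Select-Object Path, SigState, Signer,
        @{ Name = 'MatchesSystem32'; Expression = { $_.SHA256 -eq $baseline.SHA256 } } |
    Format-List
```

A running instance with an unexpected path, or an on-disk copy whose hash differs from the System32 file and whose signature state is not `Valid`, is the one to investigate further.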
 