csrss.exe and conhost.exe

Keyes

Aug 22, 2013
I currently have 2 csrss.exe running under SYSTEM, using 1700kb - 2156kb memory each.
Related to them there seem to be 2 conhost.exes, one using roughly 1000kb RAM and one 1400kb. One is SYSTEM and one is NETWORK.
I found 2 csrss.exes in my system, one in system32, one in winsxs/amd64_microsoft (with a large amount of numbers).
I found 1 conhost in system32, and 8 conhosts in winsxs/amd64_microsoft followed by numbers like csrss.
Is this normal? I also may have seen a third conhost running, but I don't think it was attached to csrss.
 


How did you conclude this? The processes running were all running the system32 version. The amd64 files seem like install files.

I've run scans with MSE and mbam and it's clean.

And a trojan virus? You know they're opposite things?
 
Using event viewer logs and Process Explorer I found the 2 conhost files under csrss were launched (in my test) at 15:33:52. At the same time, in event viewer under System, the MBAMservice entered a running state. Also, the Server service entered a running state.

Other services that started around a second or two after:
Network list service
Diagnostic service host
Human interface device access
Microsoft network inspection
Diagnostic system host
Portable device enumerator
Computer browser service

There was no entry in the application part of event viewer.

Under security, at 15:33:52 there was an entry for:

Audit success:

An account has successfully logged on.
Subject ID: null sid

(Further down on the same entry)

New logon:
Security id: anonymous logon
Account name: anonymous logon
Account domain: nt authority

And there's several more sections of that entry.

Is this bad? I have found several of those anonymous logon entries back as far as the day I got my PC a year ago, so I don't think it's bad.


 
Read this and pay particular attention to the part that says to be extremely suspicious if there are two instances of csrss running. Then go do what it tells you to do in the link that I sent you. If there is nothing wrong with your computer, it won't harm anything to run those applications, and if there is, it will likely fix it before it gets to the point where it's not fixable.


Windows errors related to csrss.exe?


csrss.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steal passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. We strongly recommend that you run a FREE registry scan to identify csrss.exe related errors.


Other instances of CSRSS.EXE:

1) csrss.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steal passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. Click here to run a free registry scan now.

2) The Client/Server Runtime Subsystem in the Microsoft ® Windows operating system utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed. csrss.exe controls threading and Win32 ® console window features. Threading is where the application splits itself into multiple simultaneous running tasks.

Threads supported by csrss.exe are different from processes in that threads are commonly contained within the process, with various threads sharing resources within the same process. The Win32 ® console is the plain text window in the Windows API system (programs can use the console without the need for image display). In mobile devices such as notebooks and laptops, the process csrss.exe is closely dependent on power management schemes implemented by the system as defined under the Control Panel option.

This process should be treated as suspicious if there are two instances running. Always take note of the process location when trying to determine whether or not the process is genuine or malicious. This Windows component should be located in your Windows System directory, i.e. something similar to C:\Windows\System32\csrss.exe. Click here to run a free registry scan now.
 
This link looks too familiar; if you ever watch ampdan on YouTube, the Indian phone scammers used the "csrss is a trojan" page to fool people.

Anyways, I don't understand where you're getting this whole trojan thing, when it's obviously not a trojan if it's running from the System32 directory. I feel uncomfortable running those programs you listed from (I guess liutilities or something?). They don't seem like they would, since your source is telling me explicitly it's a registered trojan. If I had no csrss.exe but only a trojan called csrss my system wouldn't even function.

The Tom's Hardware link seems fine (I don't think blindly running ComboFix is a good idea), but where are you getting your sources?
 
The page I listed is a generally accepted tutorial on cleaning your computer. It's referenced time and time again by members of Tom's. If you don't want to use programs that are used by hundreds of thousands of people to keep their computers safe, that's your choice. It might not even be your problem; in fact, you might not even have a problem. But running any of those programs can only help, it cannot hurt. It's up to you though. Good luck.

Also, if you think malicious software cares where it runs from or never targets critical directories, you're mistaken.
 
I understand the Tom's Hardware tutorial.

The webpage you copy and pasted saying csrss was a trojan is a page used by cold call scammers.

I have run MSE and Mbam in both normal and safe mode and it's come clean. I'm only concerned about your sources (not Tom's, your copy pasted one) since it doesn't even know what a trojan or a virus is.

I understand malware can be present in system directories. But your source calls it a trojan. The current files exist in legitimate file locations and there are known look-alikes.

Surely you have a more rational explanation?
 
conhost.exe is the one I'd dig into. 2 csrss.exe is fine. Look at the build date of it: if it's not an old date like for Win 7 (up to 7-13-2009) and it's like 2014, I'd check that out. Windows 7 release was 2009, then the next dates should be around the release of SP1 [this is for core Windows]. The few newer dated ones are updated with Windows updates, driver updates and so on, but in System32 it's not many.

I figure this doesn't help much, but then you may see what I mean once you start looking it over.
 
They all have creation dates of around 2009 (the ones in the amd64 folder have newer modified dates, I guess if they were added in an update?).

So what's the verdict? How can I find what is using conhost? Is it possible any NVIDIA services use them, since when I open GeForce Experience a conhost briefly appears?
 
Don't know, I don't run NVIDIA, and like I said I never see it unless I open the command prompt. I read all this stuff on it but it doesn't explain why it's running when the command prompt is not???

I guess the screenshots are from Process Explorer?? If so, is it showing in Task Manager also??
 
Info I got on it



Any time you see ConHost.exe it means that a non-GUI program is being executed. This happens when you open the Command Prompt or when an application installer needs to run a standard "DOS" command as part of the installation routine. It's very normal to have the ConHost.exe process come and go, and should only be cause for concern if you have many (20-30+) instances for more than a few moments. Further, it's quite proper that you would observe program and service start/stop activity in connection with ConHost.exe processes starting and stopping, as it is at these times in a program's lifecycle that they'll often need to interact with a non-GUI application.

If you wish to dig in more deeply, the article http://blogs.technet.com/b/askperf/archive/2009/10/05/windows-7-windows-server-2008-r2-console-host.aspx explains the new addition (as of Windows 7) that is ConHost.exe and the problem it is meant to solve:

In previous versions of Windows [that is, prior to Windows 7], all GUI activity on behalf of non-GUI applications that ran on the desktop (console applications) was brokered by the system process CSRSS.exe.

If you know much about how Windows handles separation of privilege between users, you might correctly see a potential weakness, confirmed as the article continues:

The problem with this was that even if an application ran in the context of a regular user’s account, CSRSS.EXE runs under the Local System account. So it was possible under certain circumstances for malware to exploit weaknesses in an application in order to execute code under the more privileged Local System account in CSRSS.EXE.

Windows 7 permanently changed that model by introducing the ConHost.exe process:

This exposure was addressed in Windows 7 and Windows Server 2008 R2 by running the console messaging code in the context of a new process, ConHost.exe. ConHost (Console Host) runs in the same security context as its associated console application. Instead of issuing an LPC request to CSRSS for message-handling, the request goes to ConHost.

Hope that helps!
 
Lots of things use it, but full time?? This is what I see: if the command prompt is not being used, as in at the desktop there is no command prompt on the screen, so is there some program somehow using it hidden?? If so, why?? As I said, if it's running it's on the screen, not invisible. All I checked on this on this computer only shows the conhost when I open the command prompt; when I close the command prompt it closes right with it and is gone from the task list.

I've been googling it around and not found a good solid answer to it running full time as you say on yours, unless I missed something here [and I've been looking hard at it].

I guess keep looking at links on it and hope you come across one that helps.

 
It could be an NVIDIA thing... I don't see conhost, or COM Surrogate since switching to AMD.

EDIT: conhost appeared in the process tab of taskman, just as my AV popped-up a "scan finished" notification, and then it went.

 
Isn't that thing just MSE? I'm using MSE and it says nothing.
In safe mode, no conhosts were running.
I'm not sure how to find what services are running conhost. It doesn't have a PID according to Process Explorer. I'll try turning off some NVIDIA services and see if anything happens.

Any other methods to investigate?
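One structured way to answer the "is this normal and who owns it" question from the thread is to list every csrss.exe and conhost.exe instance with its session, parent process, image path, signature status and file creation date, and flag anything outside System32 or not signed by Microsoft. This is an added example written for this thread, not code from any poster or from Microsoft; it assumes an elevated PowerShell prompt (the image path of SYSTEM processes such as csrss.exe is not readable otherwise) and uses only Win32_Process and Get-AuthenticodeSignature.

```powershell
# Added triage example for csrss.exe / conhost.exe (not from the original thread).
# Run elevated: without admin rights ExecutablePath of csrss.exe comes back empty.
$system32 = Join-Path $env:SystemRoot 'System32'

# Map PID -> name once so each instance's parent can be resolved by name.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[$_.ProcessId] = $_.Name }

$targets = Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe' OR Name = 'conhost.exe'"

foreach ($p in $targets) {
    $path   = $p.ExecutablePath
    $parent = if ($byPid.ContainsKey($p.ParentProcessId)) { $byPid[$p.ParentProcessId] } else { '<exited>' }
    $notes  = @()

    if (-not $path) {
        $notes += 'image path not readable (run elevated)'
    } else {
        # The running image should be the System32 copy; the winsxs copies are the
        # component store and are not what is executing.
        if ((Split-Path $path -Parent) -ne $system32) { $notes += "unexpected location: $path" }

        # Catalog-signed OS binaries report NotSigned on some older Windows builds;
        # if that happens, confirm with Sysinternals sigcheck instead.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $notes += "signature: $($sig.Status)"
        }
        $notes += "file created $((Get-Item $path).CreationTime.ToString('yyyy-MM-dd'))"
    }

    # csrss.exe normally runs once per session (session 0 plus the interactive
    # session), so two instances with different SessionIds is the expected picture.
    # For conhost.exe the parent is csrss.exe on Windows 7; on Windows 8 and later
    # it is the console application the host was started for.
    [pscustomobject]@{
        Name      = $p.Name
        PID       = $p.ProcessId
        SessionId = $p.SessionId
        Parent    = "$parent ($($p.ParentProcessId))"
        Started   = $p.CreationDate
        Notes     = ($notes -join '; ')
    }
}
```

Run it at the moment a conhost appears (for example while GeForce Experience or an AV scan is starting) to catch the short-lived instances the thread describes before they exit.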