What is the CSRSS.EXE process

Anonim

If you often work with Windows Task Manager, you have probably noticed that a CSRSS.exe object is always present in the process list. Let's find out what this item is, how important it is for the system, and whether it poses a danger to the computer.

Information about CSRSS.EXE

CSRSS.exe is run from a system file of the same name. It is present in every OS of the Windows line, starting with Windows 2000. You can see it by launching Task Manager (Ctrl + Shift + Esc) and opening the Processes tab. The easiest way to find it is to sort the "Image Name" column alphabetically.

A separate CSRSS process exists for each session. Therefore, on ordinary PCs two such processes run at the same time, and on a server PC there can be dozens. However, even though there may be two processes, and in some cases more, they all correspond to a single CSRSS.exe file.

To see all CSRSS.exe objects active in the system via Task Manager, click "Show processes from all users".

After that, if you are working on an ordinary, non-server edition of Windows, two csrss.exe items appear in the Task Manager list.

Functions

First of all, let's find out why the system needs this item.

The name "CSRSS.EXE" is an abbreviation of "Client-Server Runtime Subsystem". That is, the process serves as a kind of link between the client and server areas of the Windows system.

This process is needed to display the graphical component, that is, what we see on the screen. It is primarily involved when the system shuts down, as well as when a theme is removed or installed. Without CSRSS.exe it is also impossible to launch consoles (CMD and others). The process is necessary for the operation of Terminal Services and for remote desktop connections. The file under study also handles various OS threads in the Win32 subsystem.

Moreover, if CSRSS.exe is terminated (no matter how: by a crash or forcibly by the user), the system will crash, resulting in a BSOD. Thus, Windows cannot operate without an active CSRSS.EXE process. Therefore, force it to stop only if you are confident that it has been replaced by a virus.

File location

Now let's find out where CSRSS.exe is physically located on the hard drive. You can get this information with the same Task Manager.

  1. With Task Manager set to show processes from all users, right-click any of the objects named "csrss.exe". In the context menu, select "Open File Location".
  2. Explorer opens the directory that contains the file. Its address can be seen by clicking the address bar of the window, which displays the path to the object's folder. The address is:

    C:\Windows\System32

Now, knowing the address, you can go to the object's directory without using Task Manager.

  1. Open Explorer and type or paste the address above into its address bar. Press Enter or click the arrow icon to the right of the address bar.
  2. Explorer opens the directory that contains CSRSS.EXE.

File identification

At the same time, it is not uncommon for various malicious applications (rootkits) to disguise themselves as csrss.exe. In this case, it is important to identify which file a particular CSRSS.exe entry in Task Manager actually represents. So, let's find out under what conditions this process should attract your attention.

  1. First of all, be suspicious if Task Manager, showing processes from all users on an ordinary, non-server system, lists more than two CSRSS objects. One of them is most likely a virus. When comparing the objects, pay attention to memory consumption. Under normal conditions, a limit of 3000 KB is set for CSRSS. Check the corresponding value in the "Memory" column of Task Manager. Exceeding this limit means that something is wrong with the file.

    In addition, note that this process usually puts almost no load on the central processor (CPU). Sometimes an increase in CPU usage to a few percent is acceptable. But when the load reaches tens of percent, this suggests that either the file itself is malicious or something is wrong with the system as a whole.

  2. In Task Manager, in the "User Name" column next to the object being studied, the value must be "SYSTEM". If anything else is displayed there, including the name of the current user profile, then we can say with a great deal of confidence that we are dealing with a virus.

  3. In addition, you can check the authenticity of the file by trying to force it to stop. To do this, select the suspicious object named "CSRSS.EXE" and click "End Process" in Task Manager.

    After that, a dialog box should open stating that stopping the specified process will shut down the system. Naturally, you should not stop it, so click the "Cancel" button. But the appearance of such a message is already an indirect confirmation that the file is genuine. If the message does not appear, this definitely means that the file is fake.

  4. Some file authentication data can also be learned from its properties. Right-click the name of the suspicious object in Task Manager. In the context menu, select "Properties".

    The properties window opens. Go to the General tab. Pay attention to the "Location" parameter. The path to the file's directory must match the address already mentioned above:

    C:\Windows\System32

    If any other address is specified there, this means that the process is fake.

    In the same tab, the "File Size" parameter should show a value of 6 KB. If another size is indicated, then the object is fake.

    Go to the "Details" tab. The "Copyright" parameter should have the value "Microsoft Corporation".

But, unfortunately, even if all the above requirements are met, the CSRSS.exe file may still be malicious. The fact is that a virus can not only disguise itself as the object, but also infect the real file.
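The identification checks in this section (one process per session, the SYSTEM account, the System32 location, the Microsoft copyright field) can be collected in one pass with PowerShell. The script below is an added example, not part of the original article: the function name `Test-CsrssProcess` is hypothetical, and the Authenticode signature check is an extra step that helps with the case of a modified genuine file. It assumes an elevated PowerShell prompt.

```powershell
# Added example: audit every running csrss.exe against the checks in this section.
# Run elevated; without elevation the owner and image path may be unavailable.
function Test-CsrssProcess {
    $expected = Join-Path ([Environment]::GetFolderPath('System')) 'csrss.exe'
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'")
    foreach ($p in $procs) {
        $findings = @()
        # Each session should have exactly one csrss.exe
        $same = @($procs | Where-Object SessionId -eq $p.SessionId).Count
        if ($same -gt 1) { $findings += "$same csrss.exe processes in session $($p.SessionId)" }
        # The owning account must be SYSTEM
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) {
            $findings += 'owner unavailable (not elevated?)'
        } elseif ($owner.User -ne 'SYSTEM') {
            $findings += "runs as $($owner.Domain)\$($owner.User), expected SYSTEM"
        }
        # The image must be the file in System32 (string -ne is case-insensitive)
        $path = $p.ExecutablePath
        if (-not $path) {
            $findings += 'image path unavailable (not elevated?)'
        } elseif ($path -ne $expected) {
            $findings += "unexpected location: $path"
        } else {
            # Copyright field and digital signature of the file on disk
            $copyright = (Get-Item -LiteralPath $path).VersionInfo.LegalCopyright
            if ($copyright -notmatch 'Microsoft Corporation') {
                $findings += "unexpected copyright: '$copyright'"
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status: $($sig.Status)"
            }
        }
        [pscustomobject]@{
            PID          = $p.ProcessId
            SessionId    = $p.SessionId
            WorkingSetKB = [int]($p.WorkingSetSize / 1KB)
            Path         = $path
            Findings     = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Test-CsrssProcess | Format-List
```

`WorkingSetKB` is reported without a verdict so it can be compared by hand with the memory figure given above.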

In addition, excessive consumption of system resources by csrss.exe can be caused not only by a virus, but also by damage to the user profile. In this case, you can try to roll the OS back to an earlier restore point, or create a new user profile and work in it.

Elimination of the threat

What should you do if you find that CSRSS.EXE is not the original OS file but a virus? We will assume that your regular antivirus could not identify the malicious code (otherwise you would not even have noticed the problem). Therefore, we will take other steps to eliminate the process.

Method 1: Antivirus Scanning

First of all, scan the system with a reliable anti-virus scanner, such as Dr.Web CureIt!.

Note that it is recommended to scan the system for viruses in Windows Safe Mode, in which only the processes that provide the basic functioning of the computer run. The virus will therefore be "asleep", and finding it will be much easier.

Method 2: manual removal

If the scan gives no results, but you can clearly see that the CSRSS.exe file is not in the directory where it is supposed to be, then you will have to apply the manual removal procedure.

  1. In Task Manager, select the name corresponding to the fake object and click the "End Process" button.
  2. After that, use Explorer to go to the object's directory. It can be any directory other than the "System32" folder. Right-click the object and select "Delete".

If you cannot stop the process in Task Manager or delete the file, turn off the computer and boot the system in Safe Mode (the F8 key or Shift + F8 during boot, depending on the OS version). Then delete the object from its directory.

Method 3: System Restore

And finally, if neither the first nor the second method produced the desired result and you could not get rid of the malicious process disguised as csrss.exe, the System Restore function provided in Windows can help.

The essence of this feature is that you choose one of the existing restore points, which returns the system to the selected point in time: if the virus was not yet on the computer at that time, this tool will eliminate it.

This feature also has a downside: if programs were installed or their settings changed after a given point was created, those changes will be rolled back in the same way. System Restore leaves only user files untouched, which include documents, photos, videos and music.

As you can see, in most cases CSRSS.exe is one of the most important processes for the operation of the operating system. But sometimes it can be launched by a virus. In that case, remove it by following the recommendations provided in this article.
