how many csrss.exe process should be running in vista?
Hi,
Recentely, I found there are two csrss.exe process running on my computer occassionaly. Both are running under SYSTEM, and the size of one is 1128k (or 1120k) and the other one is 5004K. To add oddness, I cannot right click the processes to view their properties, while I can do this to all other processes.
I searched all my files on the computer and only found two csrss.exe files, one is under windows\system32 idrectory and the other one under x86_microsoft-windows-csrss_.....manifest.
I am wondering whether two running csrss.exe is normal in Vista, and if not so, whether there is some virus on my computer.
Thanks.
Tom
Answers
2 is actually the minimal number that's expected at anytime.
2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).
There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.
There are more than 2 sessions when you use fast user switching or remote desktop.
Regards
Eric
All Replies
2 is actually the minimal number that's expected at anytime.
2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).
There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.
There are more than 2 sessions when you use fast user switching or remote desktop.
Regards
Eric
- ok so i saw csrss.exe in my control panel and thoguth it was a virus... i have windows vista... in the control panel next to csrss.exe it doesn't say anything... what should i think of this/
Thanks
Jordan In the Control Panel?
Assuming you're referring to the "Task Manager" instead, it's also expected, as long as you haven't clicked the "show processes from all users" button. Until that point, taskmgr.exe ("Task Manager") is running as a standard user and doesn't have enough rights to query information about csrss.exe...
Note that the same applies to winlogon.exe.
I have a similar view. I have enough rights to query information about csrss.exe, and have the same problem, is the only process, that doesn't shows any information about itself, not even it's location. The thing is, I've never seen csrss before on the Task Manager at least not without applying "Show Processes from all users" button. Now I see two of them, (applying the button of course). But none of the two, lets me see their properties. I've tried to see the properties of every other process on the list, and have succeded (even winlogon.exe). It's very strange.
I tried to finish the process (the one that appears to be on standard list), and a blue screen went off (long time no see one of these), which is more confusing, because it shouldn't crash like this (at least not in the list of standard processes).
Thanks,
Oscar E.
- Hello
I have the same "problem" using Windows Vista Home Premium...
- While Task Manager is running in user mode I can see two processes with an empty User Name column: csrss.exe and winlogon.exe.
I never seen these two processes in a user mode Task Manager before...
I'm more used to only see the processes of my user name.
- When I switch the Task Manager with adminitrative rights, then I can see that csrss.exe and winlogon.exe are SYSTEM processes.
Right, but I still cannot have other information on these two processes... nevertheless I can on all other SYSTEM processes like lsass.exe, smss.exe, wininit.exe,...
So what ? If I try to kill one of those two then I also get a BSoD !
Why the system do not prevent me of doing this ?
I should have something like: "No my friend you're not authorised to kill that process", instead of that BSoD.
Then I had a look at my LISTENING ports with a netstat -oan and here what I noticed:
When I'm not connected to Internet, I cannot see something unusual,
As soon as I'm connected to Internet, then some ports are opened by sometime the System PID (number 4), sometime by some servicehost.exe processes and they are LISTENING on 137, 138, 139, (NetBIOS),1900 (SSDP) and some other ports, and for a short period of time on port 68 (BOOTPC).
Moreover those ports are not opened on the 0.0.0.0 (ALL) interface, but on the IP address which is connected to Internet.
And, if I disconnect from Internet after a few seconds, then all these ports are closed again.
I've never seen these beheviours (which seem erratics) on Windows XP, I don't use Windows Vista since a long time but all this seems really weird...
If one with a very fresh Vista installation could confirm that these behaviours are the ones of Windows Vista, then I would be less stressed and suspicious and could sleep better... If not, I would think I'm infected by a virus or worm or trojan or spyware or a combination of those... Yeeuuk !
Thanks guys !
PS: I'm sorry for the english errors, but it is not my native language. - >If I try to kill one of those two then I also get a BSoD !
You killed a part of the OS itself. csrss.exe is the usermode part of WIN32. It's friendly of windows to only show you the Blue Screen of Death.
You could use The Microsoft (sysinternals) ProcessExplorer to get more detailed informations (with description) on the csrss.exe process.
An additional job of csrss.exe is to manage the console windows (cmd.exe).
You will see a high CPU spike in csrss.exe if you create a batchfile.bat with the following content, and start in cmd.exe with "batchfile.bat". To end the Job, close the window [x]. This do not describe a virus.
endless.bat content:
:LOOP
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@GOTO LOOP Eric Perlin - MSFT wrote: In the Control Panel?
Assuming you're referring to the "Task Manager" instead, it's also expected, as long as you haven't clicked the "show processes from all users" button. Until that point, taskmgr.exe ("Task Manager") is running as a standard user and doesn't have enough rights to query information about csrss.exe...
Note that the same applies to winlogon.exe.
This is such good info. THANKS- I know this is not the right place to post this, but I was unsure where else to..
I am running win2k server, and using terminal services for about 8 computers. I noticed that there are something like 52+ of the same process running csrss.exe. Can anyone tell me if that is normal? It just doesn't seem right to me.
Nicholas A few things could explain this:
* You indeed have that many open sessions. Either task manager or some TS administration tool should let you check that out. If you have multiple sessions for a single user, you may have enabled a non default setting that allows this.
* I've seen TS sessions not completely dying after user logoff... Couple processes per session hang around, sometimes as "zombie processes" (no threads, no handles, ...). This happens if another processes has a opened handle to the zombie that can't totally disappear until the handle count is 0. The way you check this out is to find how many processes exists in each session. If you have only winlogon.exe & csrss.exe, the session is either in its initial state, or towards its end of life. If either of them don't exist, that session is end of life as well. If the processes are zombies, you may not be able to get them to disappear until you find which process holds the handles to them, which is tricky (some sysinternals tools can probably help though). If the process in question is not critical (smss.exe, lsass.exe, services.exe for starters), you could try to get it to stop (it's likely to be a service).
- Hey! sorry wasn't entirely sure where to post this so thought i'd try this thread as its the closest to what i'm looking for..... am using windows xp sp2 NOT vista but hope someone will know what I should do....
for a while now my computer keeps coming up with an error message when i log in (its a communal computer + other people have admin access so think this could have been triggered by someone trying to update windows or something...) but the error message says Windows-No Disk and then Exception Processing Message c0000013 Parameters (and then a whole load of letters and numbers) The computer seems significantly slower in carrying out simple tasks and clicking the cancel button repeatedly doesn't get rid of the message...having looked at the task manager the process running this is the csrss.exe. Searching for this process in my windows folder comes up with 3 instances in system32,servicepackfiles and softwaredistribution and they are all 6 kb which makes me think this isn't a virus... any suggestions on how to get rid of this? Am bit of a noobie when comes to systems stuff in windows so all simple clear explanations would be welcome! thanks! - You wont be able to remove CSRSS.EXE from your system. Windows needs CSRSS to function normally. Note that the file from system32 is the one that is used in a running system.Nagendra
Someone who used the computer installed something that depends on a disk (CD-ROM or USB drive) that isn't present in the system anymore.
What you're seeing is called a "Hard Error" message that is always displayed from CSRSS. Removing that system binary is obviously not the solution.
What you need to find/remove is the code that has this dependency on the now gone disk... Good luck.
Hi,
I have the same problem as n0n3m stated. Any body could give as a help on explaining the situation? Thanks.
2 is actually the minimal number that's expected at anytime.
2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).
There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.
There are more than 2 sessions when you use fast user switching or remote desktop.
Regards
Eric
I did a tasklist -v using cmd prompt and it verifies what Eric had stated. OK, I just discovered there are two running csrss.exe processes today (after installing Windows 7). PIDs 504 and 564 below:
Image Name PID Session Name Session# Mem Usage Status User Name
CPU Time Window Title
System Idle Process 0 Services 0 24 K Unknown NT AUTHORITY\SYSTEM
1:05:49 N/A
System 4 Services 0 960 K Unknown N/A
0:00:21 N/A
smss.exe 384 Services 0 1,016 K Unknown NT AUTHORITY\SYSTEM
0:00:00 N/A
csrss.exe 504 Services 0 4,824 K Unknown NT AUTHORITY\SYSTEM
0:00:02 N/A
csrss.exe 564 Console 1 6,364 K Running NT AUTHORITY\SYSTEM- Hi,
Crash note: Do NOT kill csrss.exe!
This will cause: If we kill csrss.exe we will end up with a blue screen!
How does this actually work?
When we boot up the Windows Operating System (OS), two exe files,
do the last boot part, and these two are: csrss.exe and Winlogon.exe.
The Winlogon triggers the Services.exe to start, and Services.exe will then
execute all the other sub-services and some more..
Whats left is smss.exe which waits for forever for csrss.exe or
Winlogon.exe to exit, if any of these exits smss.exe will crash
the computer, and cause a Windows crash blue sreen.
Best regards,
Fisnik
Coder24.com- Proposed As Answer byVisualBasicProfessional Saturday, December 12, 2009 7:30 PM
- Did you notice how no one answered your question in 2 years time? It is not spyware or a worm or trojan... it is Vista. And it is evil.
