none
how many csrss.exe process should be running in vista?

    Question

  •  

    Hi,

     

    Recentely, I found there are two csrss.exe process running on my computer occassionaly. Both are running under SYSTEM, and the size of one is 1128k (or 1120k) and the other one is 5004K. To add oddness, I cannot right click the processes to view their properties, while I can do this to all other processes.

     

    I searched all my files on the computer and only found two csrss.exe files, one is under windows\system32 idrectory and the other one under x86_microsoft-windows-csrss_.....manifest.

     

    I am wondering whether two running csrss.exe is normal in Vista, and if not so, whether there is some virus on my computer.

     

    Thanks.

    Tom

    Thursday, July 19, 2007 8:26 PM

Answers

  • 2 is actually the minimal number that's expected at anytime.

    2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).

    There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.

    There are more than 2 sessions when you use fast user switching or remote desktop.

     

    Regards

    Eric

    Thursday, July 19, 2007 10:23 PM

All replies

  • 2 is actually the minimal number that's expected at anytime.

    2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).

    There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.

    There are more than 2 sessions when you use fast user switching or remote desktop.

     

    Regards

    Eric

    Thursday, July 19, 2007 10:23 PM
  • ok so i saw csrss.exe in my control panel and thoguth it was a virus... i have windows vista... in the control panel next to csrss.exe it doesn't say anything... what should i think of this/

    Thanks
    Jordan
    Monday, November 12, 2007 7:15 AM
  • In the Control Panel?

    Assuming you're referring to the "Task Manager" instead, it's also expected, as long as you haven't clicked the "show processes from all users" button. Until that point, taskmgr.exe ("Task Manager") is running as a standard user and doesn't have enough rights to query information about csrss.exe...

    Note that the same applies to winlogon.exe.

     

    Monday, November 12, 2007 10:04 PM
  • I have a similar view. I have enough rights to query information about csrss.exe, and have the same problem, is the only process, that doesn't shows any information about itself, not even it's location. The thing is, I've never seen csrss before on the Task Manager at least not without applying "Show Processes from all users" button. Now I see two of them, (applying the button of course). But none of the two, lets me see their properties. I've tried to see the properties of every other process on the list, and have succeded (even winlogon.exe). It's very strange.

     

     

     

    I tried to finish the process (the one that appears to be on standard list), and a blue screen went off (long time no see one of these), which is more confusing, because it shouldn't crash like this (at least not in the list of standard processes).

     

     

    Thanks,

     

     

     

     

     

    Oscar E.

    Wednesday, November 14, 2007 8:58 AM
  • Hello

    I have the same "problem" using Windows Vista Home Premium...

    - While Task Manager is running in user mode I can see two processes with an empty User Name column: csrss.exe and winlogon.exe.
    I never seen these two processes in a user mode Task Manager before...
    I'm more used to only see the processes of my user name.

    - When I switch the Task Manager with adminitrative rights, then I can see that csrss.exe and winlogon.exe are SYSTEM processes.
    Right, but I still cannot have other information on these two processes... nevertheless I can on all other SYSTEM processes like lsass.exe, smss.exe, wininit.exe,...
    So what ? If I try to kill one of those two then I also get a BSoD !
    Why the system do not prevent me of doing this ?
    I should have something like: "No my friend you're not authorised to kill that process", instead of that BSoD.

    Then I had a look at my LISTENING ports with a netstat -oan and here what I noticed:
    When I'm not connected to Internet, I cannot see something unusual,
    As soon as I'm connected to Internet, then some ports are opened by sometime the System PID (number 4), sometime by some servicehost.exe processes and they are LISTENING on 137, 138, 139, (NetBIOS),1900 (SSDP) and some other ports, and for a short period of time on port 68 (BOOTPC).
    Moreover those ports are not opened on the 0.0.0.0 (ALL) interface, but on the IP address which is connected to Internet.
    And, if I disconnect from Internet after a few seconds, then all these ports are closed again.

    I've never seen these beheviours (which seem erratics) on Windows XP, I don't use Windows Vista since a long time but all this seems really weird...
    If one with a very fresh Vista installation could confirm that these behaviours are the ones of Windows Vista, then I would be less stressed and suspicious and could sleep better... If not, I would think I'm infected by a virus or worm or trojan or spyware or a combination of those... Yeeuuk !

    Thanks guys !

    PS: I'm sorry for the english errors, but it is not my native language.
    Sunday, December 02, 2007 5:16 PM
  • >If I try to kill one of those two then I also get a BSoD !
    You killed a part of the OS itself. csrss.exe is the usermode part of WIN32. It's friendly of windows to only show you the Blue Screen of Death.

    You could use The Microsoft (sysinternals) ProcessExplorer to get more detailed informations (with description) on the csrss.exe process.

    An additional job of csrss.exe is to manage the console windows (cmd.exe).

    You will see a high CPU spike in csrss.exe if you create a batchfile.bat with the following content, and start in cmd.exe with "batchfile.bat". To end the Job, close the window [x]. This do not describe a virus.

    endless.bat content:
    :LOOP
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @ECHO  looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
       @GOTO LOOP


    Friday, January 25, 2008 5:36 PM
  •  Eric Perlin - MSFT wrote:

    In the Control Panel?

    Assuming you're referring to the "Task Manager" instead, it's also expected, as long as you haven't clicked the "show processes from all users" button. Until that point, taskmgr.exe ("Task Manager") is running as a standard user and doesn't have enough rights to query information about csrss.exe...

    Note that the same applies to winlogon.exe.

     




    This is such good info. THANKS
    Wednesday, May 07, 2008 4:35 AM
  • I know this is not the right place to post this, but I was unsure where else to..


    I am running win2k server, and using terminal services for about 8 computers. I noticed that there are something like 52+ of the same process running csrss.exe. Can anyone tell me if that is normal? It just doesn't seem right to me.



    Nicholas
    Wednesday, May 14, 2008 8:54 PM
  • A few things could explain this:

    * You indeed have that many open sessions. Either task manager or some TS administration tool should let you check that out. If you have multiple sessions for a single user, you may have enabled a non default setting that allows this.

    * I've seen TS sessions not completely dying after user logoff... Couple processes per session hang around, sometimes as "zombie processes" (no threads, no handles, ...). This happens if another processes has a opened handle to the zombie that can't totally disappear until the handle count is 0. The way you check this out is to find how many processes exists in each session. If you have only winlogon.exe & csrss.exe, the session is either in its initial state, or towards its end of life. If either of them don't exist, that session is end of life as well. If the processes are zombies, you may not be able to get them to disappear until you find which process holds the handles to them, which is tricky (some sysinternals tools can probably help though). If the process in question is not critical (smss.exe, lsass.exe, services.exe for starters), you could try to get it to stop (it's likely to be a service).

     

    Friday, May 23, 2008 9:16 PM
  • Hey! sorry wasn't entirely sure where to post this so thought i'd try this thread as its the closest to what i'm looking for..... am using windows xp sp2 NOT vista but hope someone will know what I should do....
    for a while now my computer keeps coming up with an error message when i log in (its a communal computer + other people have admin access so think this could have been triggered by someone trying to update windows or something...)  but the error message says Windows-No Disk and then Exception Processing Message c0000013 Parameters (and then a whole load of letters and numbers) The computer seems significantly slower in carrying out simple tasks and clicking the cancel button repeatedly doesn't get rid of the message...having looked at the task manager the process running this is the csrss.exe. Searching for this process in my windows folder comes up with 3 instances in system32,servicepackfiles and softwaredistribution and they are all 6 kb which makes me think this isn't a virus... any suggestions on how to get rid of this? Am bit of a noobie when comes to systems stuff in windows so all simple clear explanations would be welcome! thanks!
    Monday, June 30, 2008 4:29 PM
  • You wont be able to remove CSRSS.EXE from your system. Windows needs CSRSS to function normally. Note that the file from system32 is the one that is used in a running system. 

    Nagendra
    Thursday, July 03, 2008 8:51 AM
  • Someone who used the computer installed something that depends on a disk (CD-ROM or USB drive) that isn't present in the system anymore.

    What you're seeing is called a "Hard Error" message that is always displayed from CSRSS. Removing that system binary is obviously not the solution.

    What you need to find/remove is the code that has this dependency on the now gone disk... Good luck.

     

    Friday, July 04, 2008 12:34 AM
  • Hi,

     

    I have the same problem as n0n3m stated. Any body could give as a help on explaining the situation? Thanks.

    Thursday, July 10, 2008 3:27 AM
  • 2 is actually the minimal number that's expected at anytime.

    2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).

    There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.

    There are more than 2 sessions when you use fast user switching or remote desktop.

     

    Regards

    Eric


    I did a tasklist -v  using cmd prompt and it verifies what Eric had stated. OK, I just discovered there are two running csrss.exe processes today (after installing Windows 7). PIDs 504 and 564 below:

    Image Name                     PID Session Name        Session#    Mem Usage Status          User Name
                          CPU Time Window Title
    System Idle Process              0 Services                  0         24 K Unknown         NT AUTHORITY\SYSTEM
                           1:05:49 N/A
    System                               4 Services                   0        960 K Unknown        N/A
                           0:00:21 N/A
    smss.exe                         384 Services                   0      1,016 K Unknown       NT AUTHORITY\SYSTEM
                           0:00:00 N/A
    csrss.exe                         504 Services                   0      4,824 K Unknown       NT AUTHORITY\SYSTEM
                           0:00:02 N/A
    csrss.exe                         564 Console                   1      6,364 K Running         NT AUTHORITY\SYSTEM
    Friday, October 30, 2009 3:31 PM
  • Hi,

    Crash note: Do NOT kill csrss.exe!
    This will cause: If we kill csrss.exe we will end up with a blue screen!

    How does this actually work?
    When we boot up the Windows Operating System (OS), two exe files, 
    do the last boot part, and these two are: csrss.exe and Winlogon.exe. 
    The Winlogon triggers the Services.exe to start, and Services.exe will then
    execute all the other sub-services and some more..  

    Whats left is smss.exe which waits for forever for csrss.exe or
    Winlogon.exe to exit, if any of these exits smss.exe will crash
    the computer, and cause a Windows crash blue sreen.

    Best regards,
    Fisnik
    Coder24.com
    Friday, October 30, 2009 4:21 PM
  • Did you notice how no one answered your question in 2 years time?  It is not spyware or a worm or trojan... it is Vista.  And it is evil.
    • Proposed as answer by jonnygs1 Sunday, May 08, 2011 7:36 AM
    Tuesday, December 01, 2009 7:39 AM
  • Suffering from the csrss.exe error is a very common computer problem but it doesn't really have to be that difficult to understand. Csrss.exe error.
    Thursday, March 24, 2011 12:01 AM
  • Did you notice how no one answered your question in 2 years time?  It is not spyware or a worm or trojan... it is Vista.  And it is evil.
    Did you notice how no one answered your question in 4 years time? I don't know if it's spyware or a worm or trojan... but I know it's Vista/7/NT. And yes, evil is using it. And it's unbelievable how no one has the answers, or a clue - but they'll talk about how easy it is to solve (without bothering to - actually - solve it).
    Sunday, May 08, 2011 7:35 AM
  • Thanks to all for their valuable information. really enjoyed.
    pooja
    Sunday, May 08, 2011 8:58 AM