TomZh

Hi,

Recently, I found there are two csrss.exe processes running on my computer occasionally. Both are running under SYSTEM, and the size of one is 1128k (or 1120k) and the other one is 5004K. To add oddness, I cannot right click the processes to view their properties, while I can do this to all other processes.

I searched all my files on the computer and only found two csrss.exe files, one is under windows\system32 directory and the other one under x86_microsoft-windows-csrss_.....manifest.

I am wondering whether two running csrss.exe is normal in Vista, and if not so, whether there is some virus on my computer.

Thanks.

Tom



Re: Security for Applications in Windows Vista how many csrss.exe process should be running in vista?

Eric Perlin - MSFT

2 is actually the minimal number that's expected at anytime.

2 SYSTEM processes live per session for pretty much as long as each (TS) session exists (csrss.exe & winlogon.exe).

There are at least 2 sessions at any time, session 0 for services, other sessions for interactive logons.

There are more than 2 sessions when you use fast user switching or remote desktop.

Regards

Eric






Re: Security for Applications in Windows Vista how many csrss.exe process should be running in vista?

kintzle

ok so i saw csrss.exe in my control panel and thought it was a virus... i have windows vista... in the control panel next to csrss.exe it doesn't say anything... what should i think of this?

Thanks
Jordan




Re: Security for Applications in Windows Vista how many csrss.exe process should be running in vista?

Eric Perlin - MSFT

In the Control Panel

Assuming you're referring to the "Task Manager" instead, it's also expected, as long as you haven't clicked the "show processes from all users" button. Until that point, taskmgr.exe ("Task Manager") is running as a standard user and doesn't have enough rights to query information about csrss.exe...

Note that the same applies to winlogon.exe.
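
Added example (not part of the original thread or any poster's code): a PowerShell check for what the replies above describe, one csrss.exe per session, running as SYSTEM from the System32 directory. It assumes PowerShell 3.0 or later for Get-CimInstance; without elevation the owner and path may come back empty, which is the same access limit described above for Task Manager.

```powershell
# Added example: list every csrss.exe with session, owner and image path,
# then flag anything other than "one per session, loaded from System32".
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'"

$report = foreach ($p in $procs) {
    # GetOwner fails (empty User) when the caller lacks rights on the process.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue

    if (-not $p.ExecutablePath) {
        $status = 'path not readable (run elevated)'
    } elseif ($p.ExecutablePath -ne $expected) {
        # -ne on strings is case-insensitive in PowerShell.
        $status = 'UNEXPECTED PATH'
    } else {
        $status = 'ok'
    }

    [pscustomobject]@{
        SessionId = $p.SessionId
        PID       = $p.ProcessId
        Owner     = if ($owner -and $owner.User) { $owner.User } else { '(not readable)' }
        Path      = $p.ExecutablePath
        Status    = $status
    }
}

$report | Sort-Object SessionId | Format-Table -AutoSize

# More than one csrss.exe inside a single session is worth a closer look.
$dupes = $report | Group-Object SessionId | Where-Object Count -gt 1
foreach ($d in $dupes) {
    Write-Warning ("Session {0} has {1} csrss.exe processes" -f $d.Name, $d.Count)
}

# Any image outside System32 is worth a closer look as well.
foreach ($r in ($report | Where-Object Status -eq 'UNEXPECTED PATH')) {
    Write-Warning ("PID {0} runs from {1}" -f $r.PID, $r.Path)
}
```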






Re: Security for Applications in Windows Vista how many csrss.exe process should be running in vista?

Oscar_E

I have a similar view. I have enough rights to query information about csrss.exe, and have the same problem: it is the only process that doesn't show any information about itself, not even its location. The thing is, I've never seen csrss before in the Task Manager, at least not without applying the "Show Processes from all users" button. Now I see two of them (applying the button, of course). But neither of the two lets me see its properties. I've tried to see the properties of every other process on the list, and have succeeded (even winlogon.exe). It's very strange.

I tried to finish the process (the one that appears to be on standard list), and a blue screen went off (long time no see one of these), which is more confusing, because it shouldn't crash like this (at least not in the list of standard processes).

Thanks,

Oscar E.






Re: Security for Applications in Windows Vista how many csrss.exe process should be running in vista?

n0n3m

Hello

I have the same "problem" using Windows Vista Home Premium...

- While Task Manager is running in user mode I can see two processes with an empty User Name column: csrss.exe and winlogon.exe.
I have never seen these two processes in a user mode Task Manager before...
I'm more used to only seeing the processes of my user name.

- When I switch the Task Manager to administrative rights, then I can see that csrss.exe and winlogon.exe are SYSTEM processes.
Right, but I still cannot get other information on these two processes... nevertheless I can on all other SYSTEM processes like lsass.exe, smss.exe, wininit.exe,...
So what if I try to kill one of those two? Then I also get a BSoD!
Why does the system not prevent me from doing this?
I should get something like: "No my friend you're not authorised to kill that process", instead of that BSoD.

Then I had a look at my LISTENING ports with a netstat -oan and here is what I noticed:
When I'm not connected to the Internet, I cannot see anything unusual,
As soon as I'm connected to the Internet, then some ports are opened, sometimes by the System PID (number 4), sometimes by some servicehost.exe processes, and they are LISTENING on 137, 138, 139 (NetBIOS), 1900 (SSDP) and some other ports, and for a short period of time on port 68 (BOOTPC).
Moreover those ports are not opened on the 0.0.0.0 (ALL) interface, but on the IP address which is connected to Internet.
And, if I disconnect from Internet after a few seconds, then all these ports are closed again.

I've never seen these behaviours (which seem erratic) on Windows XP. I haven't been using Windows Vista for a long time, but all this seems really weird...
If someone with a very fresh Vista installation could confirm that these behaviours are the ones of Windows Vista, then I would be less stressed and suspicious and could sleep better... If not, I would think I'm infected by a virus or worm or trojan or spyware or a combination of those... Yeeuuk!

Thanks guys !

PS: I'm sorry for the english errors, but it is not my native language.




Re: Security for Applications in Windows Vista how many csrss.exe process should be running in vista?

Bernd Boot

>If I try to kill one of those two then I also get a BSoD !
You killed a part of the OS itself. csrss.exe is the usermode part of WIN32. It's friendly of Windows to only show you the Blue Screen of Death.

You could use the Microsoft (Sysinternals) Process Explorer to get more detailed information (with description) on the csrss.exe process.

An additional job of csrss.exe is to manage the console windows (cmd.exe).

You will see a high CPU spike in csrss.exe if you create a batchfile.bat with the following content, and start it in cmd.exe with "batchfile.bat". To end the job, close the window [x]. This does not describe a virus.

endless.bat content:
:LOOP
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@ECHO looping - causes high CPU utilization in csrss.exe!CsrValidateMessageString and probably in cmd.exe
@GOTO LOOP