What is the conhost.exe process? Could conhost be a virus?

If you are reading this article, then you are wondering what the conhost.exe process is, what it is doing in
Task Manager, and why it runs in Windows 7.

The conhost.exe process is a solution to a fundamental problem with how console windows were handled in
previous versions of Windows: it worked with errors in Vista, and Windows XP did not have it
at all.

It is completely safe if it is launched and running from C:\Windows\system32\conhost.exe.
But scanning your computer for viruses never hurts.
If the file is in a different location, then it is most likely a virus or other malware.

Windows 7 was improved in how the operating system itself handles the drawing of console
windows. In previous versions of Windows, the console was run by the
csrss.exe process (Client Server Runtime Process), which ran under the privileged system
account.

If you look at the command line window in Windows XP, you will notice that it always has
the classic look, no matter which Windows theme you use on your
computer. This is because the console window is drawn not by Windows explorer.exe but by
the above-mentioned csrss.exe service.

The console window in Windows Vista uses the same theme as all other windows, but if
you look closely you can see that the scroll bars still use the old style. This
is because DWM (Desktop Window Manager) controls how the appearance of windows is drawn,
but the process underneath works the same as in Windows XP, and the scroll bars are part of
the window itself.

conhost.exe sits between CSRSS and cmd.exe, and in Windows 7 it fixes
the problems of previous versions of Windows: it not only makes the scroll bars work correctly, but also
allows you to drag a file from Explorer directly into the command line.

There is probably not a single user of Windows operating systems in the world who has never launched the “Task Manager” to end a frozen application or to view the performance of the computer. But sometimes, in the tree of currently active processes, users notice a certain service in the list in the form of the executable file conhost.exe. No one really understands what kind of process is “hanging” in the system, and many consider it a virus (especially if it is launched many times). Indeed, it can be a threat, but not always.

Conhost.exe: what process is observed in the “Task Manager”?

First of all, you need to understand what this process is and which executable file is responsible for it.

The process itself belongs to Windows system services and appeared in Windows XP. It is responsible for opening console windows like Command Prompt or PowerShell. Its main purpose is to open a console window using the design specified for the current theme installed for all graphic elements, in particular for windows.

What is the conhost.exe service for?

To make it clearer, let's look at the same Windows XP. Many people have probably noticed that with the default theme installed, the windows of all programs share the same design, for example a voluminous blue title bar at the top.

But when the command line is called, its window looks different (in the standard design of older systems). The system component conhost.exe was developed to make that window look like the current theme. When the executable file is triggered, the console host window opens in exactly the same form as all other windows.

However, the main problem initially was that this service in XP was clearly underdeveloped, which is why windows opened incorrectly, and sometimes the entire system even froze. In Vista, the service was modified, although it worked with a lower priority rank than the csrss.exe component, which in XP was initially responsible for the design of console windows. But here too there were many problems.

Only starting with Windows 7 was the service radically redesigned. Although its call and execution priority remained between the csrss and cmd levels, console windows began to look as expected when the corresponding programs were called (for example, in the Aero theme design).

Is it possible to disable the service?

This is the conhost.exe service in a nutshell. What kind of process we are dealing with is, I think, somewhat clearer. Now a few words about whether this process can be disabled.

In general, doing so is not recommended, as with all other system components. However, if you are not bothered by windows appearing without the design set for the current theme, the process can be disabled (ended in the “Task Manager”). Please note that the service is only disabled, and only temporarily. It is impossible to remove it, even with full administrative rights (unless it is a virus). The system simply won’t allow you to do this, and absolutely all third-party tools will be powerless. In addition, the process starts only when console windows are launched; when there are none, or while the system is idle, it does not appear in the “Task Manager”. And this service does not particularly affect the performance of the computer.

Conhost.exe virus: checking the location of the program file

A completely different situation arises when several services of the same name (at least more than two) appear in the tree of active processes in the same “Task Manager”. This is already a clear hint that viruses disguising themselves as this service are present in the system. And if the engine.exe component is there as well, that’s it, expect trouble! This is definitely a virus. But even a single process may indicate that a threat in the form of malicious executable code has penetrated the system. Most often this applies to Trojans.

To determine whether the process is the system one (or a virus), go to the processes tab of the “Task Manager” and, from the right-click menu, select the item that opens the file location. The original conhost.exe file is always located in the System32 system folder of the operating system's main directory. If a different location is shown, immediate action must be taken.

Check for threats

Now let's see how to remove conhost.exe. In principle, there is nothing particularly complicated here. However, some nuances should be taken into account. First of all, in the Task Manager itself, you need to end all processes of the same name. Even if the original service is ended along with them, that is fine (it will start again automatically when restarted).

After this, you need to use a powerful scanner, preferably a portable one (for example, Dr. Web CureIt! or KVRT). Running an in-depth scan with the antivirus that is already installed seems inappropriate, if only because it has already missed the threat.

However, as practice shows, the most effective method for removing such a scourge is to use special rescue-disk programs like Kaspersky Rescue Disk or analogues from other developers specializing in anti-virus protection. The advantage of such utilities is that they have their own bootloader, so once they are written to removable media you can boot from it before the main OS starts. The application can use a graphical interface or DOS mode. Next, you just need to check the entire system with the in-depth scan option set and wait for the process to complete. In this case, even viruses that are very deeply integrated into the system, or that permanently reside in RAM, can be identified.

In place of a conclusion

This is the conhost.exe service. It is already clear what kind of process occurs in the system when consoles are opened, as well as the fact that the service may turn out to be a malicious element when started multiple times. Actually, getting rid of such a virus will not be difficult. You just need to choose the optimal utility to scan and remove the threat.

Every user of a modern Windows system, one way or another, opens the Task Manager while working, where all running applications, services and processes are displayed. Many people notice a system component called conhost.exe. What it is, and why this service is needed at all, will now be discussed.

What is conhost.exe in Task Manager?

For uninitiated users, we note right away that this system service is required to be enabled. It first appeared in Windows Vista, complementing the csrss.exe process, which was originally present in XP.

In layman's terms, the conhost.exe process is responsible for fixing a long-standing problem with the drawing of console windows (for example, the command line window, similar to what used to be in DOS systems).

Analogue in Windows XP

First, let's look at the beloved Windows XP. Perhaps some users have noticed that when using a certain theme, different from the one installed by default, the console window always looks in the classic “expanded” form.

The fact is that drawing the window was the responsibility of the system itself (the above-mentioned csrss.exe process was responsible for this). Thus, it was not possible to change the appearance of the window to match the current design.

Problems in Windows Vista

To change this situation, Vista used a new service, launched by the system file conhost.exe. Although the process worked with a lower priority than csrss.exe, in most cases it nevertheless corrected the appearance of the window.

However, as mentioned above, the service itself turned out to be unfinished, as a result of which the windows kept the old look. In addition, although this was originally intended, in Vista it was not possible to drag a file into the console window from the standard Explorer, since Explorer did not have high privileges compared to the parent process.

Changes in Windows 7 and higher

Starting with Windows 7, the conhost.exe service underwent drastic changes. Although it is still located between csrss.exe and cmd.exe in the process priority tree, it nevertheless allows the console window to be displayed in a form that corresponds to the installed theme.

The main change concerned the fact that it was now possible to paste files from Explorer, for example, directly into the command line window, which would display the full path to the specified file, eliminating the need for the user to enter it manually.

In most cases, the conhost.exe service itself works exclusively with the command-line console. Although today you can find many applications that may, to a certain extent, require access to console windows, they take only a few seconds to run, and the called window appears automatically without user intervention. For example, at a certain stage of installing a program, a window appears on the screen in which some actions are performed, and at the end of the process the window disappears on its own, which saves the user from having to close it manually.

The conhost.exe service starts repeatedly: how to fix it?

Now let's consider the possible problems that may arise when this system module runs on its own. The executable file is located in the System32 folder in the main Windows directory. It is not difficult to guess that if the service is launched from this file, there is nothing potentially dangerous in it, and forcibly terminating it is not recommended under any circumstances.

But it also happens that several processes of the same name appear at once. What does this mean? Yes, only that a virus has penetrated the system, which in such a simple way disguises itself as a system service. But many users simply do not know which process needs to be terminated if they suddenly experience problems with an increased load on system resources precisely because of this component. In addition, if all these processes are disabled sequentially, nothing will work - the viruses are activated again.

Among the best-known and most potentially dangerous threats masquerading as the conhost.exe process, today there are two: Trojan:Win32/Alureon.FM (or Backdoor:Win32/Cycbot.B) and RiskTool.Win32.BitCoinMiner.amv (or Packed.Win32.Krap.hy). As can be seen from the classification, these are ordinary Trojans that aim to open access to the system in order to intercept user information and transfer it to third parties or use it for their own purposes. In some cases the system may malfunction precisely because of the increased load on CPU and RAM.

I don’t think there’s much need to explain how to get rid of this. You will have to use an antivirus scanner, though not the one installed on the system by default (it has already missed the virus), but a portable utility like Kaspersky Lab’s KVRT, Dr. Web CureIt!, etc. If they don’t help, then you should use heavy artillery in the form of special utilities known under the general name Rescue Disk. As you can already guess, the most powerful products in this regard are Kaspersky and Dr. Web. This is recognized by both experts and ordinary users.

You are no doubt reading this article because you came across the Console Window Host (conhost.exe) process in Task Manager and are wondering what it is. I have an answer for you.

This article is part of a series that explains various processes found in Task Manager such as svchost.exe, dwm.exe, ctfmon.exe, mDNSResponder.exe, rundll32.exe, Adobe_Updater.exe and many more.

So what is the conhost.exe process?

Understanding the Console Window Host process requires a bit of history. In the days of Windows XP, the command line was handled by a process called ClientServer Runtime System Service (CSRSS). As the name suggests, CSRSS was a system-level service. This created a couple of problems. First, a failure in CSRSS could lead to a failure of the entire system, which exposed not only security problems, but also possible security vulnerabilities. The second problem was that CSRSS couldn't be themed because the developers didn't want to risk running theme code in a system process. Thus, the command line always had a classic look and did not use new interface elements.

Note that in Windows XP the command line does not get the same styling as applications like Notepad.

Windows Vista introduced Desktop Window Manager, a service that "draws" composite views of windows on your desktop, rather than letting each separate application handle that itself. Command Prompt got some superficial theming (like the glass frame present in other windows), but this came at the expense of the ability to drag and drop files, text, etc. into the Command Prompt window.

However, this theming did not go very far. If you look at the console in Windows Vista, it looks like it's using the same theme as everything else, but you'll notice that the scroll bars still use the old style. This is because the Desktop Window Manager handles drawing the title bars and frames, but the old CSRSS window is still inside.

Enter Windows 7 and the Console Window Host process. As the name suggests, it is the host process for the console window. The process sits halfway between CSRSS and Command Prompt (cmd.exe), allowing Windows to fix both previous problems: interface elements like scroll bars are drawn correctly, and you can once again drag and drop into the Command Prompt. And it's a method that's still used in Windows 8 and 10, allowing you to take advantage of all the new interface elements and styles that came with Windows 7.

Even though Task Manager presents the Console Window Host as a separate object, it is still closely coupled with CSRSS. If you inspect the conhost.exe process, you will see that it is indeed running under the csrss.exe process.

Ultimately, Console Window Host is something of a wrapper that supports the ability to run a system-level service like CSRSS, but still provides the ability to integrate modern UI elements.

Why are there multiple instances of a process?

You will often see multiple instances of the Console Window Host process running in Task Manager. Each command line instance starts its own Console Window Host process. Additionally, other applications that use the command line will create their own Console Window Host process even if you don't see an active window for them. A good example of this is the Plex Media Server app, which runs as a background application and uses the command line to make itself available to other devices on your network.

Many background apps work this way, so it is not unusual to have multiple instances of the Console Window process running at any given time. This is normal behavior. For the most part, each process should take up very little memory (usually less than 10 MB) and almost zero CPU if the process is not active.

However, if you notice that a particular instance of Console Window Host or its associated service is causing problems, such as persistent excessive CPU or RAM usage, you may want to check the specific applications that are involved. This may at least give you an idea of where to start troubleshooting. Unfortunately, the Task Manager itself doesn't provide good information about this. The good news is that Microsoft provides an excellent advanced process management tool as part of the Sysinternals line. Just download Process Explorer and run it; it's portable, so there's no need to install it. Process Explorer provides all sorts of advanced features, and I highly recommend reading the guide to understanding Process Explorer to learn more.

The easiest way to track these processes in Process Explorer is to first press Ctrl+F to start searching. Search for "conhost" and then click on the results. When you do this, you will see the main window change, which will show you the application (or service) associated with that particular instance of Console Window Host.

If excessive CPU or RAM usage is your concern, this at least narrows your search to a specific application.

Could this process be a virus?

The process itself is an official Windows component. Although it is possible that a virus has replaced the real Console Window Host with its own executable file, it is unlikely. If you want to be sure, you can check the underlying location of the process file. In Task Manager, right-click on the process and select the "Open file location" option.

If the file is stored in your Windows\System32 folder, you can be sure that you are not dealing with a virus.

There is actually a Trojan called Conhost Miner that masquerades as the Console Window Host process. In Task Manager it looks the same as the real process, but the file location will show that it is stored in %userprofile%\AppData\Roaming\Microsoft and not in the Windows\System32 folder. The Trojan is used to hijack your computer, so the unusual behavior you may notice is memory usage higher than you would expect and CPU usage kept at very high levels (often above 80%).

Of course, using a good virus scanner is the best way to prevent (and remove) malware like Conhost Miner, and that's what you should do anyway. God saves the man who saves himself!
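The file-location check described in this and the earlier sections, together with the Process Explorer lookup of which application owns each Console Window Host instance, can be done in one pass from PowerShell. The script below is an added example and not part of the original article; it assumes Windows PowerShell 5.1 or later, and the report column names are chosen here for illustration.

```powershell
# Added example: audit every running conhost.exe instance.
# The genuine file lives in System32 under the Windows directory.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Snapshot all processes once and index them by PID, so that each
# conhost instance can be mapped to the application that started it.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

$report = foreach ($c in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
    $path   = $c.ExecutablePath   # empty if this session may not query the process
    $parent = $byPid[[uint32]$c.ParentProcessId]

    if (-not $path) {
        $verdict   = 'UNKNOWN (re-run elevated)'
        $signature = 'n/a'
    }
    else {
        # Informational only: older PowerShell versions can report
        # catalog-signed system files as NotSigned.
        $signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($path -ieq $expected) { $verdict = 'OK' }
        else                      { $verdict = 'UNEXPECTED LOCATION' }
    }

    [pscustomobject]@{
        Verdict   = $verdict
        PID       = $c.ProcessId
        Path      = $path
        Signature = $signature
        MemoryMB  = [math]::Round($c.WorkingSetSize / 1MB, 1)
        # The parent may already have exited; its PID is still shown.
        Parent    = if ($parent) { $parent.Name } else { '(exited)' }
        ParentPID = $c.ParentProcessId
    }
}

# Anything that is not 'OK' sorts to the bottom of the table.
$report | Sort-Object Verdict, PID | Format-Table -AutoSize -Wrap

$suspect = @($report | Where-Object { $_.Verdict -eq 'UNEXPECTED LOCATION' })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) conhost.exe instance(s) run from outside $expected"
}
```

Several rows with the verdict OK are normal, since every console application gets its own instance; the rows to investigate are those whose path differs from the System32 one or whose memory use is far above the usual few megabytes.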
