csrss.exe running 2x under Win 7 64-bit

Status
Not open for further replies.

Savage1701

Posts: 154   +1
Is it normal to have two instances of this process running? Both point to C:\Windows\System32, identify Microsoft as their "creator" and are dated July of 2009 as creation date. And both point to a large number of services. I run PC Tools Spyware Doctor as my AV/anti-Malware.

Is there a way to know if one of these is malware?

Is it ok that two instances are running? Both are small letters, but details, although saying MSFT is publisher, said they used to be called "CSRSS.exe" and that kind of worries me.

I know not to kill them since I will BSOD my system as it is a legitimate, required process.

I've also heard 2 instances can be a corruption issue of the OS itself, somewhere in a .dll. That's beyond my ability to snoop around with.

I'm getting occassional spikes and freezes and it shows one of the instances going to 100% CPU usage.

Thanks for any help.
 
csrss.exe (Client/Server Runtime Subsystem) is legitimate windows file; and yes it is located in c:\windows\system32; however; if you try to run the original file csrss.exe (in win7 x64) file on a dos prompt it wont run telling you it can not run in win32 mode.

You can double check how many copies of file you have on your system by going to Command prompt, and typeing Dir csrss.exe /s

You should get two instances of file being reported in results:

1. \windows\system32
1. \windows\winsxs\amd....

Size of this file is 7,680 bytes on my system and it is taking about 1,788 kb of mem.

Also you may choose to go through 8-steps guide about checking your pc for malware/viruses etc. However, once you are done; don't forget to post the logs here for review. Regards
 
We'll get more info, if you....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    csrss.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:11 on 12/02/2010 by Steve Savage (Administrator - Elevation successful)

========== filefind ==========

Searching for "csrss.exe"
C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe --a--- 7680 bytes [23:19 13/07/2009] [01:39 14/07/2009] 60C2862B4BF0FD9F582EF344C2B1EC72

-=End Of File=-
 
I ran Malwarebytes and it found the same spyware PC Tools AV & AS found and quarantined several months ago. Not sure if it is finding the quarantined items or not, but re-quarantined them anyway.

Still have 2 csrss.exe instances. I've also read this can be because the admin account runs one and my user account is running one, so 2 instances does not automatically equal spyware, but frequently it does.
 
The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such Csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneous running tasks. (Source: MS)

If the two instances are running, you may turn on the session id column in task manager, and check whether they are running under different sessions.

Also session 0 is for services, other sessions are for interactive logons.

There can be more than 2 sessions when you use fast user switching or remote desktop.

Lastly if you select Show Processes from All Users it will give you details about the each running process of csrss.exe; and if you kill it it ..... you will sort of kill part of OS and get BSOD.

You may use Microsoft (sysinternals) ProcessExplorer to get more detailed informations (with description) on the running csrss.exe process.
 
Archean:

I have a session ID 0 and Session ID 1 instance. Both have a ton of services running under them, so am I correct in assuming they are both legit? Both have user name SYSTEM.

I know better than to kill the process, believe me. Yes, I do have fast user switching to switch between my account and the admin account if I need to. I don't have remote desktop allowed for this computer, but I do use Access Remote PC.

Thanks for your help and any further thoughts you might have.
 
That seems perfectly well within reason to me; I was expecting that if every thing is normal you'll get Session ID 0 and 1 :)

Infact depending on the setup/running processes of computer; one can run many instances of legitimate csrss.exe.
 
Status
Not open for further replies.
Back