Client/Server Runtime Subsystem: Difference between revisions

No edit summary
tried it on win7
Tags: Mobile edit Mobile web edit
 
(37 intermediate revisions by 21 users not shown)
Line 1:
{{Short description|Windows NT operating system component}}
'''Client Server Runtime Subsystem''', or <tt>csrss.exe</tt>, is a component of the [[Windows NT]] family of [[operating system]]s that provides the [[User space|user mode]] side of the [[Windows API|Win32 subsystem]] and is included in [[Windows NT 3.1]] and later.<ref name="GDI" /> Because most of the Win32 subsystem operations have been moved to [[kernel mode]] [[Device driver|drivers]] in [[Windows NT 4]] and later, CSRSS is mainly responsible for [[Win32 console]] handling and GUI shutdown. It is critical to system operation; therefore, terminating this [[Process (computing)|process]] will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the ''[[kill (command)|taskkill]]'' command or with [[Windows Task Manager]], although it is possible in [[Windows Vista]] if the Task Manager is run in Administrator mode. On [[Windows 7]] and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt if they want to continue.
The '''Client/Server Runtime Subsystem''', or <code>csrss.exe</code>, is a component of the [[Windows NT]] family of [[operating system]]s that provides the [[User space|user mode]] side of the [[Windows API|Win32 subsystem]]. In modern versions of Windows, it is primarily involved with process and thread management, [[Win32 console|console window]] handling, [[side-by-side assembly]] loading and the shutdown process. Historically, it had also been responsible for window management and graphics rendering; however, these operations were moved to [[kernel mode]] starting with [[Windows NT 4.0]] to improve performance.<ref>{{cite web
 
csrss.exe is a hidden monitoring software that tracks your personal information such as credit card, social security number, ID, email addresses, websites that you surfed or surfing habits, IP addresses etc.
 
This information can be sent to hackers or third parties to damage your computer by sending viruses, spyware, malware or use your personal information for criminal activities or fraud purchases.
 
 
 
 
 
== History ==
The [[Windows NT 3.x]] series of releases had placed the [[Graphics Device Interface]] component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance.<ref name="GDI">{{cite web
|url=https://technet.microsoft.com/en-us/library/cc750820.aspx#XSLTsection124121120120
|title=The Windows NT 4.0 Kernel mode change
|access-date=2009-01-19
|work=MS Windows NT Kernel-mode User and GDI White Paper
|publisher=Microsoft
}}</ref>
}}</ref> The Windows startup process from Vista onward has changed significantly. Two instances of csrss.exe are running in Windows 7 and Vista.<ref>{{cite web
 
CSRSS instances are marked as critical processes, meaning that terminating one will [[blue screen of death|crash]] the system; if the critical status is removed and one is terminated, the system will freeze. Built-in process management tools in most Windows versions will also refuse to kill instances of CSRSS. Under normal operation, there is a CSRSS instance for each session (two in [[Windows Vista]] and newer, one in earlier versions,<ref>{{cite web
|url=https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
|title=Inside the Windows Vista Kernel – Startup Processes
|access-date=2010-10-01
|work=Inside the Windows Vista Kernel – Startup Processes
|publisher=Microsoft
}}</ref> both assuming there are no active [[Remote Desktop Protocol|RDP]] connections which spawn extra sessions).
}}</ref>
 
== Technical details ==
Line 28 ⟶ 19:
|url=http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|title=Detailed implementation of a system service in Windows NT
|access-date=2010-06-10
|work=Undocumented Windows NT
|archive-url=https://web.archive.org/web/20110717032622/http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|archive-date=2011-07-17
|url-status=dead
}}</ref> Window manager and [[Graphics Device Interface|GDI]] services are handled by a kernel mode driver (win32k.sys) instead.<ref>{{cite book|last=Russinovich|first=Mark|authorlink=Mark Russinovich|title=Windows Internals, 5th Edition|year=2009|publisher=Microsoft Press|pages=54}}</ref>
 
CSRSS is called along with <code>winlogon.exe</code> from [[Session Manager Subsystem|smss.exe]] at Windows start-up. If either of the files is corrupted or otherwise inaccessible, SMSS will tell the kernel to shut down the start-up process with a [[Blue screen of death]].<ref>{{Cite web|url=https://support.microsoft.com/en-us/help/156669/how-to-troubleshoot-a-stop-0xc000021a-error-in-windows-xp-or-windows-s|title=How to troubleshoot a "STOP 0xC000021A" error in Windows XP or Windows Server 2003|website=support.microsoft.com|access-date=2020-03-15}}</ref> The error code for this fault is 0xc000021a (STATUS_SYSTEM_PROCESS_TERMINATED).
 
In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns <code>conhost.exe</code> subprocesses to draw console windows for command line programs with the permissions of that user.
 
== Malware hoaxes ==
There are numerous [[virus hoax]]es that claim that csrss.exe is [[malware]] and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe [[Process (computing)|process]] will result in a system crash in Windows applications.
 
In addition, [[technical support scam]]mers pretending to be Microsoft representatives are known to use csrss.exe as "proof" of a virus infection, and convince the user being scammed into purchasing their [[rogue security software]] to remove it.<ref>{{cite web|url=http://news.softpedia.com/news/symantec-disavows-business-partner-caught-running-a-tech-support-scam-499310.shtml|title=Symantec Disavows Business Partner Caught Running a Tech Support Scam|last=Cimpanu|first=Catalin|publisher=[[Softpedia]]|date=Jan 22, 2016|access-date=July 29, 2016}}</ref>
 
== See also ==
Line 53 ⟶ 44:
* [https://technet.microsoft.com/en-us/library/bb457123.aspx Troubleshooting the Startup Process (Windows XP Professional Resource Kit)]
 
{{Microsoft Windows components}}
 
{{DEFAULTSORT:Client Server Runtime Subsystem}}