Wikipedia

Client/Server Runtime Subsystem: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
dot
Tags: Mobile edit Mobile web edit
tried it on win7
Tags: Mobile edit Mobile web edit
 
(23 intermediate revisions by 17 users not shown)
Line 1:
{{Short description|Windows NT operating system component}}
{{refimprove|date=May 2020}}
The '''Client /Server Runtime Subsystem''', or <code>csrss.exe</code>, is a component of the [[Windows NT]] family of [[operating system]]s that provides the [[User space|user mode]] side of the [[Windows API|Win32 subsystem]] and is included in [[Windows NT 3.1]] andIn later.<refmodern name="GDI" /> Because mostversions of theWindows, Win32it subsystemis operationsprimarily haveinvolved beenwith movedprocess toand [[kernelthread mode]]management, [[DeviceWin32 driverconsole|drivers]]console in [[Windows NT 4window]] and laterhandling, CSRSS is mainly responsible for [[Win32side-by-side consoleassembly]] handlingloading and GUIthe shutdown process. It is critical to system operation; thereforeHistorically, terminatingit thishad [[Processalso (computing)|process]]been willresponsible resultfor inwindow systemmanagement failure.and Undergraphics normalrendering, circumstanceshowever, CSRSSthese cannotoperations behave terminatedbeen withmoved theto ''[[killkernel (command)|taskkillmode]]'' command orstarting with [[Windows Task Manager]], although it is possible in [[Windows Vista]] if the Task Manager is run in Administrator mode. On [[Windows 7]] and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt if they want to continue. In Windows NT 4.0 however, terminating CSRSS without the [[Session Manager Subsystem]] (SMSS)to watchingimprove will not crash the systemperformance.<ref>{{cite However in [[Windows XP]], terminating CSRSS without SMSS watching will crash the system due to the critical bit being set in RAM for csrss.exe.web
 
== History ==
The [[Windows NT 3.x]] series of releases had placed the [[Graphics Device Interface]] component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance.<ref name="GDI">{{cite web
|url=https://technet.microsoft.com/en-us/library/cc750820.aspx#XSLTsection124121120120
|title=The Windows NT 4.0 Kernel mode change
|accessdateaccess-date=2009-01-19
|work=MS Windows NT Kernel-mode User and GDI White Paper
|publisher=Microsoft
}}</ref>
}}</ref> The Windows startup process from Vista onward has changed significantly. Two instances of csrss.exe are running in Windows 7 and Vista.<ref>{{cite web
 
CSRSS instances are marked as critical processes, meaning that terminating one will [[blue screen of death|crash]] the system, if the critical status is removed and one is terminated, the system will freeze. Built-in process management tools in most Windows versions will also refuse to kill instances of CSRSS. Under normal operation, there is a CSRSS instance for each session (two in [[Windows Vista]] and newer, one in earlier versions,<ref>{{cite web
|url=https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
|title=Inside the Windows Vista Kernel – Startup Processes
|accessdateaccess-date=2010-10-01
|work=Inside the Windows Vista Kernel – Startup Processes
|publisher=Microsoft
}}</ref> both assuming there are no active [[Remote Desktop Protocol|RDP]] connections which spawn extra sessions).
}}</ref>
 
== Technical details ==
Line 21 ⟶ 19:
|url=http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|title=Detailed implementation of a system service in Windows NT
|accessdateaccess-date=2010-06-10
|work=Undocumented Windows NT
|archive-url=https://web.archive.org/web/20110717032622/http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|archive-date=2011-07-17
|url-status=dead
}}</ref> Window manager and [[Graphics Device Interface|GDI]] services are handled by a kernel mode driver (win32k.sys) instead.<ref>{{cite book|last=Russinovich|first=Mark|authorlink=Mark Russinovich|title=Windows Internals, 5th Edition|year=2009|publisher=Microsoft Press|pages=54}}</ref>
 
CSRSS is called along with <code>winlogon.exe</code> from [[Session Manager Subsystem|smss.exe]] at Windows start-up. If either of the files is corrupted or otherwise inaccessible, SMSS will tell the kernel to shut down the start-up process with a [[Blue screen of death]].<ref>{{Cite web|url=https://support.microsoft.com/en-us/help/156669/how-to-troubleshoot-a-stop-0xc000021a-error-in-windows-xp-or-windows-s|title=How to troubleshoot a "STOP 0xC000021A" error in Windows XP or Windows Server 2003|last=|first=|date=|website=support.microsoft.com|url-status=live|archive-url=|archive-date=|access-date=2020-03-15}}</ref> The error code for this fault is 0xc000021a (STATUS_SYSTEM_PROCESS_TERMINATED).
 
In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns <code>conhost.exe</code> subprocesses to draw console windows for command line programs with the permissions of that user.
 
== Malware hoaxes ==
There are numerous [[virus hoax]]es that claim that csrss.exe is [[malware]] and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe [[Process (computing)|process]] will result in a [[Bluesystem Screencrash ofin Death]]Windows applications.
 
In addition, [[technical support scam]]mers pretending to be Microsoft representatives are known to use csrss.exe as "proof" of a virus infection, and convince the user being scammed into purchasing their [[rogue security software]] to remove it.<ref>{{cite web|url=http://news.softpedia.com/news/symantec-disavows-business-partner-caught-running-a-tech-support-scam-499310.shtml|title=Symantec Disavows Business Partner Caught Running a Tech Support Scam|last=Cimpanu|first=Catalin|publisher=[[Softpedia]]|date=Jan 22, 2016|accessdateaccess-date=July 29, 2016}}</ref>
 
== See also ==
Retrieved from "https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem"