Wikipedia

Client/Server Runtime Subsystem: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
CSRSS.EXE
m Reverted edits by 182.76.219.70 (talk) to last version by ClueBot NG
Line 1:
'''Client Runtime Subsystem''', or <tt>csrss.exe</tt>, is a component of the [[Windows NT]] family of [[operating system]]s that provides the [[User space|user mode]] side of the [[Windows API|Win32 subsystem]] and is included in [[Windows NT 3.1]] and later.<ref name="GDI"></ref> Because most of the Win32 subsystem operations have been moved to [[kernel mode]] [[Device driver|drivers]] in Windows NT 4 and later, CSRSS is mainly responsible for [[Win32 console]] handling and GUI shutdown. It is critical to system operation; therefore, terminating this [[Process (computing)|process]] will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the ''taskkill'' command or with [[Windows Task Manager]], although it is possible in Vista if the Task Manager is run in Administrator mode. On [[Windows 7]] and later, Task Manager will inform the user that terminating the process will result in system failure, and prompt if they want to continue.
CSRSS.EXE is a process registered as a trojan . It is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms.[1][2][3] This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter,[4] and it can infect other devices on the same local network.It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. csrss circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks. It became more widespread in March 2015. In June 2015 security company Prevx discovered that csrss had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and Business Week.This kind of worm can only come from network if the firewall of your home network is not responding to your identity or might be expired.This process is a security risk and should be removed from your network.This infection can easily damage any anti virus security on computers and other devices and it can transfer to any device which is connected to the same internet or network.You need a network security firewall in order to protect your identity from this hacking file which can steal your identity and and missuse it for any fraudulent activities with anyone.you should not have this kind of process running in computer and network
 
== Malware hoaxes ==
There are numerous [[Virus hoax|virus hoaxes]] that claim that csrss.exe is [[malware]] and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe [[Process (computing)|process]] will result in a [[Blue Screen of Death]].
 
In addition, [[technical support scam]]mers pretending to be Microsoft representatives are known to use csrss.exe as "proof" of a virus infection, and convince the user being scammed into purchasing their [[rogue security software]] to remove it.<ref>{{cite web|url=http://news.softpedia.com/news/symantec-disavows-business-partner-caught-running-a-tech-support-scam-499310.shtml|title=Symantec Disavows Business Partner Caught Running a Tech Support Scam|last=Cimpanu|first=Catalin|publisher=[[Softpedia]]|date=Jan 22, 2016|accessdate=July 29, 2016}}</ref>
 
== Technical details ==
CSRSS runs as a user-mode [[Windows service|system service]]. When a user-mode process calls a function involving console windows, process/thread creation, or [[Side-by-side assembly|side-by-side]] support, instead of issuing a [[system call]], the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an [[Local Procedure Call|inter-process call]] to the CSRSS process which does most of the actual work without compromising the kernel.<ref>{{cite web
|url=http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|title=Detailed implementation of a system service in Windows NT
|accessdate=2010-06-10
|work=Undocumented Windows NT
}}</ref> Window manager and [[Graphics Device Interface|GDI]] services are handled by a kernel mode driver (win32k.sys) instead.<ref>{{cite book|last=Russinovich|first=Mark|title=Windows Internals, 5th Edition|year=2009|publisher=Microsoft Press|pages=54}}</ref>
 
CSRSS is called along with <tt>winlogon.exe</tt> at Windows start-up. If either of the files is corrupted or otherwise inaccessible, the NT kernel will shut down the start-up process with a [[Blue Screen of Death]]. This is caused by a failure to move out of kernel mode and into user mode, the "normal" operation of Windows. The error code for this fault is 0xc000021a.
 
In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns <tt>conhost.exe</tt> subprocesses to draw console windows for command line programs with the permissions of that user.
 
== History ==
The [[Windows NT 3.x]] series of releases had placed the [[Graphics Device Interface]] component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance.<ref name="GDI">{{cite web
|url=https://technet.microsoft.com/en-us/library/cc750820.aspx#XSLTsection124121120120
|title=The Windows NT 4.0 Kernel mode change
|accessdate=2009-01-19
|work=MS Windows NT Kernel-mode User and GDI White Paper
|publisher=Microsoft
}}</ref> The Windows startup process from Vista onward has changed significantly. Two instances of csrss.exe are running in Windows 7 and Vista.<ref>{{cite web
|url=https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
|title=Inside the Windows Vista Kernel – Startup Processes
|accessdate=2010-10-01
|work=Inside the Windows Vista Kernel – Startup Processes
|publisher=Microsoft
}}</ref>
 
== See also ==
* [[List of Microsoft Windows components]]
 
== References ==
{{Reflist}}
 
== External links ==
* [https://technet.microsoft.com/en-us/library/bb457123.aspx Troubleshooting the Startup Process (Windows XP Professional Resource Kit)]
 
{{Windows Components}}
 
{{DEFAULTSORT:Client Server Runtime Subsystem}}
[[Category:Windows NT architecture]]
Retrieved from "https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem"