Client/Server Runtime Subsystem: Difference between revisions

'''Client Server Runtime Subsystem''', or <tt>csrss.exe</tt>, is a component of the [[Windows NT]] family of [[operating system]]s that provides the [[User space|user mode]] side of the [[Windows API|Win32 subsystem]] and is included in [[Windows NT 3.1]] and later.<ref name="GDI"></ref> Because most of the Win32 subsystem operations have been moved to [[kernel mode]] [[Device driver|drivers]] in [[Windows NT 4]] and later, CSRSS is mainly responsible for [[Win32 console]] handling and GUI shutdown. It is critical to system operation; therefore, terminating this [[Process (computing)|process]] will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the ''[[kill (command)|taskkill]]'' command or with [[Windows Task Manager]], although it is possible in [[Windows Vista]] if the Task Manager is run in Administrator mode. On [[Windows 7]] and later, Task Manager warns the user that terminating the process may result in system failure and prompts them to confirm before continuing.
 
== Malware hoaxes ==
There are numerous [[Virus hoax|virus hoaxes]] that claim that csrss.exe is [[malware]] and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe [[Process (computing)|process]] will result in a [[Blue Screen of Death]].
 
In addition, [[technical support scam]]mers pretending to be Microsoft representatives are known to present csrss.exe as "proof" of a virus infection and to convince the user being scammed to purchase their [[rogue security software]] to remove it.<ref>{{cite web|url=http://news.softpedia.com/news/symantec-disavows-business-partner-caught-running-a-tech-support-scam-499310.shtml|title=Symantec Disavows Business Partner Caught Running a Tech Support Scam|last=Cimpanu|first=Catalin|publisher=[[Softpedia]]|date=Jan 22, 2016|accessdate=July 29, 2016}}</ref>
 
== Technical details ==
CSRSS runs as a user-mode [[Windows service|system service]]. When a user-mode process calls a function involving console windows, process/thread creation, or [[Side-by-side assembly|side-by-side]] support, instead of issuing a [[system call]], the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an [[Local Procedure Call|inter-process call]] to the CSRSS process which does most of the actual work without compromising the kernel.<ref>{{cite web
|url=http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx
|title=Detailed implementation of a system service in Windows NT
|accessdate=2010-06-10
|work=Undocumented Windows NT
}}</ref> Window manager and [[Graphics Device Interface|GDI]] services are handled by a kernel mode driver (win32k.sys) instead.<ref>{{cite book|last=Russinovich|first=Mark|title=Windows Internals, 5th Edition|year=2009|publisher=Microsoft Press|pages=54}}</ref>
 
CSRSS is started along with <tt>winlogon.exe</tt> at Windows start-up. If either file is corrupted or otherwise inaccessible, the NT kernel aborts the start-up process with a [[Blue Screen of Death]]. The crash occurs because the system cannot transition out of kernel mode into user mode, where Windows normally operates. The error code for this fault is 0xc000021a.
 
In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns <tt>conhost.exe</tt> subprocesses to draw console windows for command line programs with the permissions of that user.
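Because the hoaxes above tell users to remove csrss.exe, the defender's question is not whether to kill it but whether the instances that are running are the genuine ones. The following PowerShell script is an added example, not part of this article or of Windows; it assumes (the article does not state this) that the legitimate image is <tt>%SystemRoot%\System32\csrss.exe</tt>, that it is Microsoft-signed, and that it is launched by <tt>smss.exe</tt>, whose per-session copy normally exits right afterwards, so a missing parent is expected rather than suspicious.

```powershell
# Added example, not from the article: list running csrss.exe instances and flag
# any that do not look genuine. Assumptions (labelled): genuine image path is
# %SystemRoot%\System32\csrss.exe, it is Microsoft-signed, and its parent was
# smss.exe (which usually has exited). Run elevated; this only reads, never kills.
if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr h, uint flags,
    System.Text.StringBuilder name, ref uint size);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@
}

function Get-ImagePath([uint32]$ProcessId) {
    # csrss.exe is a protected process, so (Get-Process).Path is denied even to
    # administrators; PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is still granted.
    $h = [Win32.Native]::OpenProcess(0x1000, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        $buf = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $buf.Capacity
        if ([Win32.Native]::QueryFullProcessImageName($h, 0, $buf, [ref]$len)) {
            return $buf.ToString()
        }
        return $null
    } finally { [void][Win32.Native]::CloseHandle($h) }
}

$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $path   = Get-ImagePath $_.ProcessId
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signedByMs = $sig -and $sig.Status -eq 'Valid' -and
                  $sig.SignerCertificate.Subject -like '*Microsoft*'
    [pscustomobject]@{
        PID        = $_.ProcessId
        Path       = $path
        Parent     = if ($parent) { $parent.Name } else { '(exited)' }
        MsSigned   = [bool]$signedByMs
        # Flag an unreadable or unexpected path, a non-Microsoft signature, or a
        # still-running parent that is not smss.exe; an exited parent is normal.
        Suspicious = (-not $path) -or ($path -ne $expected) -or
                     (-not $signedByMs) -or ($parent -and $parent.Name -ne 'smss.exe')
    }
} | Format-Table -AutoSize
```

Any row marked Suspicious deserves investigation (path, signer, parent), which is the opposite of the hoax advice: the genuine process is never terminated.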
 
== History ==
 
== See also ==