I currently have 2 csrss.exe running under system, using 1700kb – 2156kb memory each. Related to them there seem to be 2 conhost.exes, one using roughly 1000kb RAM and one 1400kb. One is SYSTEM and one is NETWORK. I found 2 csrss.exes in my system, one in system32, one in winsxs/amd64_microsoft (with a large amount of numbers). I found 1 conhost in system32, and 8 conhosts in winsxs/amd64_microsoft followed by numbers, like csrss. Is this normal? I also may have seen a third conhost running, but I don't think it was attached to csrss.
Using Event Viewer logs and Process Explorer, I found the 2 conhost files under csrss were launched (in my test) at 15:33:52. At the same time, in Event Viewer under System, the MBAMservice entered a running state. Also, the server service entered a running state.
Other services that started around a second or two after: Network list service, Diagnostic service host, Human interface device access, Microsoft network inspection, Diagnostic system host, Portable device enumerator, Computer browser service.
There was no entry in the application part of event viewer.
Under security, at 15:33:52 there was an entry for:
Audit success:
An account has successfully logged on.
Subject ID: null sid
(Further down on the same entry)
New logon:
Security id: anonymous logon Account name: anonymous logon
Account domain: nt authority
And there are several more sections of that entry.
Is this bad? I have found several of those anonymous logon entries back as far as the day I got my PC a year ago, so I don't think it's bad.
Another PC in the house has the same amount of conhost and csrss.exe files on the HDD (around 8-9, in amd64 install folders, and the one that runs under system32, and the csrss files). The other PC had 2 csrss processes running but no conhost.
Does it look bad or okay? I'm going to run some safe mode scans (MBAM and MSE). The scans have come clean.
Here is an image of when I run GeForce Experience; this conhost appears and shuts down very quickly.
Best Answer
Any time you see ConHost.exe it means that a non-GUI program is being executed. This happens when you open the Command Prompt or when an application installer needs to run a standard "DOS" command as part of the installation routine. It's very normal to have the ConHost.exe process come and go, and should only be cause for concern if you have many (20-30+) instances for more than a few moments. Further, it's quite proper that you would observe program and service start/stop activity in connection with ConHost.exe processes starting and stopping, as it is at these times in a program's lifecycle that they'll often need to interact with a non-GUI application.
If you wish to dig in more deeply, the article http://blogs.technet.com/b/askperf/archive/2009/10/05/windows-7-windows-server-2008-r2-console-host.aspx explains the new addition (as of Windows 7) that is ConHost.exe and the problem it is meant to solve:
If you know much about how Windows handles separation of privilege between users, you might correctly see a potential weakness, confirmed as the article continues:
Windows 7 permanently changed that model by introducing the ConHost.exe process:
Hope that helps!
EDIT:
Two instances of csrss.exe is not abnormal. I've observed this plenty of times on known-clean computers. If you don't have two instances running, simply start CMD.EXE and you'll likely end up with a second instance of csrss.exe hosting a child instance of conhost.exe.
In your case I don't see any evidence of there being a malicious reason for the second instance of csrss.exe or the multiple instances of conhost.exe.
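
An added example, not part of the original question or answer: one way to check the details discussed above (image path, owner, session, parent and start time) for every running csrss.exe and conhost.exe, and to list any instance whose image is not in System32. It assumes PowerShell 3.0 or later and an elevated prompt; the variable names are illustrative.

```powershell
# Added example: audit running csrss.exe / conhost.exe instances.
# Assumption: run from an elevated prompt so that details of SYSTEM-owned
# processes can be read.
$expectedDir = Join-Path $env:SystemRoot 'System32'
$names       = 'csrss.exe', 'conhost.exe'

# Index all processes by PID so each parent can be resolved to a name.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

$report = foreach ($p in ($all | Where-Object { $names -contains $_.Name })) {
    # ExecutablePath is empty when the path cannot be read (e.g. not elevated).
    $path   = $p.ExecutablePath
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    # The parent may already have exited; a PID can also be reused, so compare
    # the parent's start time with the child's before trusting the name.
    $parent = $byPid[[uint32]$p.ParentProcessId]

    [pscustomobject]@{
        Name       = $p.Name
        PID        = $p.ProcessId
        Session    = $p.SessionId
        Owner      = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        Started    = $p.CreationDate   # compare with Event Viewer timestamps
        Path       = $path
        InSystem32 = [bool]($path -and ((Split-Path -Path $path -Parent) -ieq $expectedDir))
    }
}

# Full picture, one row per instance.
$report | Sort-Object Name, PID | Format-Table -AutoSize

# Instances whose image path was readable and is NOT directly in System32.
$report | Where-Object { $_.Path -and -not $_.InSystem32 } | Format-List
```

Rows with an empty Path were not readable rather than confirmed clean, so re-run elevated before drawing a conclusion from them.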