Multiple Instances of conhost.exe in Windows 7 – What It Means

Tags: conhost, security, windows 7

My desktop has two instances of conhost.exe running in the background at all times. Some googling brought up a few articles, like this one, but they don't explain why I have multiple instances of conhost running. I don't have any console windows open.

Here's a screenshot from Process Explorer:

[Image: Process Explorer screenshot]

I am cautious by nature. After a clean install of Windows 7, the first thing I did was turn up UAC, get an anti-virus, anti-malware and firewall up and running. I can't rule out a virus, but it's highly unlikely.

What's going on over here? What is that large number being passed as an argument to conhost?

Best Answer

Conhost runs console services for console windows. It is responsible for drawing the console window and for managing the input/output to the (normally invisible) console application.

Even though you don't have any console windows open, this is likely just a console window on another desktop or a zombie process that you're seeing - in normal Windows operation, conhost.exe is always started from csrss.exe which is a SYSTEM process - and this is the case in your picture which suggests that the conhost.exes are genuine.

If you're particularly worried that these might be malware pretending to be conhost, the best thing to do is to open Task Manager, navigate to the "Processes" tab, right click on the process you're worried about and select "Open File Location".

In the explorer window that opens up, right click on the application and click "View Properties" and look for a "Digital Signatures" tab. All Microsoft executables will have a Digital Signature verifying that the application is a genuine Microsoft application, and forging a Digital Signature is at least as hard as decrypting an SSL session between you and your bank, so you can rest assured that the executable is genuine.

In answer to the second part of your question, the large number being passed to conhost as an argument is a session ID that tells conhost.exe which console application it should be rendering on the screen - essentially it's the console application ID to connect to. The precise details of the number are specific to csrss which brokers the communication between the console application and conhost.exe.
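The checks described in the answer above (parent process is csrss.exe, file location, digital signature) can be scripted. The following PowerShell is an added example, not part of the original answer; it assumes the Windows 7 parent/child behaviour the answer describes and that the genuine binary lives at `%SystemRoot%\System32\conhost.exe`.

```powershell
# Added example, not from the original answer. Works with PowerShell 2.0+ (Windows 7).
# Run elevated: ExecutablePath is empty for other users' processes otherwise.
# Assumption: the genuine conhost.exe is at %SystemRoot%\System32\conhost.exe.
$expectedPath = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Index every process by PID so each conhost's parent can be resolved.
$all   = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($c in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
    # A PID can be reused after the real parent exits, so only accept a
    # parent that was created before the child.
    $parent     = $byPid[[int]$c.ParentProcessId]
    $parentName = '<exited or unknown>'
    if ($parent -and $parent.CreationDate -and $c.CreationDate -and
        $parent.ConvertToDateTime($parent.CreationDate) -le $c.ConvertToDateTime($c.CreationDate)) {
        $parentName = $parent.Name
    }

    # Signature check on the file that is actually backing the process.
    $path      = $c.ExecutablePath
    $sigStatus = 'path unavailable'
    $signer    = ''
    if ($path) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    New-Object PSObject -Property @{
        PID           = $c.ProcessId
        ParentName    = $parentName
        ParentIsCsrss = ($parentName -ieq 'csrss.exe')
        PathExpected  = ($path -and ($path -ieq $expectedPath))
        Signature     = $sigStatus
        Signer        = $signer
        CommandLine   = $c.CommandLine
    }
}

$report |
    Select-Object PID, ParentName, ParentIsCsrss, PathExpected, Signature, Signer, CommandLine |
    Format-List
```

A `NotSigned` result is a prompt to check further rather than proof of tampering, since older PowerShell versions do not evaluate catalog signatures.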
