Is csrss.exe a virus?

Posted on 2003-11-13
Last Modified: 2011-08-18
I found this file in my pc, I don't know what is about that.
Question by:mikezang
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 49

Expert Comment

ID: 9744683

Author Comment

ID: 9744709
I had read that, but I still don't understand, could you explain to me?

Expert Comment

ID: 9744835
Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

LVL 49

Accepted Solution

sunray_2003 earned 50 total points
ID: 9745352
Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.


Expert Comment

ID: 10408350
It is not a virus,


some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus)

You should check the particular .exe, and see whether or not it contains a virus.

Expert Comment

ID: 10687242
If you want to know if a file, such as csrss.exe, is legitimite or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.

If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.

Be careful when you use this test!

If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.

The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimite. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the the "Modified date" on the infected file correspond to it. A little far fetched, but possible.

Expert Comment

ID: 10797304
There is also another way to see if it is the "authentic" CSRSS.EXE.  [Note: I am using SP4 with a whole load of other patches and updates].  

If you get the Task Manager up [CTRL+SHIFT+ESC etc.], and choose Processes, then find CSRSS.EXE.  If you then select the process (CSRSS.EXE) and choose End Process (Right Click menu or button at bottom of frame), you _should_ be presented with a dialog box that states that "This [CSRSS.EXE] is a critical system process.  Task Manager cannot end this process."  If you are presented with a box that asks whether you _want_ to end the process, it is up to you what you do (I would recommend choosing No, due to the above comments on the role of CSRSS.EXE).  If there is more than one CSRSS.EXE, then virus activity could be a possibility, and if one presents the dialog box as above when you attempt to close it, then the other one could be the virus.  


[Note: If you do not have SP4, then I do not know what will happen.  Be cautious, however, a restart would probably fix anything done by closing a process.]  

Expert Comment

ID: 10827204
A few known viruses and worms attach themselves to (overwrite) windows executable services.
Here's a report by <a href="">Symantec</a> about the virus/worm Nimda:
It seems to copy itself as Csrss.exe in the windows folder (the good one is under system32)

I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
Keep an antivirus close to you at all times! Here's a very nice removal tool from <a href="">McAfee</a> that takes care of most of the latest threats: <a href="">Stinger</a>

Expert Comment

ID: 10827214
My bad with those tags!! =P

Expert Comment

ID: 11808830
csrss.exe is a system process, but the same filename is widelly used by various keyloggers and other parasites:

Expert Comment

ID: 11957901
here's a good link to look up common task list programs. could be usefull in the future.

Expert Comment

ID: 12751517
How do I get rid of the about:blank its seem to have taken over my IE.

Expert Comment

ID: 12846261
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

For more information go to:

Expert Comment

ID: 13042132
i recommend using WinTask.

Expert Comment

ID: 13275521
csrss.exe is a system executable that handles threads and some other stuff , sometimes hackers and programmers call their apps *csrss.exe* so you are unable to close it ! , check in the processes tab if you have more than once csrss.exe then you are having a virus ! , if its only one , that's the normal , but just download your latest virus definitions and scan your harddrive to make sure that there are no viruses binded to that exe.

Expert Comment

ID: 13952526
i once had it, it was listed as CSRSS.EXE in all caps. i would just do a virus scan and a tojan and spyware can

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cursor typing problems 5 58
Cursed with a Windows 2000 Server that needs to copy files 3 734
Change port for terminal servers (2000 and 2003) 3 175
Can’t delete a file 14 229
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question