Is csrss.exe a virus?

Posted on 2003-11-13
Last Modified: 2011-08-18
I found this file on my PC; I don't know what it is about.
Question by:mikezang

Expert Comment

ID: 9744683

Author Comment

ID: 9744709
I had read that, but I still don't understand. Could you explain it to me?

Expert Comment

ID: 9744835
Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.


Accepted Solution

sunray_2003 earned 50 total points
ID: 9745352
Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.


Expert Comment

ID: 10408350
It is not a virus,


some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus)

You should check the particular .exe, and see whether or not it contains a virus.

Expert Comment

ID: 10687242
If you want to know if a file, such as csrss.exe, is legitimate or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.

If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.

Be careful when you use this test!

If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.

The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimate. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the "Modified date" on the infected file correspond to it. A little far-fetched, but possible.

Expert Comment

ID: 10797304
There is also another way to see if it is the "authentic" CSRSS.EXE.  [Note: I am using SP4 with a whole load of other patches and updates].  

If you get the Task Manager up [CTRL+SHIFT+ESC etc.], and choose Processes, then find CSRSS.EXE.  If you then select the process (CSRSS.EXE) and choose End Process (Right Click menu or button at bottom of frame), you _should_ be presented with a dialog box that states that "This [CSRSS.EXE] is a critical system process.  Task Manager cannot end this process."  If you are presented with a box that asks whether you _want_ to end the process, it is up to you what you do (I would recommend choosing No, due to the above comments on the role of CSRSS.EXE).  If there is more than one CSRSS.EXE, then virus activity could be a possibility, and if one presents the dialog box as above when you attempt to close it, then the other one could be the virus.  


[Note: If you do not have SP4, then I do not know what will happen.  Be cautious, however, a restart would probably fix anything done by closing a process.]  

Expert Comment

ID: 10827204
A few known viruses and worms attach themselves to (overwrite) windows executable services.
Here's a report by <a href="">Symantec</a> about the virus/worm Nimda:
It seems to copy itself as Csrss.exe in the windows folder (the good one is under system32)

I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
Keep an antivirus close to you at all times! Here's a very nice removal tool from <a href="">McAfee</a> that takes care of most of the latest threats: <a href="">Stinger</a>

Expert Comment

ID: 10827214
My bad with those tags!! =P

Expert Comment

ID: 11808830
csrss.exe is a system process, but the same filename is widely used by various keyloggers and other parasites:

Expert Comment

ID: 11957901
Here's a good link to look up common task list programs. Could be useful in the future.

Expert Comment

ID: 12751517
How do I get rid of the about:blank? It seems to have taken over my IE.

Expert Comment

ID: 12846261
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

For more information go to:

Expert Comment

ID: 13042132
I recommend using WinTask.

Expert Comment

ID: 13275521
csrss.exe is a system executable that handles threads and some other stuff. Sometimes hackers and programmers call their apps *csrss.exe* so you are unable to close it! Check in the Processes tab: if you have more than one csrss.exe, then you have a virus! If it's only one, that's normal, but just download your latest virus definitions and scan your hard drive to make sure that there are no viruses bound to that exe.

Expert Comment

ID: 13952526
I once had it; it was listed as CSRSS.EXE in all caps. I would just do a virus scan and a trojan and spyware scan.
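
The checks suggested across the comments above (file location under system32, running instances, "Date modified"), gathered into one PowerShell script as an added example that is not part of any poster's comment. It uses built-in cmdlets only; the helper name `Test-CsrssFile` and the report layout are assumptions made for illustration.

```powershell
# Added example: triage every csrss.exe on the machine by path, signature and timestamp.
# Location the thread gives for the genuine file:
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Test-CsrssFile {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        InSystem32    = ($Path -ieq $expected)
        SignatureOk   = ($sig.Status -eq 'Valid')
        Signer        = $sig.SignerCertificate.Subject
        # Timestamps can be set by whoever wrote the file, so this is a hint only.
        LastWriteTime = (Get-Item -LiteralPath $Path -Force).LastWriteTime
        SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# 1. Running processes. Windows starts one csrss.exe per session, so the image
#    path of each instance says more than the instance count does.
$running = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'") {
    $verdict = if (-not $p.ExecutablePath) { 'path unavailable (rerun elevated)' }
               elseif ($p.ExecutablePath -ieq $expected) { 'expected path' }
               else { 'UNEXPECTED PATH' }
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        SessionId = $p.SessionId
        Path      = $p.ExecutablePath
        Verdict   = $verdict
    }
}

# 2. Files on disk. A copy placed directly in the Windows folder, as one comment
#    describes, shows up here with InSystem32 = False. Copies under WinSxS belong
#    to the component store and should still carry a valid signature.
$onDisk = Get-ChildItem -Path $env:SystemRoot -Filter 'csrss.exe' -Recurse -File -Force `
              -ErrorAction SilentlyContinue |
          ForEach-Object { Test-CsrssFile -Path $_.FullName }

$running | Format-Table -AutoSize
$onDisk  | Sort-Object InSystem32 | Format-List

# Files that fail both checks are the ones to hand to an antivirus scan first.
$onDisk | Where-Object { -not $_.InSystem32 -and -not $_.SignatureOk }
```

The SHA256 column gives a value that can be compared against a known-good copy from another machine at the same patch level.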
