Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Is csrss.exe a virus?

Posted on 2003-11-13
Medium Priority
Last Modified: 2011-08-18
I found this file in my pc, I don't know what is about that.
Question by:mikezang
LVL 49

Expert Comment

ID: 9744683

Author Comment

ID: 9744709
I had read that, but I still don't understand, could you explain to me?

Expert Comment

ID: 9744835
Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

LVL 49

Accepted Solution

sunray_2003 earned 200 total points
ID: 9745352
Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.


Expert Comment

ID: 10408350
It is not a virus,


some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus)

You should check the particular .exe, and see whether or not it contains a virus.

Expert Comment

ID: 10687242
If you want to know if a file, such as csrss.exe, is legitimite or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.

If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.

Be careful when you use this test!

If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.

The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimite. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the the "Modified date" on the infected file correspond to it. A little far fetched, but possible.

Expert Comment

ID: 10797304
There is also another way to see if it is the "authentic" CSRSS.EXE.  [Note: I am using SP4 with a whole load of other patches and updates].  

If you get the Task Manager up [CTRL+SHIFT+ESC etc.], and choose Processes, then find CSRSS.EXE.  If you then select the process (CSRSS.EXE) and choose End Process (Right Click menu or button at bottom of frame), you _should_ be presented with a dialog box that states that "This [CSRSS.EXE] is a critical system process.  Task Manager cannot end this process."  If you are presented with a box that asks whether you _want_ to end the process, it is up to you what you do (I would recommend choosing No, due to the above comments on the role of CSRSS.EXE).  If there is more than one CSRSS.EXE, then virus activity could be a possibility, and if one presents the dialog box as above when you attempt to close it, then the other one could be the virus.  


[Note: If you do not have SP4, then I do not know what will happen.  Be cautious, however, a restart would probably fix anything done by closing a process.]  

Expert Comment

ID: 10827204
A few known viruses and worms attach themselves to (overwrite) windows executable services.
Here's a report by <a href="http://securityresponse.symantec.com/avcenter/tools.list.html">Symantec</a> about the virus/worm Nimda:

It seems to copy itself as Csrss.exe in the windows folder (the good one is under system32)

I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
Keep an antivirus close to you at all times! Here's a very nice removal tool from <a href="http://www.networkassociates.com/us/index.asp">McAfee</a> that takes care of most of the latest threats: <a href="http://vil.nai.com/vil/stinger/">Stinger</a>

Expert Comment

ID: 10827214
My bad with those tags!! =P

Expert Comment

ID: 11808830
csrss.exe is a system process, but the same filename is widelly used by various keyloggers and other parasites:

Expert Comment

ID: 11957901
here's a good link to look up common task list programs. could be usefull in the future.


Expert Comment

ID: 12751517
How do I get rid of the about:blank its seem to have taken over my IE.

Expert Comment

ID: 12846261
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

For more information go to:

Expert Comment

ID: 13042132
i recommend using WinTask.

Expert Comment

ID: 13275521
csrss.exe is a system executable that handles threads and some other stuff , sometimes hackers and programmers call their apps *csrss.exe* so you are unable to close it ! , check in the processes tab if you have more than once csrss.exe then you are having a virus ! , if its only one , that's the normal , but just download your latest virus definitions and scan your harddrive to make sure that there are no viruses binded to that exe.

Expert Comment

ID: 13952526
i once had it, it was listed as CSRSS.EXE in all caps. i would just do a virus scan and a tojan and spyware can

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Nowadays, technologies make investments easier and it's not even necessary to look for investors in some cases. In this article, we will consider Initial Coin Offering (ICO) investment scheme.
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question