Is csrss.exe a virus?

Posted on 2003-11-13
Last Modified: 2011-08-18
I found this file on my PC, and I don't know what it is about.
Question by:mikezang

Expert Comment

ID: 9744683

Author Comment

ID: 9744709
I had read that, but I still don't understand, could you explain to me?

Expert Comment

ID: 9744835
Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times.
Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.


Accepted Solution

sunray_2003 earned 50 total points
ID: 9745352
Csrss.exe: The Client Server Runtime Subsystem process, also known as the Win32 subsystem, generates a worker thread for client requests.


Expert Comment

ID: 10408350
It is not a virus,


some virus makers know of this, and will bind a virus to this program, or rename their virus to CSRSS.exe (so you won't think it is a virus)

You should check the particular .exe, and see whether or not it contains a virus.

Expert Comment

ID: 10687242
If you want to know if a file, such as csrss.exe, is legitimate or not, a good hint is the "Date modified" information you can view when performing a search on the filename on your hard drive.

If you suspect a file has started trying to access the network illegally in recent days, the file may have been modified by a virus just prior to the date when this unwarranted activity started.

Be careful when you use this test!

If you recently patched your system, the "Modified date" on the file will correspond to the date a file may have been changed by the software editor in order to correct a problem.

The person writing the virus may also be aware of the date the file was last modified by the software editor and try to fool you into believing the file is legitimate. This could be done if the hacker is aware of the date the software vendor last changed the file and makes the "Modified date" on the infected file correspond to it. A little far-fetched, but possible.

Expert Comment

ID: 10797304
There is also another way to see if it is the "authentic" CSRSS.EXE.  [Note: I am using SP4 with a whole load of other patches and updates].  

If you get the Task Manager up [CTRL+SHIFT+ESC etc.], and choose Processes, then find CSRSS.EXE.  If you then select the process (CSRSS.EXE) and choose End Process (Right Click menu or button at bottom of frame), you _should_ be presented with a dialog box that states that "This [CSRSS.EXE] is a critical system process.  Task Manager cannot end this process."  If you are presented with a box that asks whether you _want_ to end the process, it is up to you what you do (I would recommend choosing No, due to the above comments on the role of CSRSS.EXE).  If there is more than one CSRSS.EXE, then virus activity could be a possibility, and if one presents the dialog box as above when you attempt to close it, then the other one could be the virus.  


[Note: If you do not have SP4, then I do not know what will happen.  Be cautious, however, a restart would probably fix anything done by closing a process.]  

Expert Comment

ID: 10827204
A few known viruses and worms attach themselves to (overwrite) windows executable services.
Here's a report by <a href="">Symantec</a> about the virus/worm Nimda:
It seems to copy itself as Csrss.exe in the windows folder (the good one is under system32)

I think Blaster also behaves similarly... If you have your reasons to believe there's a virus there, then you're probably right...
Keep an antivirus close to you at all times! Here's a very nice removal tool from <a href="">McAfee</a> that takes care of most of the latest threats: <a href="">Stinger</a>

Expert Comment

ID: 10827214
My bad with those tags!! =P

Expert Comment

ID: 11808830
csrss.exe is a system process, but the same filename is widely used by various keyloggers and other parasites:

Expert Comment

ID: 11957901
Here's a good link to look up common task list programs. Could be useful in the future.

Expert Comment

ID: 12751517
How do I get rid of the about:blank? It seems to have taken over my IE.

Expert Comment

ID: 12846261
csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

For more information go to:

Expert Comment

ID: 13042132
I recommend using WinTask.

Expert Comment

ID: 13275521
csrss.exe is a system executable that handles threads and some other stuff. Sometimes hackers and programmers call their apps *csrss.exe* so you are unable to close it! Check in the Processes tab: if you have more than one csrss.exe then you have a virus! If it's only one, that's normal, but just download your latest virus definitions and scan your hard drive to make sure that there are no viruses bound to that exe.

Expert Comment

ID: 13952526
I once had it; it was listed as CSRSS.EXE in all caps. I would just do a virus scan and a trojan and spyware scan.
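
The location check mentioned in the answers above (the genuine file is under system32, a copy in the Windows folder is not), as an added example that is not part of any answer in this thread. The record layout, the `C:\WINDOWS` root and the sample entries are constructed assumptions; the records stand in for a process listing exported from the machine being checked.

```python
import ntpath

NT_PREFIX = "\\??\\"  # object-manager prefix some tools show before the drive letter


def normalise(path):
    """Case-fold a Windows path, drop the NT prefix and collapse '..' parts."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return ntpath.normcase(ntpath.normpath(path))


def assess(proc, system_root="C:\\WINDOWS"):
    """Classify one process record as 'ok', 'suspicious', 'unknown' or 'other'."""
    if proc["name"].lower() != "csrss.exe":  # upper/lower case of the name proves nothing
        return "other"
    if not proc.get("path"):  # image path not readable, e.g. tool run without admin rights
        return "unknown"
    genuine = normalise(ntpath.join(system_root, "system32", "csrss.exe"))
    return "ok" if normalise(proc["path"]) == genuine else "suspicious"


def triage(procs, system_root="C:\\WINDOWS"):
    """Return (pid, verdict) for every process named csrss.exe."""
    # The instance count is not used as a signal here: Windows Vista and later
    # start one csrss.exe per session, so several genuine instances can coexist.
    verdicts = [(p["pid"], assess(p, system_root)) for p in procs]
    return [(pid, v) for pid, v in verdicts if v != "other"]


# Constructed sample records (not taken from a real machine).
SAMPLE = [
    {"pid": 412, "name": "csrss.exe", "path": "\\??\\C:\\WINDOWS\\system32\\csrss.exe"},
    {"pid": 1480, "name": "CSRSS.EXE", "path": "C:\\WINDOWS\\Csrss.exe"},
    {"pid": 1532, "name": "csrss.exe", "path": "C:\\WINDOWS\\system32\\..\\csrss.exe"},
    {"pid": 600, "name": "csrss.exe", "path": None},
    {"pid": 900, "name": "explorer.exe", "path": "C:\\WINDOWS\\explorer.exe"},
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE):
        print(pid, verdict)
```

An "unknown" verdict means the listing has to be repeated with a tool that can read the image path; a "suspicious" one is a reason to scan that file, not proof of infection.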
