Does anyone else out there have 2 instances of csrss.exe running? I'm
pretty sure it's not spy ware... is it a configuration issue?

It it by design for Vista?

-Thx

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Does anyone else out there have 2 instances of csrss.exe running? I'm
> pretty sure it's not spy ware... is it a configuration issue?
>
> It it by design for Vista?

You may have a Trojan...
http://www.liutilities.com/products/...library/csrss/

"Julian" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Does anyone else out there have 2 instances of csrss.exe running? I'm
>> pretty sure it's not spy ware... is it a configuration issue?
>>
>> It it by design for Vista?
>
> You may have a Trojan...
> http://www.liutilities.com/products/...library/csrss/

You might need to purchase their tools to get much joy from that site.

Try a full search on your drive(s) for csrss.exe

It's likely you'll find at least two examples which you can then compare
for details such as date and time created/modified etc. and the
folder in which they are located.
That should give you a clue about which is the genuine article.

Also, or altertnatively, you could run regdit and search for csrss.exe
and glean information to help you identify the imposter.

Then you can, probably, fix it quite easily by deleting the bastard.

Their both from C:\WINDOWS\system32. I think they are the legit exe
files from MS. Thoughts?

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Their both from C:\WINDOWS\system32. I think they are the legit exe
> files from MS. Thoughts?

I'm not sure how a folder can show two identically names entries but...

If they are identical in ALL respects....

(Carefully and recheck the details or each copy of csrss.exe
by right clicking on csrss.exe then take options
> properties > General and details )

Rename one csrss.exe to csrss1.exe

Reboot and see what happens.

If you still have two occurrences you are going to have
to check with something like Autoruns (google it)
to see if it is being initiated twice.

Try showing processes from all users. Now you will see two copies of
csrss.exe running.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

"Julian" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Does anyone else out there have 2 instances of csrss.exe running? I'm
>> pretty sure it's not spy ware... is it a configuration issue?
>>
>> It it by design for Vista?
>
> You may have a Trojan...
> http://www.liutilities.com/products/...library/csrss/

I'm probably not being clear.

1) Run process explorer
2) Sort by process name
3) Note that there are two instances of csrss.exe running side by side
4) View the properties of each and note that they were both launched
from C:\Windows\System32
5) Note that both are running under the NT AUTHORITY\SYSTEM account.

I should also mention that I've seen this on another vista
installation (both are Ultimate BTW). Check yours for yourself.

Task Manager should also work for this.

Any ideas on why this is?

-Thx

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm probably not being clear.
>
> 1) Run process explorer
> 2) Sort by process name
> 3) Note that there are two instances of csrss.exe running side by side
> 4) View the properties of each and note that they were both launched
> from C:\Windows\System32
> 5) Note that both are running under the NT AUTHORITY\SYSTEM account.
>
> I should also mention that I've seen this on another vista
> installation (both are Ultimate BTW). Check yours for yourself.
>
> Task Manager should also work for this.
>
> Any ideas on why this is?

You have a virus, such as the Trojan.Gutta or W32.Netsky.AB@mm or
W32.Buchon.A@mm or Backdoor.Botnachala virus, or some other virus, if
you have Windows 95/98/ME or if the full path to this program is either
C:\Windows\csrss.exe or C:\WinNT\csrss.exe.

Okay it's turns out there is a reason for this and it is by design for
Vista. It is *not* a virus.

Apparently the Windows startup process has changed significantly
between Vista and XP.

Check out the "Startup Processes" section of the following article for
a better explanation:

http://www.microsoft.com/technet/tec...3/VistaKernel/

-Thx

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Does anyone else out there have 2 instances of csrss.exe running? I'm
> pretty sure it's not spy ware... is it a configuration issue?
>
> It it by design for Vista?
>
> -Thx
>


For "user-mode" (as opposed to 'kernel-mode') processes. Probably one for
each "session" - ie one for session 0, and one for session 1.

User-mode = accesses hardware indirectly via Windows API
Kernel-mode = direct hardware access

--
Jon