2 instances of csrss.exe?

[kilik3000]

Does anyone else out there have 2 instances of csrss.exe running? I'm
pretty sure it's not spy ware... is it a configuration issue?

It it by design for Vista?

-Thx

 

[Julian]

Does anyone else out there have 2 instances of csrss.exe running? I'm
pretty sure it's not spy ware... is it a configuration issue?

It it by design for Vista?

You may have a Trojan...
http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/

 

[Julian]

You may have a Trojan...
http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/

You might need to purchase their tools to get much joy from that site.

Try a full search on your drive(s) for csrss.exe

It's likely you'll find at least two examples which you can then compare
for details such as date and time created/modified etc. and the
folder in which they are located.
That should give you a clue about which is the genuine article.

Also, or altertnatively, you could run regdit and search for csrss.exe
and glean information to help you identify the imposter.

Then you can, probably, fix it quite easily by deleting the bastard.

 

[kilik3000]

Their both from C:\WINDOWS\system32. I think they are the legit exe
files from MS. Thoughts?

 

[Julian]

Their both from C:\WINDOWS\system32. I think they are the legit exe
files from MS. Thoughts?

I'm not sure how a folder can show two identically names entries but...

If they are identical in ALL respects....

(Carefully and recheck the details or each copy of csrss.exe
by right clicking on csrss.exe then take options

properties > General and details )

Rename one csrss.exe to csrss1.exe

Reboot and see what happens.

If you still have two occurrences you are going to have
to check with something like Autoruns (google it)
to see if it is being initiated twice.

 

[Richard Urban]

Try showing processes from all users. Now you will see two copies of
csrss.exe running.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

 

[kilik3000]

I'm probably not being clear.

1) Run process explorer
2) Sort by process name
3) Note that there are two instances of csrss.exe running side by side
4) View the properties of each and note that they were both launched
from C:\Windows\System32
5) Note that both are running under the NT AUTHORITY\SYSTEM account.

I should also mention that I've seen this on another vista
installation (both are Ultimate BTW). Check yours for yourself.

Task Manager should also work for this.

Any ideas on why this is?

-Thx

 

[Julian]

I'm probably not being clear.

1) Run process explorer
2) Sort by process name
3) Note that there are two instances of csrss.exe running side by side
4) View the properties of each and note that they were both launched
from C:\Windows\System32
5) Note that both are running under the NT AUTHORITY\SYSTEM account.

I should also mention that I've seen this on another vista
installation (both are Ultimate BTW). Check yours for yourself.

Task Manager should also work for this.

Any ideas on why this is?

You have a virus, such as the Trojan.Gutta or W32.Netsky.AB@mm or
W32.Buchon.A@mm or Backdoor.Botnachala virus, or some other virus, if
you have Windows 95/98/ME or if the full path to this program is either
C:\Windows\csrss.exe or C:\WinNT\csrss.exe.

 

[kilik3000]

Okay it's turns out there is a reason for this and it is by design for
Vista. It is *not* a virus.

Apparently the Windows startup process has changed significantly
between Vista and XP.

Check out the "Startup Processes" section of the following article for
a better explanation:

http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/

-Thx

 

[Jon]

Does anyone else out there have 2 instances of csrss.exe running? I'm
pretty sure it's not spy ware... is it a configuration issue?

It it by design for Vista?

-Thx

For "user-mode" (as opposed to 'kernel-mode') processes. Probably one for
each "session" - ie one for session 0, and one for session 1.

User-mode = accesses hardware indirectly via Windows API
Kernel-mode = direct hardware access

 

[Julian]

Okay it's turns out there is a reason for this and it is by design for
Vista. It is *not* a virus.

Apparently the Windows startup process has changed significantly
between Vista and XP.

Check out the "Startup Processes" section of the following article for
a better explanation:

http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/

Excellent news.. I have the same thing and have been
saved from dabbling with things beyond my competence.

 

[Jimmy Brush]

Hello,

This is correct. Csrss.exe is the user-mode component of Windows that
manages, keeps information on/for, and provides services to Windows
applications (applications running under the Win32 subsystem).

As such, it needs to run once in each session, since the state of
Windows programs running in one session must be completely seperate
from the state of Windows programs running in another.

Since Windows Vista loads 2 sessions now on startup as opposed to just
1 in XP, you see this process duplicated when showing processes for
all users.

Nothing to be worried about