What is conhost.exe? Why is it running?

If you, like me, are curious about what the conhost.exe process is doing in Task Manager, and why it's running, I've got good news! We know, and we're going to explain it to you!

What is conhost.exe?

The conhost.exe process fixes a fundamental problem in the way previous versions of Microsoft Windows handled console windows. In Windows Vista, this problem caused drag and drop into the console to work incorrectly.

While scanning your system regularly for viruses and malware is certainly recommended, the good news is that as long as conhost.exe is running from the system32 folder and is signed by Microsoft, it's not a virus or a file you should be worried about.

What does conhost.exe do?

Fundamentally, there's a problem with the way the console process works on previous versions of Windows, such as Windows Vista. Previously, console windows were hosted under the csrss.exe (Client Server Runtime Process) service, which runs as a system-privileged account.

You may have noticed that the console window in Windows XP doesn’t even use the active theme. It’s completely ignored. This is because the CSRSS process doesn’t have the ability to be themed.

In Windows Vista, it appears to use the same theme as everything else, but you’ll notice that the scrollbars are still using the old style. This is because the DWM (Desktop Window Manager) process handles drawing the title bars, but underneath it still works the same way, and the scrollbars are part of the window itself.

You'll also notice that Windows Vista broke the ability to drag and drop files from Explorer straight into the command prompt. This is because of security issues between Explorer and the CSRSS process, which runs with a higher level of privileges.

Windows 7 Changes Everything

Checking it out in Process Explorer under Windows 7 shows that the conhost.exe process is running underneath the csrss.exe process.

The conhost.exe process sitting in the middle between CSRSS and cmd.exe allows Windows 7 to fix both of the problems in previous versions of Windows—not only do the scrollbars draw correctly, but you can actually drag and drop files from Explorer straight into the command prompt:

And it'll paste the path onto the command line (of course, this example isn't very useful).

More Information

If you really want to be sure, check out the file properties for the conhost.exe executable, and you’ll see that the description says Console Window Host:

If you look at the details of the process from within Process Explorer, you'll notice that the ComSpec environment variable is set to cmd.exe, a clear indication that it's hosting the command prompt.

And that explains what the conhost.exe process does. It's not spyware, a virus, or malware!
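The article's test for a legitimate copy is a manual one: look at the path and the digital signature in the file properties, and at the parent process in Process Explorer. As an added example that is not part of the original article, the PowerShell script below runs those same checks over every process named conhost.exe at once. The function name Test-ConhostProcess and the OK/SUSPICIOUS verdict labels are my own; the cmdlets used (Get-CimInstance, Get-AuthenticodeSignature) are standard Windows PowerShell 3.0 and later.

```powershell
# Added example (not from the original article): audit every running conhost.exe
# for the two properties the article names as the sign of a legitimate copy:
# it lives in the Windows system32 folder and carries a valid Microsoft signature.
# Run from an elevated prompt so the paths of other users' processes are visible.

$expectedPath = Join-Path $env:SystemRoot 'System32\conhost.exe'

function Test-ConhostProcess {
    param([Parameter(Mandatory)] [int] $ProcessId)

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { return $null }

    $path   = $proc.ExecutablePath
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    $result = [ordered]@{
        Pid         = $proc.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '(exited)' }
        Path        = $path
        InSystem32  = $false
        SignatureOk = $false
        Signer      = $null
        Verdict     = 'SUSPICIOUS'   # hypothetical label, flipped to OK only if both checks pass
    }

    if ($path) {
        # Check 1: the article's "running from the system32 folder" (case-insensitive).
        $result.InSystem32 = ($path -ieq $expectedPath)

        # Check 2: Authenticode status must be Valid and the signer must be Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signer      = $sig.SignerCertificate.Subject
        $result.SignatureOk = ($sig.Status -eq 'Valid' -and
                               $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }

    if ($result.InSystem32 -and $result.SignatureOk) { $result.Verdict = 'OK' }
    return [pscustomobject]$result
}

# Audit every process named conhost.exe, wherever it happens to be running from.
Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" |
    ForEach-Object { Test-ConhostProcess -ProcessId $_.ProcessId } |
    Format-Table Pid, Parent, InSystem32, SignatureOk, Verdict, Path -AutoSize
```

Two caveats when reading the output. The Parent column matches the Process Explorer screenshot only on Windows 7, where conhost.exe is a child of csrss.exe; from Windows 8 onward each console application starts its own conhost.exe, so the parent is the console program itself (cmd.exe, powershell.exe and so on), which is also normal. And on older Windows releases where system binaries are signed only through a catalog file, Get-AuthenticodeSignature can report NotSigned for a perfectly good conhost.exe; in that case fall back to the Digital Signatures tab in the file properties, or to Sysinternals sigcheck, before treating a system32 copy as suspicious.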


2 Comments

  1. DTRY says:

    “It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft.”

    Take note of this sentence very carefully. If you find conhost.exe outside of the system folder, there is a high chance that it is indeed malicious software. If it's not signed, then the chance of it being harmful is extremely high.

    I got it while using Internet Explorer 6, despite having Firefox, to open ReplacementDocs, a depository of old game manuals. (Yes, stupid, I know. Firefox could have saved me such trouble.) Then I suspected a suspicious program running in the Task Manager (I always have it open in case such a situation happens).

    First, there were legitimate Windows programs running, like dexplore.exe (Visual Studio Document Explorer), msiexec.exe (Windows Installer – Unicode), and outlook.exe (well, MS Outlook), none of which I am familiar with.

    Then there was another file running, with a very long nonsensical name consisting only of numbers, which was probably randomly generated. That was really a big red alarm. Then Windows Defender warned me of an attempted registry change, another big red warning. I denied it immediately. The malware was trying to add conhost.exe to the automatic startup list. So I killed the process afterwards.

    After the process with a very long name was killed, all 3 legitimate Windows processes were killed as well. So I guess the first process ran them all.

    Checking creation and modification time, there seem to be 5 files associated with this malware:

    1. The .exe file with a very long numerical name, found on my desktop.
    2. The conhost.exe itself, found in C:\Documents and Settings\[UserName]\Application Data\Microsoft\conhost.exe
    3. A log file of some sort, also with a nonsensical short name with numbers and alphabets, with the file extension of 3 numbers (such as E11E.576, 790F.247). This file is found in C:\Documents and Settings\[UserName]\Application Data
    4. A .tmp file copy of 1. and 2. (all three files are the same but with different extensions). My copy started with “jar_cache” followed by a lot of numbers. Found in C:\Documents and Settings\[UserName]\Local Settings\Temp
    5. Another .tmp file which is much larger than all the others (about 2 MB compared with 170 KB for the others), also with a nonsensical short name with numbers and letters.

    The file names and locations were from my own experience. They can be different in your case. For example, conhost.exe could be in another folder under C:\Documents and Settings.

    Luckily, removal can be done easily with System Restore, which will remove all the executable files. As for those back-ups in the Temp folder, you can remove them later, perhaps while in Safe Mode. The Temp folder should be cleaned periodically anyway, since malware likes to store its copies there.

    If you have Windows Defender, it will help you prevent the malware from auto-starting. I'm not sure what will happen if it successfully installs itself, though. It could be harder to remove.

    P.S. These web sites have useful instructions on how to remove the conhost.exe malware. I bid you good luck keeping your computer malware-free.

    http://comprolive.com/remove/trojan/cycbot/conhost-exe
    http://www.threatexpert.com/report.aspx?md5=178a0b1875a1007349793b29f2e69580

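The comment above describes the malware trying to register its own conhost.exe copy as an automatic startup item, which is exactly the kind of persistence a defender checks for after a clean-up. As an added example that is not the commenter's or the article's code, the PowerShell script below lists Run/RunOnce registry entries and Startup-folder items that launch a file named conhost.exe from anywhere other than the Windows system32 folder. It only reports; it does not delete anything. The function name Get-SuspiciousConhostAutostart is my own; the registry keys and folder names are the standard Windows autostart locations.

```powershell
# Added example (not from the comment author or the article): report autostart
# entries that launch a conhost.exe located outside the Windows system32 folder.
# Reporting only; nothing is removed.

$legitConhost = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Standard per-machine and per-user Run/RunOnce keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SuspiciousConhostAutostart {
    $findings = @()

    # Registry values whose command mentions conhost.exe but not the system32 copy.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName metadata
            $cmd = [string]$prop.Value
            if ($cmd -imatch 'conhost\.exe' -and $cmd -inotmatch [regex]::Escape($legitConhost)) {
                $findings += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $cmd }
            }
        }
    }

    # Startup folders for the current user and for all users.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter 'conhost*' -File | ForEach-Object {
            $findings += [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }

    return $findings
}

$found = Get-SuspiciousConhostAutostart
if ($found) {
    $found | Format-Table -AutoSize
} else {
    'No autostart entries reference a conhost.exe outside System32.'
}
```

Any hit is worth inspecting by hand rather than deleting blindly, and the two copies the commenter found under Application Data and Local Settings\Temp are not autostart entries, so a file search of the user profile is still needed to find them; this script only answers whether something is arranged to start them again at logon.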

  2. Dave says:

    Hi,
    I have Win7 64-bit on an HP. When I open the taskbar and click the “Process” tab I see 2 (two) conhost.exe there; only one of them is a system process. I can kill those processes, by the way. I checked the locations: both are located in the system32 folder and signed by Microsoft. I also find a previous version for both of them when I check for previous versions. So here are my questions:
    1) Are these processes harmful? Or maybe one of them?
    2) If yes, how can I delete them permanently from the computer?
    3) Why do they have previous versions? What's their function?

    Hope I’ll get help! Thanks!


Your Hosts

Mike has a love for all things technology and science.
David is firearms expert and a science guy all rolled up into one.