If you, like me are curious about what conhost.exe process is doing in Task Manager, and why it’s running, I’ve got good news! We know and we’re going to explain it to you!
What is conhost.exe?
The conhost.exe process fixes a fundamental problem in the way previous versions of Microsoft Windows handled console windows. In Windows Vista, this caused drag and drop to work incorrectly.
While scanning your system regularly for viruses and malware is certainly recommended, the good new is as long as conhost.exe is running from the system32 folder, and is signed by Microsoft it’s not a virus or file you should be worried about.
What does conhost.exe do?
Fundamentally there’s a problem with the way the console process works on previous versions of Windows, such as Windows Vista. Previously they were hosted under the csrss.exe (Client Server Runtime Process) service. This process runs as a system-privileged account.
You may have noticed that the console window in Windows XP doesn’t even use the active theme. It’s completely ignored. This is because the CSRSS process doesn’t have the ability to be themed.
In Windows Vista, it appears to use the same theme as everything else, but you’ll notice that the scrollbars are still using the old style. This is because the DWM (Desktop Window Manager) process handles drawing the title bars, but underneath it still works the same way, and the scrollbars are part of the window itself.
You’ll also notice that Windows Vista broke the ability to drag and drop files from Explorer straight into the command prompt. This is because of security issues between the CSRSS process running with a higher level of privileges.
Windows 7 Changes Everything
Checking it out in Process Explorer under Windows 7 shows that the conhost.exe process is running underneath the csrss.exe process.
The conhost.exe process sitting in the middle between CSRSS and cmd.exe allows Windows 7 to fix both of the problems in previous versions of Windows—not only do the scrollbars draw correctly, but you can actually drag and drop a files from Explorer straight into the command prompt:
And it’ll paste in the path onto the command line. (of course this example isn’t very useful).
If you really want to be sure, check out the file properties for the conhost.exe executable, and you’ll see that the description says Console Window Host:
If you look at the details of the process from within Process Explorer, you’ll notice that the ComSpec is set to cmd.exe, a clear indication that it’s hosting the command prompt.
And that explains what the conhost.exe process does. It’s not spyware, a virus, or malware!