Client/Server Runtime Subsystem
csrss.exe is hidden monitoring software that tracks your personal information, such as credit card and social security numbers, IDs, email addresses, websites you have visited or your surfing habits, IP addresses, etc.
This information can be sent to hackers or third parties, who may damage your computer by sending viruses, spyware, or malware, or use your personal information for criminal activities or fraudulent purchases.
History
The Windows NT 3.x series of releases had placed the Graphics Device Interface component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance.[1] The Windows startup process from Vista onward has changed significantly. Two instances of csrss.exe are running in Windows 7 and Vista.[2]
Technical details
CSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or side-by-side support, instead of issuing a system call, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel.[3] Window manager and GDI services are handled by a kernel mode driver (win32k.sys) instead.[4]
CSRSS is called along with winlogon.exe at Windows start-up. If either of the files is corrupted or otherwise inaccessible, the NT kernel will shut down the start-up process with a Blue Screen of Death. This is caused by a failure to move out of kernel mode and into user mode, the "normal" operation of Windows. The error code for this fault is 0xc000021a (STATUS_SYSTEM_PROCESS_TERMINATED).
In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns conhost.exe subprocesses to draw console windows for command line programs with the permissions of that user.
Malware hoaxes
There are numerous virus hoaxes that claim that csrss.exe is malware and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe process will result in a Blue Screen of Death.
In addition, technical support scammers pretending to be Microsoft representatives are known to use csrss.exe as "proof" of a virus infection and to convince the user being scammed to purchase their rogue security software to remove it.[5]
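Rather than killing the process, a responder can check whether each csrss.exe instance looks like the genuine subsystem. The following is an added example, not part of the original article: it assumes the genuine binary is %SystemRoot%\System32\csrss.exe running as SYSTEM with one instance per session, and the record fields (`pid`, `name`, `session`, `user`, `path`) and the sample snapshot are constructed for illustration.

```python
import ntpath
from collections import Counter

# Assumptions added for this example (not stated on the page): the genuine
# binary is %SystemRoot%\System32\csrss.exe, it runs as SYSTEM, and each
# session has exactly one instance.
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

def triage_csrss(processes, system_root=r"C:\Windows"):
    """Map pid -> (verdict, reasons) for every process named csrss.exe."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32", "csrss.exe"))
    hits = [p for p in processes if p["name"].lower() == "csrss.exe"]
    per_session = Counter(p["session"] for p in hits)
    results = {}
    for p in hits:
        reasons = []
        if p["path"] is not None:
            actual = ntpath.normcase(ntpath.normpath(p["path"]))
            if actual != expected:
                reasons.append("unexpected path: " + p["path"])
        if p["user"].upper() != SYSTEM_ACCOUNT:
            reasons.append("unexpected account: " + p["user"])
        if per_session[p["session"]] > 1:
            reasons.append("%d instances in session %d"
                           % (per_session[p["session"]], p["session"]))
        if reasons:
            verdict = "review"
        elif p["path"] is None:
            # An unreadable path (common without elevation) proves nothing.
            verdict, reasons = "unverified", ["path unreadable; re-run elevated"]
        else:
            verdict = "expected"
        results[p["pid"]] = (verdict, reasons)
    return results

# Constructed process snapshot, not taken from a real host.
SAMPLE = [
    {"pid": 412, "name": "csrss.exe", "session": 0, "user": SYSTEM_ACCOUNT,
     "path": r"C:\Windows\System32\csrss.exe"},
    {"pid": 508, "name": "csrss.exe", "session": 1, "user": SYSTEM_ACCOUNT,
     "path": r"C:\Windows\system32\csrss.exe"},
    {"pid": 6120, "name": "CSRSS.EXE", "session": 1, "user": r"DESKTOP-01\alice",
     "path": r"C:\Users\alice\AppData\Roaming\csrss.exe"},
    {"pid": 7044, "name": "csrss.exe", "session": 2, "user": SYSTEM_ACCOUNT,
     "path": None},
    {"pid": 900, "name": "winlogon.exe", "session": 1, "user": SYSTEM_ACCOUNT,
     "path": r"C:\Windows\System32\winlogon.exe"},
]
```

Calling `triage_csrss(SAMPLE)` marks PID 412 as expected, PID 7044 as unverified, and both session 1 instances for review, with the reasons showing that only PID 6120 has an unexpected path and account.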
References
1. "The Windows NT 4.0 Kernel mode change". MS Windows NT Kernel-mode User and GDI White Paper. Microsoft. Retrieved 2009-01-19.
2. "Inside the Windows Vista Kernel – Startup Processes". Inside the Windows Vista Kernel – Startup Processes. Microsoft. Retrieved 2010-10-01.
3. "Detailed implementation of a system service in Windows NT". Undocumented Windows NT. Archived from the original on 2011-07-17. Retrieved 2010-06-10.
4. Russinovich, Mark (2009). Windows Internals, 5th Edition. Microsoft Press. p. 54.
5. Cimpanu, Catalin (Jan 22, 2016). "Symantec Disavows Business Partner Caught Running a Tech Support Scam". Softpedia. Retrieved July 29, 2016.