Client Server Runtime Subsystem, or csrss.exe, is a component of the

Windows NT Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system. The first version of Win ...

family of

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also i ...

s that provides the

user mode A modern computer operating system usually segregates virtual memory into user space and kernel space. Primarily, this separation serves to provide memory protection and hardware protection from malicious or errant software behaviour. Kernel ...

side of the Win32 subsystem and is included in

Windows NT 3.1 Windows NT 3.1 is the first major release of the Windows NT operating system developed by Microsoft, released on July 27, 1993. At the time of Windows NT's release, Microsoft's Windows 3.1 desktop environment had established brand recognition ...

and later. Because most of the Win32 subsystem operations have been moved to

kernel mode In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behavior (by providing computer security). Compute ...

drivers in

Windows NT 4 Windows NT 4.0 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It is the direct successor to Windows NT 3.51, which was released to manufacturing on July 31, 1996, and then to retail ...

and later, CSRSS is mainly responsible for

Win32 console Windows Console is the infrastructure for console applications in Microsoft Windows. An instance of a Windows Console has a screen buffer and an input buffer. It allows console apps to run inside a window or in hardware text mode (so as to oc ...

handling and GUI shutdown. It is critical to system operation; therefore, terminating this

process A process is a series or set of activities that interact to produce a result; it may occur once-only or be recurrent or periodic. Things called a process include: Business and management *Business process, activities that produce a specific se ...

will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the '' taskkill'' command or with

Windows Task Manager Task Manager, previously known as Windows Task Manager, is a task manager, system monitor, and startup manager included with Microsoft Windows systems. It provides information about computer performance and running software, including name of r ...

, although it is possible in

Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...

if the Task Manager is run in Administrator mode. On

Windows 7 Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009. It is the successor to Windows Vista, released nearly ...

and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt if they want to continue. In Windows NT 4.0 however, terminating CSRSS without the

Session Manager Subsystem Session Manager Subsystem, or , is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the Windows NT startup process, startup process of those operating systems (it is the first ...

(SMSS) watching will not crash the system. However in

Windows XP Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...

, terminating CSRSS without SMSS watching will crash the system due to the critical bit being set in RAM for csrss.exe.

History

The Windows NT 3.x series of releases had placed the

Graphics Device Interface The Graphics Device Interface (GDI) is a legacy component of Microsoft Windows responsible for representing graphical objects and transmitting them to output devices such as monitors and printers. Windows apps use Windows API to interact with GD ...

component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance. The Windows startup process from Vista onward has changed significantly. Two instances of csrss.exe are running in Windows 7 and Vista.

Technical details

CSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or side-by-side support, instead of issuing a

system call In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services (for example, acc ...

, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel. Window manager and

GDI GDI may refer to: Science and technology * Gasoline direct injection, a type of fuel injection * Graphics Device Interface, a component of Microsoft Windows * Guanosine nucleotide dissociation inhibitor, a protein Organisations * Gabriel Dumont I ...

services are handled by a kernel mode driver (win32k.sys) instead. CSRSS is called along with winlogon.exe from smss.exe at Windows start-up. If either of the files is corrupted or otherwise inaccessible, SMSS will tell the kernel to shut down the start-up process with a Blue screen of death. The error code for this fault is 0xc000021a (STATUS_SYSTEM_PROCESS_TERMINATED). In Windows 7 and later, instead of drawing console windows itself, CSRSS spawns conhost.exe subprocesses to draw console windows for command line programs with the permissions of that user.

Malware hoaxes

There are numerous

virus hoax A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know, but it can also be in the form of a pop-up wind ...

es that claim that csrss.exe is malware and should be removed to prevent damage to the system; these are false, as removing csrss.exe or killing the csrss.exe

will result in a kernel panic. In addition,

technical support scam A technical support scam, or tech support scam, is a type of fraud in which a scammer claims to offer a legitimate technical support service. Victims contact scammers in a variety of ways, often through fake pop-ups resembling error messages or ...

mers pretending to be Microsoft representatives are known to use csrss.exe as "proof" of a virus infection, and convince the user being scammed into purchasing their rogue security software to remove it.

References

External links

Troubleshooting the Startup Process (Windows XP Professional Resource Kit)
{{DEFAULTSORT:Client Server Runtime Subsystem Windows NT architecture

History

Technical details

Malware hoaxes

See also

References

External links