Client/Server Runtime Subsystem

Client/Server Runtime Subsystem, or csrss.exe, is a component of the Microsoft Windows NT operating system that provides the user mode side of the Win32 subsystem and is included in Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows Server 2008 and Windows 7. Because most of the Win32 subsystem operations have been moved to kernel mode drivers, in Windows NT 4 and later CSRSS is mainly responsible for Win32 console handling and GUI shutdown. It is critical to system operation; therefore, terminating this process will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, though it is possible in Vista if the Task Manager is run in Administrator mode. On Windows 7 and Windows 8 Developer Preview, Task Manager will inform the user that terminating the process will result in system failure, and prompt if they want to continue. Some virus hoax emails claim that csrss.exe is a virus that has been confirmed by Microsoft, and that the user should terminate it immediately. This, obviously, would actually lead to system failure.

Workings

CSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or Side-by-Side support, instead of issuing a system call, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel.^[1] Window manager and GDI services are handled by a kernel mode driver (win32k.sys) instead.^[2]

History

The Windows NT 3.x series of releases had placed the Graphics Device Interface component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance.^[3] The Windows startup process has changed significantly since Vista. Two instances of csrss.exe are running in Windows 7 and Vista.^[4]

Threats

Viruses, spyware, and trojans are known to infect or disguise themselves as this process. These include, but are not limited to:

• Nimda.E^[5]
• W32/Netsky.ab@MM^[6]
• W32/VBMania@MM^[7]

See also

• List of Microsoft Windows components

References

1. "Detailed implementation of a system service in Windows NT". Undocumented Windows NT. http://www.left-brain.com/tabId/65/itemId/1642/pageId/29/Undocumented-Windows-NT.aspx. 
2. Russinovich, Mark (2009). Windows Internals, 5th Edition. Microsoft Press. pp. 54. 
3. "The Windows NT 4.0 Kernel mode change". MS Windows NT Kernel-mode User and GDI White Paper. Microsoft. http://technet.microsoft.com/en-us/library/cc750820.aspx#XSLTsection124121120120. Retrieved 2009-01-19. 
4. "Inside the Windows Vista Kernel - Startup Processes". Inside the Windows Vista Kernel - Startup Processes. Microsoft. http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx. Retrieved 2010-10-01. 
5. "csrss.exe Windows process - What is it?". http://www.neuber.com/taskmanager/process/csrss.exe.html. Retrieved 2009-01-12. 
6. "McAfee W32/Netsky.ab@MM Virus Profile". http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=124873. Retrieved 2009-01-12. 
7. "Widespread Reporting of "Here you have" Virus (aka W32/VBMania@MM)". http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/. Retrieved 2010-09-10. 

External links

• Troubleshooting the Startup Process (Windows XP Professional Resource Kit)