Client/Server Runtime Subsystem
Client/Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user-mode side of the Win32 subsystem and is included in Windows NT 4 and later. Because most of the Win32 subsystem operations have been moved to kernel-mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown. It is critical to system operation; therefore, terminating this process will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Vista if the Task Manager is run in Administrator mode. On Windows 7 and later, Task Manager will inform the user that terminating the process will result in system failure, and ask whether they want to continue.
There are numerous virus hoaxes that claim that csrss.exe is malware and should be removed to prevent damage to the system. These claims are false: removing csrss.exe or killing the csrss.exe process will result in a Blue Screen of Death. In addition, several scammers pretending to be Microsoft representatives are known to point to csrss.exe as "proof" of a virus infection and to convince the user into purchasing their rogue security software to remove it.
The Windows NT 3.x series of releases placed the Graphics Device Interface component in CSRSS, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance. The Windows startup process has changed significantly since Vista. Two instances of csrss.exe run in Windows 7 and Vista.