Starting with versions of Windows 2000, a user opens the Task Manager and sees the Csrss.exe service in the active process tree. What is this, far from all users know. Now we will consider this topic, and at the same time we will see why errors occur and how to deal with them.
Csrss.exe: what is it?
First of all, it is worth saying that the Csrss.exe service is an important system process. The abbreviation in the file name comes from the Server Client Runtime Subsystem, which in translation can be interpreted as the "subsystem of server-client interaction".
To be more precise, the Csrss.exe process is a layer that provides interaction between the server and client parts of the "OS".
Process description
Let's take a closer look at the Csrss.exe process. What kind of process we have and how it works will be clear with a simple example. We can cite as an illustrative example, for example, user-installed applications that run precisely thanks to this service.
However, the best option is to provide user access to all system features through a graphical interface. The Csrss.exe service is also responsible for this.
In a sense, it can be compared with the Rundll.32 process, only this process interacts exclusively with dynamic libraries, and the Csrss.exe service works in a broader aspect, it is responsible for starting both system and user processes.
Program file location
If we talk about the program file, the standard location is the path C: \ Windows \ System32. The Csrss.exe file is located exactly in the System32 folder and cannot be found anywhere else.
The simplest conclusion follows from this: in the task manager, the user should not observe more than one Csrss.exe process. That being said, de facto. True, sometimes a situation arises when, for example, several Csrss.exe services “hang” in the task manager. Two processes or more are a clear sign of the presence of the virus, although there are exceptions to the rules.
So, for example, depending on the version of Windows OS, there can be more than one such process. Indeed, such situations occur. For example, in Windows 7 or 8, two Csrss.exe processes can be present in the task manager at the same time, but no more. But if there are already more than two of them, then things are bad. We'll have to deal with this, especially since many viruses can easily disguise themselves as system services. But this will be discussed a little later.
Why does the Csrss.exe service load the processor?
Now we are approaching the resolution of an unpleasant situation when this process uses the system resources too actively, loading the RAM and the central processor to the limit.
Initially, as it was intended by the developers, the Csrss.exe process should not occupy more than 3000 Kb in the "RAM" (during normal operation). If you look at the use of processor resources, then here is usually displayed a value equal to zero, or a little more. This “little more” is expressed in no more than fractions of a percent. So if the user observes a load commensurate with tens of percent, emergency measures must be taken.
Suspected Viruses
To begin with, today you can find quite a lot of viruses disguised as the Csrss.exe system process. What exactly is this in the understanding of computer infection? And here is what. First, the virus copies itself by placing copies of the same name (Csrss.exe) in the folders used to store temporary Internet files, moving its own copies to USB drives, etc. As already clear, all running copies can be seen in the task manager.
Moreover, even if you look at the data on the file location or command line, the average user may not see anything suspicious. All data will be just identical to each other. Next, we will consider several ways, the use of which will allow to combat such negative manifestations.
The simplest ways to remedy the situation
Let's start with the simplest. So, we have a suspicion of a virus disguised as the Csrss.exe process. How to treat the system in this case? Easy peasy. First you need to “walk” through the system with a powerful anti-virus scanner installed in the system, or use online scanners.
Which antivirus to give preference to, the user decides for himself. But in this particular case, it is more powerful to use utilities, say, of the same Kaspersky or Eset NOD32. A very interesting thing is the “cloud” Panda scanner, which combines the capabilities of regular standard antiviruses and online scanners. This is not the point.
Sometimes situations may occur that antivirus software does not detect threats associated with this process. Viruses become much more sophisticated in their behavior. Sometimes a weak antivirus, etc., can simply be installed on a user computer terminal. What should I do in this case?
Here you can advise manual intervention. Of course, you can delve into the registry, delete unnecessary keys or repair damaged ones, but you can do much easier. The easiest way is the same task manager. If the user sees in it several processes that load the system to impossibility, you can try to complete each of them in turn. If the process turns out to be a virus, nothing bad will happen. It will end, that's all.
If the shutdown is applied to the original service, Windows itself will immediately display a message asking if the user really wants to complete this process (Do you want to end this process?), And also with a warning that the completion of the process may affect stability system workers. Note that such a message is displayed exclusively when accessing the real Csrss.exe file.
Deleting Files
Now let's see what can be done after we have detected a threat in the system and completed the corresponding processes in the task manager. We need to find all the suspicious files and delete them manually.
To do this, use the keyboard shortcut Win + F to call the Windows search engine. In the search field, write the name of the file (in this case, Csrss.exe), and the search itself is performed on all hard drives, logical partitions, and removable media. Removable media must be used necessarily (naturally, in the event of a threat when they were connected to a computer terminal or laptop), since one of the manifestations of spontaneous copying of viruses of this type is precisely the transfer of their copies to ordinary USB-HDD flash drives or hard drives. Probably, it is already clear that if you get rid of the virus in the system itself, you can’t avoid infection when reconnecting a removable USB-drive.
The search can take a lot of time, but it's better to be patient. After the search is over, and the results display all the found files with the same name, you need to check each of them at least for a digital signature. Right-click on each file to call up the "Properties" menu.
On the “Details” tab, this doge file has a digital signature (Microsoft copyrights, product name, location, and most importantly - 6 Kb). Now all files that do not meet these criteria can be deleted without a twinge of conscience.
True, sometimes it will be impossible to delete, or the files will be masked so that the system does not find them. In this situation, you will have to use special scanners, usually called Rescue Disc. Their advantage is that the download of antivirus software takes place before the Windows OS starts. As practice shows, such utilities are able to detect and remove viruses in 99.9% of cases out of a hundred.
Conclusion
So, we examined the Csrss.exe process. What is it, I think, at least a little has become clear. In principle, the process itself, if it loads the system and is the only one in the list, it is forcibly better not to terminate, but to check the system with antivirus. It may well be that the file is simply damaged or infected. The above steps apply only if several Csrss.exe processes are detected on the system.