Why does conhost.exe file run on my PC?
If you encounter the Console Window Host process (conhost.exe) in Task Manager and ask yourself what is it? Well, here we have the answer for you.
This article is part of a series of ongoing publications, where we explain various processes found in Task Manager, such as svchost.exe , dwm.exe , rundll32.exe and many others. Don't you know what those processes are? Better start reading!
Content
- What is the Console Window Host process (conhost.exe)?
- Why are several Console Window Host running?
- Could the process conhost.exe be a virus?
What is the Console Window Host process (conhost.exe)?
To understand the Console Window Host process, you need to know some history. In the days of Windows XP, the command prompt was handled by a process called ClientServer Runtime System Service (CSRSS). As the name implies, CSRSS was a system level service. This created a couple of problems. First, an accident in CSRSS could bring down a system completely, which exposed not only reliability issues, but also potential security vulnerabilities. The second problem was that CSRSS could not be thematic, because developers did not want to risk the theme code to run in a system process. Therefore, the command prompt always looked classic instead of using new interface elements.
Note in the Windows XP screenshot that the command prompt does not have the same style as an application such as Notepad.
Windows Vista introduced the Desktop Window Manager: a service that "draws" composite views of windows on your desktop instead of allowing each application to handle it on its own. The system symbol obtained a superficial theme from this (as is the glassy frame present in other windows), but it was produced at the cost of being able to drag and drop files, text and so on in the system symbol window.
However, that issue just goes too far. But, if you take a look at the console in Windows Vista, it seems that it uses the same theme as everything else, but you will notice that scroll bars still use the old style. This is because the Desktop Window Manager is responsible for drawing the title bars and the frame, but an outdated CSRSS window will still be found inside it.
Enter Windows 7 and open the conhost.exe process (Windows Host Console). As the name implies, it is a host for the Windows console. The process is located in the middle of CSRSS and the command prompt (cmd.exe), which allows Windows to fix both problems: interface elements such as scroll bars, which draw correctly and that you can also drag and drop back into The command prompt. And that is the method that is still used in Windows 8 and 10, allowing all new interface elements and styles that have emerged since Windows 7.
Although Task Manager presents conhost.exe as a separate entity, it is still closely associated with CSRSS. If you check the conhost.exe process in Process Explorer , you can see that it actually runs under the csrss.exe process.
In the end, conhost.exe (Console Window Host) is something like a shell that maintains the power of running a system-level service like CSRSS, and that in turn ensures and makes the integration of modern interface elements reliable.
Why are several Console Window Host running?
You will often see several instances of the Console Window Host process running in the Task Manager. Each instance of the execution of the command prompt will generate its own Console Window Host process. In addition, other applications that use the command line will generate their own Console Window Host process, even if you do not see an active window for them. A good example of this is the Plex Media Server application, which runs as a background application and uses the command line to make it available to other devices on the network.
Many background applications work this way, so it is not uncommon to see multiple instances of the Console Window Host process running at any given time. This is normal behavior. For the most part, each process should take up very little memory (usually less than 10 MB) and almost zero CPU unless the process is active.
That said, if you notice that a particular instance of Console Window Host (or that some related service) is causing problems, such as excessive CPU or RAM consumption, you can check the specific applications that are involved. That could at least give you an idea of where to start troubleshooting. Unfortunately, the Task Manager itself does not provide good information about this. The good news is that Microsoft offers an advanced tool to work with processes as part of its Sysinternals line. Simply download Process Explorer and run it, it is a portable application, so it is not necessary to install it. Process Explorer provides all kinds of advanced features.
The easiest way to track these processes in Process Explorer is to first press Ctrl + F to start a search. Search for "conhost" and then click on the results. As you do, you will see the change of the main window to show you the application (or service) associated with that particular instance of Console Window Host.
If the use of the CPU or RAM indicates that this is the instance that causes problems, at least you have reduced the problem to a particular application.
Could the process conhost.exe be a virus?
The process itself is an official component of Windows. The chances that a virus has replaced the real Console Window Host with its own executable are almost nil. If you want to be sure, you can check the location of the underlying process file. In Task Manager, right-click on any Windows Host Console process and choose the "Open file location" option .
If the file is stored in your Windows \ System32 folder , you can be sure that it is not a virus.
In fact, there is a Trojan called Conhost Miner that disguises itself as the Console Window Host. In Task Manager, it appears as the actual process, but some digging will reveal that it is actually stored in the% userprofile% \ AppData \ Roaming \ Microsoft folder instead of the Windows \ System32 folder. The Trojan is actually used to hijack your PC to extract Bitcoins, so the other behavior you will notice if it is installed on your system, means that the memory usage is higher than you might expect and the use of the CPU stays at very high levels 80%).
Of course, using a good antivirus is the best way to prevent (and eliminate) malware like the Conhost Miner, and it's something you should do anyway. Better safe than sorry!