+5 votes
731 views
What is the conhost.exe file and how to remove conhost.exe?

in Windows 10 by (552k points)
reopened | 731 views

2 Answers

+3 votes
Best answer

1. What is the conhost.exe file
2. Know if the file conhost.exe is a virus

Windows 10 is an operating system based on services and processes. If you access the local services of the system, you will run into a variety of services, some of which are very clear and others not so much. That is precisely where we must be cautious, because if we end a process or service that we do not understand, we may cause general failures that result in the instability of the system or one of its components.

The conhost.exe process starts when we run the command terminal, including both active and inactive windows. In this complex world of services and processes we will certainly find at some point a file called "conhost.exe", and although its name and mission are not clear, we must analyze it in detail before taking any action on it. Some actions to verify that we are not infected by an infectious copy of this service are:

Scan if conhost.exe is malicious

  • Attempt to close all CMD windows or command console with the cmd.exe process
  • Review the scheduled tasks and see if there are any executing tasks.
  • Check if any application is using the command console to perform activities
  • Run a virus and malware scanner on your computer
  • Use the application for fault detection and system repair

Therefore, TechnoWikis is here to help you with your doubts about malware.

1. What is the conhost.exe file


The first thing we must understand and make very clear is that, being an executable file (.exe), we are talking about a genuine file, which is signed by Microsoft and whose default location is the System32 folder. The reason for talking about it is simple: many executables are configured with malicious code whose purpose is to attack the system and the local files, and in that case their location will not be a system folder such as System32.

There is an active process from the XP editions called ClientServer Runtime System Service (CSRSS). This process is a system level service. Microsoft developed the conhost.exe process so that it runs under the csrss.exe process. But not everything is as simple as it seems, since when executed in this way there were two problems:

  • Any failure, however minimal, in CSRSS blocked the whole system, logically affecting productivity and performance.
  • Secondly, CSRSS was not in the capacity to have new issues which limited the developer to modify the aspects of the window.

By nature of Windows, it is normal to observe different instances of the Console Window Host process (conhost.exe) running in the Task Manager. This is because each order we create will create its own conhost process. For example, when we open the command prompt in Windows 10 and use the Process Explorer utility, we can see that conhost.exe is associated with that console.

Note

This utility can be downloaded at the following link:

Process Explorer

Typical errors of conhost.exe

Within this world of processes and services it is normal that we find some conhost.exe errors like:

  • Conhost.exe application error
  • Conhost.exe is not a valid Win32 application
  • Conhost.exe is not running
  • Conhost.exe has encountered a problem and needs to close. We're sorry for the inconvenience
  • Can not find conhost.exe
  • Conhost.exe not found
  • Path of the application with errors: conhost.exe
  • Error starting the program: conhost.exe
  • Conhost.exe wrong

For this type of situation, TechnoWikis recommends using the Process Explorer utility, since it gives the specific path that conhost.exe is associated with, and from there we can make the respective administrative decisions.

2. Know if the file conhost.exe is a virus


The blunt and clear answer is "No". As we have mentioned, it is a process signed by Microsoft which is in the System32 directory, but since everything in this world has its copy or imitation, it is possible for an attacker to simulate a conhost.exe file to perform their actions.

Step 1


This is achieved by modifying some letter or its order, but to remove any doubt, we can go to the Task Manager, find the line "Host console window", right-click on it and select the option "Open file location":

By doing this, we will be redirected to the original location of the conhost.exe file which, if it is original, must be in the path:

 C:\Windows\System32

Currently there is a Trojan named Conhost Miner, a process that acts as a Bitcoin miner. This implies an excessive consumption of system resources such as CPU, memory, etc., affecting the optimal performance of the system. This Trojan can be found in the following path.

We see that at the level of appearance it simulates being conhost.exe but its purpose is not at all typical of Microsoft, thus affecting the security and performance of our team.

 %userprofile%\AppData\Roaming\Microsoft

We can use the antivirus or antimalware utilities to eliminate any threat of this type and thus know that the executed conhost.exe file is valid.

We have learned that before deleting a Windows file we must document its origin and operation to avoid destabilizing the system in general.


by (3.5m points)
edited
+3 votes

Why does conhost.exe file run on my PC?
What is the Console Window Host process (conhost.exe)?
Why are several Console Window Host running?
Could the process conhost.exe be a virus?

Why does conhost.exe file run on my PC?

If you encounter the Console Window Host process (conhost.exe) in Task Manager and ask yourself what it is, here we have the answer for you.

This article is part of a series of ongoing publications, where we explain various processes found in Task Manager, such as svchost.exe, dwm.exe, rundll32.exe and many others. Don't you know what those processes are? Better start reading!

Content

  • What is the Console Window Host process (conhost.exe)?
  • Why are several Console Window Host running?
  • Could the process conhost.exe be a virus?

What is the Console Window Host process (conhost.exe)?

To understand the Console Window Host process, you need to know some history. In the days of Windows XP, the command prompt was handled by a process called ClientServer Runtime System Service (CSRSS). As the name implies, CSRSS was a system level service. This created a couple of problems. First, an accident in CSRSS could bring down a system completely, which exposed not only reliability issues, but also potential security vulnerabilities. The second problem was that CSRSS could not be thematic, because developers did not want to risk the theme code to run in a system process. Therefore, the command prompt always looked classic instead of using new interface elements.

Note in the Windows XP screenshot that the command prompt does not have the same style as an application such as Notepad.

Windows Vista introduced the Desktop Window Manager: a service that "draws" composite views of windows on your desktop instead of allowing each application to handle it on its own. The system symbol obtained a superficial theme from this (as is the glassy frame present in other windows), but it was produced at the cost of being able to drag and drop files, text and so on in the system symbol window.

However, that issue just goes too far. But, if you take a look at the console in Windows Vista, it seems that it uses the same theme as everything else, but you will notice that scroll bars still use the old style. This is because the Desktop Window Manager is responsible for drawing the title bars and the frame, but an outdated CSRSS window will still be found inside it.

Enter Windows 7 and the conhost.exe process (Console Window Host). As the name implies, it is a host for the Windows console. The process is located in the middle of CSRSS and the command prompt (cmd.exe), which allows Windows to fix both problems: interface elements such as scroll bars draw correctly, and you can also drag and drop back into the command prompt. And that is the method that is still used in Windows 8 and 10, allowing all new interface elements and styles that have emerged since Windows 7.

Although Task Manager presents conhost.exe as a separate entity, it is still closely associated with CSRSS. If you check the conhost.exe process in Process Explorer, you can see that it actually runs under the csrss.exe process.

In the end, conhost.exe (Console Window Host) is something like a shell that maintains the power of running a system-level service like CSRSS, and that in turn ensures and makes the integration of modern interface elements reliable.

Why are several Console Window Host running?

You will often see several instances of the Console Window Host process running in the Task Manager. Each instance of the execution of the command prompt will generate its own Console Window Host process. In addition, other applications that use the command line will generate their own Console Window Host process, even if you do not see an active window for them. A good example of this is the Plex Media Server application, which runs as a background application and uses the command line to make it available to other devices on the network.

Many background applications work this way, so it is not uncommon to see multiple instances of the Console Window Host process running at any given time. This is normal behavior. For the most part, each process should take up very little memory (usually less than 10 MB) and almost zero CPU unless the process is active.

That said, if you notice that a particular instance of Console Window Host (or some related service) is causing problems, such as excessive CPU or RAM consumption, you can check the specific applications that are involved. That could at least give you an idea of where to start troubleshooting. Unfortunately, the Task Manager itself does not provide good information about this. The good news is that Microsoft offers an advanced tool to work with processes as part of its Sysinternals line. Simply download Process Explorer and run it; it is a portable application, so it is not necessary to install it. Process Explorer provides all kinds of advanced features.

The easiest way to track these processes in Process Explorer is to first press Ctrl + F to start a search. Search for "conhost" and then click on the results. As you do, you will see the main window change to show you the application (or service) associated with that particular instance of Console Window Host.

If the use of the CPU or RAM indicates that this is the instance that causes problems, at least you have reduced the problem to a particular application.

Could the process conhost.exe be a virus?

The process itself is an official component of Windows. The chances that a virus has replaced the real Console Window Host with its own executable are almost nil. If you want to be sure, you can check the location of the underlying process file. In Task Manager, right-click on any Console Window Host process and choose the "Open file location" option.

If the file is stored in your Windows\System32 folder, you can be sure that it is not a virus.

In fact, there is a Trojan called Conhost Miner that disguises itself as the Console Window Host. In Task Manager, it appears as the actual process, but some digging will reveal that it is actually stored in the %userprofile%\AppData\Roaming\Microsoft folder instead of the Windows\System32 folder. The Trojan is actually used to hijack your PC to mine Bitcoins, so the other behavior you will notice if it is installed on your system is that the memory usage is higher than you might expect and the CPU usage stays at very high levels (80%).

Of course, using a good antivirus is the best way to prevent (and eliminate) malware like the Conhost Miner, and it's something you should do anyway. Better safe than sorry!


by (552k points)
edited
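
The location check both answers describe can be run against every conhost.exe instance at once instead of one right-click at a time. The following PowerShell is an added example, not part of either answer: the verdict strings, column names and the match on a Microsoft signer subject are assumptions of this example, and it should be run from an elevated prompt so every process path is readable.

```powershell
# Added example: audit every running conhost.exe by image path and signature.
# The expected path is built from %SystemRoot% rather than hard-coded.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Index all processes by PID so each conhost can be mapped to its parent.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($proc in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
    $path = $proc.ExecutablePath      # null when the caller may not query it
    $sig  = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Also resolves catalog signatures, which Windows system files use.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
    }

    $verdict =
        if (-not $path)                 { 'UNKNOWN: path not readable, run elevated' }
        elseif ($path -ine $expected)   { 'SUSPICIOUS: not in System32' }
        elseif ($sig.Status -ne 'Valid') { 'SUSPICIOUS: signature not valid' }
        elseif ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
            'SUSPICIOUS: signer is not Microsoft'
        }
        else { 'OK' }

    $parent = $byPid[[int]$proc.ParentProcessId]
    [pscustomobject]@{
        PID          = $proc.ProcessId
        Parent       = if ($parent) { $parent.Name } else { '(exited)' }
        WorkingSetMB = [math]::Round($proc.WorkingSetSize / 1MB, 1)
        Path         = $path
        Signature    = if ($sig) { $sig.Status } else { 'n/a' }
        Verdict      = $verdict
    }
}

# Non-OK rows sort to the end; an instance under
# %userprofile%\AppData\Roaming\Microsoft would be flagged by the path test.
$report | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

A path match alone is the check described in the answers; the signature column adds the "signed by Microsoft" property the first answer mentions, and the working-set column makes an instance with unusually high memory use stand out.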
