Medium Risk | Windows | Legitimate | Commonly Abused
conhost.exe | SYSTEM PROCESS
conhost.exe - Console Host Security Analysis
conhost.exe (Console Host) provides the graphical interface for console applications (cmd.exe, PowerShell). One instance runs per console window. Malware may impersonate or inject into conhost.exe.
Risk Summary
MEDIUM priority. Monitor for: conhost.exe outside System32, unusual parent processes, and excessive instances without corresponding console apps.
Overview
What is conhost.exe?
conhost.exe is the Console Window Host, providing the GUI for console apps.
Security Significance
- Console Rendering: Handles console window display
- Per-Window Instance: One per console application
- Parent of Console Apps: Can appear as parent in process trees
Normal Behavior
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\conhost.exe |
| Parent | csrss.exe or console application |
| User | Same as console app user |
Common Locations
C:\Windows\System32\conhost.exe
Suspicious Indicators
| Indicator | Risk |
|---|---|
| Path not System32 | CRITICAL |
| No associated console app | HIGH |
| Unusual network activity | HIGH |
| Running as SYSTEM unexpectedly | MEDIUM |
Abuse Techniques
Attack Techniques
Process Masquerading
Malware named conhost.exe in user directories.
Injection
Injecting code into legitimate conhost.exe for persistence.
Detection Guidance
Detection
conhost.exe path != System32 → ALERT
conhost.exe without console parent → INVESTIGATE
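The two rules above applied to a process snapshot, as an added example that is not part of the original page. The record fields, the sample data, and the set of parent names treated as console applications are assumptions to adapt to your telemetry.

```python
import ntpath

EXPECTED_PATH = ntpath.normcase(r"C:\Windows\System32\conhost.exe")
# Assumption: parent names accepted as "csrss.exe or console application".
CONSOLE_PARENTS = {"csrss.exe", "cmd.exe", "powershell.exe"}


def triage_conhost(processes):
    """Return {pid: [(verdict, reason), ...]} for every conhost.exe record."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        if p["name"].lower() != "conhost.exe":
            continue
        hits = []
        # Rule 1: path != System32 -> ALERT (Windows paths compare case-insensitively)
        if ntpath.normcase(ntpath.normpath(p["path"])) != EXPECTED_PATH:
            hits.append(("ALERT", "path is " + p["path"]))
        # Rule 2: no console parent -> INVESTIGATE (covers a parent that already exited)
        parent = by_pid.get(p["ppid"])
        if parent is None:
            hits.append(("INVESTIGATE", "parent pid %d not in snapshot" % p["ppid"]))
        elif parent["name"].lower() not in CONSOLE_PARENTS:
            hits.append(("INVESTIGATE", "parent is " + parent["name"]))
        findings[p["pid"]] = hits
    return findings


def rec(pid, ppid, path):
    """Build one snapshot record; the field names are hypothetical."""
    return {"pid": pid, "ppid": ppid, "path": path, "name": ntpath.basename(path)}


# Constructed sample snapshot, not real telemetry.
SAMPLE = [
    rec(4100, 3000, r"C:\Windows\System32\cmd.exe"),
    rec(4108, 4100, r"C:\WINDOWS\system32\conhost.exe"),   # expected path and parent
    rec(5200, 700, r"C:\Windows\explorer.exe"),
    rec(5210, 5200, r"C:\Users\Public\conhost.exe"),       # wrong path, wrong parent
    rec(6300, 9999, r"C:\Windows\System32\conhost.exe"),   # parent missing
]

if __name__ == "__main__":
    for pid, hits in triage_conhost(SAMPLE).items():
        for verdict, reason in hits:
            print(pid, verdict, reason)
```

An empty list for a PID means both rules passed; signature verification and injection review from the checklist still apply to any flagged process.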
Remediation Steps
- Verify file path and signature
- Check for associated console application
- Review for process injection
Investigation Checklist
- Verify path is System32
- Check parent is csrss.exe or console app
- Review network activity
- Check for injection
MITRE ATT&CK Techniques
Last verified: January 18, 2026