csrss.exe - Windows Client/Server Runtime Security Analysis
csrss.exe (Client/Server Runtime Subsystem) is a **critical Windows system process** responsible for console windows, thread creation/deletion, and Win32 subsystem functions. It is a **protected process** that cannot be terminated without causing a system crash (BSOD). Malware frequently impersonates csrss.exe by placing copies in non-System32 locations or using typosquatting variants.
Risk Summary
CRITICAL priority for SOC triage. csrss.exe is among the most impersonated Windows processes. Any instance running outside C:\Windows\System32 or with an unusual parent process requires **immediate escalation**. Legitimate csrss.exe is a protected process that cannot be terminated or debugged by standard means.
Overview
What is csrss.exe?
csrss.exe (Client/Server Runtime Subsystem) is one of the most critical processes in Windows. It has been a core component since Windows NT 3.1 and handles essential Win32 subsystem functions that the operating system cannot run without.
From a security perspective, csrss.exe is significant because:
- Critical and Protected Process: Windows marks it as a critical process, so terminating it causes an immediate BSOD; on modern Windows it also runs as a protected process (PPL), so it cannot be opened with full access or debugged by standard means
- High-Value Target: Attackers frequently impersonate or inject into csrss.exe
- Multiple Instances: Modern Windows runs 2+ instances (one per session)
- SYSTEM Privileges: Runs with highest system privileges
Core Functions
Console Management:
- Creates and manages console windows (cmd.exe, PowerShell windows)
- Handles console input/output operations
- Manages console properties and settings
Thread Management:
- Creates and terminates threads across the system
- Manages thread priority and scheduling
- Handles thread exception dispatching
Process Management:
- Assists in process creation and termination
- Manages process shutdown sequences
- Handles Windows subsystem initialization
Win32 Subsystem:
- Provides core Win32 API functionality
- Manages virtual DOS machine (VDM) for 16-bit apps
- Handles hard error messages and system dialogs
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\csrss.exe |
| Parent | smss.exe (Session Manager) |
| Instances | 2+ (one for Session 0, one per user session) |
| User | NT AUTHORITY\SYSTEM |
| Children | conhost.exe (Console Host) |
| Memory | 2-10 MB per instance |
| Startup | Very early in boot (before login) |
| Protection | Protected Process (cannot be terminated) |
Why Multiple Instances
Unlike processes that should have exactly one instance, csrss.exe legitimately runs multiple instances:
- Session 0: System session (services, background processes)
- Session 1+: One instance per logged-in user session
- Terminal Services: Additional instances for RDP sessions
A single-user Windows 10/11 system typically has 2 csrss.exe instances.
Normal Child Processes
csrss.exe legitimately spawns:
| Child Process | Purpose | When Created |
|---|---|---|
| conhost.exe | Console Window Host | When console app starts |
Important: csrss.exe should NOT spawn cmd.exe, PowerShell, or other interpreters directly.
Common Locations
C:\Windows\System32\csrss.exe
Suspicious Indicators
Legitimate vs Suspicious: Recognition Guide
LEGITIMATE: Normal csrss.exe
Path: C:\Windows\System32\csrss.exe (ONLY location)
Signature: Signed by Microsoft Windows
Parent: smss.exe (Session Manager Subsystem)
Instances: 2+ (matches active session count)
User: NT AUTHORITY\SYSTEM
Children: conhost.exe only
Memory: 2-10 MB per instance
Command: No command-line arguments
Protection: Protected Process flag enabled
SUSPICIOUS: Malware Indicators
Path: C:\Windows\csrss.exe (wrong directory!)
C:\Users\...\csrss.exe
C:\Windows\Temp\csrss.exe
C:\csrss.exe
Any path NOT System32
Signature: Unsigned, invalid, or different publisher
Parent: explorer.exe, cmd.exe, powershell.exe, any non-smss.exe
Instances: More than expected for session count
User: Running as standard user or different account
Children: cmd.exe, powershell.exe, wscript.exe, mshta.exe
Misspelling: cssrs.exe, csrs.exe, csrrs.exe, csrss32.exe
Network: ANY network connections (should be none)
Comparison Table
| Indicator | Legitimate | Suspicious | Risk Level |
|---|---|---|---|
| File Path | C:\Windows\System32\csrss.exe | Anywhere else | CRITICAL |
| Parent Process | smss.exe | Any other process | CRITICAL |
| Digital Signature | Microsoft Windows, Valid | Unsigned/Invalid/Different | CRITICAL |
| Network Activity | None (no connections) | Any network connections | CRITICAL |
| Command Line | No arguments | Any arguments present | HIGH |
| Child Processes | conhost.exe only | Interpreters, unknown executables | HIGH |
| Instance Count | Matches session count | Excessive instances | MEDIUM |
Abuse Techniques
Attack Techniques Targeting csrss.exe
Technique #1: Process Name Masquerading (T1036.005)
Attack Flow: Attacker drops malware → Names it csrss.exe → Places in user-writable location → User or scheduled task executes → Malware runs with trusted process name
Common Malicious Locations:
C:\csrss.exe
C:\Windows\csrss.exe (NOT System32!)
C:\Users\Public\csrss.exe
C:\Users\<username>\AppData\Local\csrss.exe
C:\Users\<username>\AppData\Roaming\csrss.exe
C:\Windows\Temp\csrss.exe
C:\ProgramData\csrss.exe
Detection Signals:
- File creation event for csrss.exe outside System32
- Process execution with csrss.exe name but wrong path
- Unsigned or differently-signed csrss.exe binary
Technique #2: Typosquatting Variants
Attack Flow: Attacker creates executable with similar name → Relies on human oversight during investigation → Malware blends in with legitimate process list
Known Typosquatting Names:
| Malicious Name | Legitimate Name | Difference |
|---|---|---|
| cssrs.exe | csrss.exe | Letters swapped |
| csrs.exe | csrss.exe | Missing 's' |
| csrrs.exe | csrss.exe | Extra 'r' |
| csrss32.exe | csrss.exe | Added '32' |
| csrsss.exe | csrss.exe | Extra 's' |
| crsss.exe | csrss.exe | Missing first 's' |
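An added example (not from the original page) that generalizes the table above: instead of matching a fixed list of names, it scores any image basename by edit distance to csrss.exe, so variants not yet in the table are caught, while an allowlist keeps genuine near-neighbours such as smss.exe and lsass.exe from being flagged. The sample paths are constructed; exact-name masquerades (right name, wrong directory) are the job of the path rule, not this one.

```python
import ntpath

TARGET = "csrss.exe"
# Constructed allowlist: genuine Windows binaries that sit within edit distance 2 of csrss.exe.
KNOWN_LEGITIMATE = {"csrss.exe", "smss.exe", "lsass.exe"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap (cssrs -> csrss)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_distance(image_path: str, max_distance: int = 2):
    """Distance to csrss.exe if the basename is a look-alike, else None (Windows names are case-insensitive)."""
    name = ntpath.basename(image_path).lower()
    if name in KNOWN_LEGITIMATE:
        return None
    dist = osa_distance(name, TARGET)
    return dist if dist <= max_distance else None


def find_lookalikes(image_paths):
    """Return [(path, distance)] for every path whose basename is a csrss.exe look-alike."""
    hits = []
    for path in image_paths:
        dist = typosquat_distance(path)
        if dist is not None:
            hits.append((path, dist))
    return hits


# Constructed sample process list (not taken from a real host).
SAMPLE_IMAGES = [
    r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\smss.exe",
    r"C:\Windows\System32\lsass.exe", r"C:\Users\Public\cssrs.exe",
    r"C:\Windows\Temp\csrss32.exe", r"C:\Windows\System32\conhost.exe",
]

if __name__ == "__main__":
    for path, dist in find_lookalikes(SAMPLE_IMAGES):
        print(f"look-alike (distance {dist}): {path}")
```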
Technique #3: Process Injection into csrss.exe (T1055)
Attack Flow: Attacker gains admin/SYSTEM → Attempts to inject code into csrss.exe → Executes malicious code in context of trusted process
Why It's Difficult:
- csrss.exe is a Protected Process on modern Windows
- Injection attempts typically fail or trigger alerts
- Requires kernel-level access to bypass protections
Detection Signals:
- Sysmon Event ID 8: CreateRemoteThread targeting csrss.exe
- Sysmon Event ID 10: Process access to csrss.exe with suspicious flags
- EDR alerts on cross-process injection attempts
Technique #4: Persistence via csrss.exe Impersonation
Attack Flow: Attacker creates fake csrss.exe → Establishes persistence mechanism → Fake csrss.exe runs at boot/login → Appears legitimate in process list
Persistence Mechanisms Used:
Registry Run Keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scheduled Tasks:
schtasks /create /tn "SystemCheck" /tr "C:\Windows\csrss.exe" /sc onstart
Services:
sc create "Windows Subsystem" binPath= "C:\Temp\csrss.exe"
Detection Guidance
Detection Strategies
Detection Priority #1: Path Verification
Monitor for csrss.exe running from ANY location other than System32.
Detection Rule (Sysmon/EDR):
```
Process Name = "csrss.exe" AND
Image Path != "C:\Windows\System32\csrss.exe"
→ ALERT: CRITICAL - Fake csrss.exe detected
```
PowerShell Verification:
```powershell
# Run elevated: Path is empty for csrss.exe from a non-elevated shell, which would otherwise
# be reported as a mismatch.
Get-Process csrss | Select-Object Id, Path | ForEach-Object {
    if (-not $_.Path) {
        Write-Warning "csrss.exe PID $($_.Id): path unavailable (run this check elevated)"
    } elseif ($_.Path -ne "C:\Windows\System32\csrss.exe") {
        Write-Warning "SUSPICIOUS csrss.exe: PID $($_.Id) at $($_.Path)"
    }
}
```
Detection Priority #2: Parent Process Validation
Legitimate csrss.exe is ALWAYS spawned by smss.exe.
Detection Rule:
```
Process Name = "csrss.exe" AND
Parent Process != "smss.exe"
→ ALERT: CRITICAL - csrss.exe with invalid parent
```
PowerShell Check:
```powershell
# The per-session smss.exe exits right after spawning csrss.exe, so on a live system the
# parent PID usually no longer exists. Treat a missing parent as expected (and confirm the
# ParentImage in Sysmon Event ID 1); only a live parent that is not smss.exe is suspicious.
Get-CimInstance Win32_Process -Filter "Name='csrss.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    if ($null -eq $parent) {
        "csrss.exe PID $($_.ProcessId): parent PID $($_.ParentProcessId) has exited (expected for smss.exe)"
    } elseif ($parent.Name -ne "smss.exe") {
        Write-Warning "SUSPICIOUS: csrss.exe PID $($_.ProcessId) parent is $($parent.Name) (PID $($parent.ProcessId))"
    }
}
```
Detection Priority #3: Network Activity
csrss.exe should NEVER make network connections.
Detection Rule:
```
Process Name = "csrss.exe" AND
Network Connection = True
→ ALERT: CRITICAL - csrss.exe network activity detected
```
Detection Priority #4: File Creation Monitoring
Monitor for:
- New csrss.exe files created outside System32
- Typosquatting variants (cssrs.exe, csrs.exe, etc.)
- Executable files in C:\Windows\ root (not subdirectories)
Sysmon Config Example:
```xml
<FileCreate onmatch="include">
  <!-- groupRelation="and" makes both conditions apply to the same event; Sysmon's
       default relation is "or", which would log every file created outside System32 -->
  <Rule groupRelation="and">
    <TargetFilename condition="contains">csrss</TargetFilename>
    <TargetFilename condition="excludes">System32</TargetFilename>
  </Rule>
</FileCreate>
```
Enterprise EDR Detection Rules
Rule #1: Fake csrss.exe Location
Filter: ProcessName = "csrss.exe" AND ImagePath != "C:\Windows\System32\csrss.exe" (compare the full path, as in Detection Priority #1; a substring test on "System32" is satisfied by any attacker-created directory of that name)
Action: ALERT | Severity: CRITICAL
Rule #2: csrss.exe Invalid Parent
Filter: ProcessName = "csrss.exe" AND ParentProcessName != "smss.exe"
Action: ALERT | Severity: CRITICAL
Rule #3: csrss.exe Network Connection
Filter: ProcessName = "csrss.exe" AND NetworkConnection = True
Action: ALERT | Severity: CRITICAL
Rule #4: csrss.exe Typosquatting
Filter: ProcessName MATCHES "^(cssrs|csrs|csrrs|csrss32|csrsss|crsss)\.exe$"
Action: ALERT | Severity: HIGH
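The detection rules above (Priority #1 to #3 and EDR Rules #1 to #3, plus the child-process and user columns of the comparison table) applied to constructed Sysmon-style records, as an added Python example that is not part of the original page. The record fields (EventID, Image, ParentImage, User, DestinationIp) mirror Sysmon Event ID 1 and 3 names, and the sample values are made up for the run.

```python
import ntpath

LEGIT_PATH = r"c:\windows\system32\csrss.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "cscript.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path or "").lower()


def triage_event(ev: dict) -> list:
    """Apply the csrss.exe rules to one record; returns [(severity, reason), ...]."""
    findings = []
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if ev["EventID"] == 1 and _name(image) == "csrss.exe":
        if image.lower() != LEGIT_PATH:  # Rule #1: exact path, not a substring test
            findings.append(("CRITICAL", f"csrss.exe outside System32: {image}"))
        # Rule #2: ParentImage is recorded at creation time, so it still reads smss.exe
        # even though the per-session smss.exe has long since exited.
        if _name(parent) != "smss.exe":
            findings.append(("CRITICAL", f"csrss.exe parent is {parent or 'unknown'}"))
        if ev.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
            findings.append(("HIGH", f"csrss.exe running as {ev.get('User')}"))
    if ev["EventID"] == 1 and _name(parent) == "csrss.exe" and _name(image) in INTERPRETERS:
        findings.append(("HIGH", f"csrss.exe spawned interpreter {_name(image)}"))
    if ev["EventID"] == 3 and _name(image) == "csrss.exe":  # Rule #3: any connection at all
        findings.append(("CRITICAL", f"csrss.exe connected to {ev.get('DestinationIp')}"))
    return findings


def triage(events) -> dict:
    """Group findings by offending image path; legitimate records produce no entry."""
    out = {}
    for ev in events:
        for finding in triage_event(ev):
            out.setdefault(ev["Image"], []).append(finding)
    return out


# Constructed records: one genuine csrss.exe, one fake in C:\Windows, its cmd.exe child,
# a normal conhost.exe child, and a network connection from the fake (TEST-NET address).
SYS = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\csrss.exe", "ParentImage": r"C:\Windows\System32\smss.exe", "User": SYS},
    {"EventID": 1, "Image": r"C:\Windows\csrss.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": r"WORKSTATION\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\csrss.exe", "User": SYS},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\csrss.exe", "User": r"WORKSTATION\alice"},
    {"EventID": 3, "Image": r"C:\Windows\csrss.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        for severity, reason in hits:
            print(f"[{severity}] {image}: {reason}")
```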
Remediation Steps
csrss.exe Protection and Hardening
Defense Layer #1: Protected Process Verification
Verify csrss.exe maintains Protected Process status:
```powershell
# Neither Get-Process nor Win32_Process exposes the PP/PPL flag. List the running instances
# here, then confirm the Protection column for each PID in Process Explorer (or query
# ProcessProtectionInformation through NtQueryInformationProcess from a trusted tool).
Get-Process csrss | Select-Object Id, ProcessName, Path
```
Defense Layer #2: Application Control
Use Windows Defender Application Control (WDAC) or AppLocker to:
- Block execution of unsigned executables
- Restrict execution from user-writable paths
- Whitelist only Microsoft-signed system binaries
AppLocker Rule Example:
```xml
<!-- Goes inside <RuleCollection Type="Exe" EnforcementMode="Enabled">; replace the Id with a fresh GUID -->
<FilePathRule Id="00000000-0000-0000-0000-000000000000" Name="Deny csrss.exe under user profiles"
              Description="csrss.exe is only legitimate in System32" UserOrGroupSid="S-1-1-0" Action="Deny">
  <Conditions>
    <!-- %OSDRIVE% is an AppLocker path variable; %USERPROFILE% is not recognized by AppLocker -->
    <FilePathCondition Path="%OSDRIVE%\Users\*\csrss.exe" />
  </Conditions>
</FilePathRule>
```
Defense Layer #3: Audit Policy Configuration
Enable detailed auditing for process creation:
```powershell
# Enable command-line logging in process creation events (Security Event ID 4688).
# Prerequisite: the "Audit Process Creation" subcategory must be enabled for success,
# otherwise no 4688 events are written and this setting has nothing to enrich.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord
```
If csrss.exe Compromise Suspected
Immediate Response:
- DO NOT TERMINATE legitimate csrss.exe (causes BSOD)
- Identify the suspicious instance by path verification
- Isolate affected system from network
- Capture memory dump of suspicious process
- Preserve all logs (Sysmon, Security, Application)
- Check for persistence mechanisms
- Hunt for related indicators across environment
Investigation Checklist
- Verify all csrss.exe instances are in C:\Windows\System32\csrss.exe
- Confirm all csrss.exe parent processes are smss.exe
- Check instance count matches active user sessions
- Validate Microsoft Windows digital signature on all instances
- Review for any network connections (should be none)
- Check for command-line arguments (should be none)
- Search for csrss.exe files outside System32
- Hunt for typosquatting variants (cssrs.exe, csrs.exe, etc.)
- Review child processes (only conhost.exe expected)
- Check for persistence mechanisms using csrss.exe name
- Review Sysmon Event ID 1 for csrss.exe creation events
- Check Sysmon Event ID 10 for process access to csrss.exe
- Document findings for incident report
MITRE ATT&CK Techniques
- T1036.005: Masquerading: Match Legitimate Name or Location
- T1055: Process Injection
Frequently Asked Questions
Is csrss.exe a virus or malware?
The legitimate csrss.exe located in C:\Windows\System32 is NOT a virus. It is a critical Windows system process that has been part of Windows since NT 3.1. However, csrss.exe is one of the most commonly impersonated processes by malware. If you find csrss.exe in ANY location other than System32, or if it has an invalid Microsoft signature, it is almost certainly malicious. Always verify the file path and digital signature when investigating.
Can I safely terminate or end csrss.exe?
NO. You should NEVER terminate the legitimate csrss.exe process. Windows marks csrss.exe as a critical system process, and terminating it will cause an immediate Blue Screen of Death (BSOD) crash. If you suspect a malicious process is impersonating csrss.exe, first verify its file path. Only terminate a process if it is confirmed to be running from a non-System32 location.
Why are there multiple csrss.exe processes running?
Multiple csrss.exe instances are NORMAL on modern Windows. Windows runs one csrss.exe instance for Session 0 (system services) and one additional instance for each logged-in user session. On a typical single-user system, you will see 2 csrss.exe processes. With RDP sessions or multiple logged-in users, you will see more. The number of instances should match your active session count.
What is the parent process of csrss.exe?
The legitimate parent process of csrss.exe is always smss.exe (Session Manager Subsystem). If you observe a csrss.exe process with any other parent (such as explorer.exe, cmd.exe, or powershell.exe), this is a CRITICAL indicator of malware impersonation and requires immediate investigation.
How do I verify if csrss.exe is legitimate?
To verify csrss.exe legitimacy: 1) Check the file path is exactly C:\Windows\System32\csrss.exe, 2) Verify the parent process is smss.exe, 3) Confirm the digital signature shows "Microsoft Windows" as the publisher, 4) Check that no command-line arguments are present, 5) Verify no network connections exist. Any deviation from these norms indicates potential malware.