Windows 7 Forums

Windows 7: Unravelling CSRSS.exe and the new process architecture of Windows 7

06 Dec 2011   #1
joe7dust

Windows 7 Ultimate 64-bit
 
 
Unravelling CSRSS.exe and the new process architecture of Windows 7

One of the things I first noticed in Windows 7 is how now there are many "hidden" processes not shown in the normal tab of Task Manager, and instead lumped into the "Services" tab yet still somehow connected or underneath the 'umbrella' of other processes. I used to know all the processes that run in Windows, and which I could kill and which I couldn't. After this Services tab I've kinda given up on that due to the sheer number.

I hope to help change that with this thread. I've finally decided to create a whitelist in my head of these Services like I used to have for all Windows processes. The first problem I'm noticing is that if a service is loaded under a critical process (like CSRSS.exe), then there is no obvious way to kill it. What is the way around this?

This seems like a huge security vulnerability, because what if a virus installs itself under the 'umbrella' of CSRSS.exe? There is an anti-cheat program called PunkBuster that is needed to play games like Battlefield 3. I noticed that PnkBstrA is part of CSRSS.exe.

I decided to reinstall this game tonight, as well as Punkbuster and Origin. (both software related to this game only for me) After uninstalling all 3 software, deleting all related folders from my HD, and deleting all leftover registry keys related to them and parent companies I noticed PnkBstrA was somehow STILL running! I hit Stop process, nothing. I hit Go To Process, and it took me to CSRSS.exe ... well darn. I know from experience you can't kill CSRSS.exe and expect Windows to keep running.

I'm amazed at this, I did not think it was possible for anything to survive in Windows after uninstall, file delete, registry key delete...

Anyways, I was already 15 minutes into downloading the game files when I noticed this, so I'm going to have to just hope it's a "clean" re-installation and overlook this. Mainly posting this out of curiosity and hoping to pick up a couple of pointers that might help me in the future manually remove advanced viruses that take advantage of this vulnerability.

TL;DR: How can you kill a non-Windows 7 service that has injected itself into an essential Windows 7 service? (other than via taskmgr, since that doesn't always work correctly)


06 Dec 2011   #2
Corazon

Windows 7 Professional SP1 32-bit
 
 

I would think that the uninstallation simply wasn't as thorough as it should've been. Did you reboot after uninstalling everything? Was that when you found Punkbuster still running?

I'd simply search the entire system drive for any occurrences of "PnkBstrA" and see what it comes up with. There might yet be something left to uninstall separately.
If not, you could try deleting whichever file you find; if it won't let you because the file is in use, try something like Unlocker to schedule deletion on the next restart.

Make sure to create a system restore point first, just in case this somehow breaks csrss.exe badly enough to prevent Windows from starting up again.

Another thought: is there any PunkBuster-related service listed under Administrative Tools -> Services?
06 Dec 2011   #3
joe7dust

Windows 7 Ultimate 64-bit
 
 

I'm downloading/installing the whole package again so I'm not messing with it. If this doesn't fix the issue I'll simply reinstall Windows. That might not even be it, and I could use a new motherboard. Just trying to stop random system crashes that only happen during 1 game. Not sure if heat, driver issue, other software issue, etc.

Mainly just posted this to learn about the Services tab in Task Manager, and learn more about how there are now processes within processes.

It's almost as if the Services are to Processes, as the old DLLs were to Processes.

06 Dec 2011   #4
Manigue

Windows 7 Home Premium 64Bits SP1
 
 

Quote: Originally Posted by joe7dust
This seems like a huge security vulnerability, because what if a virus installs itself under the 'umbrella' of CSRSS.exe? There is an anti-cheat program called PunkBuster that is needed to play games like Battlefield 3. I noticed that PnkBstrA is part of CSRSS.exe.
My PnkBstrA and/or PnkBstrB have been installed by Steam for certain games but never under the CSRSS.exe service. They always install independently and are displayed as such in Task Manager.

After the game(s) are installed, I remove PnkBstrA.exe & PnkBstrB.exe from the c:\windows\system32 directory where they live. I also remove the entries in the Windows Firewall section.

Since I never ever play online or multiplayer games, I don't need that crapware installed. If I need to use a cheat code, I do it! It's my game and I paid for it. So goodbye PunkBuster!! I have never had problems playing games after removing them.

By the way, enjoy BF3 !
08 Dec 2011   #5
joe7dust

Windows 7 Ultimate 64-bit
 
 

When I reinstalled PunkBuster, I didn't have to give any special permissions for it to insert itself within CSRSS.exe.

I fear this will become a common hiding place for malware if this isn't addressed soon...

Anyone have something to contribute to the OP on how the whole hidden services thing works, and how just any ole software can get in there? Looking pretty lean in here on information...
08 Dec 2011   #6
logicearth

Windows 10 Pro (x64)
 
 

joe7dust, what you describe is nothing new. NOTHING. Services were always lumped under a process like svchost.exe. The only real difference is task manager has a service tab now so you can see them. Can we get a few screenshots of the issue you are talking about?
08 Dec 2011   #7
joe7dust

Windows 7 Ultimate 64-bit
 
 

I remember seeing lots of DLLs loaded into each process back in the day using a special "task manager", but never services. I would assume it goes something like this: Processes -> Services -> DLLs, is that right? I don't have screenshots; they would just be simple anyways, like a picture of PnkBstrA.exe showing as loaded within CSRSS.exe as I described in the OP.

I see viruses on a regular basis, but I'm surprised more of them don't just hide under CSRSS.exe's umbrella.
I guess what I really want is to listen in on a conversation between 2+ people more knowledgeable than I on the subject. I'm definitely not going to go grab a computer science textbook and read about it, but still curious..
08 Dec 2011   #8
cluberti

Windows 10 Pro x64
 
 

Well, remember that you *did* have to provide administrative credentials (and if UAC is enabled, elevate the install) to allow this. It's a security risk, yes, but it's not possible unless the person running the code has administrative access. There's not a whole lot any system can do to prevent a system's administrators from blowing it up, if the user really is to have administrative access and decides to do something stupid.

Hence why running as administrator isn't a good idea on a day-to-day basis, paying attention to what one installs when they do elevate, etc.
08 Dec 2011   #9
logicearth

Windows 10 Pro (x64)
 
 

Is the below image what you are talking about, of PnkBstrA.exe being loaded within CSRSS.exe? If so... it's not being loaded within CSRSS.exe, nor is it hidden. It just means CSRSS.exe launched PnkBstrA.exe and is now its parent process. Otherwise I have no idea what you are going on about.


[Attached image: untitled.png]
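As an added example (not from the thread or from any of the posters), the following PowerShell script shows the two relationships the thread is mixing up: which process hosts a service (what the Services tab and "Go To Process" use) and which process is the parent of another (what a process tree shows). It assumes Windows PowerShell 3 or later with the CIM cmdlets available, and the process name PnkBstrA.exe is only used as the lookup example.

```powershell
# Added example, not from the thread. Maps services to their host processes
# and walks a process's parent chain, so "hosted in" and "started by"
# can be read directly instead of guessed from Task Manager.
# Assumes Windows PowerShell 3+ (Get-CimInstance). Run in an elevated
# prompt to see executable paths of processes owned by other accounts.

# Lookup of PID -> Win32_Process record (name, parent PID, image path).
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Get-HostedServices {
    # Services keyed by the PID of the process that hosts them.
    # A PID with several entries is a shared host (typically svchost.exe);
    # this is what Task Manager's Services tab is showing.
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |          # 0 = service not running
        Group-Object ProcessId |
        ForEach-Object {
            $p = $procs[[int]$_.Name]
            [pscustomobject]@{
                PID      = [int]$_.Name
                Host     = if ($p) { $p.Name } else { '<exited>' }
                Path     = if ($p) { $p.ExecutablePath } else { $null }
                Services = ($_.Group.Name -join ', ')
            }
        } | Sort-Object Host, PID
}

function Get-ProcessLineage {
    param([Parameter(Mandatory)][string]$Name)       # e.g. 'PnkBstrA.exe'
    # Walk ParentProcessId up to the root. Windows only records the parent
    # PID, so if the parent exited and its PID was reused the chain would
    # be wrong; a parent created after its child is treated as PID reuse.
    Get-CimInstance Win32_Process -Filter "Name = '$Name'" | ForEach-Object {
        $chain = @()
        $cur = $_
        while ($cur) {
            $chain += "$($cur.Name)[$($cur.ProcessId)]"
            $parent = $procs[[int]$cur.ParentProcessId]
            if (-not $parent -or $parent.CreationDate -gt $cur.CreationDate) { break }
            $cur = $parent
        }
        [pscustomobject]@{ Process = $_.Name; PID = $_.ProcessId
                           Path = $_.ExecutablePath; Lineage = ($chain -join ' <- ') }
    }
}

Get-HostedServices | Format-Table -AutoSize
Get-ProcessLineage -Name 'PnkBstrA.exe' | Format-List
```

A service whose Path is outside the expected directory (the thread names c:\windows\system32 for PnkBstrA.exe) or whose Lineage ends in an unexpected parent is what to compare against the vendor's documentation before deciding anything is hiding.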
08 Dec 2011   #10
stormy13
Microsoft MVP

Win 7 Ultimate x64
 
 

I'm trying to figure out how he is seeing PnkBstrA (or PnkBstrB) being attached to CSRSS. I have a couple of games that use PunkBuster and neither of its services is showing as being in or attached to CSRSS.

[Attached image: csrss.png]

