Unravelling CSRSS.exe and the new process architecture of Windows 7


  1. Posts : 126
    Windows 7 Ultimate 64-bit
       #1

    One of the things I first noticed in Windows 7 is how now there are many "hidden" processes not shown in the normal tab of Task Manager, and instead lumped into the "Services" tab yet still somehow connected or underneath the 'umbrella' of other processes. I used to know all the processes that run in Windows, and which I could kill and which I couldn't. After this Services tab I've kinda given up on that due to the sheer number.

    I hope to help change that with this thread. I've finally decided to create a whitelist in my head of these Services like I used to have for all Windows processes. The first problem I'm noticing is that if a service is loaded under a critical process (like CSRSS.exe), then there is no obvious way to kill it. What is the way around this?

    This seems like a huge security vulnerability, because what if a virus installs to being under the 'umbrella' of CSRSS.exe? There is an anti-cheat program called PunkBuster that is needed to play games like Battlefield 3. I noticed that PnkBstrA is part of the CSRSS.exe.

    I decided to reinstall this game tonight, as well as PunkBuster and Origin (both pieces of software are related to this game only, for me). After uninstalling all 3 pieces of software, deleting all related folders from my HD, and deleting all leftover registry keys related to them and their parent companies, I noticed PnkBstrA was somehow STILL running! I hit Stop process, nothing. I hit Go To Process, and it took me to CSRSS.exe ... well darn. I know from experience you can't kill CSRSS.exe and expect Windows to keep running.

    I'm amazed at this, I did not think it was possible for anything to survive in Windows after uninstall, file delete, registry key delete...

    Anyways, I was already 15 minutes into downloading the game files when I noticed this, so I'm going to have to just hope it's a "clean" re-installation and overlook this. Mainly posting this out of curiosity and hoping to pick up a couple of pointers that might help me in the future manually remove advanced viruses that take advantage of this vulnerability.

    TL;DR: How can you kill a non-Windows 7 service that has injected itself into an essential Windows 7 service? (other than via taskmgr, since that doesn't always work correctly)
    Last edited by joe7dust; 06 Dec 2011 at 03:42.


  2. Posts : 1,781
    Windows 7 Professional SP1 32-bit
       #2

    I would think that the uninstallation simply wasn't as thorough as it should've been. Did you reboot after uninstalling everything? Was that when you found Punkbuster still running?

    I'd simply search the entire system drive for any occurrences of "PnkBstrA" and see what it comes up with. There might yet be something left to uninstall separately.
    If not, you could try deleting whichever file you find; if it won't let you because the file is in use, try something like Unlocker to schedule deletion on the next restart.

    Make sure to create a system restore point first, just in case this somehow breaks csrss.exe badly enough to prevent Windows from starting up again.

    Another thought: is there any PunkBuster-related service listed under Administrative Tools -> Services?


  3. Posts : 126
    Windows 7 Ultimate 64-bit
    Thread Starter
       #3

    I'm downloading/installing the whole package again so I'm not messing with it. If this doesn't fix the issue I'll simply reinstall Windows. That might not even be it, and I could use a new motherboard. Just trying to stop random system crashes that only happen during 1 game. Not sure if heat, driver issue, other software issue, etc.

    Mainly just posted this to learn about the Services tab in Task Manager, and learn more about how there are now processes within processes.

    It's almost as if the Services are to Processes, as the old DLLs were to Processes.
    Last edited by joe7dust; 06 Dec 2011 at 08:24.


  4. Posts : 189
    Windows 7 Home Premium 64Bits SP1
       #4

    joe7dust said:
    This seems like a huge security vulnerability, because what if a virus installs to being under the 'umbrella' of CSRSS.exe? There is an anti-cheat program called PunkBuster that is needed to play games like Battlefield 3. I noticed that PnkBstrA is part of the CSRSS.exe
    My PnkBstrA and/or PnkBstrB have been installed by Steam for certain games but never under the CSRSS.exe service. They always install independently and are displayed as such in Task Manager.

    After the game(s) are installed, I remove the PnkBstrA.exe & PnkBstrB.exe from the c:\windows\system32 directory where they live. I also remove the entries in the Windows Firewall section.

    Since I never ever play online or multiplayer games, I don't need that crapware installed. If I need to use a cheat code, I do it! It's my game and I paid for it. So goodbye PunkBuster!! I have never had problems playing games after removing them.

    By the way, enjoy BF3 !


  5. Posts : 126
    Windows 7 Ultimate 64-bit
    Thread Starter
       #5

    When I reinstalled PunkBuster, I didn't have to give any special permissions for it to insert itself within CSRSS.exe.

    I fear this will become a common hiding place for malware if this isn't addressed soon...

    Anyone have something to contribute to the OP on how the whole hidden services thing works, and how just any ole software can get in there? Looking pretty lean in here on information...


  6. Posts : 5,642
    Windows 10 Pro (x64)
       #6

    joe7dust, what you describe is nothing new. NOTHING. Services were always lumped under a process like svchost.exe. The only real difference is task manager has a service tab now so you can see them. Can we get a few screenshots of the issue you are talking about?


  7. Posts : 126
    Windows 7 Ultimate 64-bit
    Thread Starter
       #7

    I remember seeing lots of DLLs loaded into each process back in the day using a special "task manager", but never services. I would assume it goes something like this, Processes -> Services -> DLLs, is that right? I don't have screenshots; they would just be simple anyways, like a picture of PnkBstrA.exe showing as loaded within CSRSS.exe as I described in the OP.

    I see viruses on a regular basis, but surprised more of them don't just hide in CSRSS.exe's umbrella.
    I guess what I really want is to listen in on a conversation between 2+ people more knowledgeable than I on the subject. I'm definitely not going to go grab a computer science textbook and read about it, but still curious...


  8. Posts : 2,528
    Windows 10 Pro x64
       #8

    Well, remember that you *did* have to provide administrative credentials (and if UAC is enabled, elevate the install) to allow this. It's a security risk, yes, but it's not possible unless the person running the code has administrative access. There's not a whole lot any system can do to prevent a system's administrators from blowing it up, if the user really is to have administrative access and decides to do something stupid.

    Hence why running as administrator isn't a good idea on a day-to-day basis, paying attention to what one installs when they do elevate, etc.


  9. Posts : 5,642
    Windows 10 Pro (x64)
       #9

    Is the below image what you are talking about, of PnkBstrA.exe being loaded within CSRSS.exe? If so... it's not being loaded within CSRSS.exe, nor is it hidden. It just means CSRSS.exe loaded PnkBstrA.exe and is now a parent process. Otherwise I have no idea what you are going on about.
    [Attached screenshot: untitled.png]
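An added PowerShell example (not posted by anyone in this thread) that makes the distinction drawn in posts #6 and #9 concrete: services are hosted inside a process and show up in the Services tab grouped by host PID, whereas a child process such as PnkBstrA.exe is a separate process whose parent PID merely points at whatever launched it. It assumes Windows PowerShell 5.1 or later and that the process of interest is named PnkBstrA.exe; run it elevated so that the image paths of system processes are readable.

```powershell
# 1. Services grouped by the process that hosts them. This is the "umbrella" the thread
#    talks about: several services share one svchost.exe, and a service installed by a game
#    would appear here with its own PID and its own executable path.
$hosted = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$hosted |
    Group-Object ProcessId |
    ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Name)"
        [pscustomobject]@{
            PID      = [int]$_.Name
            Host     = $proc.Name
            Services = ($_.Group.Name -join ', ')
        }
    } | Sort-Object Host | Format-Table -AutoSize

# 2. Parent/child relationship for a process by name. A parent PID that resolves to csrss.exe
#    does not mean the child runs "inside" csrss.exe; it has its own image file, which is the
#    thing an uninstaller (or a manual cleanup) has to remove. Note that parent PIDs are not
#    reliable once the parent has exited, because Windows reuses PIDs.
function Get-ParentInfo {
    param([string]$Name = 'PnkBstrA.exe')   # assumed process name from the thread
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$Name'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        [pscustomobject]@{
            Child     = $p.Name
            ChildPID  = $p.ProcessId
            ChildPath = $p.ExecutablePath
            ParentPID = $p.ParentProcessId
            Parent    = if ($parent) { $parent.Name } else { '<exited or not visible>' }
        }
    }
}
Get-ParentInfo | Format-List

# 3. Cheap sanity check for the "hiding behind csrss.exe" worry: every process called csrss.exe
#    should have its image under System32. A copy running from anywhere else deserves a closer look.
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
    Select-Object ProcessId, ExecutablePath,
        @{ n = 'ExpectedPath'; e = { $_.ExecutablePath -like "$env:SystemRoot\System32\*" } }
```

Comparing the output of step 1 with step 2 shows why Task Manager's "Go To Process" from a service lands on the host process, while a child process is listed on its own and can be stopped independently of its parent.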


  10. Posts : 6,879
    Win 7 Ultimate x64
       #10

    I'm trying to figure out how he is seeing PnkBstrA (or PnkBstrB) being attached to CSRSS. I have a couple of games that use PunkBuster and neither of its services are showing as being in or attached to CSRSS.

    [Attached screenshot: csrss.png]

