
Windows 7: Is csrss.exe a trojan?

20 Sep 2015   #41

W7 Pro SP1 64bit

Quote: Originally Posted by kacperrools
When I try to do properties it does not do anything ... please help. Is it a virus?
See this post about Process Explorer and VirusTotal:
Process Explorer 16

You might also want to select:
Options > Verify Image Signatures.

10 Dec 2015   #42

windows 7 professional x64

I am also having this issue, however I cannot post the req info via this thread as it's too big.
10 Dec 2015   #43

Windows 7 Pro 64 bit

Welcome to the forum.

What issue are you having?
The fact that the process is running is not an issue.

26 Dec 2015   #44

Win 7 Pro (64)
I have this issue also

I have the file csrss.exe active. Unlike the others on the list, right-clicking and trying to open the location doesn't work. My scan for the file location showed this result:

[Attached image: csrss.jpg]

Your thoughts?

26 Dec 2015   #45

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

Hi jmrathbun, welcome to 7F! :)

The first location looks okay, but the second in the winsxs folder does not.
When I searched for the class ID attached to the second csrss file: 31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3 I had one hit and it was a user looking for malware removal help. This doesn't necessarily mean your machine has malware, but,

Do you notice any recent peculiarities with your machine?
  • Slowness,
  • Browser redirects,
  • Unusual web activity even when no one is using your machine and it's asleep (watch your router lights),
  • HDD thrashing.

I would start several cleaning processes with these and the freeware versions are okay to use:

If after running these and your CMD search still turns up that second csrss in winsxs I would seriously consider starting a new separate thread here in the System Security Forum.
26 Dec 2015   #46

Win 7 Pro (64)

Thanks for your input!

I got interested when I saw a popup at logon this AM asking if it was OK for a program I didn't recognize to do a disc write. Unfortunately, I wasn't alert enough to write down the program's name, but I wasn't so stupid as to allow it to go to work on my system.

I tried to rename the second copy of CSRSS but it won't let me; it requires permission of 'Trusted Installer'. I don't know who that would be other than me, because I built this machine myself!

Currently I'm running a deep scan with Webroot, since that's already installed. I've noticed a few unexpected behaviors this AM but was attributing that to having run around 150 Windows Updates yesterday.

I wonder if there's a way to edit the Registry to give me access to the second copy of CSRSS?
26 Dec 2015   #47

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

You're welcome.

What you describe could indicate malware (a disk write). Try to get the name if it pops up again.

You could go to the Properties > Security tab of the file csrss in winsxs, then click on Advanced. It might show more info on who/what is the TrustedInstaller (TI); malware developers use TI to mask/spoof the real installer.

Have you tried to access the registry key with an elevated registry editor?
Type regedit into the Start Menu Search box, then right-click on the first listing, regedit.exe, under Programs, and click 'Run as administrator'.

If that doesn't work try this, it may help the registry edit; Go to step #3 under Here's How: To Change the Access Permissions of a Registry Key

Remember to back up the Registry: Registry - Backup and Restore
26 Dec 2015   #48

Win 7 Pro (64)

Well, here's what it has to say for itself:
[Attached image: csrss-properties.jpg]

I'm currently corresponding with Webroot technical support to see if that's possibly part of their library of malware names.

26 Dec 2015   #49

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

Well, it seems an old dog can learn new tricks, and I'm going to have to re-think this csrss thing....

I've been looking around, and if one has more than one csrss it's because you have one for your logged-on user and one for all users; that is normal.
"If you have more than one running in task manager for any/each user, there's a good chance you may be infected. If so, post back and we'll discuss how to deal with that. Otherwise it's not only normal but required."

You have one for your logged on user and one for all users, that is normal.
Multiple processes listed more than once is also normal.
svchost is a host process used by many different things. It is not unusual to see many listed running copies of this process.


Source: the bottom of page two.
The trick here is: IF you have more than one running in task manager for any/each user, then you have a problem.

Then at the top of page six, in the second and third posts, I found another user (in the second post on that page) that has the same class ID (CLSID) as you, C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3, with Stephen Boots' reply:

Hi there

I have the following csrss.exe files appear, can you look through them for me please to see if they are fine or not? Not sure how to get a file listing to post here

1) amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3_csrss

2) csrss..........System32 (C:\windows)

3) csrss..............C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3

4) csrss.exe.mui.....en-US (C:\Windows\System32)

5) csrss.exe.mui.....en-US (C:\Windows\SysWOW64)

6) csrss.exe.mui.....C:\Windows\winsxs\amd64_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3685fcbdfb21a5ac

7) csrss.exe.mui.....C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476



Stephen Boots
MVP Insider Community Moderator Wiki Author MCC: Content Creator MCC: Content Curator Launch expert - Windows 10

All good.

#2 is the one that is installed and running.

All the rest are either inside installers or backup copies.

So, according to Stephen Boots, your screenshot is showing either an inside installer or a backup copy. Look at your screenshot: both are the same size and date.

Bottom line: if you don't have the problems I mentioned in my first reply to you, your two instances of csrss are normal.

Here's something to scare the masses, this is what SystemLookup has found: Search | csrss.exe
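Added example (not part of any post in this thread): a Python sketch that sorts a csrss file listing like the one quoted in post #49 into the running System32 copy, language resources and WinSxS component-store copies, and flags anything else. The verdict labels and the last two sample paths are constructed; the WinSxS directory names are the ones quoted above, read as arch_name_publicKeyToken_version_culture_hash.

```python
import re

# Token that appears in every WinSxS csrss directory name quoted in the thread.
MS_TOKEN = "31bf3856ad364e35"

# WinSxS directory layout: arch_name_publicKeyToken_version_culture_hash
WINSXS_DIR = re.compile(
    r"^(?P<arch>amd64|x86|wow64)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]{16})$"
)

def classify(path, windir=r"C:\Windows"):
    """Return (verdict, detail) for one csrss.exe or csrss.exe.mui path."""
    parts = path.replace("/", "\\").lower().split("\\")
    root = windir.lower().split("\\")
    if parts[:len(root)] != root:
        return ("unexpected", "outside the Windows directory")
    rel = parts[len(root):]
    name = rel[-1] if rel else ""
    if rel == ["system32", "csrss.exe"]:
        return ("live", "the installed copy that runs")
    if name == "csrss.exe.mui" and len(rel) == 3 and rel[0] in ("system32", "syswow64"):
        return ("resource", "language resource for " + rel[1])
    if len(rel) == 3 and rel[0] == "winsxs" and name in ("csrss.exe", "csrss.exe.mui"):
        m = WINSXS_DIR.match(rel[1])
        if m and m["token"] == MS_TOKEN and m["name"].startswith("microsoft-windows-csrss"):
            return ("component-store", "version %s, culture %s" % (m["version"], m["culture"]))
        return ("unexpected", "WinSxS directory name is not a csrss component")
    return ("unexpected", "csrss file in a non-standard location")

# Directory names are the ones quoted in the thread; the last two paths
# are constructed to show what gets flagged.
SAMPLE = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe",
    r"C:\Windows\System32\en-US\csrss.exe.mui",
    r"C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476\csrss.exe.mui",
    r"C:\Users\Public\csrss.exe",
    r"C:\Windows\winsxs\csrss\csrss.exe",
]

def report(paths=SAMPLE):
    """Classify every path and return (path, verdict, detail) tuples."""
    return [(p, *classify(p)) for p in paths]

if __name__ == "__main__":
    for path, verdict, detail in report():
        print("%-16s %s  (%s)" % (verdict, path, detail))
```

A path that classifies cleanly only shows the file sits where Windows keeps it; signature verification, as with the Process Explorer "Verify Image Signatures" option mentioned earlier in the thread, is still the check on the file's contents.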
26 Dec 2015   #50
Layback Bear

Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64

One of my systems that has no problems or infections.

[Attached image: today-only.png]

