Is csrss.exe a trojan?

Hi jmrathbun, welcome to 7F! :)

The first location looks okay, but the second in the winsxs folder does not.
When I searched for the class ID attached to the second csrss file: 31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3 I had one hit and it was a user looking for malware removal help. This doesn't necessarily mean your machine has malware, but,

Do you notice any recent peculiarities with your machine?

• Slowness,

• Browser redirects,

• Unusual web activity even when no one is using your machine and it's asleep (watch your router lights),

• HDD thrashing.

I would start several cleaning processes with these and the freeware versions are okay to use:

• AdwCleaner

• Mbam

• Superantispyware

If after running these and your CMD search still turns up that second csrss in winsxs I would seriously consider starting a new separate thread here in the System Security Forum.

You're welcome.

What you describe could indicate malware (a disk write). Try to get the name if it pops up again..

You could go to the Properties >Security tab of the file csrss in winsxs then click on advance. it might show more info on who/what is the trustedinstaller (TI), malware developers use TI to mask/spoof the real installer.

Have you tried to access the registry key with an elevated registry editor?
Type regedit into the Start Menu Search box, then right click on the first listing regedit.exe under Programs, and click 'run as administrator'

If that doesn't work try this, it may help the registry edit; Go to step #3 under Here's How: To Change the Access Permissions of a Registry Key

Remember to back up the Registry: Registry - Backup and Restore

Well, it seems an old dog can learn new tricks, and I'm going to have to re-think this csrss thing....

I've been looking around and if one has more than one csrss it's because; You have one for your logged on user and one for all users, that is normal.

"If you have more than one running in task manager for any/each user, there's a good chance you may be infected. If so, post back and we'll discuss how to deal with that. Otherwise it's not only normal but required."

You have one for your logged on user and one for all users, that is normal.
Multiple processes listed more than once is also normal.
svchost is a host process used by many different things. It is not unusual to see many listed running copies of this process.

-steve

Source; The bottom of page two

The trick here is: IF, you have more than one running in task manager for any/each user, then you have a problem.

Then at the top of page six, the second and third posts I found another user in the second post on that page that has the same class ID (CLSID) as you C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3.with Stephen Boots reply:

Hi there

I have the following csrss.exe files appear, can you look through them for me please to see if they are fine or not? Not sure how to get a file listing to post here

1) amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3_csrss

2) csrss..........System32 (C:\windows)

3) csrss..............C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3

4) csrss.exe.mui.....en-US (C:\Windows\System32)

5) csrss.exe.mui.....en-US (C:\Windows\SysWOW64)

6) csrss.exe.mui.....C:\Windows\winsxs\amd64_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3685fcbdfb21a5ac

7) csrss.exe.mui.....C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476

Thanks

Mike


Stephen Boots
MVP Insider Community Moderator Wiki Author MCC: Content Creator MCC: Content Curator Launch expert - Windows 10

All good.

#2 is the one that is installed and running.

All the rest are either inside installers and backup copies.

-steve

So, according to Stephen Boots your screenshot is showing either and inside installer or a backup copy. Look at your screenshot, both are the same size and date.

Bottom line; If you don't have the problems I mentioned in my first reply to you, your two instances of csrss are normal.

Here's something to scare the masses, this is what SystemLookup has found: http://Search | csrss.exe | www.systemlookup.com

One of my system that has no problems or infections.