See this post about Process Explorer and VirusTotal:
Process Explorer 16
You might also want to select:
Options > Verify Image Signatures.
I am also having this issue, however I cannot post the req info via this thread as it's too big.
Welcome to the forum.
What issue are you having?
The fact that the process is running is not an issue.
Hi jmrathbun, welcome to 7F! :)
The first location looks okay, but the second in the winsxs folder does not.
When I searched for the class ID attached to the second csrss file: 31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3 I had one hit and it was a user looking for malware removal help. This doesn't necessarily mean your machine has malware, but,
Do you notice any recent peculiarities with your machine?
- Slowness,
- Browser redirects,
- Unusual web activity even when no one is using your machine and it's asleep (watch your router lights),
- HDD thrashing.
I would start several cleaning processes with these and the freeware versions are okay to use:
If after running these and your CMD search still turns up that second csrss in winsxs I would seriously consider starting a new separate thread here in the System Security Forum.
Thanks for your input!
I got interested when I saw a popup at logon this AM asking if it was OK for a program I didn't recognize to do a disc write. Unfortunately, I wasn't alert enough to write down the program's name, but I wasn't so stupid as to allow it to go to work on my system.
I tried to rename the second copy of CSRSS but it won't let me; it requires permission of 'Trusted Installer'. I don't know who that would be other than me, because I built this machine myself!
Currently I'm running a deep scan with Webroot, since that's already installed. I've noticed a few unexpected behaviors this AM but was attributing that to having run around 150 Windows Updates yesterday.
I wonder if there's a way to edit the Registry to give me access to the second copy of CSRSS?
You're welcome.
What you describe could indicate malware (a disk write). Try to get the name if it pops up again.
You could go to the Properties > Security tab of the file csrss in winsxs, then click on Advanced. It might show more info on who/what is the TrustedInstaller (TI); malware developers use TI to mask/spoof the real installer.
Have you tried to access the registry key with an elevated registry editor?
Type regedit into the Start Menu Search box, then right click on the first listing regedit.exe under Programs, and click 'run as administrator'.
If that doesn't work try this, it may help the registry edit; Go to step #3 under Here's How: To Change the Access Permissions of a Registry Key
Remember to back up the Registry: Registry - Backup and Restore
Well, it seems an old dog can learn new tricks, and I'm going to have to re-think this csrss thing....
I've been looking around and if one has more than one csrss it's because: You have one for your logged on user and one for all users, that is normal. The trick here is: IF you have more than one running in task manager for any/each user, then you have a problem.
"If you have more than one running in task manager for any/each user, there's a good chance you may be infected. If so, post back and we'll discuss how to deal with that. Otherwise it's not only normal but required."
You have one for your logged on user and one for all users, that is normal.
Multiple processes listed more than once is also normal.
svchost is a host process used by many different things. It is not unusual to see many listed running copies of this process.
-steve
Source; The bottom of page two
Then at the top of page six, the second and third posts, I found another user in the second post on that page that has the same class ID (CLSID) as you, C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3, with Stephen Boots' reply:
So, according to Stephen Boots your screenshot is showing either an inside installer or a backup copy. Look at your screenshot, both are the same size and date.
Hi there
I have the following csrss.exe files appear, can you look through them for me please to see if they are fine or not? Not sure how to get a file listing to post here
1) amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3_csrss
2) csrss..........System32 (C:\windows)
3) csrss..............C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3
4) csrss.exe.mui.....en-US (C:\Windows\System32)
5) csrss.exe.mui.....en-US (C:\Windows\SysWOW64)
6) csrss.exe.mui.....C:\Windows\winsxs\amd64_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3685fcbdfb21a5ac
7) csrss.exe.mui.....C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da67613a42c43476
Thanks
Mike
Stephen Boots
All good.
#2 is the one that is installed and running.
All the rest are either inside installers or backup copies.
-steve
Bottom line; If you don't have the problems I mentioned in my first reply to you, your two instances of csrss are normal.
Here's something to scare the masses, this is what SystemLookup has found: Search | csrss.exe | www.systemlookup.com
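
The two checks this thread relies on (the winsxs copy matching the installed System32 file, and one csrss.exe per session) can be scripted; this is an added example, not part of the original posts. It assumes PowerShell 4.0 or later in an elevated prompt, and the variable and property names are illustrative.

```powershell
# Added example, not from the thread. Assumes PowerShell 4.0+ (Get-FileHash,
# Get-CimInstance) and an elevated prompt so process paths are readable.
$reference = Join-Path $env:SystemRoot 'System32\csrss.exe'
$refHash   = (Get-FileHash -Path $reference -Algorithm SHA256).Hash

# 1) On-disk copies: the component-store (winsxs) copy should be byte-identical
#    to the installed System32 file, not merely the same size and date.
$copies  = @(Get-Item -Path $reference)
$copies += Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') `
    -Filter 'csrss.exe' -Recurse -File -ErrorAction SilentlyContinue

$copies | ForEach-Object {
    [pscustomobject]@{
        Path            = $_.FullName
        Length          = $_.Length
        LastWriteTime   = $_.LastWriteTime
        MatchesSystem32 = ((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq $refHash)
    }
} | Format-List

# 2) Running instances: the rule of thumb quoted in the thread is one csrss.exe
#    per session, and each should be loaded from System32.
$running = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'"

$running | Group-Object -Property SessionId | ForEach-Object {
    [pscustomobject]@{
        SessionId = $_.Name
        Count     = $_.Count
        Pids      = ($_.Group.ProcessId -join ', ')
        Review    = ($_.Count -gt 1)   # more than one in a session merits a closer look
    }
} | Format-Table -AutoSize

# ExecutablePath is empty when the caller lacks rights to query the process,
# so only non-empty paths that differ from System32 are reported.
$running |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ne $reference) } |
    Select-Object ProcessId, SessionId, ExecutablePath
```

A winsxs folder left over from a superseded update holds an older build and will legitimately hash differently from the System32 file, so compare the version string in the folder name before treating a mismatch as suspicious.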