Dual csrss.exe and conhost.exe are they virited?

EJGlass · 28 May 2015

Hi
I have seen two copies of csrss.exe in the run of Process Explorer, and can't figure out why there are two. Also is csrss.exe supposed to have this extra stuff on after the .exe part? (the added stuff looks like opening ports for sharing which is off)

=====
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
=====

The same file is loading up with csrss.exe it is conhost.exe and each occurrence of the conhost file has a different set of numbers after the .exe part as well.

=====(NT Authority/System in PE)
\??\C:\Windows\system32\conhost.exe "-19462917881928618761-14517701611313678421-1909588746-743542847-290976386389256608
=====
and the other is:
=====(NT Authority/Network Service in PE)
\??\C:\Windows\system32\conhost.exe "251829604-254933148129903086818709497291982502722-82799778550413321-274352356
=====

What is all this extra stuff after the .exe part of each file?
Any help would be great or is someone could look at their copies of these files in the system32 folder(win 7 64bit)

LMiller7 · 28 May 2015

Everything you are seeing is normal.

Starting with Vista there will be one instance of csrss.exe for the system session plus one for each logged in user. This is done for security reasons. The only time there will be only one is when there is no logged in user, but then there would be no one to see it.

It is not unusual to see one or more instances of conhost.exe.

The data following the process name is the command line passing required information to the process when it starts. Many of the details are undocumented.

It is not unusual to see multiple instances of some other processes as well. There may be a dozen or more instances of svchost.exe.

EJGlass · 28 May 2015

LMiller7 said:

Everything you are seeing is normal.

Starting with Vista there will be one instance of csrss.exe for the system session plus one for each logged in user. This is done for security reasons. The only time there will be only one is when there is no logged in user, but then there would be no one to see it.

It is not unusual to see one or more instances of conhost.exe.

The data following the process name is the command line passing required information to the process when it starts. Many of the details are undocumented.

It is not unusual to see multiple instances of some other processes as well. There may be a dozen or more instances of svchost.exe.

Thanks for the quick reply... Guess I should stick to "NOT" reading things into PE's logging...

Oh I just noticed something else though that I had not seen before today. There are two copies of dllhost.exe that load up then shut down within 2 seconds. Why are they doing this? I am logged in as Administrator for PE and this does not happen on normal.

Thanks again!

LMiller7 · 28 May 2015

Many programs use dllhost.exe for a variety of purposes. Having several running is not unusual.