
Csrss.exe: what is it? Csrss.exe loads the processor: how to fix it?

Starting with Windows 2000, a user who opens the Task Manager sees the Csrss.exe service in the tree of active processes. Not every user knows what it is. In this article we look at the topic, and also at why errors occur and how to deal with them.

Csrss.exe: what is it?

First of all, it should be noted that Csrss.exe is an important system process. The abbreviation in the file name comes from Server Client Runtime Subsystem, which can be rendered as "server-client interaction subsystem."

To be more precise, the Csrss.exe process is an intermediate layer that provides interoperability between the server and client parts of the operating system.

Process description

Let's take a closer look at the Csrss.exe process. What kind of process it is and how it works becomes clear from a simple example: user-installed applications, say, are launched thanks to this service.

However, a better example is the access the user gets to all the features of the system through the graphical interface. Csrss.exe is responsible for this as well.

In a sense, it can be compared to the Rundll32 process, except that Rundll32 interacts exclusively with dynamic libraries, whereas the Csrss.exe service works more broadly and is responsible for running both system and user processes.

Program file location

As for the program file, its standard location is C:\Windows\System32. The Csrss.exe file is located in the System32 folder and cannot be found anywhere else.

The simplest conclusion follows from this: the user should not see more than one Csrss.exe process in the Task Manager. That is, so to speak, the de facto rule. True, sometimes several Csrss.exe services "hang" in the Task Manager. Two or more processes are a clear sign of a virus, although there are exceptions to the rule.

For example, depending on the version of Windows, there may be more than one such process. Such situations do occur: in Windows 7 or 8, two Csrss.exe processes can be present in the Task Manager at the same time, but no more. If there are more than two, that is bad, and it has to be dealt with, especially since many viruses can easily disguise themselves as system services. This is discussed a little later.

Why does the Csrss.exe service load the processor?

Now we come to the unpleasant situation in which this process uses system resources too actively, loading the RAM and the CPU to the limit.

As intended by the developers, the Csrss.exe process should not take more than 3000 KB of RAM in normal operation. Its CPU usage is usually displayed as zero, or a little more, where "a little more" means no more than a fraction of a percent. So if a user sees a load in the tens of percent, urgent measures must be taken.

Suspicion of viruses

To begin with, today there are quite a lot of viruses that masquerade as the Csrss.exe system process. What does this mean in terms of an infected computer? The virus first copies itself, placing copies with the same name (Csrss.exe) in the folders used to store temporary Internet files, moving its own copies to USB drives, and so on. All the running copies can be seen in the Task Manager.

At the same time, even when looking at the file location or the command line, the average user cannot see anything suspicious. All the data will simply be identical. Next, we consider several methods that help to combat such problems.

The simplest ways to remedy the situation

Let's start with the simplest. Suppose we suspect a virus disguised as the Csrss.exe process. How do we treat the system in this case? As easy as pie. First, scan the system with a powerful anti-virus scanner installed on it, or use online scanners.

Which antivirus to prefer is for the user to decide. In this particular case, though, you can use more capable utilities, say, Kaspersky or ESET NOD32. Another very interesting tool is the Panda "cloud" scanner, which combines the capabilities of a regular antivirus and online scanners. But that is not the point.

Sometimes the antivirus software does not detect threats associated with this process. Viruses are in fact becoming much more sophisticated in their behavior. Sometimes the user's computer may simply have a weak antivirus installed, and so on. What should be done in this case?

Here manual intervention can be recommended. Of course, you can dig into the registry, removing unnecessary keys or repairing damaged ones, but there is a much easier way. The simplest tool is the same Task Manager. If the user sees several processes in it that load the system heavily, each of them can be ended in turn. If the process turns out to be a virus, nothing terrible will happen. It will end, and that's all.

If you try to end the original service, Windows will immediately ask whether you really want to terminate this process ("Do you want to end this process?") and warn that ending the process can affect the stability of the system. Note that this message is displayed only for the genuine Csrss.exe file.

Deleting files

Now let's see what can be done after we have found a threat in the system and ended the corresponding processes in the Task Manager. We need to find all the suspicious files and delete them manually.

To do this, press Win + F to open Windows search. In the search field, enter the name of the file (in this case Csrss.exe) and run the search on all hard disks, logical partitions and removable media. Removable media must be included (if, of course, they were connected to the computer or laptop while the threat was present), since one of the ways viruses of this type spread is by copying themselves to ordinary USB flash drives or hard drives. It should already be clear that if you get rid of the virus only in the system itself, reconnecting an infected removable USB drive will infect it again.

The search can take a lot of time, but it is worth the wait. When the search has finished and the results show all the files found with this name, check each of them at least for a digital signature. Right-click each file and open the "Properties" menu.

On the "Details" tab, the genuine file must have a digital signature (Microsoft copyright, product name, location and, most importantly, a size of 6 KB). All the files that do not meet these criteria can be deleted without a twinge of conscience.
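The location and signature checks described above, as an added PowerShell example that is not part of the original article. Variable names are illustrative, and the script only reports what it finds; it deletes nothing.

```powershell
# Added example: list every csrss.exe process and file with its location
# and Authenticode signature status. Run from an elevated prompt.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

# 1. Running processes named csrss.exe, with session and image path.
#    ExecutablePath can be empty for protected system processes, so an
#    empty path means "could not be read", not "malicious".
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
    Select-Object ProcessId, SessionId, ExecutablePath,
        @{ n = 'InSystem32'; e = { $_.ExecutablePath -ieq $expected } } |
    Format-Table -AutoSize

# 2. Every file called csrss.exe on all file-system drives, removable
#    media included. Drives that are not ready are skipped silently.
$report = foreach ($root in (Get-PSDrive -PSProvider FileSystem).Root) {
    Get-ChildItem -Path $root -Filter 'csrss.exe' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                Signature  = $sig.Status                     # 'Valid' for an intact signed file
                Signer     = $sig.SignerCertificate.Subject  # empty when unsigned
                InSystem32 = $_.FullName -ieq $expected
            }
        }
}

# 3. Review list: files outside System32 or without a valid signature.
#    Copies under the Windows component store (WinSxS) carry a valid
#    Microsoft signature; the Signature and Signer columns tell them apart
#    from unsigned look-alikes in temp folders or on USB drives.
$report |
    Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Sort-Object Path |
    Format-List
```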

However, sometimes removal will be impossible, or the files will be masked so that the system does not find them. In this situation you will have to use special scanners, usually called Rescue Disc. Their advantage is that the antivirus software loads before Windows starts. As practice shows, such utilities are able to detect and remove viruses in 99.9% of cases.

Conclusion

So, we have looked at the Csrss.exe process, and what it is should now be at least a little clearer. In principle, if the process loads the system and is the only one in the list, it is better not to terminate it forcibly but to check the system with an antivirus. It may well be that the file is simply damaged or infected. The actions described above apply only if several Csrss.exe processes are detected on the system.


Copyright © 2018 en.atomiyme.com. Theme powered by WordPress.