This post is a lab write-up in which I research and examine the functions of the csrss.exe process in Windows.
"This is the user-mode portion of the Win32 subsystem; Win32k.sys is the kernel-mode portion. Csrss stands for Client/Server Run-Time Subsystem, and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and implementing some portions of the 16-bit virtual MS-DOS environment."
CSRSS is mainly responsible for Win32 console handling and GUI shutdown.
It is critical to system operation, and terminating this process results in system failure. CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible on Vista if Task Manager is run in Administrator mode. On Windows 7 and Windows 8 Developer Preview, Task Manager warns the user that terminating the process will result in system failure and asks whether they want to continue. I was not able to kill the process in Windows XP, 7, or 8.
Some virus hoax emails claim that csrss.exe is a virus that has been confirmed by Microsoft, and that the user should terminate it immediately. Doing so would, of course, actually lead to system failure and a blue screen of death.
CSRSS is started along with winlogon.exe at Windows start-up. If either file is corrupted or otherwise inaccessible, the NT kernel halts the start-up process with a Blue Screen of Death. This is caused by a failure to transition out of kernel mode into user mode, the "normal" operating state of Windows. The error code for this fault is 0xc000021a.
Some viruses, spyware, and trojans are known to disguise themselves as the CSRSS.exe process. These types of threats may include, but are not limited to:
Nimda.E
W32/Netsky.ab
W32/VBMania
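Because the real csrss.exe always runs from System32 as SYSTEM and is launched by smss.exe (which normally exits, so the parent is often gone), those properties can be used to spot the impersonators listed above. The following is an added example written for this post, not code from the original, that runs such checks over a constructed process listing; the record field names are assumptions, modelled on what a Sysmon or Get-Process export provides.

```python
from dataclasses import dataclass

# Assumed legitimate properties of the genuine CSRSS instance.
LEGIT_PATH = r"c:\windows\system32\csrss.exe"
LEGIT_USER = "nt authority\\system"
LEGIT_PARENT = "smss.exe"   # smss.exe usually exits, so an empty parent is also fine


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    user: str
    parent_name: str   # "" when the parent has already exited


def looks_like_csrss(name: str) -> bool:
    """True for 'csrss.exe' itself and for any one-character variation of it
    (e.g. 'csrsss.exe', 'csrs.exe'), so typosquatted names are also examined."""
    name, target = name.lower(), "csrss.exe"
    if name == target:
        return True
    if abs(len(name) - len(target)) > 1:
        return False
    i = j = edits = 0
    while i < len(name) and j < len(target):
        if name[i] == target[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # consume one extra char from the longer string, or skip one in both
        if len(name) > len(target):
            i += 1
        elif len(name) < len(target):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(name) - i) + (len(target) - j) <= 1


def check_process(p: Proc) -> list[str]:
    """Return the reasons a csrss-like process deviates from the genuine one."""
    findings = []
    if not looks_like_csrss(p.name):
        return findings
    if p.name.lower() != "csrss.exe":
        findings.append(f"name {p.name} is a look-alike of csrss.exe")
    if p.path.lower() != LEGIT_PATH:
        findings.append(f"unexpected image path {p.path}")
    if p.user.lower() != LEGIT_USER:
        findings.append(f"not running as SYSTEM ({p.user})")
    if p.parent_name.lower() not in (LEGIT_PARENT, ""):
        findings.append(f"unexpected parent {p.parent_name}")
    return findings


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map PID -> findings for every suspicious csrss-like process."""
    return {p.pid: f for p in procs if (f := check_process(p))}


# Constructed sample listing: one genuine instance, two impostors, one unrelated process.
SAMPLE = [
    Proc(632, "csrss.exe", r"C:\Windows\System32\csrss.exe", "NT AUTHORITY\\SYSTEM", ""),
    Proc(4120, "csrss.exe", r"C:\Users\bob\AppData\Roaming\csrss.exe", "DESKTOP\\bob", "explorer.exe"),
    Proc(5000, "csrsss.exe", r"C:\Windows\Temp\csrsss.exe", "NT AUTHORITY\\SYSTEM", ""),
    Proc(1000, "explorer.exe", r"C:\Windows\explorer.exe", "DESKTOP\\bob", "userinit.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, reasons)
```

On a live host, the same checks can be fed from Get-Process / Get-CimInstance Win32_Process output; a genuine csrss.exe should never produce a finding.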
Sources:
http://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem
http://technet.microsoft.com/en-us/security/bulletin/ms13-033