Console Windows Host process (conhost.exe) – why is it running?

conhost.exe - What is this process?
Written by Wilbur Woodham

The Console Windows Host process (conhost.exe) can appear in Task Manager whether or not you have opened the Windows console in this session. However, the chance that this process belongs to a malicious app is relatively low. In this post, you can find a detailed list of conhost.exe functions, as well as how to recognize a malicious copy of this process among legitimate ones.

Why does my system run the Console Windows Host process?

The conhost.exe process appeared in Windows Vista as a replacement for the ClientServer Runtime System Service (a.k.a. CSRSS), which was used in all Windows NT systems up to NT 6.0 (i.e. Windows XP). CSRSS was deeply embedded in the system because of the rudimentary functions it carried out [1]. But more and more applications used it to get access to the console, and when errors occurred, it was prone to crashing. A crash of such a deeply embedded system process leads to the failure of the whole operating system, so Microsoft decided to split the console functions of CSRSS into a separate process to improve system stability.

CSRSS process in the Task Manager

Nowadays, Console Windows Host is listed as a separate process in Task Manager. Nonetheless, if you use process exploring tools that show processes in more precise detail, you can see that conhost.exe is still associated with the csrss.exe app, which was left as a part of the past CSRSS process.

Console Windows Host may be present in several instances simultaneously. Don’t be scared: this happens when you have several applications running that need the console in order to function correctly. When one of these apps is closed, you will see the corresponding change in Task Manager.

Is it a good idea to stop the conhost.exe process?

As stated above, conhost.exe is used by different programs to get access to the command prompt. Suspending this process will surely lead to various errors in these programs. And the performance boost gained by disabling it is minimal: while inactive, conhost.exe consumes about 5 MB of RAM and less than 0.3% of CPU power.

Console Windows Host process consumption

The times when Windows processes could be disabled to increase system performance passed long ago. When Windows XP was the latest OS version, computers were quite weak and upgrading them was quite expensive, so disabling several services could really make your PC faster without any significant problems. Nowadays, such tricks can make things even worse.

Can the Console Windows Host process be used by malware?

All legitimate system processes are listed in the Windows Processes category in Task Manager. If you see a duplicate of a process from the Windows processes category in the list of background processes, it may be malware. To check which program the process belongs to, right-click it and choose the “Open file location” option.

Open the file location of Console Windows Host process

If this file is stored somewhere in the Windows/System32 folder, it is 100% legit. Don’t be scared by the massive number of processes in the background: the majority of them are needed to decrease the time programs take to open.

However, if this process is located among the user’s processes and “Open file location” leads to an unknown directory, it is recommended to check your PC with antimalware software. My choice for this case is GridinSoft Anti-Malware.
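The same location check can be run over every conhost.exe instance at once instead of one right-click at a time. The PowerShell below is an added example, not part of the original article; the function name Get-ConhostAudit is hypothetical, and the signature column is an extra check the article does not describe.

```powershell
# Added example: audit every running conhost.exe by its on-disk location.
# Expected path follows the article: the genuine file lives in System32.
$ExpectedPath = Join-Path $env:SystemRoot 'System32\conhost.exe'

function Get-ConhostAudit {   # hypothetical helper name
    # Win32_Process exposes ExecutablePath and ParentProcessId per instance.
    $instances = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'conhost.exe'"

    foreach ($proc in $instances) {
        $path      = $proc.ExecutablePath
        $signature = $null

        if ([string]::IsNullOrEmpty($path)) {
            # Without elevation, the path of another user's process may be hidden.
            $verdict = 'Unknown: path not readable, rerun elevated'
        }
        elseif ($path -ieq $ExpectedPath) {
            $verdict = 'Expected location'
        }
        else {
            $verdict = 'Unexpected location: scan this file'
        }

        if ($path -and (Test-Path -LiteralPath $path)) {
            # Extra check, not from the article: Authenticode status of the file.
            $signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }

        # Name of the process holding the recorded parent PID (PIDs can be reused).
        $parent = Get-Process -Id $proc.ParentProcessId -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ProcessId = $proc.ProcessId
            Parent    = if ($parent) { $parent.ProcessName } else { '(exited)' }
            Path      = $path
            Signature = $signature
            Verdict   = $verdict
        }
    }
}

Get-ConhostAudit | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that the path of every instance is readable; rows marked with an unexpected location are the ones to hand to the antimalware scan.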

Sometimes, malware may not mimic the original svchost.exe, but use console functions for its own purposes. Such behavior is usual for potentially unwanted programs (PUP) that have the functions of a web browser, for example, or an email client. In some cases, console access may be used even by severe viruses, like spyware or ransomware. Below, you can see the list of actions these viruses can perform using the svchost.exe functions:

  • Changing registry keys;
  • Getting some configurations or other data;
  • Connecting to the servers that are needed for the malware to function.

Removing the viruses with GridinSoft Anti-Malware

  • Download and install GridinSoft Anti-Malware. After the installation, you will be offered to perform the standard scan. Accept this offer.

GridinSoft Anti-Malware during the scan process

  • The standard scan lasts up to six minutes and checks the system files together with the files of the programs you have installed on your computer.

GridinSoft Anti-Malware scan results

  • When the scan is complete, press “Apply” to wipe out the malicious items that are present on your PC.

Malware removal with GridinSoft Anti-Malware



    1. Article about the Windows Console on Wikipedia
    Console Host Process (conhost.exe) is a Windows service that is needed to give the applications the ability to use the Windows console. It was implemented in Windows Vista to divide the CSRSS.exe app into two separated processes.

    About the author

    Wilbur Woodham

    I was a technical writer from early in my career, and consider IT Security one of my foundational skills. I’m sharing my experience here, and I hope you find it useful.
