Console Windows Host process (conhost.exe) can be met in the Task Manager, regardless of the fact you have opened the Windows console in this session. However, the chance that this process belongs to the malicious app is relatively low. In this post, you can find the detailed list of conhost.exe functions, as well as recognizing the malicious copy of this process among legit ones.
Why does my system run the Console Windows Host process?
conhost.exe process appeared in Windows Vista, as a substitution for ClientServer Runtime System Service (a.k.a. CSRSS), which was used in all Windows NT systems up to NT 6.0 (i.e. Windows XP). This process was deeply embedded in the system, because of some rudimentary functions which were carried by it1. But more and more applications used this process to get access to the console, and in case of some errors, this app was prone to crash. The crash of the deep system process leads to the failure of the whole operating system, so Microsoft decided to split the console functions of CSRSS into the separated process to improve the system stability.
Nowadays, Console Windows Host is listed as a separated process in Task Manager. Nonetheless, if you use the process exploring tools with more precious detailing of the processes, you can see that conhost.exe is still associated with the csrss.exe app, which was left as a part of the past CSRSS process.
Console Windows Host may be present in several instances simultaneously. Don’t be scared, such situations appear when you have several applications running that need to use the console for their correct functioning. At the moment when one of such apps is closed, you will see the corresponding change in the Task Manager.
Is it a good idea to stop the conhost.exe process?
As it was stated before, conhost.exe is used by different programs to get access to the command prompt. Suspending this process will surely lead to different errors of these programs. And the performance boost that goes after this process is disabled is minimal: while being inactive, conhost.exe consumes about 5 MB RAM and less than 0.3% of CPU power.
The times when Windows processes may be disabled to increase the system performance have passed long ago. When Windows XP was the last actual OS version, computers were quite weak, and their upgrade was quite expensive, disabling several services could really make your PC faster without any significant problems. Nowadays, such tricks can make things even worse.
Can the Console Windows Hosts process be used by malware?
All legitimate system processes are listed in the Windows Processes category in Task Manager. If you see a duplicate of the process from Windows processes in the list of background processes, it may be malware. To check out the program the process belongs to, click it with a right mouse button, and choose the “Open file location” option.
If this file is stored somewhere in the Windows/System32 folder, it is 100% legit. Don’t be scared with a massive number of processes in the background – the majority of them are needed to decrease the time of programs opening.
However, if this process is located among the user’s processes and “Open file location” leads to the unknown directory, it is recommended to check your PC with antimalware software. My choice for this case is GridinSoft Anti-Malware.
Sometimes, malware may not mimic the original svchost.exe, but use console functions for its own purposes. Such a behavior is usual for potentially unwanted software (PUP), that has the functions of a web browser, for example, or email client. In some cases, console access may be used even by severe viruses, like spyware or ransomware. Below, you can see the list of actions these viruses can do using the svchost.exe functions:
- Change the registry keys;
- Getting some configurations or other data;
- Connecting to the servers that is needed for malware functioning.
Removing the viruses with GridinSoft Anti-Malware
User Review( votes)
- Article about the Windows Console on Wikipedia