Csrss.exe Windows process – is it a virus?

Csrss.exe Windows process – is it a virus?
csrss.exe process, csrss.exe miner, csrss.exe virus
Written by Robert Bailey

Csrss.exe process is a legitimate Windows process. It belongs to Client Server Runtime Subsystem, that carries several important functions in the operating system. The peculiarity of that process is that it is often counterfeited by viruses, primarily – by coin mining trojans1. If you see in Task Manager that this process consumes more than 10% of your CPU, it is not ok. Read the article to know how to figure out the malware, and how to remove it from your PC.

GridinSoft Anti-Malware Review
It is better to prevent, than repair and repent!
When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.
Gridinsoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | Gridinsoft
Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

Why does the csrss.exe process consume so much CPU capacity?

The legitimate process never takes more than 10% of your system power. Moreover, the functions csrss carries are usually performed when the user will likely not admit this. This process is responsible for correct data saving at the moments of logout/shutdown of the PC. Another, and less needed function is providing the console access for the apps at the moment of their startup. During the operations, the access is granted by another system process – conhost.exe.

csrss,exe process in Task Manager

If you have a performance problem, and see that the csrss process has a lion’s share of CPU consumption, there is bad news for you. Your PC is likely infected with coin miner virus, or another dangerous malware which tries to stay unseen. Trojan-miner is a specific type of malware that performs quite a small amount of functions – it only mines cryptocurrency coins, using your CPU and GPU. While you have no programs running, you will not fill any suspicious moments. But when you even try to start a browser – the troubles begin.

How dangerous csrss virus is?

csrss.exe process will make use of more than 70% of your CPU’s power and also graphics cards resources

The biggest damage can be dealt to mobile devices, i.e. laptops. The cooling system of this type of device is not designed to constantly cool the system if it works on 100% of its capacity. In a typical (for the majority of laptop users) situation when you have your device on your laps, you can unintentionally close the air intake holes, so the cooling will not serve properly. With luck, your laptop will just turn off due to the CPU throttling2. But some systems, especially outdated, can have no throttling prevention mechanism, and such a strong overheating will surely lead to further CPU issues.

Fake csrss process

Desktop users will likely have less problems. But it is still an unpleasant experience to struggle with opening a browser window, or to wait for a minute while Photoshop attempts to create a new layer. CPU miners don’t care about the user, their target is to squeeze all possible coins from a single computer. That’s why the legit and familiar (at the first sight) csrss process can spontaneously start to consume up to 90-95% of CPU power.

File Name csrss.exe
Type Trojan Coin Miner
Detection Name Trojan:Win32/CoinMiner
Distribution Method Software bundling, Intrusive advertisement, redirects to shady sites etc.
Similar behavior Seed, Sheedscannerservice, Ie
Removal Download and install GridinSoft Anti-Malware for automatic csrss.exe removal.

Csrss virus distribution ways

There are three main ways of malware spreading that are used by coin miners developers. Malvertising is the most popular one, second by its share is software bundling, and the worst among the best is email spamming. Let’s check out each of them to understand how to detect that you are going to trap, and how to evade it.

Malicious advertisements on the web, however, is an old-timer of malware distribution. And the advice to stop clicking the blinking advertisements on untrustworthy websites exists as long as the ads on the Internet. You can also install ad blocking plugins for your web browser – they will deal with any kind of ads. However, if these ads are the result of adware activity, which is already present on your PC, ad blockers will be useless.

Malvertising example

Example of malvertising

Software bundling is a widespread practice among the virus developers. Users who hack the programs to make them usable without purchasing a license approve any offer to include another program to the pack, because they are gaining money in such a way. Check precisely the installation window for signs like “Advanced installation settings” or so. The ability to switch off the malware installation often hides under such items.

The users do not raise suspicion on notifications from DHL or Amazon about the incoming delivery. Hence, it is very easy to make the user believe that he opens a legit attachment from a real delivery report. Till he is not raising suspicion, the virus can do whatever it wants. However, it is quite easy to distinguish the malevolent email from the original one. One which is send by a cybercriminals has a strange sender address – something like [email protected], while the original email address has a specific domain name (@amazon.com or @dhl.us) and can also be seen on the official website in the “Contact us” tab.

How can I know that the csrss process is a legit or malicious one?

Unlike ransomware, cryptocurrencies extracting hazards are not meddlesome and are most likely to remain undetected by the target.

It is quite easy to check if the Client Server Runtime process is a real system task or a malicious copy. First way is to check the thread the process belongs to. By default, csrss.exe is a system process, so it is listed together with other Windows processes in the thread with the same name. You can spectate two instances of that process running simultaneously. That is nothing strange until both of them are among Windows processes:

CSRSS process in the Task Manager

If the csrss runs as a user process – it is time to raise suspicion. Check the location of this process by clicking it with the right mouse button. Then, choose the “Open file location” option. The legit process is stored in the C:/Windows/System32 folder. All other locations mean that this process is a fake, created by malware programs.

csrss,exe proper file location

How to remove the csrss virus?

As I promised, here is a removal guide for the case if the csrss.exe process is a virus. It is likely impossible to delete this virus manually, since it makes a lot of changes in registry and system settings. It is better to use antivirus software, because it will revert all changes in one click.

Microsoft Defender, that looks like an obvious solution, has several significant troubles, which makes it impossible to be used for malware removal. First, users often disable this antivirus program, because it consumes a lot of hardware resources while being active. Turning it back on is a very hard task. Another problem is that trojan viruses can disable that antivirus solution, and block all attempts to enable it back while staying active. That’s why it is better to use a separate antivirus. My choice for that case is GridinSoft Anti-Malware.

Enable the safe mode with networking

Before the removal process, it is recommended to boot your Windows into the safe mode with networking. Go to Start, click on the Power button, press on Shift button on the keyboard and choose the “Restart” option. Your PC will be booted into troubleshooting mode.

Enter the troubleshooting mode in Windows 10

In this menu, choose the Startup Settings. On the appeared screen, press F5 to activate the Windows safe mode with networking. This mode disables the launch of all programs, in spite of the original Windows processes. Hence, the malicious copy of csrss.exe will not be running and consuming so much CPU power.

Startup settings in troubleshooting mode

Remove the viruses with GridinSoft Anti-Malware

Download the GridinSoft Anti-Malware installation file (install-antimalware-fix.exe). Double click it to run the installation.

GridinSoft Anti-Malware Install

When the program is ready, it will offer you to activate a 6-day free trial. Then, you can start scanning. For the csrss virus, it is better to use Full scan.

Activate a trial license in GridinSoft Anti-Malware

This scan may last for up to 20 minutes. You are free to do everything you want, because GridinSoft Anti-Malware is very friendly to the PC resources.

GridinSoft Anti-Malware Scan

When the scan is over, click “Clean it” to get rid of the viruses. This operation is usually done in less than a minute, but if there are a lot of viruses, you may need to wait a little bit.

GridinSoft Anti-Malware after the scan process

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)


  1. Article about trojan-miners.
  2. About CPU throttling on Wikipedia.
Csrss.exe Windows process – is it a virus?
Csrss.exe Windows process – is it a virus?
Csrss.exe process is a legit process, which represents the activity of Client Server Runtime Subsystem. However, it is often counterfeited by different viruses, such as coin miners.

About the author

Robert Bailey

I'm Robert Bailey, a passionate Security Engineer with a deep fascination for all things related to malware, reverse engineering, and white hat ethical hacking.

As a white hat hacker, I firmly believe in the power of ethical hacking to bolster security measures. By identifying vulnerabilities and providing solutions, I contribute to the proactive defense of digital infrastructures.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.