What’s the Client Server Runtime Process csrss.exe

Modern operating systems are complex entities. In 1982, when Microsoft launched MS-DOS, the precursor to today’s Windows, it consisted of seven files with a total size of ap­prox­im­ately 400 kilobytes. At start-up, all you saw was a command line with a blinking cursor waiting for commands.

Today, when you boot up a Windows operating system, countless ex­ecut­ables are loaded into the memory. Several dozen processes and services are already running before you can even log on to the system. One of these critical system programs is called csrss.exe. In this article, we’ll take a closer look at the functions of this program.

The Client Server Runtime Subsystem runs once per session, although there are always two sessions running after Windows boots up: one “0” session for all services and one session for user processes. This means that at least two instances of csrss.exe are always running.

Each csrss.exe process loads multiple DLLs (dynamic libraries) such as basesrv.dll, winsrv.dll, or csrsv.dll. They provide the following functions, among others:

• Starting and stopping processes
• Starting and stopping threads
• Providing the console window (command line)
• Shutting down the system

These functions can be invoked and used by other programs and processes with the help of csrss.exe, further il­lus­trat­ing how essential the process is. If csrss.exe does not run properly or will not terminate, important functions of the operating system will suddenly become un­avail­able. Even processes that are already active will stop working once the system can no longer start threads.

There are several ways to examine the csrss.exe process more closely. The most con­veni­ent way is to use the built-in Task Manager. You can open it using the keyboard shortcut Ctrl + Shift + Esc or by typing “Task Manager” in the Windows search box. The Task Manager features multiple tabs with in­form­a­tion about CPU util­isa­tion, active processes, and services.

In Windows 10, you can find csrss.exe in the “Processes” tab of the Task Manager under Client Server Runtime Process. In previous versions, it was listed under its ap­plic­a­tion name (“csrss.exe”) in the Task Manager. You can right-click the process and choose from several options. The following are useful for in­spect­ing the process:

• Open file location: Opens a File Explorer window with the location of csrss.exe. This file location must always be “Windows\System32\.” If not, this is not the correct process.
• Go to details: You can view the process ID, see whether the process is running and find out which user is running it. For csrss.exe, the user should always be SYSTEM because it’s a system process.
• Prop­er­ties: You can display details about ap­plic­a­tion on the “Details” tab. You can open the cer­ti­fic­ate on the “Digital Sig­na­tures” tab. The issuer of the csrss.exe cer­ti­fic­ate must always be Microsoft.

One well-es­tab­lished al­tern­at­ive for scanning system processes like csrss.exe is to use programs by Windows insider Mark Russinovich. His Sys­in­tern­als Suite contains a wealth of useful software, including the Process Explorer program, which allows you to display active processes hier­arch­ic­ally. In addition, the software includes a direct link to the platform Virus­total.com, where you can submit processes for a quick check.

Many people on Internet forums ask whether processes like csrss.exe can be ter­min­ated or whether the software can be removed. Though possible, ter­min­at­ing csrss.exe would cause the system to shut down im­me­di­ately. For that reason alone, you should avoid doing this. The process cannot be ter­min­ated in the Task Manager without ad­min­is­trat­or priv­ileges.

If the process causes problems, such as a high CPU load, it’s better to find out which com­pon­ents may be re­spons­ible. You should also check whether you’re dealing with a “real” csrss process.

Com­pletely deleting the csrss.exe ap­plic­a­tion from the system folder would cause the system to stop running.

Since the csrss.exe process is always active, it stands out when you monitor running processes. In addition, the process’s cryptic name entices malware de­velopers to program similar sounding ap­plic­a­tions such as “crss.exe” or “cssrs.exe” and inject them into poorly protected systems. Unlike malware programs with foreign names, these ap­plic­a­tions can be easily over­looked or confused with the le­git­im­ate file if you don’t examine them carefully enough.

Always make sure the software has the correct spelling and file location. The csrss.exe ap­plic­a­tion in the system folder .\Windows\System32\ is very likely not malware. That said, if you still suspect that the file is a virus, we recommend re­in­stalling your system since malware would render your entire system unsafe.