Question

What is the purpose of the csrss.exe (Client/Server Runtime Server Subsystem) on Windows?

Maybe someone could give a good explanation or pointers to documentation? Unfortunately, Google results are pretty noisy when searching for a core process of Windows.

The reason I'm asking is that I got a BSOD from my service application which seems to be related to the csrss.exe process, at least this is what the analysis of the memory dump shows:

```
PROCESS_OBJECT: 85eeeb70

IMAGE_NAME:  csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0
MODULE_NAME: csrss
FAULTING_MODULE: 00000000
PROCESS_NAME:  PreviewService.
BUGCHECK_STR:  0xF4_PreviewService.
DEFAULT_BUCKET_ID:  DRIVER_FAULT
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from 80998221 to 80876b40

STACK_TEXT:
f5175d00 80998221 000000f4 00000003 85eeeb70 nt!KeBugCheckEx+0x1b
f5175d24 8095b1be 8095b1fa 85eeeb70 85eeecd4 nt!PspCatchCriticalBreak+0x75
f5175d54 8082350b 00000494 ffffffff 051bf114 nt!NtTerminateProcess+0x7a
f5175d54 7c8285ec 00000494 ffffffff 051bf114 nt!KiFastCallEntry+0xf8
051bf114 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

STACK_COMMAND:  kb
FOLLOWUP_NAME:  MachineOwner
FAILURE_BUCKET_ID:  0xF4_PreviewService._IMAGE_csrss.exe
BUCKET_ID:  0xF4_PreviewService._IMAGE_csrss.exe

Followup: MachineOwner
```

EDIT: Thanks already for the good answers, but I actually don't need help concerning my service, I just would like to get some basic understanding of what the purpose of this service is.


Solution

CSRSS hosts the server side of the Win32 subsystem. It is considered a system critical process, and if it is ever terminated you'll get a blue screen. More data is necessary, but you need to find out if some process is terminating csrss, or if it is crashing due to a bug.

Windows Internals is a great book for stuff like this. Wikipedia also has an article on CSRSS.

OTHER TIPS

csrss is the user-mode portion of the Win32 subsystem -- the user-mode analog to the kernel-mode win32.sys. As for what's going on with your particular service, it's hard to say without some better hints about what your service is doing.

One thing it does is provide the default console window for console apps like cmd.exe. At least according to jdeBP:

On Windows, how does console window ownership work?

It would appear that when a console app process is created without being passed handles to stdin, stdout and stderr, then some interprocess comms asks csrss to create a console window in a new thread and give its IO handles to the console process.

It is related to the graphical system. However, right now there is an active trojan behind this name and it is causing many issues for people, I heard. It is mining crypto, and since the exe process itself is common, people have a difficult time detecting the main issue.
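The name reuse mentioned in the last answer can be checked from a process listing, because the genuine csrss.exe runs only from %SystemRoot%\System32 under the SYSTEM account. The following Python check is an added example, not part of the original answers; the record fields, the sample records and the C:\Windows install path are assumptions.

```python
import ntpath

# Assumption: default install, %SystemRoot% = C:\Windows.
EXPECTED_PATH = r"c:\windows\system32\csrss.exe"
EXPECTED_USER = r"nt authority\system"
TARGET = "csrss.exe"

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def findings(proc):
    """Return the reasons a process record looks like a csrss.exe impostor."""
    # normpath also collapses "..\" segments before the comparison.
    path = ntpath.normpath(proc["path"]).lower()
    name = ntpath.basename(path)
    reasons = []
    if name == TARGET:
        if path != EXPECTED_PATH:
            reasons.append("csrss.exe outside System32")
        if proc["user"].lower() != EXPECTED_USER:
            reasons.append("csrss.exe not running as SYSTEM")
    elif edit_distance(name, TARGET) == 1:
        # Distance 1 only: lsass.exe and smss.exe are both at distance 2.
        reasons.append("lookalike name")
    return reasons

def scan(records):
    """Map pid -> reasons for every record with at least one finding."""
    return {r["pid"]: f for r in records if (f := findings(r))}

# Constructed sample records (hypothetical pids, users and paths).
SAMPLE = [
    {"pid": 512, "path": r"C:\Windows\System32\csrss.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 4120, "path": r"C:\Users\alice\AppData\Roaming\csrss.exe", "user": r"DESKTOP-01\alice"},
    {"pid": 4388, "path": r"C:\Windows\System32\csrsss.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 640, "path": r"C:\Windows\System32\lsass.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 5000, "path": r"C:\Windows\System32\..\Temp\csrss.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

The same three checks apply to records taken from any process inventory or process-creation log, as long as the full image path and the account are captured.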

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow