conhost.exe and csrss.exe questions

windows-7

Any time you see ConHost.exe it means that a non-GUI program is being executed. This happens when you open the Command Prompt or when an application installer needs to run a standard "DOS" command as part of the installation routine. It's very normal to have the ConHost.exe process come and go, and should only be cause for concern if you have many (20-30+) instances for more than a few moments. Further, it's quite proper that you would observe program and service start/stop activity in connection with ConHost.exe processes starting and stopping, as it is at these times in a program's lifecycle that they'll often need to interact with a non-GUI application.

If you wish to dig in more deeply, the article http://blogs.technet.com/b/askperf/archive/2009/10/05/windows-7-windows-server-2008-r2-console-host.aspx explains the new addition (as of Windows 7) that is ConHost.exe and the problem it is meant to solve::

In previous versions of Windows [that is, prior to Windows 7], all GUI activity on behalf of non-GUI applications that ran on the desktop (console applications) was brokered by the system process CSRSS.exe.

If you know much about how Windows handles separation of privilege between users, you might correctly see a potential weakness, confirm as the article continues:

The problem with this was that even if an application ran in the context of a regular user’s account, CSRSS.EXE runs under the Local System account. So it was possible under certain circumstances for malware to exploit weaknesses in an application in order to execute code under the more privileged Local System account in CSRSS.EXE.

Windows 7 permanently changed that model by introducing the ConHost.exe process:

This exposure was addressed in Windows 7 and Windows Server 2008 R2 by running the console messaging code in the context of a new process, ConHost.exe. ConHost (Console Host) runs in the same security context as its associated console application. Instead of issuing an LPC request to CSRSS for message-handling, the request goes to ConHost.

Hope that helps!

EDIT:

Two instances of csrss.exe is not abnormal. I've observed this plenty of times on known-clean computers. If you don't have two instances running, simply start CMD.EXE and you'll likely end up with a second instance of csrss.exe hosting a child instance of conhost.exe.

In your case I don't see any evidence of their being a malicious reason for the second instance of csrss.exe or the multiple instances of conhost.exe.

Related

Some websites disable my back button, how can I still use it?
unable to merge primary partition with free space
Defragmentation and 15% minimum space with Windows XP
What's a good IPv6 tutorial? [closed]
Cannot use SSL/TLS on Mac OS X
OCR Image based PDF [duplicate]
Windows Batch File (WMI) - taskkill process based on memory usage
PDF Where does Acrobat reader save information about last view settings?
How do I disable auto-negotiation on DD-WRT?
Stuck with extended desktop cracked screen laptop - how to revert to normal display?
Print many copies of a pdf without using a for-loop?
How do I set my power plan to turn off the display in less than 1 minute?