Process
conhost.exe
conhost.exe is the Console Window Host, the process that provides the text window for command-line programs. Character-mode tools like cmd.exe and powershell.exe use conhost for the console they run in, and it handles the text input and output, selection and copy-paste, and resizing. A separate instance runs for each console in use.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: CONHOST.EXE.MUI
- Internal name: ConHost
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
10.0.26100.1 (WinBuild.160101.0800) (100%)
988.00 KB (100%)
Execution context
C:\Windows\System32\conhost.exe (100%)
Not observed.
Not observed.
1 (100%)
Session 1 (100%)
- SeCreateGlobalPrivilege (100%)
- SeChangeNotifyPrivilege (100%)
- SeImpersonatePrivilege (100%)
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
wtdccm.dll (100%)
Not observed.
Not observed.
Not observed.
- conhost.exe {CMD} · Execute · Use conhost.exe as a proxy binary to evade defensive counter-measures
- conhost.exe --headless {CMD} · Execute · Specify --headless parameter to hide child process window (if applicable)
Indicators
Not observed.
Analysis
conhost.exe (Console Window Host) supplies the console window and text I/O for character-mode applications. Before Windows 7, this was handled directly by csrss.exe, which ran as SYSTEM. Moving console hosting into a separate per-console process let it run in the user's own context and made room for features like window theming and drag-and-drop.
Because a console belongs to whatever program is using it, conhost.exe appears in the process tree as a child of that program, for example under cmd.exe, powershell.exe, or any other tool that opens a console. It runs from C:\Windows\System32\conhost.exe in the same user and integrity context as its parent, and a busy machine normally shows several instances at once, one per active console. Its command line typically looks cryptic but is benign, often ending in 0xffffffff -ForceV1.
The genuine conhost.exe is a trusted, signed Microsoft system file. It isn't something a user launches directly. Windows creates an instance automatically whenever a program needs a console and removes it once the last program using that console exits.
Like other trusted system processes, conhost.exe is sometimes imitated by malware attempting to avoid detection (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Be suspicious of copies running from other locations and of near-miss spellings such as conhast.exe or conhost32.exe.
The real conhost.exe is more valuable as evidence than as a target. Because Windows spawns a conhost.exe for any process that runs a console command, the parent of a conhost instance is a reliable record of what just used the command line. A conhost child under something that has no reason to run commands, such as an opened Office document, a PDF reader, or a server process like w3wp.exe, exposes command execution behind a macro, an exploit, or a web shell that would otherwise blend in (T1059.003).
- Image path other than C:\Windows\System32\conhost.exe (high)
- Unsigned image or a signer other than Microsoft (high)
- Child processes (conhost hosts a console, it does not launch programs) (high)
- A parent that has no reason to open a console, such as winword.exe, excel.exe, or a service like w3wp.exe (high)
- Running in a different user or integrity context than its parent (med)
- An instance with no parent console application (med)
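The indicators listed above, plus the near-miss-name check from the analysis, applied to a process snapshot. This is an added example, not code from this page or from any product. The record fields, the 0.85 name-similarity threshold and every process in the sample are constructed assumptions.

```python
import ntpath
from difflib import SequenceMatcher

GENUINE = r"c:\windows\system32\conhost.exe"
SIGNER = "Microsoft Windows"  # signer shown under "File identity" on this page
NO_CONSOLE = {"winword.exe", "excel.exe", "w3wp.exe"}  # the page's examples; extend locally

def base(p):
    return ntpath.basename(p["image"]).lower()

def findings(proc, snapshot):
    name = base(proc)
    if name != "conhost.exe":
        # Near-miss spellings such as conhast.exe or conhost32.exe (T1036.005).
        near = SequenceMatcher(None, name, "conhost.exe").ratio() >= 0.85
        return [("high", "near-miss name")] if near else []
    parent = next((p for p in snapshot if p["pid"] == proc["ppid"]), None)
    ctx = lambda p: (p["user"], p["integrity"])
    checks = [  # same order as the indicator list
        ("high", "unexpected image path", proc["image"].lower() != GENUINE),
        ("high", "unsigned or non-Microsoft signer", proc["signer"] != SIGNER),
        ("high", "has child processes", any(c["ppid"] == proc["pid"] for c in snapshot)),
        ("high", "parent has no reason to open a console",
         parent is not None and base(parent) in NO_CONSOLE),
        ("med", "user or integrity differs from parent",
         parent is not None and ctx(parent) != ctx(proc)),
        ("med", "no parent console application", parent is None),
    ]
    return [(sev, label) for sev, label, hit in checks if hit]

def rec(pid, ppid, image, signer=SIGNER, user="alice", integrity="medium"):
    return dict(pid=pid, ppid=ppid, image=image, signer=signer, user=user, integrity=integrity)

S32 = "C:\\Windows\\System32\\"
# Constructed process snapshot (hypothetical paths and user), not telemetry from this page.
SNAPSHOT = [
    rec(100, 1, S32 + "cmd.exe"),
    rec(101, 100, S32 + "conhost.exe"),                  # ordinary console host
    rec(200, 1, r"C:\Program Files\Office\winword.exe"),
    rec(201, 200, S32 + "conhost.exe"),                  # console opened under Word
    rec(300, 100, r"C:\Users\alice\AppData\conhost.exe", signer=None),
    rec(301, 300, S32 + "ping.exe"),                     # child of a conhost instance
    rec(400, 100, S32 + "conhost.exe", integrity="high"),
    rec(500, 100, r"C:\Temp\conhast.exe", signer=None),
    rec(600, 999, S32 + "conhost.exe"),                  # parent not in snapshot
]

def scan(snapshot=SNAPSHOT):
    return {p["pid"]: f for p in snapshot if (f := findings(p, snapshot))}
```

`scan()` returns a dict keyed by PID containing only the processes that matched at least one indicator; the ordinary console host (PID 101) is absent from it.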
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1