Process
csrss.exe
csrss.exe is the Client Server Runtime Process, a critical Windows system process that handles user-mode portions of the Win32 subsystem, serving as an essential link between applications and the operating system kernel. It's launched early in the boot sequence, runs once per session, and is fundamental to keeping Windows running.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable
- Original name: CSRSS.Exe.MUI
- Internal name: CSRSS.Exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
- 10.0.26100.1 (WinBuild.160101.0800) (100%)
- 37.70 KB (100%)
Execution context
C:\Windows\System32\csrss.exe (100%)
Not observed.
Not observed.
2 (100%)
Session 0 (50%), Session 1 (50%)
- SeLockMemoryPrivilege (100%)
- SeDelegateSessionUserImpersonatePrivilege (100%)
- SeSystemProfilePrivilege (100%)
- SeProfileSingleProcessPrivilege (100%)
- SeImpersonatePrivilege (100%)
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
- calculatorapp.exe (66.7%)
- runtimebroker.exe (66.7%)
- backgroundtaskhost.exe (66.7%)
- svchost.exe (66.7%)
- applicationframehost.exe (66.7%)
Not observed.
Indicators
Not observed.
Analysis
Every session gets its own csrss.exe, including session 0. It's started by the same short-lived smss.exe copy that creates the session, so like wininit.exe and winlogon.exe it normally shows no parent in the process tree. It runs as NT AUTHORITY\SYSTEM from C:\Windows\System32\csrss.exe.
Over the years, many of csrss.exe's original responsibilities have moved into kernel mode, but it still manages several important functions. These have included handling the creation and deletion of threads and processes, managing console windows for command-line applications (a job that moved to conhost.exe in Windows 7), supporting the shutdown process, and other behind-the-scenes Win32 functionality like mapping drive letters.
There's typically one instance per session, so a normal system often shows two: one for session 0 and one for the interactive session, with more appearing for remote desktop connections. They start with the session and run until it ends. A legitimate csrss.exe starts no child processes on a modern system, so a large or unusual number of instances, or any children at all, warrants a closer look.
The genuine csrss.exe is a trusted, signed Microsoft system file that is vital to normal operation. It should never be removed or disabled, and attempting to terminate it will trigger a system crash (blue screen), since Windows depends on it to function.
Because it's a trusted, essential process, csrss.exe is a popular target for impersonation by malware trying to hide in plain sight (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Be highly suspicious of copies found in other locations and of slightly misspelled names such as csrsss.exe or cssrs.exe.
Its position in the process tree is a quick check. A real csrss.exe has no living parent, since the smss.exe copy that started it exits immediately, and it never spawns children. An instance with a visible parent, or with children of any kind, is an anomaly (T1134.004).
Because it's a SYSTEM process that's always running and rarely watched, csrss.exe is also a target for code injection. Implanted code inherits both its privileges and its critical-process status, since killing the host crashes the machine (T1055). Unexpected network connections or odd loaded modules are the signs to look for.
- Image path other than C:\Windows\System32\csrss.exe (high)
- Any child processes (high)
- A living parent process (the smss.exe copy that starts it exits immediately) (high)
- Running as any account other than NT AUTHORITY\SYSTEM (high)
- Unsigned image or a signer other than Microsoft (high)
- More instances than sessions (med)
- Start time long after boot without a matching new session (med)
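The checks in the list above, applied to a process snapshot. This is an added Python example, not code from this page or from Microsoft; the record fields (pid, ppid, name, path, user, session, signer, start) are assumed names for whatever your EDR or process-listing export provides, and the sample snapshot is constructed.

```python
from collections import Counter

GENUINE_PATH = r"c:\windows\system32\csrss.exe"
SYSTEM_USER = r"nt authority\system"
EXPECTED_SIGNER = "Microsoft Windows"  # signer value listed on this page

def check_csrss(procs):
    """Map each csrss.exe pid to its list of (severity, finding) tuples.

    Each record is a dict with assumed keys: pid, ppid, name, path, user,
    session, signer (None if unsigned), start (seconds since boot).
    """
    by_pid = {p["pid"]: p for p in procs}
    csrss = [p for p in procs if p["name"].lower() == "csrss.exe"]
    per_session = Counter(p["session"] for p in csrss)
    report = {}
    for p in csrss:
        found = []
        if p["path"].lower() != GENUINE_PATH:
            found.append(("high", "unexpected image path"))
        # Compare start times so a reused PID is not mistaken for a relative.
        if any(c["ppid"] == p["pid"] and c["start"] >= p["start"] for c in procs):
            found.append(("high", "has child processes"))
        parent = by_pid.get(p["ppid"])
        if parent is not None and parent["start"] <= p["start"]:
            found.append(("high", "living parent"))
        if p["user"].lower() != SYSTEM_USER:
            found.append(("high", "not running as SYSTEM"))
        if p["signer"] != EXPECTED_SIGNER:
            found.append(("high", "unsigned or unexpected signer"))
        # A count alone cannot say which instance is the extra one: flag all.
        if per_session[p["session"]] > 1:
            found.append(("med", "more instances than sessions"))
        report[p["pid"]] = found
    return report

# Constructed snapshot (not real telemetry): two genuine instances, one impostor.
KEYS = ("pid", "ppid", "name", "path", "user", "session", "signer", "start")
SYS32, SYS, MS = r"C:\Windows\System32", r"NT AUTHORITY\SYSTEM", "Microsoft Windows"
SAMPLE = [dict(zip(KEYS, r)) for r in [
    (612, 600, "csrss.exe", SYS32 + r"\csrss.exe", SYS, 0, MS, 5),
    (708, 696, "csrss.exe", SYS32 + r"\csrss.exe", SYS, 1, MS, 9),
    (600, 4100, "notepad.exe", SYS32 + r"\notepad.exe", r"PC\alice", 1, MS, 900),  # reused PID
    (4100, 4000, "explorer.exe", r"C:\Windows\explorer.exe", r"PC\alice", 1, MS, 40),
    (5200, 4100, "csrss.exe", r"C:\Users\Public\csrss.exe", r"PC\alice", 1, None, 1200),
    (5300, 5200, "cmd.exe", SYS32 + r"\cmd.exe", r"PC\alice", 1, MS, 1210),
]]
```

Calling check_csrss(SAMPLE) leaves PID 612 clean even though a later process reused its parent's PID, and reports the instance-count finding for both csrss.exe processes in session 1, so the high-severity findings are what separate the impostor from the genuine one.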
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1