.. / csrss.exe

Star

• Image Path: System32 dir
• Parent Process: None
• Number of Instances: 2+
• User Account: SYSTEM
• Start Time: Multiple

The Client/Server Run-Time Subsystem is the user-mode process for the Windows subsystem. Its duties include managing processes and threads, importing many of the DLLs that provide the Windows API, and facilitating shutdown of the GUI during system shutdown. An instance of csrss.exe will run for each session. Session 0 is for services and Session 1 for the local console session. Additional sessions are created through the use of Remote Desktop and/or Fast User Switching. Each new session results in a new instance of csrss.exe.

Image Path

Executable’s image path.

%SystemRoot%\System32\csrss.exe

Parent Process

A process which spawned the analyzed process.

Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.

Number of Instances

Expected number of processes running which may normally run on Windows.

Two or more

User Account

Windows account with which the process was launched. This defines what privileges given process has.

Local System

Start Time

Expected time of process to be launched.

Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although often only Sessions 0 and 1 are created.