Conhost.exe - a system process or a virus?

Each user of a modern Windows-system somehow in the process of work calls the Task Manager, where all running applications, services and processes are displayed. Many pay attention to the system component called conhost.exe. What it is, and why this service is needed at all, will now be considered.

What is conhost.exe in Task Manager?

For uninitiated users, we note at once that this system service is mandatory for inclusion. For the first time it appeared in Windows Vista, adding the process csrss.exe, which was originally present in the "ekspishek."

If we talk about the conhost.exe process in simple language, it should be noted that it is responsible for correcting the long-standing problem associated with drawing console windows (for example, a command-line window similar to what used to be in DOS-based systems ).

Analog in Windows XP

First, let's look at the Windows XP favorite. Maybe some users noticed that if you use a certain theme, different from the one installed by default, the console window always looks in the classic "flashy" form.

The fact is that the drawing of the window was entrusted to the system itself (the above process csrss.exe was responsible for this). Thus, it was impossible to change the appearance of the window to fit the current layout.

Problems in Windows Vista

To change this situation, a new service was used in Vista, the launch of which was the system file conhost.exe. The process, although working with a lower priority than csrss.exe, nevertheless in most cases corrected the appearance of the window.

However, as mentioned above, the service itself turned out to be unfinished, as a result of which the windows had an old look. In addition, in Vista, although this was originally intended, there was no way to drag the file into the console window from the standard Explorer, because it did not have high privileges in comparison with the parent process.

Changes in Windows 7 and above

Starting with the seventh version of Windows, conhost.exe has undergone drastic changes. Although it is still in the process priority tree between csrss.exe and cmd.exe, it still allows you to display the console window in a form that matches the installed theme.

The main change was that now you could insert files from the Explorer, for example, directly into the command window, which showed the full path to the specified file on the screen, eliminating the need for its input in manual mode.

In most cases, the conhost.exe service itself works exclusively with the command-line cone. Although today you can find many applications that can, to some extent, require access to console windows, their activation takes only a few seconds, and the appearance of the called call occurs automatically without user intervention. That is, for example, at a certain stage of installing the program, a window appears in the crane, in which some actions are performed, and when the process ends the window disappears by itself, which saves the user from having to close it manually.

The service conhost.exe is launched many times: how to treat?

Now consider the possible problems that may arise in the case of the autonomous operation of this system module. The executable file is located in the System32 folder of the Windows main directory. It is not difficult to guess that if the service is started by this file, there is nothing potentially dangerous in it, and it is not recommended to terminate it in any case.

But sometimes it happens that several same processes appear in the same Task Manager . What does this mean? But only that the virus has penetrated the system, which in such a simple way produces its own disguise for the system service. But many users simply do not know which process should be completed, if there are problems with the increased load on system resources due to this component. In addition, if you disable all these processes sequentially, nothing will happen - the viruses are activated again.

Among the most famous and most potentially dangerous threats masquerading under the conhost.exe process, today there are two: Trojan: Win32 / Alureon.FM, or Backdoor: Win32 / Cycbot.B and RiskTool.Win32.BitCoinMiner.amv, or Packed.Win32. Krap.hy. As can be seen from the classification, these are common Trojans that are aimed at opening access to the system in order to intercept user information and transfer it to third parties or use for their own purposes. In some cases, a malfunctioning of the system is possible, which is related to the increased load on the CPU and RAM.

How to get rid of this, I think, it is not necessary to explain. We will have to use an antivirus scanner, but not the one installed in the system by default (it already passed the virus), and some portable utility like Kaspersky Lab's KVRT, Dr. Web CurIt! Etc. If they do not help, then you should use heavy artillery in the form of special utilities with the common name Rescue Disk. As you can guess, the most powerful in this respect are Kaspersky products. Web. This is recognized by both experts and ordinary users.