How-To Geek

What is conhost.exe and Why Is It Running?

You are no doubt reading this article because you are wondering what on earth this conhost.exe process is doing in Task Manager, and why it’s running on your shiny new Windows 7 PC. We’ve got the answer for you.

So What Is It?

The conhost.exe process fixes a fundamental problem in the way previous versions of Windows handled console windows, which broke drag & drop in Vista.

It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft. Scanning your computer for viruses is never a bad idea, though.

Wait, What? So Why Do I Need It?

Oh, you wanted more information? I suppose I can oblige with some background information. Essentially, there’s a problem with the way the console works on previous versions of Windows: all console windows are hosted under the csrss.exe (Client Server Runtime Process) service, which runs under a system-privileged account.

If you take a look at the command prompt on Windows XP, you’ll probably notice that the window doesn’t use the active theme at all. This is because the CSRSS process doesn’t have the ability to be themed.

If you take a look at the console in Windows Vista, it looks like it uses the same theme as everything else, but you’ll notice that the scrollbars are still using the old style (look closely). This is because the DWM (Desktop Window Manager) process handles drawing the title bars, but underneath it still works the same way, and the scrollbars are part of the window itself.

You might also notice that Windows Vista broke the ability to drag and drop files from Explorer straight into the command prompt. It just flat out doesn’t work, because of security issues arising from the CSRSS process running with a higher level of privileges.

Windows 7 Does It Differently

Checking it out in Process Explorer under Windows 7 shows that the conhost.exe process is running underneath the csrss.exe process.

The conhost.exe process sitting in the middle between CSRSS and cmd.exe allows Windows 7 to fix both of the problems in previous versions of Windows—not only do the scrollbars draw correctly, but you can actually drag and drop a file from Explorer straight into the command prompt:

And it’ll paste the path onto the command line. (Of course, this example isn’t very useful.)

Still Aren’t Convinced?

I can see our relationship has some trust issues. If you really want to be sure, check out the file properties for the conhost.exe executable, and you’ll see that the description says Console Window Host.

If you look at the details of the process from within Process Explorer, you’ll notice that the ComSpec is set to cmd.exe, a clear indication that it’s hosting the command prompt.
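The checks this article relies on (image in the system32 folder, signed by Microsoft, description "Console Window Host") can be run against every live conhost.exe at once. The script below is an added example, not part of the original article; it assumes an elevated Windows PowerShell 5.1 session on an English-language install, and the verdict wording is made up for illustration.

```powershell
# Added example: audit each running conhost.exe against the article's criteria.
# Assumptions: elevated Windows PowerShell 5.1, English file description.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" | ForEach-Object {
    $path   = $_.ExecutablePath   # empty when the session may not query the process
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue

    $status = $null; $signer = $null; $description = $null
    if ($path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        $status = $sig.Status
        $signer = $sig.SignerCertificate.Subject
        $file   = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $description = $file.VersionInfo.FileDescription
    }

    # Collect every criterion that fails instead of stopping at the first one.
    $findings = @()
    if (-not $path) {
        $findings += 'image path unavailable (run elevated)'
    } else {
        if ($path -ine $expected) {
            $findings += 'image is not in System32'
        }
        if ($status -ne 'Valid') {
            $findings += "signature status is $status"
        } elseif ($signer -notmatch 'O=Microsoft Corporation') {
            $findings += 'valid signature, but signer is not Microsoft'
        }
        if ($description -ne 'Console Window Host') {
            $findings += "unexpected description '$description'"
        }
    }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Parent      = if ($parent) { $parent.ProcessName } else { $_.ParentProcessId }
        Path        = $path
        Signature   = $status
        Description = $description
        Verdict     = if ($findings) { 'REVIEW: ' + ($findings -join '; ') } else { 'ok' }
    }
}
```

The number of rows is not a finding in itself; what matters is whether any single row fails the path or signature test.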

So now you know what the conhost.exe process does, and why you should never attempt to delete it. Ever.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 10/14/09

Comments (58)

  1. stz8

    Thanks for the awesome writeup! I was wondering what this process is and I assumed it was something with the command prompt since when I ended the task the window got killed too, but this was very enlightening! Thanks a ton!

  2. crankyguy

    I had no idea that you could drag n drop to the command prompt. Not sure if I need to use that, but it’s a good tip just in case.

  3. jon

    Sweet! Windows 7 is looking to be a great upgrade.

    I never noticed the scrollbars thing before. Weird!

  4. KBPrez

    FUNNY write-up. BTW, it was very informative too. THANX!

  5. MichaelonTech

    Great post….The best part was I had no idea you can now drag’n'drop files or paths into the CMD window in Windows 7 …..

    Thanks for the info!

  6. Abraxas

    Apparently it starts one console per core, because I have four instantiations of conhost.exe running under csrss.exe.

  7. j-o

    Thanks. But I can not have this window coming up ALL the time on my computer. Please tell me how I can stop this from disturbing me./j-o “in sweden and not knowing things about computerstuff”

  8. David R

    Regarding conhost.exe. On bootup of Windows 7, my virus program (Shaw Secure) keeps asking me if I want to allow or block conhost.exe. The error message states that it is trying to make a “system modification attempt”. It happens on every bootup. The number of times I have to “allow” it varies seemingly at random. A few times, I had to click on “allow” 63 times. How can I fix it?

  9. Sumon

    Cool. I knew this but read it for the first time

  10. khanz

    I have problem in booting Xp-3 in my p.c. which really irritates me. Can you have a solution please?

  11. jachymko

    Actually, the presence of ComSpec indicates nothing. This variable is loaded from registry on boot-up and then inherited by every process (unless one explicitly deletes its copy).

  12. calebstein

    What will happen if I delete conhost.exe?

  13. uber-geek

    Would be nice if the conhost.exe didn’t stay lying around when the window closes. Guess that will be fixed in a service pack :P

  14. Scott

    I have 2 conhost processes working, is that a problem?

  15. Joshua L.

    I would say if you have two conhost processes running, unless you’re running multiple command prompts it might be a problem (a.k.a. infected with virus.)

    Then again some processes like ZA Extreme Security Suite also utilize a ConHost Process as well.

    It’s a matter of paying attention to what your computer is doing as you add or delete programs, or maybe an AV and AS check.

  16. 1309

    I DEFINITELY have a virus… a file named… 0qsWLGGf.exe starts by itself… then opens 200+ iexplorer.exe processes… suspicious… I know…
    Anyway… I go to the file location and I delete the .exe but it KEEPS COMING BACK…
    Now… my real question is that I have 4 conhost.exe process running… could the virus (or whatever term you prefer) be hijacking this name and using it to create the 0qsWLGGf.exe file?

    -Thanks for any help

  17. JackV

    I have 30 conhost.exe processes running! What would you say is the problem then?

  18. Paul Sinnema

    Hi, thanks for the insight. You say:

    It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft. Scanning your computer for viruses is never a bad idea, though.

    The other day I got a message from Norton that an unauthorized access was blocked from C:\WINDOWS\SYSTEM32\CONHOST.EXE. It tried to access this file

    \Device\HarddiskVolume2\Program Files (x86)\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\cltlmh.exe

    So it’s running from SYSTEM32 and tried to do something with a Norton file. Oops, what’s this?

    Regards
    Paul Sinnema

  19. theboss100

    i have 2 conhost processes running in system32, is this dangerous??

  20. CommanderForce7

    @theboss100, as long as everything is working fine, you will have nothing to worry about.

  21. z00

    On my XP (SP2) machine I see conhost.exe is under C:\Program Files.

    Something wrong? My machine is infected with Fake AntiVirus, removed several times but kept coming back.

  22. Aditya

    Nice post!
    But I see *two* conhost processes running. What now?

  23. randomcaller

    really helpful article – thanks!

  24. philip

    i have 10 conhost processes running, what should i do?
    it slows a bit my pc (im using win7)

  25. michaeldwest

    On my laptop, in Windows Task manager there are 20 conhost running. It’s win 7.

    Is this unnecessary? Can I delete some?

    Help please.

  26. jaimeb

    Gee man! That’s plain english talking. Add me to your fans list, I wish tech support guys speak with less arrogance and make things more clear to us mortals. Thanx man, you made my day…

  27. jez

    ive running 2 conhosts
    plz help

  28. PCPRO

    This is a HACK TOOL from some GERMAN based web/user!
    It opens 2 ports with full remote control to your PC.
    Delete it and delete the startup entry in your registry as well.

  29. DeeDoubleU

    Damn! Delete or not delete!?

    I just want to know…..should I delete this COMHOST.EXE or not? Yes or no. Period.

    On the other hand….

    Maybe I will save it to my flash drive, then delete it from the system32 folder. If my Win7 F’s up, I will put it back.

    The thing is though, my system is running just fine. Norton just blocks it daily, that’s all.

    Also, if I am not dropping anything into the command area, should I just not give a damn and not waste my energy on this file?

    Thanks!
    Mike
    :)

  30. B. Gates

    If the conhost.exe is in the …\documents and settings\name\application data\microsoft folder, then definitely it is malware. It (often or always) comes together with some randomly named executables.
    The malware changed the proxy-settings, like 127.0.0.1:50202. The port could be random; 127.0.0.1 is not and is your own computer where the conhost.exe is the malware proxy-server on your own computer. (127.0.0.1 is the address of your own computer.)
    You can’t connect to the internet in the normal way (i.e. in the non-malware way) without changing back the proxy-settings to its normal settings (so you have to know what the normal settings are – otherwise, you can’t connect safely to the internet).

    It is really really REALLY stupid that just by surfing the web, a remote (malware) program can change the proxy-settings and can put itself in the startup-entries in Windows and can run itself. UAC is not a solution, it is a bad way to try to beat a SYMPTOM of a failing Operating System. Failing at its basics.
    This is one of the million goof-ups of ‘Windows’. It is by FAR the most insecure line of operating systems. And don’t come with that crap that Linux would be as vulnerable if it was as wide-spread as Windows. It simply isn’t the truth. Linux was designed from the ground up with security in mind. With Windows, security has never been a priority. It was always ‘feature’ and ‘new features’ and ‘automation’ which got priority. With that strategy, they actually conquered the market. Security simply doesn’t sell. Feature does. Linux is not 100% secure either, but Windows doesn’t even come close to its shadow.

  31. Vlatko

    Tnx it was informative. Thumbs up

  32. theboss100

    @CommanderForce7
    but my pc runs slower than normal

    i have a intel core2quad 2,66ghz

  33. Blacktail

    Gates, speaking of malware, why don’t you write in detail, why “Special Logon” changed my firewall settings every night, like a thief in the night. Or the IPC$ share. Zone Alarm, which just 2-3 weeks ago spent over a half trillion, A week later I sent checkpoint a copy of “Special logon”, that forcefields virtualization captured. In addition anyone looking for some great free porn, drop me a line, Also, is there a windows version of the unix script program I can use for me next deep penetration attack against Dell?
    Powershell blows chunks.
    Blacktail
    “The Fatman Walks Alone”

  34. Anonymous Protagonist

    @Blacktail
    That’s one of the crappiest pieces of pretending-to-be-a-half-legit-user spam i’ve seen in ages.

  35. Anupam Kumar

    Amazing Info!!! Thanks!!! :-)

  36. staticuk

    recently i got hit with a virus and it came with conhost and a mix of other background programs, within an hour my accounts got hit and paypal was targeted.

  37. ness

    I have 28 conhost.exe sessions running in my task manager, why and do I need all of them?

  38. Valmir

    I have 1 conhsts.exe running in my task, and my windows 64 bits?

  39. Surgio Computing

    Actually Conhost.exe is a tool used by malware programs for ip masquerading. It can be used with the windows powershell to redirect or even hog system core heaps forcing you to buy new applications and upgrade your computer when it is not needed. I prefer and still by far would tell all users to stick with windows xp however if you want a more robust challenge with thwarting the spyware lamers then windows 7 is the super choice. However, windows 7 is just as bad with support as windows vista so all hands down windows xp is super choice for today’s laptops with quad core processors as it meets the standard security requirements emphasised by computer security experts. All you need is a damn good firewall and antivirus the rest is self-explanatory.

  40. Ultradiver

    Windows, linux, or unix, are all useless if you know nothing about the software! I swear If only there was a law that required anyone that buys a computer, has to pass a training course. Something like a drivers license, that would restrict people that can not “drive” a computer from ever getting on one. Some people do not need to be operating Velcro let alone a complex piece of equipment. I’m talking about those who get a virus(that they installed) and then blame the Software or Hardware vendor that is their fault. THE BEST ANTI- VIRUS/MALWARE IS THE PERSON ON THE COMPUTER, BY STAYING OFF PORN SITES AND PEER TO PEER PROGRAMS(AKA Limewire/Frostwire). Also BACK UP your data! And I’m not talking about copying your precious Pics of our baby over to a thumb drive. I’m Talking about Imaging (Norton Ghost, Acronis, CloneZilla) your whole system (on a religious basis) BEFORE you get a virus/malware. Taking those Simple steps will save yourself a lot of headache down the road. And TAKE CLASSES (for God’s sake) you might learn something. If an IT tech says that issue is an ID 10DOT error or PIPCAC error, they mean the problem is you!

  41. J

    I have three instances of conhost.exe running at once. All of them have the same description (“Console Window Host”), but the memory sizes aren’t all the same. Two of the processes have 1248K, but one has 1252K. Problem?

  42. padrone_39

    Hi!

    I have 2 conhost.exe, with different PID and both go back to windows/system 32

    Is that okay?

    Thanks!

  43. morphine

    I finally got rid of a viral conhost.exe that was hidden under AppData/Roaming/Microsoft. This conhost.exe automatically set proxy in Internet Option and prevented me from having any internet connection.
    If you saw any conhost.exe in your AppData folder, please be alerted!

  44. SecuritySwifty

    To remove this kind of virus you will need to make x steps:

    1) Download MalwareBytes,
    2) Scan your computer with it
    3) Remove all the malware it finds
    4) Restart your computer
    5) When you login, Open your IE / FireFox / whatever you use and Disable the proxy settings
    6) Feel free to surf the web :)

    ***When the virus is still there, it won’t allow you to surf the web without connecting to a proxy server of the hacker, and when you remove it – the settings are still the same but you can’t connect to the hacker’s server, so all you need to do is to remove all the proxy setting so you can surf the web normally like you should :)***
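The proxy symptom described in comments 30, 43 and 44 can be confirmed before anything is cleaned up. This is an added check, not something posted by the article's author or any commenter: it reads the current user's proxy setting, and if it points at the local machine it reports which executable owns the listening port. It assumes Windows PowerShell 5.1 on Windows 8 or later (for Get-NetTCPConnection), run elevated so process paths resolve.

```powershell
# Added example: is this user's proxy pointed at the local machine, and if so,
# which process is answering on that port?
$key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet   = Get-ItemProperty -Path $key
$server = [string]$inet.ProxyServer   # "host:port" or "http=host:port;https=host:port"

# Every loopback host:port pair in the ProxyServer value.
$hits = [regex]::Matches($server, '(?i)(?:127\.\d+\.\d+\.\d+|localhost):(\d{1,5})')

if ($inet.ProxyEnable -ne 1 -or $hits.Count -eq 0) {
    "No enabled loopback proxy (ProxyEnable=$($inet.ProxyEnable), ProxyServer='$server')."
} else {
    foreach ($m in $hits) {
        $port   = [int]$m.Groups[1].Value
        $owners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty OwningProcess -Unique)

        if ($owners.Count -eq 0) {
            # The state comment 44 describes after removal: setting left behind,
            # nothing answering, so browsing fails until the proxy is cleared.
            [pscustomobject]@{
                Proxy = $m.Value; PID = $null; Image = $null; Signature = $null
                Note  = 'nothing listening: stale proxy setting, clear it'
            }
            continue
        }

        foreach ($id in $owners) {
            $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $id"
            $image = $proc.ExecutablePath
            $sig   = if ($image) {
                (Get-AuthenticodeSignature -LiteralPath $image).Status
            } else { $null }

            [pscustomobject]@{
                Proxy = $m.Value; PID = $id; Image = $image; Signature = $sig
                Note  = if ($sig -eq 'Valid') { 'signed listener: identify the product' }
                        else { 'unsigned or unreadable listener: investigate' }
            }
        }
    }
}

# To turn the proxy off for this user once the listener is dealt with:
# Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
```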

  45. adam

    soooo i read all these comments but never heard a straight up answer

    so what if I have two of these conhost.exe running?
    is it safe to delete one?
    they are both running out of system32.
    3 of them were running while I was messing with my connection/network trying to fix my internet
    didnt want to open so I pressed it a bunch

    I just wanna know if its safe to delete one

  46. icy

    good info

    thanx

  47. lukas

    well that’s interesting…because i just had a severe trojan virus and it went away just after i removed conhost.exe…

  48. gcmax

    This is not a legitimate file in Windows Vista, it is a rather nasty trojan backdoor downloader that usually comes packed with a fake anti virus. It can change the desktop background colour, redirect internet searches to further infection sites, change various system settings, prevent the execution of any programs or system utilities and will kill any open processes like applications without warning.

    Took over my system, took 4 hours to get rid of it and lost 2 hours of work.

    Requires safe mode + networking Malwarebytes and Doctor Web

  49. ox

    I just want to set things straight here. First I’ll discuss the actual topic involved, conhost.exe. Then I’ll move on to the comments by B. Gates and Surgio Computing.

    Conhost.exe:
    This file is a legit Windows 7 process. For those of you with multiple copies running at the same time, it is safe to kill/end every one that is running. You’ll probably be able to determine what’s using the process because the application will stop functioning correctly once you kill it. At a clean install of Win7, you should not see conhost.exe. As you install software and that software starts with Windows, you may then notice conhost.exe showing up. Another way to determine which file is using it, is to use msconfig and uncheck start up process/services(NOTE: Not recommended for normal users, and I hold no responsibility if you do this and your system crashes).

    So does this mean conhost.exe is always safe? No. As Surgio Computing attempted to convey, it *CAN* be a virus. So how do you know when it’s a virus and when it’s not? Even for experts in the field it’s hard to give an answer because there is no “one size fits all” answer. If you’re concerned, as others have suggested, download Malwarebytes(www.malwarebytes.org), update the definitions and scan your system.

    @Surgio Computing: Would you tell me that winlogon.exe or svchosts.exe is a virus? How about explorer.exe? All three of those are legit windows processes and I have seen all three posing to be a virus, and I have seen the virus actually bind itself to those files. XP being more secure than 7? Very questionable. For the most part, users don’t ever or rarely use windows update giving them the most recent patches. Secondly, zero-day exploits for both systems are always surfacing. Clean install to clean install, I’d say 7 is more secure.

    @B. Gates: UAC is annoying, very annoying to techies. On Vista, it’s annoying to everyone. But on Win 7, it’s much better. And it actually does help secure the operating system. Unless you’re an advanced computer user and/or want a higher risk of getting infected, leave this turned on. Seriously man, you’re going to pull “don’t give me crap about if it was as widespread” line? Yeah yeah, you threw out the disclaimer saying Linux isn’t secure either but you’re absolutely right. It’s not. It has viruses, trojans, and worms just like Windows and Macs. Are you aware that one of the repositories was hacked and an infected file was bound to the original file injecting several linux machines? That’s as bad as Microsoft getting hacked and infecting the Windows Update files. There are fewer viruses because it’s not as widespread. Get off your linux high horse and accept the truth. I have Macs, Linux and Windows machines. I’m not biased by any means. They all hold their own unique strengths and weaknesses.

    Again, if you’re worried that conhost.exe is a virus… run a system scan with Malwarebytes, SuperANTISpyware, AVG, Microsoft Security Essentials, or a flood of other FREE anti-virus software. The ones I have mentioned are some of the better ones. There are other good ones, but those are MY choice. NOTE: It doesn’t make them the best because I suggested them, do your own research.

  50. Stefania Castelli

    A clever and pragmatic synthesis.
    I do appreciate and I agree with everything you wrote.
    My compliments…..

    To add some more considerations, I would suggest the more worried ones to take it easy.
    The world is overfilled by information and data.
    And probably the content on our machines is not so precious that someone may be eager to steal it.

    Falling inside the firewall or process explorer monitoring paranoia, in the age of Vista and 7 (much more sophisticated than 2000 and XP and with a rich architecture based on virtualized functions for security purposes) may lead to insomnia and psychosis.

    I tell this because it occurred to me when I started to use several connected OS, without deeply knowing some of them….

  51. DTRY

    “It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft.”

    Take note of this sentence very carefully. If you find conhost.exe outside of the system folder, there is a high chance that it’s indeed a malicious software. If it’s not signed, then the chance of it being harmful is extremely high.

    I got it while using Internet Explorer 6, despite having Firefox, to open ReplacementDocs, a depository of old game manuals. (Yes, stupid, I know. Firefox could save me such trouble.) Then I suspected a suspicious program running on the Task Manager (I always have it opened in case such situation happens.)

    First, there are legitimate Windows program running, like dexplore.exe (Visual Studio Document Explorer), msiexec.exe (Windows Installer – Unicode), and outlook.exe (well, MS Outlook,) none of which I am familiar with.

    Then there was another file running, with a very long nonsensical name consisting only of numbers, which is probably randomly generated. That was really a big red alarm. Then, Windows Defender warned me of an attempted registry change, another big red warning. I denied it immediately. The malware was trying to add conhost.exe to the automatic start up file list. So I killed the process afterwards.

    After the process with a very long name was killed, all 3 legitimate Windows processes were killed as well. So I guess the first process ran them all.

    Checking creation and modification time, there seem to be 5 files associated with this malware:

    1. The .exe file with a very long numerical name, found on my desktop.
    2. The conhost.exe itself, found in C:\Documents and Settings\[UserName]\Application Data\Microsoft\conhost.exe
    3. A log file of some sort, also with a nonsensical short name with numbers and alphabets, with the file extension of 3 numbers (such as E11E.576, 790F.247). This file is found in C:\Documents and Settings\[UserName]\Application Data
    4. A .tmp file copy of 1. and 2. (all three files are the same but with different extensions.) My copy started with “jar_cache” followed by a lot of numbers. Found in the C:\Documents and Settings\[UserName]\Local Settings\Temp
    5. Another .tmp file which is much larger than all others (about 2 MB compared with 170 KB of others), also with a nonsensical short name with numbers and alphabets.

    The file names and locations were from my own experience. They can be different in your case. For example, conhost.exe could be in another folder under C:\Documents and Settings

    Luckily, removal can be done easily with System Restore, which will remove all executable files. As for those back-ups in the Temp folder, you can remove them later, perhaps while in Safe Mode. Temp folder should be cleaned periodically anyway, for malwares like to store their copies there.

    If you have Windows Defender, it will help you prevent the malware from auto-starting. I’m not sure what will happen if it successfully installs itself, though. It could be harder to remove.

  52. Locke

    So… Bottom line is, if I have this on my Windows XP operating system… It’s a virus? I found it under Documents and Settings/name/application data/Microsoft, and its description data is just conhost.exe when I go to its properties, and not Console Window Host. I’m trying to corner every possible bit of malware, as I have the XP Home Security virus, and it’s blocking Malwarebytes and all of my browsers – I’m using SwiftKit Browser to be online right now. O_o
    Thanks!
    Logan

  53. ox

    @Locke, if it’s located in that folder then Yes, it’s probably a virus.

    I will share with you one of my prized techniques for figuring out such a thing. Rename the file and reboot. The beauty of renaming prior to deleting is this: If it was a system file you’ll probably get an error during the reboot; you may not, but more than likely will. If it was a critical system file, it’s likely it won’t even boot. Move the file to a “quarantined” folder (just make one up yourself and create a .txt file stating where the file was originally located). Run your system for a few hours, days, weeks, or months, then you can feel more assured about deleting it. So what if it was a legit system file and it doesn’t boot? Recovery disks allow for a command prompt accessed from the CD. Simply boot from it and rename the file back to its original file name and you’re all done. The command is “ren”, short for “rename”. Example usage: “ren c:\windows\system32\conhost.exe.bak conhost.exe” – this will rename conhost.exe.bak to conhost.exe which is located in the system32 directory, change parameters where necessary. Don’t have your recovery disk? Borrow one, order it from the manufacturer, remove your hard drive and plug it in another machine via a USB adapter ($20-$40 and can be purchased at BestBuy) or directly as a slave drive, or just use a live linux cd (which is free by the way).

    Want a safe browsing experience? Try Google Chrome(This browser has passed the Pwn2Own contest 3 years running) or FireFox with the NoScript add-on. For those who don’t know about the Pwn2Own contest, it’s a huge and legal contest held annually where hackers around the world try to exploit systems. If a hacker is successful, he/she must disclose how to the manufacturer so the manufacturer can create a patch and in return gets to keep the device/software(software is sometimes substituted with money as would be the case for the Chrome browser). Enjoy and safe browsing ;)

  54. Robert

    Nice but you need to know that there is now something spoofing the same in the wild that has landed on my XP system…

    CONHOST.EXE-2189DF48.pf in C:\windows\prefetch
    Zone Alarm caught it trying to reach http:: 96.6.46.19
    With the “Cur Felice Junk” is trying to access the internet
    Application conhost.exe

  55. Dante

    I have Norton which is stating that unauthorized access has been blocked by “conhost.exe” should I be worried since I have “KMSemulator.exe” repeatedly trying to inject a Trojan.Gen.2 in to my computer.

  56. aku720

    HELP!!!!
    well my conhost.exe is running in windows/temp why is that?
    my PC crashed few days ago and kept on rebooting itself again and again and from that time conhost.exe started running and the CPU usage is like at 100%
    what will happen if i remove the temp file or end process

  57. dilandau

    I have the exact same problem with conhost.exe in the Windows temp folder. I have ended the process and deleted it but it just reappears. Anyone knows how to find the source for the file revival?

  58. bruno

    hi there i’ve found the source of my infection after seeing that some of u were having this problem … my problem was http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=DOS%2fAlureon … just use security essentials from microsoft .. after cleaning your pc … insert installation pen or dvd and boot -> repair -> command line …. use these commands bootrec /fixmbr and bootrec /fixboot it should be fine … you can also go check c:\windows\temp\ after running those commands and check if there is conhost.exe there .. if it is .. delete it :p using command del conhost.exe

    i hope it works :p
