You are no doubt reading this article because you are wondering what on earth this conhost.exe process is doing in Task Manager, and why it’s running on your shiny new Windows PC. We’ve got the answer for you.
This article is part of our ongoing series explaining various processes found in Task Manager, like svchost.exe, dwm.exe, ctfmon.exe, mDNSResponder.exe, rundll32.exe, Adobe_Updater.exe, and many others. Don’t know what those services are? Better start reading!
So What Is It?
The conhost.exe process fixes a fundamental problem in the way previous versions of Windows handled console windows, which broke drag & drop in Vista.
It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft. Scanning your computer for viruses is never a bad idea, though.
Wait, What? So Why Do I Need It?
Oh, you wanted more information? I suppose I can oblige with some background information. Essentially, there’s a problem with the way the console process works on outdated versions of Windows—they are all hosted under the csrss.exe (Client Server Runtime Process) service. This process runs as a system-privileged account.
If you take a look at the command prompt way back on Windows XP, you’ll probably notice that the window doesn’t use the active theme at all. This is because the CSRSS process doesn’t have the ability to be themed.
If you take a look at the console in Windows Vista, it looks like it uses the same theme as everything else, but you’ll notice that the scrollbars are still using the old style (look closely). This is because the DWM (Desktop Window Manager) process handles drawing the title bars, but underneath it still works the same way, and the scrollbars are part of the window itself.
You might also notice that Windows Vista broke the ability to drag and drop files from Explorer straight into the command prompt. It just flat out doesn’t work, because of security issues between the CSRSS process running with a higher level of privileges.
Windows 7, 8, and 10 Do It Differently
Checking it out in Process Explorer under a modern version of Windows shows that the conhost.exe process is running underneath the csrss.exe process.
The conhost.exe process sitting in the middle between CSRSS and cmd.exe allows Windows to fix both of the problems in previous versions of Windows—not only do the scrollbars draw correctly, but you can actually drag and drop a file from Explorer straight into the command prompt:
And it’ll paste in the path onto the command line. (of course this example isn’t very useful).
Still Aren’t Convinced?
I can see our relationship has some trust issues. If you really want to be sure, check out the file properties for the conhost.exe executable, and you’ll see that the description says Console Window Host:
If you look at the details of the process from within Process Explorer, you’ll notice that the ComSpec is set to cmd.exe, a clear indication that it’s hosting the command prompt.
So now you know what the conhost.exe process does, and why you should never attempt to delete it. Ever.