In this Article, you will understand what conhost.exe is all about
What Is conhost.exe( Console Window Host Process)?
According to the name, CSRSS was a system level service. It has created a couple of problems. First, a crash in CSRSS could bring down a whole computer, which uncovers not just reliability issues, but possible security unprotection as well. Another problem was that CSRSS couldn’t be themed. So, the Command Prompt always had the classic appearance rather than using the new interface elements.
The Command Prompt does not get the same styling as an app like Notepad.
The Command Prompt earned some superficial theming from this, but it came at the expense of being able to drag and drop files, text, and so on into the Command Prompt window.
If you check the conhost in Windows Vista, you will notice that the scrollbars are still using the old style but it appears like it uses the same theme as everything else. This happens due to the fact that the Desktop Window Manager handles drawing the title bars and frame, but an old-fashioned CSRSS window still sits inside.
Enter Windows 7 and the Conhost process. The process sort of sits in between CSRSS and the Command Prompt (cmd.exe), allowing Windows to fix both of the previous issues—interface elements like scrollbars draw correctly, and you can again drag and drop into the Command Prompt. And that is the method still used in Windows 8 and 10, allowing all the new interface elements and styling that have come along since Windows 7.
Even though the Task Manager presents the Console Window Host as a separate entity, it is still closely related to CSRSS. If you check the conhost.exe process out in Process Explorer, you can see that it actually runs under the csrss.exe process.
In the end, the Conhost is something like a shell which maintains the power of running a system-level service such as CSRSS, while still securely and reliably granting the capacity to integrate modern interface elements.
Several Instances of the Process Running?why it occurs
You will often see several occurrences of the Conhost process running in Task Manager. Each occurrence of Command Prompt running will produce its own Console Window Host process. In addition, other applications that make use of the command line will produce their own Console Windows Host process—even if you do not see an active window for them. A good example of this is the Plex Media Server app, that runs as a background app and uses the command line to make itself usable to other devices on your network.
Many background apps work this way, so it is not uncommon to see multiple instances of the Console Window Host process running at any given time. This is the normal behavior. For the most part, each process should take up very little memory (usually under 10 MB) and almost zero CPU unless the process is working.
That said, if you notice that a particular instance of Console Window Host—or a related service—is causing trouble, like continual excessive CPU or RAM usage, you could check into the specific apps that are associated. That might give you an insight of where to start solving your troubles. Unluckily, Task Manager itself does not provide good information about this. The good news is that Microsoft provides an excellent advanced tool for working with processes as part of its Sysinternals lineup. Download Process Explorer and run it(it’s a portable app, so no need to install it). Process Explorer provides all kinds of advanced features.
What is the easiest way to track the process?
The easiest way to track these processes down in Process Explorer is to first hit Ctrl+F to start a search. Search for “conhost” and then check the results. As you do it, you will see the main window change to show you the app (or service) associated with that particular instance of Console Window Host.
If the CPU or RAM usage show that this is the instance causing you trouble, then at least you’ve got it narrowed down to a particular app.
Could The process Be a Virus?
The process itself is an official Windows component. While it is possible that a virus has replaced the real Console Window Host with an executable of its own, it is unlikely. If you want to be sure, you can check out the underlying file location of the process. In Task Manager, right-click any Service Host process and choose the “Open File Location” option.
If this file is located in your Windows\System32 folder, then you can be fairly sure you are not dealing with a virus.
There is, in fact, a trojan named Conhost Miner that masquerades as the Console Window Host Process. In Task Manager, it appears just like the real process, but a little digging will reveal that it is actually stored in the %userprofile%\AppData\Roaming\Microsoft folder rather than the Windows\System32 folder. The trojan is actually used to hijack your PC to collect Bitcoins from the victims, so the other behavior you will notice if it is installed on your system is that the memory usage is higher than you might expect and the CPU usage maintains at very high levels (often above 80%).
Using a good virus scanner is the best way to prevent malware like the Conhost Miner, and it is something you should be doing.