The story of multiple conhost.exe

I came across a question from a customer, asking “Why do I see so many conhost.exe in the system?”

The first important thing to understand is that (taken from here):

conhost.exe is the new host process for console windows. Previously those were handled by csrss.exe which is the “Client Server Runtime Process”, a process running with system-level privileges.

Starting with Windows Vista, Microsoft made some very substantial improvements and changes in regard to security. One of those changes was that applications running in different “levels” or as different users weren't allowed to exchange data freely.

Since console windows were handled by csrss.exe this had the side-effect that you could no longer drag files onto a console window and have the full path and file name inserted. Drag & drop is such a case of data exchange which was ruled out. People cried out even though most Windows users probably didn't even know of that feature.

 

Before we continue please read this very good article by Microsoft.

 

Now that we understand that every console application should get a dedicated conhost.exe to handle its IO, we can create a simple pattern to understand why we have multiple conhost.exe processes in the system.

The pattern is very simple: we will use ProcMon to monitor all new processes that are created (let's assume the Operation is “Process Start” and that the process name ends with “.exe”).

[Screenshot: ProcMon filter]

After running for some time, we should see that each conhost.exe that was created has another application created at almost the same time.

[Screenshot: ProcMon output]

This means that we can easily understand which conhost.exe belongs to which application by monitoring the system.
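The same time correlation can be run over an exported capture instead of reading it by eye. This is an added example, not code from the original post; it assumes the ProcMon capture was saved as CSV with the column names shown, and the sample rows, process names and PIDs are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample shaped like a ProcMon CSV export filtered on
# Operation = "Process Start"; column names and all values are assumptions.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:10.1000000 PM","cmd.exe","4120","Process Start","","SUCCESS","Parent PID: 2200"
"9:01:10.1450000 PM","conhost.exe","4132","Process Start","","SUCCESS","Parent PID: 420"
"9:03:42.5000000 PM","notepad.exe","5012","Process Start","","SUCCESS","Parent PID: 2200"
"9:05:07.2000000 PM","backup_agent.exe","5240","Process Start","","SUCCESS","Parent PID: 3900"
"9:05:07.2300000 PM","conhost.exe","5248","Process Start","","SUCCESS","Parent PID: 420"
"9:07:30.0000000 PM","conhost.exe","5400","Process Start","","SUCCESS","Parent PID: 420"
'''

def parse_time(text):
    # The sample uses 7 fractional digits; strptime's %f accepts at most 6.
    clock, ampm = text.split(" ")
    head, frac = clock.split(".")
    return datetime.strptime(f"{head}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")

def pair_conhosts(csv_text, window=timedelta(seconds=1)):
    """Map each conhost.exe PID to the (name, PID) started closest in time."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Operation"] == "Process Start"]
    starts = [(parse_time(r["Time of Day"]), r["Process Name"], int(r["PID"]))
              for r in rows]
    hosts = [s for s in starts if s[1].lower() == "conhost.exe"]
    apps = [s for s in starts if s[1].lower() != "conhost.exe"]
    pairs = {}
    for when, _, pid in hosts:
        near = [a for a in apps if abs(a[0] - when) <= window]
        # Closest start wins; None means nothing started inside the window,
        # e.g. the owning application was launched outside the capture.
        best = min(near, key=lambda a: abs(a[0] - when), default=None)
        pairs[pid] = (best[1], best[2]) if best else None
    return pairs

if __name__ == "__main__":
    for host_pid, app in pair_conhosts(SAMPLE_CSV).items():
        print(f"conhost.exe PID {host_pid} -> {app or 'no match in window'}")
```

A conhost.exe that comes back unmatched is the one to look at with the other methods on this page, since time correlation alone cannot attribute it.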

Side note: if you kill the conhost.exe, the console application that triggered it will die :)

Now you can continue and investigate whether this is your application and whether it's needed (if that’s important).

Reviewed by Ran Davidovitz on 9:11 PM Rating: 5

8 comments:

Evgeny said...

You wrote:
"we should see that each conhost.exe that was created will have another application created almost on the same time"

Q: Is conhost the parent of this process?

Ran Davidovitz said...

The parent of conhost.exe is csrss.exe, and conhost.exe is not the parent of your application. This is the reason you need to use procmon to figure out which application triggers which conhost.exe.

Also, if your application is hung while waiting for IO on the console, then you can use the "Analyze Wait Chain" feature of Resource Monitor to see that your application is actually waiting for the specific conhost.exe.

Unknown said...

Thanks Ran it helped me a lot

Unknown said...

Thanks Ran it helped a lot

Anonymous said...

Hi everyone,
I have win7 64bit home premium. I see 2 conhost.exe processes when I opened taskbar. One is a system process, the other one is not. I can kill both of them and nothing happens. I don't have enough knowledge about this kind of stuff, so can I ask:

1) Are these processes harmful? (like a virus or something like that?)
2) If yes, how can I delete them (or the harmful one) permanently?

Waiting for your answer(s)


have a great day

Anonymous said...

Actually there is a better way to identify which process belongs to each conhost.exe.

1) Open Process Explorer by SysInternals.
2) Select a conhost.exe process.
3) Make sure you have the lower pane showing the open handles.
4) Go through the list to find a row named "Process" and there you go.

Ran Davidovitz said...

Nice trick!

As for the question about CONHOST and different identities, you probably see SYSTEM and your local user - this depends on the process running.

What I would suggest is to check where the conhost.exe originated from (using regular Task Manager - add the "command line" column - or Process Explorer).
