The story of multiple conhost.exe
I came across a question from a customer asking, “Why do I see so many conhost.exe in the system?”
The first important thing to understand is that (taken from here):
conhost.exe is the new host process for console windows. Previously those were handled by csrss.exe which is the “Client Server Runtime Process”, a process running with system-level privileges.
Starting with Windows Vista, Microsoft made some very substantial improvements and changes in regard to security. One of those changes was that applications running in different “levels” or as different users weren't allowed to exchange data freely.
Since console windows were handled by csrss.exe this had the side-effect that you could no longer drag files onto a console window and have the full path and file name inserted. Drag & drop is such a case of data exchange which was ruled out. People cried out even though most Windows users probably didn't even know of that feature.
Before we continue, please read this very good article by Microsoft.
Now that we understand that every console application should get a dedicated conhost.exe to handle its IO, we can create a simple pattern to understand why we have multiple conhost.exe processes in the system.
The pattern is very simple: we will use ProcMon to monitor all new processes that are created (let's assume the Operation is “Process Start” and that the process name ends with “.exe”).
After running for some time, we should see that each conhost.exe that was created has another application created at almost the same time.
This means that we can easily understand which conhost belongs to which application by monitoring the system.
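The timing correlation described above can be scripted against a ProcMon CSV export. This is an added example, not part of the original post; it assumes ProcMon's default export columns and time format, a 500 ms pairing window chosen for illustration, and sample rows that are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample shaped like a ProcMon CSV export filtered to
# Operation = "Process Start" (default columns; all values are made up).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:32.1000000 AM","cmd.exe","4120","Process Start","","SUCCESS",""
"10:15:32.1040000 AM","conhost.exe","4136","Process Start","","SUCCESS",""
"10:15:40.5000000 AM","notepad.exe","4200","Process Start","","SUCCESS",""
"10:16:02.7000000 AM","conhost.exe","4312","Process Start","","SUCCESS",""
"10:16:02.7030000 AM","ping.exe","4308","Process Start","","SUCCESS",""
"10:20:00.0000000 AM","conhost.exe","4400","Process Start","","SUCCESS",""
'''


def parse_time(text):
    # ProcMon prints 7 fractional digits; strptime's %f accepts at most 6.
    clock, ampm = text.split(" ")
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def pair_conhosts(csv_text, window=timedelta(milliseconds=500)):
    """Pair each conhost.exe start with the nearest other process start.

    Returns (conhost_pid, app_name, app_pid) tuples; app fields are None
    when no other process started within `window` (an assumed threshold).
    """
    starts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Process Name"]
        if row["Operation"] == "Process Start" and name.lower().endswith(".exe"):
            starts.append((parse_time(row["Time of Day"]), name, int(row["PID"])))

    apps = [s for s in starts if s[1].lower() != "conhost.exe"]
    pairs = []
    for when, name, pid in starts:
        if name.lower() != "conhost.exe":
            continue
        nearest = min(apps, key=lambda a: abs(a[0] - when), default=None)
        if nearest is not None and abs(nearest[0] - when) <= window:
            pairs.append((pid, nearest[1], nearest[2]))
        else:
            pairs.append((pid, None, None))  # started outside the capture
    return pairs


if __name__ == "__main__":
    for conhost_pid, app, app_pid in pair_conhosts(SAMPLE_CSV):
        print(f"conhost.exe PID {conhost_pid} -> {app} (PID {app_pid})")
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` and pass the file contents to `pair_conhosts`. An unpaired conhost.exe usually means its console application started before the capture began.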
Side note: if you kill the conhost, the console application that triggered it will die :)
Now you can continue and investigate whether this is your application and whether it’s needed (if that’s important).