5

What is the purpose of the csrss.exe (Client/Server Runtime Server Subsystem) on Windows?

Maybe someone could give a good explanation or pointers to documentation? Unfortunately Google results are pretty noisy when searching a core process of Windows.

The reason I'm asking is that I got a BSOD from my service application which seems to be related to the csrss.exe process, at least this is what the analysis of the memory dump shows:

PROCESS_OBJECT: 85eeeb70

IMAGE_NAME:  csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0
MODULE_NAME: csrss
FAULTING_MODULE: 00000000 
PROCESS_NAME:  PreviewService.
BUGCHECK_STR:  0xF4_PreviewService.
DEFAULT_BUCKET_ID:  DRIVER_FAULT
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from 80998221 to 80876b40

STACK_TEXT:  
f5175d00 80998221 000000f4 00000003 85eeeb70 nt!KeBugCheckEx+0x1b
f5175d24 8095b1be 8095b1fa 85eeeb70 85eeecd4 nt!PspCatchCriticalBreak+0x75
f5175d54 8082350b 00000494 ffffffff 051bf114 nt!NtTerminateProcess+0x7a
f5175d54 7c8285ec 00000494 ffffffff 051bf114 nt!KiFastCallEntry+0xf8
051bf114 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

STACK_COMMAND:  kb
FOLLOWUP_NAME:  MachineOwner
FAILURE_BUCKET_ID:  0xF4_PreviewService._IMAGE_csrss.exe
BUCKET_ID:  0xF4_PreviewService._IMAGE_csrss.exe

Followup: MachineOwner

EDIT: Thanks already for the good answers, but I actually don't need help concerning my service, I just would like to get some basic understanding of what the purpose of this service is.

Jonas
  • 121,568
  • 97
  • 310
  • 388
Dirk Vollmar
  • 172,527
  • 53
  • 255
  • 316

4 Answers4

5

CSRSS hosts the server side of the Win32 subsystem. It is considered a system critical process, and if it is ever terminated you'll get a blue screen. More data is necessary, but you need to find out if some process is terminating csrss, or if it is crashing due to a bug.

Windows Internals is a great book for stuff like this. Wikipedia also has an article on CSRSS.

Michael
  • 54,279
  • 5
  • 125
  • 144
1

csrss is the user-mode portion of the Win32 subsystem -- the user-mode analog to the kernel-mode win32.sys. As for what's going on with your particular service, it's hard to say without some better hints about what your service is doing.

John Feminella
  • 303,634
  • 46
  • 339
  • 357
0

One thing it does is provide the default console window for console apps like cmd.exe. At least according to jdeBP:

On Windows, how does console window ownership work?

It would appear that when a console app process is created without being passed handles to stdin, stdout and stderr, then some interprocess comms asks csrss to create a console window in a new thread and give its IO handles to the console process.

Community
  • 1
  • 1
Andrew Bainbridge
  • 4,651
  • 3
  • 35
  • 50
0

It is related to the graphical system. However, right now there is an active trojan behind this name and it is causing many issues for people. I heard. It is mining crypto and since the exe process itself is common people have a difficult time to detect the main issue

Josh Ross
  • 114
  • 2