What is conhost.exe and Why Is It Running?

You’re probably reading this because you’ve seen conhost.exe running on your computer, and now you want to know all about it.

You’re probably reading this because you’ve seen conhost.exe running on your computer, and now you want to know all about it. Okay, maybe not all about it, but at least if it’s safe, right? Well, today, we continue our series on What is that Windows Process explaining that you don’t need to worry about conhost.exe because it’s not a virus. Instead, it’s a process created by Microsoft specifically for Windows Vista and Windows 7.

What is Conhost.exe and Why is it Running?

Here’s the history; you might want to grab a snack before you start reading this. On Windows XP, Microsoft used csrss (client-server runtime process) to handle the command prompt, but the problem was aesthetics and security. The visual problem was that csrss.exe was unable to execute Windows themes (it still is unable to), so the cmd prompt was always very plain and unsightly. Also, by security and stability standards, hosting the cmd prompt under csrss was a huge liability, one series of errors, and the entire system could be brought down.

conhost.exe in the task manager

On Vista, Microsoft improved security by restricting applications running with different permissions levels from communicating with each other. Microsoft also fixed DWM.exe to draw console window title bars properly, but scroll boxes remained ugly with no theme support. Since the cmd console and csrss.exe run at different permission levels, this broke Drag & Drop functionality between text in the rest of Windows and text in the cmd prompt. When Windows 7 was released, conhost.exe (Console Window Host) was born, and it solved everything with the side effect of making the system much more stable. This process is a critical system file and should never be deleted.

How do I know it is the official process and not a virus pretending to be conhost.exe?

First off, make sure you have an anti-virus installed such as Microsoft Security Essentials.

There are a couple of ways to know that your particular conhost.exe is safe. First of all, this process should be stored in your system folder at:

If you find it saved anywhere else, it is likely a counterfeit piece of malware (unless you installed your OS on a different drive, that is…)

When you open up the Microsoft tool Process Explorer (made by SysInternals), it will show you a little bit more about the process.  You’ll find it running under the csrss.exe process, and importantly under its Properties > Environment tab, you’ll see that the ComSpec is cmd.exe.

conhost environment tab cmd.exe

Also, conhost.exe should only be running if you have the cmd prompt open. Though some other applications access the prompt to run, that might trigger it.


Conhost.exe is a core process of Windows 7 that allows you to operate the cmd prompt, hence the title: Console Window Host.  This process is safe and should not be deleted; however, be wary of viruses and malware that counterfeit the name to hide their true nature.



  1. SubZero

    March 2, 2011 at 5:30 am

    When you start some progs like Mask Surf Pro, then this process running on your computer. It’s a threat for me!

  2. curious

    January 13, 2012 at 10:47 am

    i installed a keylogger on my computer a while back and it has been working fine.. now it is not reporting some things and it says conhost with a red x under the applications it should be reporting. any idea whats going on with that? why is conhost showing up in my keylogger now? any info is appreciated. thanks. God Bless!!

  3. Nice Mike

    October 27, 2021 at 5:15 pm

    Nice explanation.

Leave a Reply

Your email address will not be published. Required fields are marked *


To Top