You’re probably reading this because you’ve seen conhost.exe running on your computer, and now you want to know all about it. Okay, maybe not all about it, but at least if it’s safe, right? Well today we continue our series on What is that Windows Process explaining that you don’t need to worry about conhost.exe because it’s not a virus!!! It’s a process made by Microsoft specifically for Windows Vista and Windows 7. Want to know more? In this article we’ll look at the process in further detail.
Great, it’s not a virus – so why is it there?
Here’s the history, you might want to grab a snack before you start reading this… In Windows XP, Microsoft used csrss (client-server runtime process) to handle the command prompt, but the problem was aesthetics and security. The visual problem was that csrss.exe was unable to execute Windows themes (it still is unable to) so the cmd prompt was always very plain and unsightly. By security and stability standards, hosting the cmd prompt under csrss was a huge liability, one series of errors, and the entire system could be brought down.
In Vista, Microsoft improved security by restricting applications running with different permissions levels from communicating with each other. Microsoft also fixed DWM.exe to properly draw console window title bars, but scroll boxes remained ugly with no theme support. Since the cmd console and csrss.exe run at different permission levels, this broke Drag & Drop functionality between text in the rest of Windows and text in the cmd prompt. When Windows 7 was released, conhost.exe (Console Window Host) was born and it solved everything with the groovy side effect of making the system much more stable. This process is a critical system file and should never be deleted.
How do I know it is the official process and not a virus pretending to be conhost.exe?
First off, make sure you have an anti-virus installed such as Microsoft Security Essentials.
There are a couple of ways to know that your particular conhost.exe is safe. First of all, this process should be stored in your system folder at:
If you find it saved anywhere else it is likely a counterfeit piece of malware (unless you installed your OS on a different drive that is…)
When you open up the Microsoft tool Process Explorer (made by SysInternals), it will show you a little bit more about the process. You’ll find it running under the csrss.exe process, and importantly under it’s Properties > Environment tab you’ll see that the ComSpec is cmd.exe.
Also, conhost.exe should only be running if you have the cmd prompt open. Though there are some other applications that access the prompt in order to run that might trigger it as well.
Conhost.exe is a core process of Windows 7 that allows you to operate the cmd prompt, hence the title: Console Window Host. This process is safe and should not be deleted, however be wary of viruses and malware that counterfeit the name in order to hide their true nature.