What is the Conhost.exe process? What's the role of Conhost.exe?

Source: Internet
Author: User
Tags: hosting

What is the Conhost.exe process?

Its full name is the console host process: it is the host for command-line programs. Put simply, it is the new console application handling mechanism that Microsoft introduced, for security reasons, in Windows 7 and Windows Server 2008.

Process information
Name: Conhost.exe
Produced by: Microsoft Corp.
Process category: System process
Storage location: %SystemRoot%\System32
Virus/Trojan: No

What's the role of Conhost.exe?

Before Windows 7, console hosting was done by Csrss.exe, and all command-line processes shared the session's single Csrss.exe process. From Windows 7 on, each command-line process has its own conhost as its host. This has several benefits: the processes do not affect each other, and they do not affect CSRSS, which has other, more important tasks to do. The most important benefit is security. CSRSS runs under the Local System account, so having it handle Windows messages exposes it to many threats, such as the well-known Windows message shatter attack. When a conhost running with the user's rights handles them instead, a successful attack affects only a low-privilege hosting process.

In fact, whether as regular users or as enterprise administrators, we all use console applications to some degree in day-to-day Windows work. Console applications have no graphical user interface; input and output go through the command prompt (CMD, which is not DOS, although many people confuse the two). Windows ships with its own console applications, typically Cmd.exe, Nslookup.exe and Telnet.exe.

In earlier versions of Windows, all applications representing non-GUI activity (that is, console applications) were coordinated through the system process Csrss.exe when they ran on the desktop. When a console application needs to receive characters, it calls a small set of "console APIs" in Kernel32.dll, and KERNEL32 issues an LPC call to CSRSS. CSRSS then checks and validates the input queue of the console window and returns the character-mode result to the console application through KERNEL32.


Relationship with Csrss.exe

This mechanism created a problem: even when a console application executes in the context of a normal user, Csrss.exe always runs with the privileges of the Local System account. As a result, in some cases malicious software could gain higher privileges through Csrss.exe, which holds Local System privileges. This attack pattern is called a shatter attack.
In Windows 7 and Windows Server 2008 R2, all console applications are hosted in a new process, ConHost.exe. Conhost (console host) runs in the same security context as the console program, and the console program sends its requests to conhost instead of sending LPC message requests to CSRSS. Therefore, an application that tries to exploit message requests to elevate its privileges will not succeed.

Conhost is not a virus ...

Conhost's full name is the console host process; it is the host of a command-line program. A command-line program, such as Ipconfig.exe, contains no code to display a UI, so the command-line window content we see is usually handled by the hosting process, including window display, Windows message processing, and so on.
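
To check that the conhost.exe instances on a machine are the genuine console host described above, the following PowerShell lists each instance with its image path, owner and signature. It is an added example, not part of the original article. Test-ConhostInstance is a hypothetical helper name, the expected path is the storage location given above, and the signature check assumes a PowerShell version that understands catalog-signed system files.

```powershell
# Added example: audit running conhost.exe instances (requires PowerShell 3.0+ for CIM cmdlets).
# Expected image path, built from the storage location the article gives.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Hypothetical helper: takes one Win32_Process CIM instance and returns a report row.
function Test-ConhostInstance {
    param([Parameter(Mandatory)] $Process)

    # ExecutablePath is $null when the caller lacks rights to query the process.
    $path  = $Process.ExecutablePath
    $owner = Invoke-CimMethod -InputObject $Process -MethodName GetOwner -ErrorAction SilentlyContinue
    $sig   = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        ProcessId   = $Process.ProcessId
        ParentId    = $Process.ParentProcessId
        # Conhost should run in the user's context, not only as SYSTEM.
        Owner       = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
        Path        = $path
        # Windows paths are case-insensitive, so compare with -ieq.
        PathOk      = [bool]($path -and ($path -ieq $expected))
        # System binaries are often catalog-signed; older PowerShell releases may
        # report those as NotSigned, so a False here means "look closer", not proof.
        SignatureOk = [bool]($sig -and ($sig.Status -eq 'Valid'))
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Rows that fail a check sort first (False before True).
Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" |
    ForEach-Object { Test-ConhostInstance $_ } |
    Sort-Object PathOk, SignatureOk |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that processes owned by other accounts also report a path and owner; a row with PathOk set to False is a file named conhost.exe running from somewhere other than the System32 folder.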


Windows 7 shows a lot of netsh.exe and conhost.exe processes; restarting the computer clears them, but after a period of use they appear again.

Netsh.exe is an important file stored in a Windows system folder. It is normally created automatically when the operating system is installed and is critical for keeping the system running. Users are advised not to make arbitrary changes to files of this kind (Netsh.exe), which play an important role in keeping the computer system stable. If a Trojan, virus or rogue software has tampered with the computer so that Netsh.exe is missing or damaged, with symptoms such as pop-up windows, carry out a comprehensive repair.
