What is Conhost.exe in Windows and Is it Safe?
A TechJunkie reader contacted me yesterday asking about a particular Windows service that he noticed on his machine. It was ‘conhost.exe’ and the reader wondered what it was, what it did and whether it was safe to run on his PC or not.
Given all the news about computer security, it is natural that people are concerned about services they don’t recognize. I would always suggest finding out what a service or program is and what it does if you don’t immediately recognize it. Even the most secure systems can still be susceptible to malware. So it really is better to be safe than sorry!
I am always happy to answer Windows-related questions wherever I can so here is everything I know about conhost.exe.
Conhost.exe in Windows
Conhost.exe appears as Console Window Host on Windows 10 computers. Open Task Manager (right click on the Windows Task Bar and select it), then scroll down to Windows processes and there should be one or more instances of it running.
Multiple instances of Conhost.exe are fine if you have multiple programs open, but if you just booted your computer from a powered-off state, it means you have a few programs running in the background that you don’t need.
What does Conhost.exe do?
Conhost.exe is an evolution of csrss.exe which ran on older versions of Windows such as XP. Csrss.exe was a middleman API that allowed GUI applications to interact with non-GUI applications such as the command line. For example, if you had a text file containing a batch command, you could drag that text file into CMD and the command line could execute the batch file. Programs that used a GUI would also use csrss.exe to interact with the console behind the scenes.
Csrss.exe allowed the console to perform drag and drop in a traditionally non-drag and drop console. However, csrss.exe ran under the Local System account, which has a lot of privileges over a computer. Csrss.exe theoretically allowed exploits to cross between restricted user accounts, where the GUI programs worked, and the Local System account, where the console applications worked. This provided something of a bridge for malware to gain unrestricted access to your computer.
Csrss.exe was replaced with conhost.exe in Windows 7 and is still present in Windows 10. It still does the same thing as csrss.exe but without granting access to Local System accounts or any elevated privileges.
The Microsoft TechNet website has a useful page on csrss.exe and conhost.exe.
Some tech websites talk about conhost.exe concerning itself with aesthetics and theming but I do not believe this to be true. The TechNet page explains that conhost.exe was introduced to help secure the Windows core by breaking that bridge between User accounts and Local Machine accounts. It mentions nothing about how the console appears.
My own experience with Windows Server of various generations backs this up. Since Server 2003, Microsoft did a lot of work to separate the core OS from user accounts in order to make it more secure. Not a lot of thought was given to how it looked. It was all about how it worked.
Is conhost.exe safe?
As you likely already know, some malware can mimic the properties of legitimate Windows processes or programs. So while on the surface it might seem obvious that conhost.exe is safe, it is always a good idea to check. Here’s how.
- Right click the Windows Task Bar and select Task Manager.
- Scroll down to Windows processes and locate Console Window Host.
- Right click and select Properties.
Under Location, you should see C:\Windows\System32. All instances of conhost.exe should run from System32 so if you see this, it is safe. If the file location is something different, it is likely not legitimate.
Another way to check is to use Process Explorer. This is a program that takes Task Manager and turns it up to 11. Open Process Explorer and find conhost.exe. As well as showing you that it is legitimate, it should also show you which program it is interacting with. In the image, you can see the one on my Windows 10 machine is working with the Nvidia Web Helper process. This is a legitimate instance of conhost.exe.
You can repeat this process for any Windows process you want to check out. Every process should have its Location at C:\Windows\System32. If it doesn’t, run your antivirus and malware scanner just in case. For Background processes, the Location should match the installed directory of the process.
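The Location check and the Process Explorer lookup described above can be scripted so that every running conhost.exe instance is audited in one pass. This PowerShell is an added example, not part of the original article; the variable names and verdict labels are illustrative, and the Authenticode signature check is an extra step beyond what the article describes.

```powershell
# Added example: audit every running conhost.exe instance.
# Expected location comes from the article: C:\Windows\System32,
# resolved through %SystemRoot% in case Windows is installed elsewhere.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Win32_Process exposes the executable path and the parent process ID.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'conhost.exe'"

$report = foreach ($p in $procs) {
    # ExecutablePath is empty when the caller lacks rights to read it,
    # so run this from an elevated prompt for complete results.
    $path = $p.ExecutablePath

    # The parent is the program this console host is working with.
    # It may have exited already, in which case the lookup returns nothing.
    $parent = Get-CimInstance -ClassName Win32_Process `
        -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue

    # Extra check (not in the article): is the file on disk validly signed?
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    # Compare paths case-insensitively; Windows paths are not case-sensitive.
    $verdict = if (-not $path) {
        'UNKNOWN (path not readable)'
    } elseif ($path -ine $expected) {
        'SUSPECT (unexpected location)'
    } elseif ($sig.Status -ne 'Valid') {
        'SUSPECT (signature not valid)'
    } else {
        'OK'
    }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Path    = $path
        Parent  = if ($parent) { $parent.Name } else { '(exited)' }
        Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Verdict = $verdict
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any row that is not `OK` is a reason to run the antivirus and malware scan mentioned above, not proof of infection on its own.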
I hope that adequately answered the question. Yes, conhost.exe is legitimate and yes it is safe as long as it has its Location at C:\Windows\System32.
Got any other Windows processes you would like to know more about? Tell us about them below if you do and I shall try to answer as many as I can!