
# csrss.exe

## csrss.exe - Technical Overview

### Definition

**csrss.exe** (Client Server Runtime Subsystem) is the user-mode side of the Win32 environment subsystem. One instance runs per session, started by `smss.exe`, and it serves the parts of the Win32 API that still run in user mode through its subsystem DLLs (`csrsrv.dll`, `basesrv.dll`, `winsrv.dll`). It handles critical low-level OS functions like:

* Console window operations (on Windows 7 and later it launches `conhost.exe` for each console application)
* Bookkeeping for Win32 process and thread creation and termination (`CreateProcess` and thread creation notify csrss.exe over ALPC)
* Shutdown sequence coordination within its session
* Servicing user-mode Win32 API requests from its subsystem DLLs

## csrss.exe Behavior Analysis

<table data-header-hidden><thead><tr><th width="174.33331298828125"></th><th></th><th></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>Attribute</strong></mark></td><td><mark style="color:green;"><strong>Normal Behavior</strong></mark></td><td><mark style="color:red;"><strong>Abnormal Behavior</strong></mark></td></tr><tr><td><strong>Image Path</strong></td><td><code>%SystemRoot%\System32\csrss.exe</code></td><td>Path outside <code>C:\Windows\System32</code></td></tr><tr><td><strong>Parent Process</strong></td><td><code>smss.exe</code> (the per-session smss.exe instance exits right after spawning it, so the parent PID no longer maps to a running process)</td><td>A parent that is still running (e.g., <code>explorer.exe</code>, <code>cmd.exe</code>)</td></tr><tr><td><strong>Instances</strong></td><td>One per session: Session 0 (services) and Session 1 (first interactive logon) at boot; each later session (RDP, fast user switching) adds one</td><td>A session with none or more than one, or look-alike names (<code>crss.exe</code>, <code>csrsss.exe</code>)</td></tr><tr><td><strong>User Account</strong></td><td><code>NT AUTHORITY\SYSTEM</code></td><td>Non-SYSTEM user account</td></tr><tr><td><strong>Start Time</strong></td><td>Within seconds of boot for Sessions 0 and 1; at session creation for later sessions</td><td>A Session 0/1 instance that starts long after boot</td></tr></tbody></table>

***

#### Key Technical Notes:

1. ✅**Normal Operation**:
   * One instance per session: Session 0 (services) and Session 1 (the first interactive logon) start at boot; each later session (RDP, fast user switching) gets its own
   * No running parent process: the per-session smss.exe instance exits right after spawning csrss.exe and winlogon.exe, so the ParentProcessId no longer maps to a live process (or, through PID reuse, maps to an unrelated newer one)
   * Its only expected child is `conhost.exe`, launched for console applications
2. ❌**Malware Indicators**:
   * Paths like:\
     `C:\Temp\csrss.exe`\
     `%AppData%\csrss.exe`
   * Unusual child processes (e.g., `cmd.exe` or `powershell.exe` spawned from csrss.exe)
   * A parent process that is still running, or an owner other than `NT AUTHORITY\SYSTEM`
   * Modified subsystem DLLs (`csrsrv.dll`, `basesrv.dll`, `winsrv.dll`)
3. **Verification Commands**:

```powershell
# Check all csrss.exe instances (run elevated; Get-CimInstance replaces the deprecated Get-WmiObject):
Get-CimInstance Win32_Process -Filter "Name='csrss.exe'" |
  Select-Object ProcessId, ParentProcessId, SessionId, ExecutablePath, CommandLine, CreationDate |
  Format-Table -AutoSize

# Validate digital signature (csrss.exe is catalog-signed; expect Status "Valid"
# and a Microsoft Windows signer subject):
Get-AuthenticodeSignature "$env:SystemRoot\System32\csrss.exe" |
  Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } } |
  Format-List
```

⚠️ **Warning**: Terminating csrss.exe crashes the system with bug check 0xF4 (CRITICAL_OBJECT_TERMINATION). Since Windows 8.1 it also runs as a Protected Process Light, so even an administrator cannot open it for writing or injection without kernel-level access.
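As an added example (not part of the original page), the following PowerShell script turns the behaviour table above into an automated audit: it checks every `csrss.exe` instance for image path, a parent that is still alive, owner, start time relative to boot and unexpected children, then searches for look-alike process names and for sessions that do not own exactly one instance. Run it from an elevated session. The function names `Test-CsrssInstance` and `Get-EditDistance`, the 120-second boot window, the `conhost.exe`-only child list and the edit-distance cutoff of 2 are assumptions of this example, not values from the page.

```powershell
# Added example: audit running csrss.exe instances against the expected baseline.
# Run from an elevated PowerShell session: for protected processes such as csrss.exe,
# Win32_Process hides ExecutablePath from non-elevated callers, which would make
# every instance look anomalous. Thresholds and the expected-child list are assumptions.

function Get-EditDistance {
    # Levenshtein distance (case-insensitive), used to spot look-alike names
    # such as crss.exe or csrsss.exe. Two-row dynamic-programming variant.
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = [int[]](0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object int[] ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-CsrssInstance {
    param(
        [Parameter(Mandatory)] $Process,        # a Win32_Process instance named csrss.exe
        [Parameter(Mandatory)] $AllProcesses,   # snapshot from Get-CimInstance Win32_Process
        [Parameter(Mandatory)] [datetime]$BootTime
    )
    $expectedPath     = Join-Path $env:SystemRoot 'System32\csrss.exe'
    $expectedChildren = @('conhost.exe')   # assumption: extend for your environment
    $findings = @()

    # 1. Image path: anything but %SystemRoot%\System32\csrss.exe is masquerading
    #    (a null path here usually means the script is not running elevated).
    if ($Process.ExecutablePath -ne $expectedPath) {
        $findings += "image path '$($Process.ExecutablePath)' is not '$expectedPath'"
    }

    # 2. Parent: the per-session smss.exe exits after spawning csrss.exe, so the parent
    #    PID should be dead. PIDs get reused, so a live process holding that PID only
    #    counts as the real parent if it was created before this csrss.exe instance.
    $parent = $AllProcesses | Where-Object { $_.ProcessId -eq $Process.ParentProcessId }
    if ($parent -and $parent.CreationDate -lt $Process.CreationDate -and $parent.Name -ne 'smss.exe') {
        $findings += "live parent '$($parent.Name)' (PID $($parent.ProcessId)); expected an exited smss.exe"
    }

    # 3. Owner: csrss.exe always runs as NT AUTHORITY\SYSTEM.
    $owner = Invoke-CimMethod -InputObject $Process -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and -not ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM')) {
        $findings += "owner is '$($owner.Domain)\$($owner.User)', not NT AUTHORITY\SYSTEM"
    }

    # 4. Start time: sessions 0 and 1 start at boot. Later sessions (RDP, fast user
    #    switching) legitimately start later, so only 0 and 1 are checked (120 s is assumed).
    $sinceBoot = ($Process.CreationDate - $BootTime).TotalSeconds
    if ($Process.SessionId -le 1 -and $sinceBoot -gt 120) {
        $findings += "session $($Process.SessionId) instance started $([int]$sinceBoot)s after boot"
    }

    # 5. Children: conhost.exe is the only expected child; cmd.exe, powershell.exe etc. are not.
    $odd = $AllProcesses | Where-Object {
        $_.ParentProcessId -eq $Process.ProcessId -and
        $_.CreationDate -gt $Process.CreationDate -and
        $expectedChildren -notcontains $_.Name
    }
    foreach ($c in $odd) { $findings += "unexpected child '$($c.Name)' (PID $($c.ProcessId))" }

    [pscustomobject]@{ PID = $Process.ProcessId; Session = $Process.SessionId; Path = $Process.ExecutablePath; Findings = $findings }
}

$all   = Get-CimInstance Win32_Process
$boot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$csrss = $all | Where-Object { $_.Name -eq 'csrss.exe' }

# Per-instance audit; an empty Findings list means the instance matches the baseline.
$csrss | ForEach-Object { Test-CsrssInstance -Process $_ -AllProcesses $all -BootTime $boot } | Format-List

# Look-alike names within two edits of csrss.exe. smss.exe and lsass.exe are also within
# two edits and are excluded explicitly as known-good names.
$knownGood = @('csrss.exe', 'smss.exe', 'lsass.exe')
$all | Where-Object { $knownGood -notcontains $_.Name -and (Get-EditDistance ([string]$_.Name) 'csrss.exe') -le 2 } |
    Select-Object ProcessId, Name, ExecutablePath

# Every session that has any process should own exactly one csrss.exe.
$sessions = $all | Select-Object -ExpandProperty SessionId -Unique
foreach ($s in $sessions) {
    $n = @($csrss | Where-Object { $_.SessionId -eq $s }).Count
    if ($n -ne 1) { "session $s has $n csrss.exe instance(s); expected exactly one" }
}
```

The parent check compares creation times rather than trusting the parent name alone: because the spawning smss.exe instance has exited, its PID is free for reuse, and a newer unrelated process that happens to hold it would otherwise be reported as a suspicious live parent. The same ordering guard is applied to the child check.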

### Tactics & Techniques

<table data-header-hidden><thead><tr><th width="154.66668701171875"></th><th width="175"></th><th></th></tr></thead><tbody><tr><td><strong>Tactic</strong></td><td><strong>Technique</strong></td><td><strong>csrss.exe Abuse Example</strong></td></tr><tr><td><strong>Persistence</strong></td><td>T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL</td><td>Modifies <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</code> so that <code>winlogon.exe</code>, started by the same per-session <code>smss.exe</code> as csrss.exe, loads a malicious DLL. The target is winlogon.exe, not csrss.exe itself</td></tr><tr><td><strong>Privilege Escalation / Defense Evasion</strong></td><td>T1055: Process Injection</td><td>Injects code into csrss.exe to run inside a trusted SYSTEM process. This requires SYSTEM-level access to begin with and, on Windows 8.1 and later, a way around Protected Process Light, so in practice it hides code rather than gaining privileges</td></tr><tr><td><strong>Defense Evasion</strong></td><td>T1036.005: Masquerading: Match Legitimate Name or Location</td><td>Drops malware as <code>csrss.exe</code> or a look-alike such as <code>crss.exe</code> in <code>%Temp%</code></td></tr><tr><td><strong>Execution</strong></td><td>T1204.002: User Execution: Malicious File</td><td>Relies on the user running a dropped file named <code>csrss.exe</code>, trusting the familiar process name</td></tr></tbody></table>

