What is conhost.exe? Should I remove it?

by Jake Doevan - -

Conhost.exe – a safe file hosted by Windows operating system

Conhost.exe is an executable file created by Microsoft and is launched by csrss.exe – another Windows process. It stands for Console Window Host, and it is absolutely normal to see it running in the Task Manager. The file is needed in order to allow Command Prompt to interface with Windows Explorer; for example, it supports drag-and-drop function which enables users to drop folders or files directly into Command Prompt. The process can also be used by third-party applications, like Nvidia's WebHelper.exe. Unfortunately, cybercriminals can utilize the legitimate name to secretly mine cryptocurrency on victims' computers without their consent.

Name Conhost.exe
Type System file
Function Allows Command Prompt to associate with Windows Explorer
Malware infection? Possible. Conhost Miner crypto-miner is known to use this executable to mine cryptocurrency
Symptoms of malware infection Extremely high CPU usage
Detection and deletion Use Reimage or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

A little bit of history

In Windows XP and previous versions, Command Prompt's interface was handled by a process called ClientServer Runtime System Service (CSRSS). This functionality had a couple of problems, however:

  • If the CSRSS process crashed, it would bring down the whole system, compromising reliability and security; 
  • Command Prompt could not use a new interface and always used a basic theme.

With Windows Vista, the drag-and-drop feature was introduced. Although the old-fashioned CSRSS was still used in Command prompt, the title bar and frame was handled by Desktop Window Manager, making it look more modern.

All previous issues were fixed when Windows 7 was launched, as Console Window Host process now sat in-between CSRSS and the cmd.exe, which allowed the process to draw the scrollbars rightly. Thus, Windows 8 and 10 use the same principle still, letting the styling of the new OS to be used in Command Prompt.

Several instances of Conhost.exe running is normal

Users can often notice that there are several instances of Conhost.exe running in the Task Manager. It is completely normal behavior, as each of the Command Prompt instances will create its own process. Additionally, third-party applications that are using command line will also spawn a separate case. Examples of such apps include Nvidia's WebHelper.exe, Plex Media's PlexScriptHost.exe and few others.

Originally, these processes should take very little memory – under 10MB. When it comes to CPU usage, it should take almost zero, unless the application running the process is active. In case some of these processes are using a lot of RAM or CPU, you should determine which apps are involved by using Microsoft's Process Explorer. Simply download and run it (there is no need to install, its a portable application). 

By using this program, you can determine which apps are causing problems, and can look into it further.

Conhost.exe may be a virus if abused by cybercriminals

Initially, the file is created by Microsoft and is an essential component of Windows, and it is highly unlikely that it is malicious. However, it does not mean that it's impossible. Security researchers associated a crypto-mining tool called Conhost Miner with a Conhost.exe process. 

In such case, the original executable runs a separate instance and might look legitimate, unless users check the location of the file. The legitimate file is located in C:\Windows\System32 and nowhere else. Therefore, if any of Console Window Host processes are causing troubles, make sure to check where it originates from.

Another red flag is when the process is causing your CPU to run at high levels – above 80%. Crypto-mining tools utilize victims' hardware to process complicated mathematical calculations in order to obtain cryptocurrency for criminals. There are several negative consequences for the end user:

  • Increased electricity bill
  • Hardware wear-and-tear
  • Slowdown (and crashes) of the computer
  • Increased risk of other malware infections

Therefore, if you experience any of the infection symptoms, you should use Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes to remove Conhost.exe virus ASAP. Additionally, the malware may be hard to spot, especially for individuals who are not that computer-savvy.

Dangerous crypto-miners can be avoided with a little bit more awareness

It is not a secret that users are quite careless when it comes to internet safety, especially if they never had to deal with any sort of virus. Cybercriminals are well aware of that, and they will take any opportunity to make use of victims. Therefore, it is necessary to arm yourself with the information on how viruses spread, so that the chances of infection would lessen enormously.

Crypto-mining software on its own is not malicious and can be used by people who want to use their systems to mine digital currency. However, if in the hands of cybercrooks, it is a dangerous tool that is straight-out dangerous. 

Typically, the software enters computers as a trojan horse. These parasites are usually concealed inside a legitimately looking file, which is attached to spam emails. Therefore, you should take great caution when opening emails from unknown sources.

Hackers employ bots to send out thousands of phishing messages to random (or targeted) victims. Users are tricked to open the attachments or click on the hyperlink because the email looks legitimate, and often pretends to be from a reputable organization, like Amazon, or Tax office.

Therefore, be wary and do not open just about anything that is thrown your way. Ask yourself these questions first: “Was I supposed to get an email from this company,” “What is the “From address?” “Are there any styling/grammar/spelling mistakes in the text?,” “Am I being addressed to generically, without a name?.”

Remove Conhost.exe if the file is used by Conhost Miner

In case the executable is used by malware, you will have to get rid of it. Do not even try to remove Conhost.exe virus manually – it is almost impossible. Only IT professionals are capable of such a complicated task. Malware is written in a complicated code and alters several processes of the operating system, including Windows registry.

To complete a full Conhost.exe removal, download and install Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes. You can also use any other security tool that you already have installed on your system.

Remember that high CPU usage does not necessarily mean malware infection, it can be connected to malfunctioning apps or other system malfunctions. Therefore, make sure you scan your machine before you proceed with any actions.

do it now!
Problem diagnosis program Happiness
Problem diagnosis program Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is a recommended tool to scan your system for possible threats and crappy software. The trial version of the product will find harmful applications in your system.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions