What is conhost.exe? Should I remove it?

Conhost.exe a required Windows OS system file that can be abused by malware authors to mine Monero cryptocurency

Conhost.exe is an executable file created by Microsoft and is launched by csrss.exe – another Windows process. It stands for Console Window Host, and it is absolutely normal to see it running in the Task Manager. The file is needed in order to allow Command Prompt to interface with Windows Explorer; for example, it supports drag-and-drop function which enables users to drop folders or files directly into Command Prompt. The process can also be used by third-party applications, like Nvidia's WebHelper.exe. Unfortunately, cybercriminals can utilize the legitimate name to secretly mine cryptocurrency on victims' computers without their consent – victims can quickly notice the infection by multiple instances of the process running, as well as high CPU usage. For that reason, the file was also dubbed Conhost.exe virus, Conhost.exe malware, and Conhost Miner.

Name Conhost.exe
Type System file
Function Allows Command Prompt to associate with Windows Explorer
Is it malware? Possible. Conhost Miner crypto-miner is known to use this executable to mine cryptocurrency
Symptoms of malware infection Extremely high CPU usage, slow operation of the device, crashing programs, video stuttering, etc.
Infection means Spam email attachments, fake updates, pirated or repacked software
Detection and deletion Use reputable anti-malware software to terminate Conhost.exe virus
Recovery Crypto miners can infect system files and corrupt normal operation of Windows OS. To fix these issues, scan your PC with FortectIntego

Conhost.exe virus can result in a variety of problems to computer users – make sure it is not malware

Initially, the file is created by Microsoft and is an essential component of Windows, and it is highly unlikely that it is malicious. However, it does not mean that it's impossible. Security researchers associated a crypto-mining tool called Conhost Miner with a Conhost.exe process. 

In such a case, the original executable of Conhost.exe malware runs a separate instance and might look legitimate, unless users check the location of the file. The legitimate file is located in C:\Windows\System32 and nowhere else. Therefore, if any of Console Window Host processes are causing troubles, make sure to check where it originates from.

Another red flag is when the malicious Conhost.exe virus process is causing your CPU to run at high levels – above 80%. Crypto-mining tools utilize victims' hardware to process complicated mathematical calculations in order to obtain cryptocurrency for criminals. Those infected with Conhost.exe miner malware can face the following consequences:

  • Increased electricity bill
  • Hardware wear-and-tear
  • Slowdown (and crashes) of the computer
  • Increased risk of other malware infections

Therefore, if you experience any of the infection symptoms, you should use SpyHunter 5Combo Cleaner or Malwarebytes to remove Conhost.exe virus ASAP. In some cases, the malware could be running for weeks or months before being spotted, as many users might associate the symptoms with hardware aging or other technical issues.

In such a case, a significant amount of damage can be done to the system, as additional payloads might be installed during the operation of malware. For that reason, in addition to Conhost.exe virus removal, AV software might also detect and terminate additional infections.

The origin of the legitimate Conhost.exe process

In Windows XP and previous versions, Command Prompt's interface was handled by a process called ClientServer Runtime System Service (CSRSS). This functionality had a couple of problems, however:

  • If the CSRSS process crashed, it would bring down the whole system, compromising reliability and security; 
  • Command Prompt could not use a new interface and always used a basic theme.

With Windows Vista, the drag-and-drop feature was introduced. Although the old-fashioned CSRSS was still used in Command prompt, the title bar and frame was handled by Desktop Window Manager, making it look more modern.

All previous issues were fixed when Windows 7 was launched, as Console Window Host process now sat in-between CSRSS and the cmd.exe, which allowed the process to draw the scrollbars rightly. Thus, Windows 8 and 10 use the same principle still, letting the styling of the new OS to be used in Command Prompt.

Several instances of Conhost.exe running is normal

Users can often notice that there are several instances of Conhost.exe running in the Task Manager. It is completely normal behavior, as each of the Command Prompt instances will create its own process. Additionally, third-party applications that are using command line will also spawn a separate case. Examples of such apps include Nvidia's WebHelper.exe, Plex Media's PlexScriptHost.exe and a few others.

Originally, these processes should take very little memory – under 10 MB. When it comes to CPU usage, it should take almost zero, unless the application running the process is active. In case some of these processes are using a lot of RAM or CPU, you should determine which apps are involved by using Microsoft's Process Explorer. Simply download and run it (there is no need to install, its a portable application). 

By using this program, you can determine which apps are causing problems, and can look into it further.


Dangerous crypto-miners can be avoided with more awareness

It is not a secret that users are quite careless when it comes to internet safety, especially if they never had to deal with any sort of virus. Cybercriminals are well aware of that, and they will take any opportunity to make use of victims. Therefore, it is necessary to arm yourself with the information on how viruses spread, so that the chances of infection would lessen enormously.

Crypto-mining software on its own is not malicious and can be used by people who want to use their systems to mine digital currency. However, if in the hands of cybercrooks, it is a dangerous tool that is straight-out dangerous. 

Typically, the software enters computers as a trojan horse. These parasites are usually concealed inside a legitimately looking file, which is attached to spam emails. Therefore, you should take great caution when opening emails from unknown sources.

Hackers employ bots to send out thousands of phishing messages to random (or targeted) victims. Users are tricked to open the attachments or click on the hyperlink because the email looks legitimate, and often pretends to be from a reputable organization, like Amazon, or Tax office.

Therefore, be wary and do not open just about anything that is thrown your way. Ask yourself these questions first: “Was I supposed to get an email from this company,” “What is the “From address?” “Are there any styling/grammar/spelling mistakes in the text?,” “Am I being addressed to generically, without a name?.”

Remove Conhost.exe if the file is used by Conhost Miner

In case the executable is used by Cornhost malware, you will have to get rid of it. Do not even try to remove Conhost.exe virus manually – it is almost impossible. Only IT professionals are capable of such a complicated task. Malware is written in a complicated code and alters several processes of the operating system, including Windows registry.

To complete a full Conhost.exe removal, download and install FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes. You can also use any other security tool that you already have installed on your system.

Remember that high CPU usage does not necessarily mean malware infection, it can be connected to malfunctioning apps or other system malfunctions. Therefore, make sure you scan your machine before you proceed with any actions.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions