Conhost.exe. What kind of process: system service or virus?

There is probably not a single Windows user who has never opened "Task Manager" to end a hung application or to check the computer's performance. Sometimes, though, users notice an executable file named conhost.exe in the tree of currently active processes. Few people really understand what this process is, and many assume it is a virus (especially if it is running several times). It can indeed be a threat, but not always.

Conhost.exe: what kind of process is observed in the "Task Manager"?

First of all, we need to understand what the process is and which executable file is responsible for it.

The process is a Windows system service and appeared in Windows XP. It is responsible for opening console windows such as the command line or PowerShell. Its main purpose is to draw the console window using the current theme, the one applied to all graphical elements and to windows in particular.

Why is the conhost.exe service needed?

To make this clearer, consider Windows XP. Many users probably noticed that with the default theme the windows of all programs share the same design, for example a three-dimensional blue title bar at the top.

But when the command line is opened, its window looks different (it uses the standard design of older systems). The system component conhost.exe was developed so that the console window matches the current theme: when the executable is launched, the console window opens in the same style as all other windows.

However, the main problem originally was that this service in XP was clearly not sufficiently developed, so windows opened with the wrong appearance and sometimes the whole system hung. In Vista the service was modified, although it ran with a lower priority than the csrss.exe component, which in XP was initially responsible for creating console windows. There were still a lot of problems.

Only starting with the seventh version of Windows was the service radically reworked. Although its call and execution priority remained between the csrss and cmd levels, the console windows opened for the corresponding programs began to look as they should (for example, in the design of the Aero theme).

Can I disable the service?

That, in brief, is the conhost.exe service. What kind of process this is should now be a little clearer. Now a few words about whether the process can be turned off.

In general this is not recommended, as with all other system components. However, if you do not mind console windows appearing without the design of the current theme, the process can be disabled (ended in "Task Manager"). Note that the service is only turned off, and only for a while. It cannot be deleted, even with a full set of administrator rights (unless it is a virus). The system simply will not allow it, and all third-party tools will be powerless. In addition, the process starts only when console windows are opened; if there are none, or when the system is idle, it does not appear in Task Manager. The service also has little effect on the speed of the computer.

Virus conhost.exe: checking the location of the program file

The situation is quite different when the active process tree in "Task Manager" shows several services with the same name (at least more than two). This is already a clear hint that viruses masquerading as this service are present in the system. And if there is also an engine.exe component, expect trouble: it is simply a virus. But even a single process may indicate that threats in the form of malicious executable code have penetrated the system. Most often these are Trojans.

To check whether the process is a system one (or a virus), open the Processes tab in "Task Manager", right-click the process, and choose the option to open the file location from the context menu. The original conhost.exe file is always located in the System32 system folder of the operating system's main directory. If a different location is shown, urgent measures must be taken.
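The same location check can be scripted for all running instances at once. The following PowerShell is an added example, not part of the original article; it goes slightly beyond the text by also reporting each instance's parent process and the Authenticode signature status of the file, and it only reads process information.

```powershell
# Added example: list every running conhost.exe and compare its image path
# with the expected System32 location. Read-only; nothing is terminated.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath

    if ([string]::IsNullOrEmpty($path)) {
        # The path is not returned when the session lacks the rights to
        # query the process, so no verdict is possible without elevation.
        $verdict   = 'Unknown (rerun elevated)'
        $signature = 'n/a'
    }
    else {
        # Signature status of the file on disk (Valid, NotSigned, HashMismatch, ...).
        $signature = (Get-AuthenticodeSignature -FilePath $path).Status

        # Windows paths are case-insensitive, so compare with -ieq.
        if ($path -ieq $expected) { $verdict = 'Expected location' }
        else                      { $verdict = 'UNEXPECTED location' }
    }

    # The parent may already have exited; Name is then simply empty.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"

    [pscustomobject]@{
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Parent    = $parent.Name
        Path      = $path
        Signature = $signature
        Verdict   = $verdict
    }
} | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Any row marked `UNEXPECTED location` corresponds to the case the article describes as requiring urgent measures; rows marked `Unknown` need the script to be rerun from an elevated prompt before drawing a conclusion.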

Threat Checking

Now let's see how to remove conhost.exe. In principle there is nothing particularly complicated here, but some nuances must be taken into account. First of all, in "Task Manager" you need to end all processes with this name. Even if the original service is among them, that is fine (it will start again automatically on restart).

After that, use a powerful scanner, preferably a portable one (for example, Dr.Web CureIt! or KVRT). Running an in-depth scan with the already installed antivirus makes little sense, if only because it has already missed the threat.

However, practice shows that the most effective way to remove such an infection is to use special rescue-disk programs such as Kaspersky Rescue Disk or analogs from other developers specializing in anti-virus protection. The advantage of these utilities is that they have their own bootloader: once written to removable media, they can be booted before the main OS starts. In the application you can use the graphical interface or DOS mode. Then you just need to scan the entire system with the in-depth scan option set and wait for the process to finish. This way, even viruses that are very deeply integrated into the system, or that reside permanently in RAM, can be detected.

In conclusion

That is the conhost.exe service. It should now be clear what kind of process runs in the system when consoles are opened, and also that the service may turn out to be a malicious element when it is launched multiple times. Getting rid of such a virus is not difficult. You just need to select the best tool for checking and removing the threat.

Copyright © 2018 en.birmiss.com. Theme powered by WordPress.