Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CSRSS.exe keeps running items from WinSxS folder


  • Please log in to reply
2 replies to this topic

#1 xad

xad

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 26 October 2010 - 10:19 PM

Is this normal behaviour in Windows XP SP3? Or can it be disabled/fixed? I've noticed in FileMon that csrss.exe keeps running, or at least trying to run (with a lot of errors), items from the WinSxS folder.

Attached is a log i isolated for process csrss.exe only, here's a snippet:
99	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\System32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	Attributes: Error	
100	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\System32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.MANIFEST	PATH NOT FOUND	Attributes: Error	
101	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\	SUCCESS	Options: Open Directory  Access: 00100001	
102	3:57 am	csrss.exe:804	DIRECTORY	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\	SUCCESS	FileBothDirectoryInformation: *.policy	
103	3:57 am	csrss.exe:804	DIRECTORY	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\	SUCCESS	FileBothDirectoryInformation	
104	3:57 am	csrss.exe:804	DIRECTORY	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\	NO MORE FILES	FileBothDirectoryInformation	
105	3:57 am	csrss.exe:804	CLOSE	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\	SUCCESS		
106	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS	Options: Open Sequential  Access: Read	
107	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS	Options: Open  Access: 00100001	
108	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS	FileInternalInformation	
109	3:57 am	csrss.exe:804	CLOSE	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS		
110	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS	FileFsVolumeInformation	
111	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	BUFFER OVERFLOW	FileAllInformation	
112	3:57 am	csrss.exe:804	READ 	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS	Offset: 0 Length: 4095	
113	3:57 am	csrss.exe:804	READ	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	END OF FILE	Offset: 621 Length: 8178	
114	3:57 am	csrss.exe:804	CLOSE	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy	SUCCESS		
115	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\	NOT FOUND	Options: Open Directory  Access: 00100001	
116	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest	SUCCESS	Attributes: A	
117	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest	SUCCESS	Attributes: A	
118	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en-US_186470ec\	NOT FOUND	Options: Open Directory  Access: 00100001	
119	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\	NOT FOUND	Options: Open Directory  Access: 00100001	
120	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.2600.5512_en-US_1e6a00cc.Manifest	NOT FOUND	Attributes: Error	
121	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.2600.5512_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	Attributes: Error	
122	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\System32\en-US\Microsoft.Windows.Common-Controls.mui.DLL	NOT FOUND	Attributes: Error	
123	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\System32\en-US\Microsoft.Windows.Common-Controls.mui.MANIFEST	NOT FOUND	Attributes: Error	
124	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\System32\en-US\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	Attributes: Error	
125	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\System32\en-US\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.MANIFEST	PATH NOT FOUND	Attributes: Error	
126	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en_272036d3\	NOT FOUND	Options: Open Directory  Access: 00100001	
127	3:57 am	csrss.exe:804	OPEN	C:\WINDOWS2\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\	NOT FOUND	Options: Open Directory  Access: 00100001	
128	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.2600.5512_en_8486b4a5.Manifest	NOT FOUND	Attributes: Error	
129	3:57 am	csrss.exe:804	QUERY INFORMATION	C:\WINDOWS2\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.2600.5512_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	Attributes: Error	
* Longer file is attached *

Is this normal? It doesn't stop. It keeps checking/running/etc items from the windows WinSxS folder. What is that and why is it happening?

The only major thing i have done today is switch from IDE mode to AHCI mode following various guides online so that my SATA hard drives run in AHCI mode. Is that what could have caused this? Or is this totally normal (doesn't stop executing stuff from that folder)? I noticed it more because i switched hard drives and the hard drives slightly louder it seems and it makes noise continuously because it's constantly checking the WinSxS folder.

Attached Files


Edited by xad, 26 October 2010 - 10:20 PM.


BC AdBot (Login to Remove)

 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:23 PM

Posted 27 October 2010 - 06:10 AM

Hi -
According to Microsoft ......
Csrss.exe - You cannot end this process from Task Manager.
This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.
Unless this item is infected it will run at all times - switch from IDE mode to AHCI - This may have caused the upset (do you have any older records) -
Why did you actually do this change , just playing , or required for some reason ?? You may have also caused some damage or not followed the guides 100% -
First run your Antivirus (as this item can get infected) and then run Malwarebytes or SUPERAntiSpyWare (both free) to check for infections also -

Thank You -

#3 xad

xad
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 27 October 2010 - 04:02 PM

I did the switch over from IDE to AHCI as i just moved my operating system from my IDE drive to my 1tb SATA drive (both seagates) and i read that AHCI is more efficient due to NCQ. I put my old IDE drive back in which has everything on it without any modifications to anything and i think this csrss.exe thing running constantly is normal? Whenever i open a file, or view website that downloads a file, image etc, that runs and it does some kind of check with WinSxS. I also noticed a lot of calls via wuauclt.exe to C:\WINDOWS2\SoftwareDistribution\DataStore\DataStore.edb :trumpet:

I think it might be normal for it to run constantly? I think i noticed it more because my hard drive is slightly louder now with the seek noise, even with it set to a lower AAM setting via DOS software (had barely any affect where as my Samsung F2 drive had a very noticeable change in sound and is quiter). Surprising as i would have thought the 1tb seagate SATA would have been quieter than the old 320gb seagate IDE. Definitely a little too fussed by these sounds i know, i'd take constant fan noise over random chhh chhh chhhh sounds any day :flowers: , but once SSD's come down in price a little more, i think i'll make the jump and then i'll have no hard drive noise when my operating system is doing it's thing :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users