is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment. This process is important for stable and secure operation of your system and should not be terminated. Determining whether csrss.exe is malware or a legitimate Windows process usually depends on the location
(path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate csrss.exe file is located in the C:\Windows\System32 folder but you may find legitimate copies in other folders such as:
If found running from a different location like C:\Users\Lupita\AppData\Local\Temp, it's usually indicative of malware.
It's not unusual to receive such an error(s) when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.
A "Cannot find...
", "Could not run..."
, "Error loading...
or "specific module could not be found
" message is usually related to a malware file that was set to run at startup in the registry but has been deleted. Windows is trying to load this file but cannot locate it since the file was mostly likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry
still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message
. You need to remove this registry entry so Windows stops searching for the file when it loads.
Please download Malwarebytes Anti-Malware
and save it to your desktop.
- Double-click on the setup file to install, then follow these instructions for doing a Quick Scan in normal mode.
- Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs
or permit them to allow
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
- After completing the scan, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab .
- Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
- Exit Malwarebytes when done.
If Malwarebytes did not find/fix the related registry entry causing the error, do this:
, search for the related entry and then delete it.
- Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there.
Vista/Windows 7 users refer to these instructions.
- Open the folder and double-click on autoruns.exe to launch it.
Vista/Windows 7 users right-click and select Run As Administrator.
- Please be patient as it scans and populates the entries.
- When done scanning, it will say Ready at the bottom.
- Scroll through the list and look for a startup entry related to the csrss.exe file with the C:\Users\Lupita\AppData\Local\Temp path in the error message.
- If found, right-click on the entry and choose delete.
- Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read: