I have 4 conhost.exe processes for some reason



#1 applesauce10189


Posted 20 June 2015 - 10:14 PM

For some reason in Task Manager I see 4 conhost.exe processes. I felt that's a little weird, so I did some research. Long story short, I heard a good way to verify if they're legit would be to open their file location; if it's in system32, that's a step in the right direction. The next thing to check would be the digital signature. Only one of the four processes actually opened to the file location, and it didn't have a digital signature, and one of the processes was actually lacking a description in Task Manager. Here are some screenshots showing what I'm talking about:

 

Processes in task manager

 

Properties of conhost.exe as found via "Open file location" in task manager (If my little research is correct, if it has a digital signature there should be a digital signature tab there, which there isn't)

 

I tried ending the conhost that didn't have a description, yet for some reason I don't have access. Side note: I'm on the administrator account.

 

From what I've read, conhost is entirely harmless and intended to fix a problem that was on Vista related to dragging/dropping to console, yet the fact one of them has no description and is above Administrator privileges, and the only seemingly legit one is lacking a digital signature, just feels a bit odd.

 

EDIT: Okay did some searching in system32 to see if any of the .exe files had the digital signature tab, and none of the ones I checked have it, which is leading me to believe what I read was probably outdated and no longer correct. Checking in details, from the looks of it, it has a Microsoft copyright,


Edited by applesauce10189, 20 June 2015 - 10:22 PM.




#2 Aura


Posted 20 June 2015 - 10:36 PM

Hi applesauce10189 :)

Conhost.exe is a legitimate Windows system executable and process. It's also normal for you to have more than one instance of it in your Task Manager and to not be able to "kill" these processes. Before I go on, when you open the Task Manager, do you have the Show processes from all users option checked/enabled or not? If you don't, you won't be able to kill some processes. I also suggest you not try to kill processes that are vital to the Windows system, or you'll end up with a Blue Screen of Death (BSOD). Oh, and some processes also require you to have this option enabled in order to use the Open file location option on them.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 applesauce10189


Posted 21 June 2015 - 12:23 AM

Thanks for clearing that up for me!



#4 Aura


Posted 21 June 2015 - 09:04 AM

No problem :) Also, if you click on View, then Select columns and enable Command line, you'll see from where the processes are launched and with what arguments :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
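
The three checks discussed in this thread (file location, digital signature, command line) can be run in one pass; the following is an added PowerShell example, not part of the original posts. It assumes Windows PowerShell 5.1 or later in an elevated prompt, and the `$expected` variable and the output field names are this example's own.

```powershell
# Added example: triage every running conhost.exe by path, signature,
# command line and parent process. Run elevated; without elevation the
# ExecutablePath and CommandLine of some processes come back empty.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" | ForEach-Object {
    $proc = $_

    # The parent may already have exited, in which case this is $null.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # Many in-box Windows binaries are signed through a security catalog
    # rather than an embedded signature, so file Properties shows no
    # "Digital Signatures" tab for them. On PowerShell 5.1 the result of
    # Get-AuthenticodeSignature reports this as SignatureType = Catalog.
    $sig = if ($proc.ExecutablePath) {
        Get-AuthenticodeSignature -LiteralPath $proc.ExecutablePath
    }

    [pscustomobject]@{
        PID            = $proc.ProcessId
        Path           = $proc.ExecutablePath
        PathIsExpected = ($proc.ExecutablePath -eq $expected)   # case-insensitive compare
        SignatureState = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType  = $sig.SignatureType   # Authenticode (embedded) or Catalog
        IsOSBinary     = $sig.IsOSBinary
        Signer         = $sig.SignerCertificate.Subject
        ParentPID      = $proc.ParentProcessId
        ParentName     = $parent.Name
        CommandLine    = $proc.CommandLine
    }
} | Format-List
```

A row worth a closer look is one where `PathIsExpected` is False or `SignatureState` is anything other than Valid; an empty `Path` usually just means the prompt was not elevated.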




