conhost.exe is the host process for command-line programs. Its full name is Console Host Process; it is a console application handling mechanism that Microsoft introduced in Windows 7 and Windows Server 2008 for security reasons.
The operating environment of this tutorial: Windows 7 system, Dell G3 computer.
What process is conhost.exe?
The host process of the command line program.
The full name is Console Host Process, which is the host process of the command line program. Simply put, it is a new console application processing mechanism introduced by Microsoft in Windows 7 and Windows Server 2008 for security reasons.
Origin and function
Before Windows 7, console hosting was handled by csrss.exe, and all command-line processes shared the session's single csrss.exe process. In Windows 7, each command-line process has its own independent conhost as its host. This has several benefits: the processes do not affect each other, and they do not affect csrss, which has other, more important tasks to do. The most important consideration, however, is security. csrss runs under the local system account, so if it has to process Windows messages it is exposed to many threats, such as the well-known Windows Message Shatter Attack. If a conhost running with user rights handles those messages instead, then even if an attack occurs, only the low-privilege host process is affected.
Whether as ordinary users or as enterprise administrators, we all use console applications to some extent in day-to-day Windows use and in operations and maintenance work. A console application has no user interface of its own; we perform input and output on it through the command prompt (CMD, which is not DOS, although many people confuse the two). Typical console applications that ship with Windows include cmd.exe, nslookup.exe, and telnet.exe.
Relationship with Csrss.exe
In earlier versions of Windows, all applications that represented non-GUI activity (i.e., console applications) had to be coordinated through the system process Csrss.exe when they ran on the desktop. When a console application needs to receive characters, it calls one of a small set of "console APIs" in Kernel32.dll, and Kernel32 issues an LPC call to CSRSS. CSRSS then checks and validates the input queue of the console window and returns the character-mode results to the console application through Kernel32.
Such a processing mechanism has created a problem: even if a console application is executed in the context of a normal user, Csrss.exe always runs under the permissions of the local system account. Therefore, in some cases, malware developed by "bad guys" may gain more privileges through Csrss.exe executed with local system account permissions. This attack mode is called Shatter Attack.
In the Windows 7 and Windows Server 2008 R2 era, all console applications are hosted by a new context process, ConHost.exe. ConHost (console host) and the console program run in the context of the same security level, and instead of sending an LPC message request to CSRSS for processing, the program makes its request to ConHost. Therefore, any attempt by an application to exploit a message request to obtain automatic elevation of privilege will not succeed.
conhost is not a virus...
The full name of conhost is Console Host Process, the host process for command-line programs. Everyone knows what a command-line program is: ipconfig.exe, for example. Because a command-line program has no code of its own for displaying a UI, the content of the command-line window we usually see is produced by the host process, which handles displaying the window, processing window messages, and so on.
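The following PowerShell function is an added example, not part of the original article. It lists every csrss.exe and conhost.exe process with its owning account, so the privilege split described above is visible, and compares each conhost.exe image path with `%SystemRoot%\System32\conhost.exe`; that expected path and the function name `Get-ConsoleHostReport` are assumptions of this example rather than something the article states.

```powershell
# Added example (not from the original article).
# Get-WmiObject is used so this also runs on the PowerShell 2.0 shipped with Windows 7.
function Get-ConsoleHostReport {
    # Assumption: the genuine binary is %SystemRoot%\System32\conhost.exe
    $expected = Join-Path $env:SystemRoot 'System32\conhost.exe'
    $all = @(Get-WmiObject -Class Win32_Process)

    # PID -> name lookup so each row can name its parent process
    $names = @{}
    foreach ($p in $all) { $names[[int]$p.ProcessId] = $p.Name }

    $targets = @($all | Where-Object { $_.Name -eq 'conhost.exe' -or $_.Name -eq 'csrss.exe' })
    foreach ($p in $targets) {
        # GetOwner fails for protected processes unless the shell is elevated
        $owner = '(unavailable)'
        try {
            $o = $p.GetOwner()
            if ($o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
        } catch { }

        $parent = $names[[int]$p.ParentProcessId]
        if (-not $parent) { $parent = '(exited)' }

        # Only conhost.exe is path-checked; a copy elsewhere is not the console host
        $check = 'n/a'
        if ($p.Name -eq 'conhost.exe') {
            if (-not $p.ExecutablePath) { $check = 'unknown' }
            elseif ($p.ExecutablePath -eq $expected) { $check = 'expected' }
            else { $check = 'UNEXPECTED' }
        }

        New-Object PSObject -Property @{
            Name = $p.Name; ProcessId = $p.ProcessId; Session = $p.SessionId
            Owner = $owner; Parent = $parent
            Path = $p.ExecutablePath; PathCheck = $check
        } | Select-Object Name, ProcessId, Session, Owner, Parent, PathCheck, Path
    }
}

Get-ConsoleHostReport | Sort-Object Name, ProcessId | Format-Table -AutoSize
```

Run from an elevated prompt, the csrss.exe rows should show the local system account as owner, while each conhost.exe row shows the account that started the console program it hosts.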