Conhost.exe, or Console Windows Host, is a legitimate part of the Windows Operating System and, normally, should not be removed. However malware writers often try to disguise viruses and trojans with this file name (eg the Conhost Miner) and so file should be checked to ensure it is the legitimate Microsoft process.
What is Console Window Host (conhost.exe)?
It’s quite common to see this process running in Task Manager.
The full name of this .exe file is Console Windows Host, an essential Windows process related to the ClientServer Runtime System Service or csrss.exe. and cmd.exe.
Together these files work the Command Prompt, used by system administrators – and many programs – to manage Windows. Here’s what it looks like:
Conhost.exe is needed to by Command Prompt to interface accurately with Windows Explorer.
Both the processes are interdependent. One of its primary duties is to offer users to drag and drop files in the Command Prompt.
Apart from regular users, even third-party programs can use this process of they require access to the command line. It starts whenever you start Command Prompt.
If any program utilizes this command line tool, the process will automatically start in the background even if you don’t see it running.
Is conhost.exe A Virus, Malware Or Trojan?
Finding an unrecognizable process running in the background is unsettling. You never know if it is a malware, virus, or Trojan existing in the computer, and especially for how long.
In most cases, conhost.exe is not a virus. However, as with many other files we have profiled malware writers often try to disguise viruses and trojans with this file name.
Indeed there is a common trojan, Conhost Miner, that does this. Disguised as its legitimate cousin, this uses infected computers to mien bitcoins on behalf of the trojan writer.
How To Check Whether Your Computer Is Infected
You can still check if it is a malware, or just an essential process running to operate Command Prompt. Here’s what you need to do:
• Press Ctrl + Alt + Del on your keyboard to open the Task Manager. You will find various tabs on top, such as Processes, Performance, App History, etc.
• Click on Processes. You will notice the process running in the background. The CPU and RAM usage will also indicate the memory it is using. Right click on entry. You will get various options among which you have to select Open file location.
• If you are redirected to C:WindowsSystem32, and it points towards conhost.exe process, it means that your computer is safe. You can be assured that this process is not a virus.
• You can also double-check by right-clicking on it to go to its properties. Find the Details tab to read more about this process. You will see that it is a Microsoft Windows OS file.
However, the problem arises if the file is located in any other location or folder apart from C:\\Windows\System32. This may mean that the process is malware.
How To Check A File’s Location
a. Press ctrl-alt-del
b. Click on the ‘Details Tab’ as below:
c. Highlight the conhost.exe file as above
d. Right click and click ‘Properties’ to get the following screen:
e. Note the location (circled)
If that is the case, you should run a full scan on your computer -through your antivirus software to identify and delete the virus.
Deleting The Virus
If you suspect that the process is a virus, you shouldn’t waste time to get rid of it. You can use various free tools to delete the virus from your computer and make sure it doesn’t come back. But, it is essential to shut the parent process down that is using the process in the first place. This will offer two benefits:
• It will be unable to run the malicious code anymore.
• It makes it easier for the user to delete the virus.
Steps to delete the virus
Deleting the virus is easy if you follow the steps below:
• Download a program called Process Explorer. It is easily available and can remove this virus quickly.
• Once the download is complete, double click on the application file for it to run. After installing the program, double click on the conhost.exe fill that you want to delete.
• An image tab will appear as soon as you select the files to remove. Select Kill Process, and confirm it by clicking on OK.
Sometimes, users also come across an error message mentioning that the process can’t shut down. You get a confirmation dialog box with OK. Click on it to exit the properties window. This deletes the .exe file attached to the parent program that initially started it. Now, you also need to remove the fake .exe file. Ideally, you should restart your computer after every following step:
• Open the folder where the process file exists. Press Shift + Delete to delete the file permanently. If you manage to delete the file, it means that the programming running it will not recreate the virus file again.
• Install reliable antivirus software on your computer and run a full scan. This will also locate the file virus if it exists in any other folder. Some of the bootable antivirus tools perform a quick check on the whole computer even before the operating system starts up. This gives an idea about the programs that usually run this process when they are used.
One of the complaints that users often have with this process is it consumes high resources and often uses too much RAM and CPU memory. There are a few ways to control this as well.
• If there are multiple command line interface windows opened simultaneously, close all of them one by one.
• Go to Task Manager to check if any of the existing applications are using the command line to execute a task.
• Cross-check your scheduled tasks to see if any applications are running in the background.
• Quickly run a malware check to locate the presence of a virus in the folders.
• Run a system file checker to replace files damaged in the process.
The conhost.exe process is usually safe when working in tandem with Windows Command Prompt. But, if it exists in the form of a virus, you better remove it as soon as possible by following the steps mentioned above.