What is conhost.exe?

The genuine conhost.exe file is a software component of Microsoft Windows/Microsoft Server by Microsoft Corporation.
At least two "conhost.exe" programs exist, one an essential Microsoft Windows system process and one a Trojan. The Microsoft Console Host program resides in "C:\Windows\System32" and should not be removed. It was created for Windows 7 and Windows Server 2008 R2 to thwart malware exploitation. In WinXP, "console applications" without GUI's, run with parameters from the command prompt, used a kernel call to send messages to "CSRSS.exe" for processing. "CSRSS.exe" has local system account privileges, which some malware exploited. "Conhost.exe" is a step before "CSRSS.exe" which has only the application's privileges and frustrates such exploits. The older Trojan "conhost.exe" predates Microsoft's. It is a crypto-currency miner, in a temporary folder, using up to 100% of the CPU to find Bitcoin or Monero crypto-currency units on other computers and send them elsewhere. It may mean the dangerous TDSS botnet virus is present, which Kaspersky's free tool removes.

ConHost stands for Console Application Host

The .exe extension on a filename indicates an executable file. Executable files may, in some cases, harm your computer. Therefore, please read below to decide for yourself whether the conhost.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.

Click to Run a Free Scan for conhost.exe related errors

Conhost.exe file information

Windows Task Manager with conhost — Conhost.exe process in Windows Task Manager

The process known as Console Window Host or bitcoin-miner or Boot Acceptance Application for Registry or Windows Service Pack or Host Process for Windows Services or Windows System Service Pack belongs to software Microsoft Windows Operating System or Bitcoin Miner or Host Process for Windows Services or Hotfix for Microsoft Visual Studio (version 2007) by Microsoft (www.microsoft.com) or Ufasoft (www.ufasoft.com).

Description: Conhost.exe is not essential for Windows and will often cause problems. The conhost.exe file is located in a subfolder of the user's profile folder or sometimes in the Windows folder for temporary files (usually C:\Users\USERNAME\AppData\Roaming\Microsoft\ or C:\Users\USERNAME\Anwendungsdaten\Microsoft\). Known file sizes on Windows 10/8/7/XP are 169,984 bytes (5% of all occurrences), 169,472 bytes and 72 more variants.
It is a file with no information about its developer. The program is not visible. The file is not a Windows core file. The process is loaded during the Windows boot process (see Registry key: MACHINE\Run, Run, User Shell Folders, TaskScheduler, RunOnce, MACHINE\RunOnce, MACHINE\User Shell Folders, Shell Folders, win.ini, DEFAULT\User Shell Folders). Conhost.exe is able to monitor applications. Therefore the technical security rating is 67% dangerous; but you should also compare this rating with the user reviews.

Recommended: Identify conhost.exe related errors

If conhost.exe is located in the C:\Windows\System32 folder, the security rating is 4% dangerous. The file size is 271,360 bytes (80% of all occurrences), 46,592 bytes and 6 more variants. It is a Windows core system file. The program has no visible window. The file is a Microsoft signed file. Conhost.exe is able to record keyboard and mouse inputs.
If conhost.exe is located in a subfolder of "C:\Program Files", the security rating is 68% dangerous. The file size is 547,840 bytes (5% of all occurrences), 125,440 bytes and 32 more variants. There is no file information. The program is not visible. The file is not a Windows core file. The program is loaded during the Windows boot process (see Registry key: MACHINE\Run, Run, User Shell Folders, TaskScheduler, RunOnce, MACHINE\RunOnce, MACHINE\User Shell Folders, Shell Folders, win.ini, DEFAULT\User Shell Folders). Conhost.exe is able to monitor applications.
Uninstalling this variant: In case you experience problems using conhost.exe, you can also do the following:
1) safely remove the program using the uninstall program of Hotfix for Microsoft Visual Studio 2007 (Control Panel ⇒ Uninstall a Program)
2) visit the www.microsoft.com support page.
If conhost.exe is located in a subfolder of C:\Windows, the security rating is 62% dangerous. The file size is 267,776 bytes (60% of all occurrences), 219,648 bytes, 657,920 bytes, 338,432 bytes or 2,445,824 bytes.
If conhost.exe is located in a subfolder of C:\, the security rating is 76% dangerous. The file size is 5,714,944 bytes (75% of all occurrences) or 267,776 bytes.
If conhost.exe is located in the C:\Windows folder, the security rating is 80% dangerous. The file size is 1,231,360 bytes.
If conhost.exe is located in a subfolder of Windows folder for temporary files, the security rating is 42% dangerous. The file size is 152,064 bytes.

Important: Some malware camouflages itself as conhost.exe, for example Backdoor:Win32/Cycbot.B (detected by Microsoft), and Backdoor.Win32.Gbot.bs or Trojan-Downloader.Win32.FraudLoad.yaws (detected by Kaspersky). Therefore, you should check the conhost.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.

Score

User Comments

Console Window Host from Microsoft Windows Operating System (www.microsoft.com)

conhost.exe is a Console Window Host, part of Microsoft Windows Operating System
Mike (further information)

Virus
Der kleine Held

When Windows 7 was released, conhost.exe (Console Window Host) was born and it solved everything with the groovy side effect of making the system much more stable. This process is a critical system file and should never be deleted.
Pete J

It's properties say it was created on the computer days ago but I never authorized it. Computer has been acting crazy all week and Anti-virus program is not working right but flags it.
Superbyte

One is a required file, the other is a trojan.
Mike (further information)

some AntiVirus tools marked it as trojan

it's part of windows

I know I have four of these and I dont think it´s normal.

There are two versions. One is a necessary and required file while the other is a virus. If more than one is found, you need to check which one/s is/are the virus.

Microsoft says it's part of the OS.
tanstaafl (further information)

conhost.exe is a Windows core file. Though malware does like to disguise itself as conhost...
(further information)

there are several of them running 1.964K and 2.096K memory

Appears to be part of command prompt. Opens when I open 'cmd' from start menu.
wes

If located in C:\Windows\System32 then it is normal and required. It is part of windows.
Zenvidia (further information)

While Conhost may be a Windows system file, it does not appear in task manager on machines in our office. Seeing conhost.exe running in the task manager is a sign for me that the user has malware running on their system. 90% of time, I can rid the system of the running malware, and when I do, conhost.exe no longer appears.
WinTech

I have four (4) conhost.exe in my system. Three (3) of which are located in C:\Windows\WinSxS\amd64_microsoft-windows-consolehost... and the other on is located in C:\Windows\System32 2 files are unsigned (48 208 bytes)(w/o app info), while 2 are signed (367 616 bytes)
Bubblegum

The file is in the system32 folder, but when I check the properties, it says Created: Thursday, September 19, 2013, and Modified: Thursday, august 1, 2013. How is it possible to modify a file before it was created?
Gary

I have Windows 8.1. Norton 360 Firewall does not seem to like it. I wanted to "End Task" it but it threatened to shut down my computer if I did.
Michael Hill

all I know is that my win 7 has slowed down to a pitiful speed. When I invetigated I found it was the only program I could not delete from my startup menu. I want to delete it even if it is not the slow down problem. jerry
Jarl Plottner

Gotta love it when people chime in but don't know about this. conhost.exe IS a MS file, BUT, it can also be used as a Trojan, and with this name, most people will just think "It's a Windows File.
JW

Sometimes, viruses disguise themselves as conhost.exe. I have experienced it 2 months ago, what it does is that it removes explorer.exe from startup. If you are good at computers, you can easily bypass it, but removing it can get you at risk. So you can use an antivirus program like avast(which i used to remove it), kaspersky, etc.
Alvaro

If conhost.exe isn't being displayed in Task Manager as being in the System32 folder, it is a backdoor trojan, and darn near impossible to get rid of. I don't even know where it is in the file system.
wcanon

The conhost.exe process fixes a fundamental problem in the way previous versions of Windows handled console windows, which broke drag & drop. It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft. Scanning your computer for viruses is never a bad idea, though.
Hiro Protago

What I read at http://stackoverflow.com/questions/1313195/why-is-conhost-exe-being-launched & at "Link 4 More Info"
John Dough

Yo Gary, my main man. Files that are downloaded from the internet (or copied from an external source such as a CD) show the date on which it was last modified on the previous system it resided on. So when you download it, the creation date will naturally be more recent. This is also the case with many of Windows' and other programs' files, which you usually install from an external source (Win CD, OEM pre-installed version, downloaded patches etc.)
Ash

It opens as a process when a command prompt window in Windows 7 is opened, if terminated it kills the console/cmd window. Pretty sure it's a system file... as, uh, Windows "claims" it is. It was actually added on Win7 to secure the command prompt against exploitation/privilege escalation: "This exposure was addressed in Windows 7 and Windows Server 2008 R2 by running the console messaging code in the context of a new process, ConHost.exe. ConHost (Console Host) runs in the same security context as its associated console application. Instead of issuing an LPC request to CSRSS for message-handling, the request goes to ConHost. As a result, any attempts to exploit the message-handing code of the application will not result in an automatic escalation of privileges"
B.A. Rose (further information)

It is not harmless at all, each conhost.exe process has about 3000 context switches per second (thus reducing performance of the PC and contributing to the global warming). But there's no official way to disable it: https://blogs.technet.microsoft.com/askperf/2009/10/05/windows-7-windows-server-2008-r2-console-host/ So, it is a security patch for a design fault aka. bug. Microsoft would call it a (security) feature. Also, conhost applies themes and enables dragging commands toe the CMD. Useless for me, if not unwanted anyway.
M

47,104 bytes size on my computer

Just that in task manager there are three variants running most all the time on my Alienware 17 R4.
MarkE R

I have almost dozens of conhost.exe process running on my machine. all are pointing to same application which is resides in System32 folder. What should I do? Should I keep only 1 and delete other 11 or keep it as it is. Each process is consuming 0.5MB CPU Memory
Kushal Pardeshi

TrustedInstaller and camera software is source of active conhost often. Unpleasant
spread

I have blocked mine with Kaspersky because even though it's in the Windows\System 32 directory, Kaspersky Total Security tells me it is trying to affect the registry as well as install code injections. It is listed as a suspicious file.
Susan

Some times malware can fake conhost.exe. You can know more about it.
Steven (further information)

Show all user comments

Summary: Average user rating of conhost.exe: based on 63 votes with 34 user comments. 21 users think conhost.exe is essential for Windows or an installed application. 13 users think it's probably harmless. 4 users think it's neither essential nor dangerous. 13 users suspect danger. 12 users think conhost.exe is dangerous and recommend removing it. 9 users don't grade conhost.exe ("not sure about it").

Best practices for resolving conhost issues

A clean and tidy computer is the key requirement for avoiding problems with conhost. This means running a scan for malware, cleaning your hard drive using 1cleanmgr and 2sfc /scannow, 3uninstalling programs that you no longer need, checking for Autostart programs (using 4msconfig) and enabling Windows' 5Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the 6resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing of your installation or, for Windows 8 and later versions, executing the 7DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.

To help you analyze the conhost.exe process on your computer, the following programs have proven to be helpful: ASecurity Task Manager displays all running Windows tasks, including embedded hidden processes, such as keyboard and browser monitoring or Autostart entries. A unique security risk rating indicates the likelihood of the process being potential spyware, malware or a Trojan. BMalwarebytes Anti-Malware detects and removes sleeping spyware, adware, Trojans, keyloggers, malware and trackers from your hard drive.

Other processes

mccicmservice.exe smax4pnp.exe lmanager.exe conhost.exe ccsvchst.exe wpdshserviceobj.dll wshelper.exe wlidsvc.exe mailruupdater.exe avgnt.exe hwdeviceservice64.exe [all]

	Do you have additional information?
What do you know about conhost.exe:
How would you rate it:
Link for more info:
Your Name: