csrss.exe, smss.exe and lsass.exe - gHacks Tech News

csrss.exe, smss.exe and lsass.exe

Whenever I open the Task Manager I see the processes csrss.exe, smss.exe and lsass.exe listed there among others. I guess the same can be said for your version of Windows where those processes are most likely running as well.

To find out if that is the case, use Ctrl-Shift-Esc to bring up the Task Manager. You may need to scroll a bit -- Windows 8 users need to enable the advanced display mode -- before you find the processes, as everything is sorted alphabetically there.

You may also need to select the show processes from all users option before you find them listed here.

So, what are these processes actually doing and are they required to run whenever Windows starts?

Here is the explanation for the three processes csrss.exe, smss.exe and lsass.exe.

smss.exe - Windows Session Manager

smss.exe windows process

The process smss.exe is the Session Manager Subsystem located in C:\Windows\System32. If this file is located somewhere else it is most likely a trojan or virus. It is a critical Windows process that is responsible for the Winlogon and Win32 processes among other things.

To find out if it is located in the right directory, right-click on it and select the open file location option. If it is located in c:\windows\system32, it is in the right location.

The component does a lot of things. It creates environment variables, starts the kernel and user modes of the Win32 subsystem, creates DOS device mappings, virtual memory paging files, and starts winlogon.exe.

csrss.exe - Client Server Runtime Process

csrss.exe client server runtime

Next in the line is the process csrss.exe which is the Windows Client/Server Runtime Server Subsystem. It should be located in C:\Windows\System32 as well. If csrss.exe is located in another location it is most likely a virus or trojan. Like smss.exe csrss.exe is important for Windows to run.

The process is started along with winlogon.exe. If the file is corrupt, Windows will automatically shut down and you will experience a blue screen error with error code 0xc000021a.

The process should not be terminated, as it will lead to system failure if done. If you try to do so under Windows 7 or newer systems, you will receive a warning:

Do you want to end the system process 'csrss.exe'?

Ending this process will shut down the operating system immediately. You will lose all unsaved data. Are you sure you want to continue?

shut-down-csrss-exe

lsass.exe - Local Security Authority Subsystem Service

lsass-exe local security authority process

Last in the line we have lsass.exe which is the Local Security Authentication Server. If lsass.exe is executed from C:\Windows\System32 everything is fine. If it is not it could be a virus or trojan again. All three processes are important Windows system processes and should not be terminated.

This process enforces the security policy on the system. Among other things, it is responsible for user verification, password changes, and the creation of access tokens.

Summary
csrss.exe, smss.exe and lsass.exe
Article Name
csrss.exe, smss.exe and lsass.exe
Description
The guide describes what the three system processes csrss.exe, smss.exe and lsass.exe do on Windows.
Author

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. z0iid said on December 27, 2007 at 8:16 pm
    Reply

    smss.exe is also responsible for running services.exe, which of course in turn, is responsible for all services running on your computer.

  2. M said on December 27, 2007 at 11:44 pm
    Reply

    Sorry dude but this was a totally half-assed post. If you aspire to tell people what these processes are actually doing (even if briefly) then don’t just tell us their full names and repeat the same line (not in system32 = trojan) THREE times in a 10 line post. No point bringing up a topic if you have to end up dodging around it.

  3. Jen said on December 28, 2007 at 8:10 am
    Reply

    To summarize, don’t mess with any of them unless they arent’ located in C:\Windows\System32. :)

  4. Mountain said on January 16, 2008 at 12:19 am
    Reply

    I found this file smss.exe not only in System32 but also found in Windowmedia/Skin or smt like that ! Do u think it would be Trojan or Virus ?

  5. Martin said on January 16, 2008 at 12:36 am
    Reply

    It is most likely a virus or trojan. Try scanning it with virustotal.com or download a virus scanner like AVG or Antivir and check it with them.

  6. TANUJ KUMAR said on February 13, 2008 at 8:22 am
    Reply

    HI , i am found this file smss.exe it is system32 but it is also found system32\dllcache. it would be trojan or virus….

  7. z0iid said on February 14, 2008 at 4:26 pm
    Reply

    system32\dllcache is used to store system copies/backups of windows dll’s. sfc (System File Checker) uses this to replace system dll’s that get corrupted, deleted, renamed, or otherwise removed. If you suspect your system files have been tampered with – at the cmd prompt, type: sfc /scannow

  8. yogesh said on May 31, 2008 at 2:20 pm
    Reply

    hello,i am getting problem with the smss.exe,crss.exe and winlogon.exe it is located in my system32 directory i can’t do anything, every time i delete the file windows notify denied. please send me your update. thank you.

  9. urborn2die said on November 14, 2008 at 6:52 pm
    Reply

    Yogesh:
    If those are inside the system32 folder do NOT erase them. they are needed to run windows and you wont be able to erase them.

    One thing that must be said is that even with a file being in the system32 dir does not mean its NOT a virus. Make suer your antivirus scanner AND a anti malware/spyware program are updated and running. AVG internet program is great since it covers both virus and malware protection.

  10. sam the tech said on May 2, 2009 at 7:42 am
    Reply

    well guess what.

    to me its a frigin virus with fancy names.

    cause i gon on my comp wich is fine and any other well runing comp and i never say any of those 3 process.

    a process that is exe runned under a username.(not local or system) that pretend to be undeletable is a trojan, virus to me.

    the way it work is you can not delete a single one
    you need to delete all at the same time
    dont’ forget one or lese your comp wont boot
    not completly
    . cheers

  11. Matthias said on December 30, 2011 at 3:49 pm
    Reply

    Martin, you’re dumb. (and dangerous)

    Those 3 files are ESSENTIAL to Windows NT !!! It’s maybe its BASIS.

    SMSS manages the NT sessions with SERVICES.EXE and WINLOGON.EXE.
    Plus CSRSS manages the windows and graphics.
    LSASS is to connect to NT sessions !!

    In addition, Winlogon follows the session’s process, and services.exe manages the running services between the sessions (as TELNET service, the antivirus’ scanner service, DDE network service, etc.)

    1. Martin Brinkmann said on December 30, 2011 at 6:17 pm
      Reply

      I’m dumb because? Did not get the reason for your impoliteness.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.