The following guide provides you with information on the Windows process conhost.exe which you may notice on Windows 7 or newer versions of Windows.
I just noticed the process conhost.exe for the first time in Windows 7's task manager. Not sure if it was never there before, or if I did not have the Windows Task Manager open at the time it was running on the operating system.
The properties of the conhost.exe process describe it as the Console Window Host which suggests that it is linked to console windows. The process was created by Microsoft Corporation, and runs under the csrss.exe process.
Please note that you may see one conhost process, or multiple processes in the Windows Task Manager or other process managing tools.
Verify that conhost.exe is legitimate
First thing you may want to do is verify that the conhost.exe process is legitimate, and not some kind of virus.
Fire up the Windows Task Manager using Ctrl-Shift-Esc, and switch to Processes on older versions of Windows, or to Details in newer versions of Windows.
Conhost.exe does not run all the time though, and you may not see it listed by default. I explain what the process is later on in the guide, but you can invoke it by launching a new command prompt window for instance.
But is it safe? If conhost.exe is located in c:\windows\system32 then yes, it is safe. Right-click on the process, and select "Open file location" from the context menu. This should take you directly to the system32 directory of the Windows installation.
If the Task Manager takes you elsewhere, you may have spotted a virus that disguises itself as conhost.exe.
It never hurts to check the file for malicious code, on the other hand. You can do that for instance on the Virustotal website. Just upload the file to the online service, and wait for the scan results. Again, if it is in system32 it should be safe; if it is not, it is probably not.
The conhost process disappears once the host process that launched it is closed in Windows. If that is the case, it is fair to assume that it is not a virus that is responsible for the launching of the process.
Deeper analysis of conhost.exe
I suggest you use a program like the free Process Explorer to dig deeper. To get started, launch the application with elevated rights (by right-clicking on its executable file and selecting the "run as administrator" option).
Process Explorer is like an advanced version of the Windows Task Manager. It lists a wealth of information that the Task Manager does not list.
Click on the search icon in the main toolbar, and enter conhost to get started. Process Explorer checks all processes, and returns any process, dll, thread or file that is related to conhost.exe.
Among the information that is displayed are the process IDs and, when files are loaded, their paths. This is useful information, as you can quickly check whether conhost.exe is run from the system32 directory, or another location.
You may click on any result to jump directly to the entry in the Process Explorer window. I suggest you right-click on the conhost.exe file there and select properties to start the deeper analysis of the process.
Process Explorer may also be used to submit the process directly to Virustotal for checking. You may save yourself a step if you use Process Explorer.
The properties page for conhost.exe highlights several important pieces of information. First, the process's path on the local system, and the parent process. On the screenshot above, c:\windows\system32\conhost.exe is the location of the file, and its parent process is cmd.exe. You may see different processes there depending on the programs that you run. It is usually a good idea to verify those as well, especially if they load conhost.exe from a different location than system32.
You may also want to check the TCP/IP tab, just to make sure that nothing fancy is going on there. Conhost.exe should not connect to the network or Internet, and if you see a blank table there, that is another indicator that everything is alright.
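The same checks (file location, parent process, network connections) can be scripted for every running conhost.exe at once. The PowerShell below is an added example, not part of the original guide; it assumes an elevated prompt and Windows 8 or newer (for Get-NetTCPConnection), and the variable and property names are illustrative.

```powershell
# Added example: audit all running conhost.exe instances against the guide's checks.
# Run elevated, otherwise ExecutablePath is empty for processes of other users.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Snapshot all processes once and index them by PID to resolve parents.
$all  = Get-CimInstance -ClassName Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[uint32]$p.ProcessId] = $p }

$report = foreach ($proc in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
    $path = $proc.ExecutablePath

    # Parent may already have exited; a reused PID can also point at an
    # unrelated process, so treat the parent name as a hint, not proof.
    $parent = $byId[[uint32]$proc.ParentProcessId]

    # Check 1: the image must be the one in %SystemRoot%\System32.
    # An unreadable (empty) path is reported as not OK so it gets a second look.
    $pathOk = [bool]($path -and ($path -ieq $expected))

    # Check 2: conhost.exe should not own any TCP connections.
    $conns = @(Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue)

    # SHA-256 of the file on disk, usable for a Virustotal search
    # as an alternative to uploading the file.
    $hash = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else { $null }

    [pscustomobject]@{
        ProcessId      = $proc.ProcessId
        Path           = $path
        PathOk         = $pathOk
        ParentName     = if ($parent) { $parent.Name } else { '<exited>' }
        ParentPath     = if ($parent) { $parent.ExecutablePath } else { $null }
        TcpConnections = $conns.Count
        SHA256         = $hash
        NeedsReview    = (-not $pathOk) -or ($conns.Count -gt 0)
    }
}

# Entries that fail a check are listed first.
$report | Sort-Object NeedsReview -Descending | Format-List
```

If no console window is open, the report is empty; open a command prompt first to see at least one entry.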
After some testing I discovered that conhost.exe always appeared as a process when I played a video in SMPlayer. The process is killed immediately if the video player window is closed.
Conhost.exe will also appear as a process in the Task Manager if a command line prompt is opened in Windows 7. The process is always started if a command line window (hidden or visible) is launched in Windows 7.
The reason for this is simple: Microsoft is using the conhost.exe process as a proxy between the csrss process, which was responsible for the command line in Windows XP & Windows Vista, and the cmd.exe program itself. It ensures that the command line window is fully compatible with the theme of the operating system.
Another feature that it introduces is the ability to drag and drop files from Windows Explorer directly to the command line prompt which XP supported but Vista did not.
So, conhost.exe ensures that the console in Windows uses the operating system's theme, and that drag and drop is supported as well.
To sum it up: If conhost.exe is located in the Windows/system32 folder then everything is likely in order. You can right-click on the program in Windows Explorer and select properties to display additional information about it.