What is the purpose of the csrss.exe (Client/Server Runtime Server Subsystem) on Windows?
Maybe someone could give a good explanation or pointers to documentation? Unfortunately Google results are pretty noisy when searching a core process of Windows.
The reason I'm asking is that I got a BSOD from my service application which seems to be related to the csrss.exe process, at least this is what the analysis of the memory dump shows:
PROCESS_OBJECT: 85eeeb70
IMAGE_NAME: csrss.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: csrss
FAULTING_MODULE: 00000000
PROCESS_NAME: PreviewService.
BUGCHECK_STR: 0xF4_PreviewService.
DEFAULT_BUCKET_ID: DRIVER_FAULT
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 80998221 to 80876b40
STACK_TEXT:
f5175d00 80998221 000000f4 00000003 85eeeb70 nt!KeBugCheckEx+0x1b
f5175d24 8095b1be 8095b1fa 85eeeb70 85eeecd4 nt!PspCatchCriticalBreak+0x75
f5175d54 8082350b 00000494 ffffffff 051bf114 nt!NtTerminateProcess+0x7a
f5175d54 7c8285ec 00000494 ffffffff 051bf114 nt!KiFastCallEntry+0xf8
051bf114 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
STACK_COMMAND: kb
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0xF4_PreviewService._IMAGE_csrss.exe
BUCKET_ID: 0xF4_PreviewService._IMAGE_csrss.exe
Followup: MachineOwner
EDIT: Thanks already for the good answers, but I actually don't need help concerning my service, I just would like to get some basic understanding of what the purpose of this service is.
-
csrss is the user-mode portion of the Win32 subsystem -- the user-mode analog to the kernel-mode win32.sys. As for what's going on with your particular service, it's hard to say without some better hints about what your service is doing.
-
CSRSS hosts the server side of the Win32 subsystem. It is considered a system critical process, and if it is ever terminated you'll get a blue screen. More data is necessary, but you need to find out if some process is terminating csrss, or if it is crashing due to a bug.
Windows Internals is a great book for stuff like this. Wikipedia also has an article on CSRSS.
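Whether another process terminated csrss or csrss exited on its own can often be read from the dump summary itself. The following Python triage of the `!analyze` text quoted in the question is an added example, not part of the original answers; `triage` and its result keys are hypothetical names. It assumes PROCESS_NAME is the process context of the thread that hit the bug check and that `kb` lists three arguments per frame.

```python
import re

# Constructed sample: excerpt of the debugger output quoted in the question.
SAMPLE = """\
IMAGE_NAME: csrss.exe
PROCESS_NAME: PreviewService.
BUGCHECK_STR: 0xF4_PreviewService.
STACK_TEXT:
f5175d00 80998221 000000f4 00000003 85eeeb70 nt!KeBugCheckEx+0x1b
f5175d24 8095b1be 8095b1fa 85eeeb70 85eeecd4 nt!PspCatchCriticalBreak+0x75
f5175d54 8082350b 00000494 ffffffff 051bf114 nt!NtTerminateProcess+0x7a
f5175d54 7c8285ec 00000494 ffffffff 051bf114 nt!KiFastCallEntry+0xf8
051bf114 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
STACK_COMMAND: kb
"""

FIELD = re.compile(r"^([A-Z_]+):\s*(\S.*)?$")
FRAME = re.compile(r"^((?:[0-9a-f]{8}\s+){5})(\S+?)(?:\+0x[0-9a-f]+)?$")
OBJECT_KIND = {0x3: "process", 0x6: "thread"}  # bug check 0xF4, parameter 1

def triage(text):
    """Summarise a 0xF4 (CRITICAL_OBJECT_TERMINATION) dump; None if not 0xF4."""
    fields, frames = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = FRAME.match(line)
        if m:
            # kb columns: ChildEBP, RetAddr, then the first three arguments
            frames.setdefault(m.group(2), [int(x, 16) for x in m.group(1).split()[2:]])
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = (m.group(2) or "").strip()
    bug = frames.get("nt!KeBugCheckEx")
    if not bug or bug[0] != 0xF4:
        return None
    image, caller = fields.get("IMAGE_NAME", ""), fields.get("PROCESS_NAME", "")
    # Assumption: PROCESS_NAME holds at most 15 characters of the image name
    same = caller.lower() == image[:15].lower()
    return {
        "critical_image": image,
        "object_kind": OBJECT_KIND.get(bug[1], "unknown"),
        "object_address": f"{bug[2]:08x}",
        "calling_process": caller,
        "terminate_call_on_stack": "nt!NtTerminateProcess" in frames,
        "terminated_by_other_process": "nt!NtTerminateProcess" in frames and not same,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the dump in the question this reports a terminate call made in the context of `PreviewService.` against the csrss.exe process object at 85eeeb70.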
-
One thing it does is provide the default console window for console apps like cmd.exe. At least according to jdeBP:
It would appear that when a console app process is created without being passed handles to stdin, stdout and stderr, then some interprocess comms asks csrss to create a console window in a new thread and give its IO handles to the console process.