How to Remove Csrss Exe

By John Ruiz

CSRSS.EXE is a key system file that serves as the processor controller for Windows. It creates and schedules the smallest pieces of executables, known as threads, for a processor. CSRSS.EXE processes multiple threads to carry out Windows tasks as requested by users. Windows can cause a “Blue Screen of Death” if you terminate this process. This fact explains why certain Trojan applications and spyware disguise themselves as the CSRSS.EXE file so it is more difficult to detect. The Trojan version of the CSRSS.EXE file is used by various keyloggers, such as Beyond Keylogger, as well as variations of lethal worms, including Sober. It does not replace the original CSRSS.EXE file located in the “WINDOWS\\SYSTEM32” path of your Windows drive so you must find the Trojan CSRSS.EXE file and remove it.

Step 1

Configure your Windows to display hidden files and protected operating system files by going to the Control Panel “Folder Options.” Go there by clicking the Start menu and going to “Run” and typing “control folders” without quotes. If you are using Windows Vista or 7, hold the Windows key and press the letter “R” on your keyboard to pop up the “Run” dialog. Click the “View” tab and select the “Show hidden files, folders, and drives” option and uncheck “Hide protected operating system files” checkbox.

Step 2

Hold the Windows key and press the “F” key to load the “Search” dialog, which will help you find the Trojan. Type “csrss.exe” without quotes and press the “Enter” key to search for the location of the file.

Step 3

Wait for Windows to finish the search results and observe the entries. Look for a CSRSS.EXE file that is not located in the “WINDOWS\\SYSTEM32” path. Take note of the path where the fake CSRSS.EXE file is located.

Step 4

Press the “Ctrl,” “Shift,” and “Esc” keys simultaneously to load the Windows Task Manager. Click the “Processes” tab and click the “Image Name” column header to sort the processes by filename. Right-click the “csrss.exe” entry that does not have the “System” user name associated with it and click “End Process.” Confirm the dialog that you wish to kill the process.

Step 5

Go to the path that you obtained in Step 3 and place the CSRSS.EXE file along with any other files in that folder into the “Recycle Bin.” Restart your computer and check the Windows Task Manager again to see if the Trojan is gone.

Tips & Warnings

  • For best results, set the search options to look in “Local Hard Drives” or “My Computer.”
  • If you run into some problems, after restarting, return some of the files inside the “Recycle Bin” to their last location, but do not recover the CSRSS.EXE file. Once your problem is solved, you can empty the “Recycle Bin” to permanently delete the Trojan.