Under Windows 2008 and Windows 7 a new process has appeared in Task Manager which did not exist before. This process is the Console Window Host, %SystemRoot%\system32\conhost.exe.
Some history first.
In previous versions of Windows (e.g. Windows 2003 and Windows XP), the first process to run during startup is SMSS.EXE, which is in charge of session management and is the parent process of:
- winlogon.exe, the Windows logon manager
- CSRSS, which provides the user-mode side of the Win32 subsystem.
CSRSS also performs all the GUI work (window and message handling) on behalf of non-GUI console applications such as NSLOOKUP and TELNET, while those console applications themselves run with the privileges of the current user account.
So, to summarize, in Windows 2003 and Windows XP the process hierarchy looks something like this:
- SMSS.EXE
  - Winlogon.exe
  - CSRSS.exe (runs under Local System)
    - Nslookup (runs with current user account privileges)
    - Telnet (runs with current user account privileges)
In newer versions of Windows, Microsoft has addressed this problem (console message handling for a user's program being performed inside CSRSS, which runs as Local System) by inserting a new process between end-user console programs and CSRSS: conhost.exe.
conhost.exe runs in the very same security context as its associated console application. Instead of issuing an LPC request to CSRSS for message handling, the console application sends the request to conhost.exe. As a result, an attempt to exploit the message-handling code no longer results in an automatic escalation of privileges, because conhost.exe holds no more privilege than the application it serves.
Furthermore, starting with Windows Vista and Windows 2008, Microsoft adopted an additional isolation mechanism: user sessions are moved out of Session 0, separating a logged-in user's message loop from the high-privilege system services, which are loaded into Session 0.
So, while in Windows 2003 and XP we have non-GUI programs only...
Thanks for this post! It helped me a lot!
Suze
Thanks!!!!!!!!
I keep seeing up to 8 instances of conhost.exe open on my Windows 2008 R2 web server. The path looks legit enough, but I wonder why they keep showing up? I think someone (illegitimate) is trying to log in or otherwise access the machine and this is as far as they get.
Have you checked your system with an antivirus and then with an anti-spyware tool? It's the first step.
The second step is to dump netstat information and check that you know all the incoming IP addresses.
Post also information about the paths for conhost.exe otherwise it is hard to tell.
Carlo
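The security-context change described in the post (conhost.exe running as the console application's user rather than as Local System, outside Session 0) and the question in the comments about verifying conhost.exe instances and their paths can both be checked on a live system. The following PowerShell script is an added example written for this page; it is not code from the original post or from Microsoft. It assumes Windows PowerShell 3.0 or later with WMI available (Get-WmiObject and Win32_Process), and it is best run from an elevated prompt so that other users' processes and their image paths are visible.

```powershell
# Added example (not from the original post): report every conhost.exe instance with
# its owner, session, parent process and image path, and flag unexpected paths.
# Assumes Windows PowerShell 3.0+ with WMI; run elevated to see all users' processes.

function Get-ConhostReport {
    $expectedPath = Join-Path $env:SystemRoot 'System32\conhost.exe'

    # Snapshot all processes once so parents can be resolved without extra WMI calls.
    $all   = Get-WmiObject -Class Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($h in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
        # Owner: conhost runs in the security context of the console application it
        # serves, so a logged-on user's instance should show that user, not SYSTEM.
        $owner = $h.GetOwner()
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }

        # Parent: on Windows 7 / 2008 R2 this is csrss.exe, which spawns conhost on behalf
        # of the console application; on Windows 8 and later it is the console application itself.
        $parent = $byPid[[int]$h.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        # Path: the legitimate binary lives in %SystemRoot%\System32. ExecutablePath is
        # empty for processes the caller cannot open, which is why elevation matters.
        $pathOk = if ($h.ExecutablePath) { $h.ExecutablePath -ieq $expectedPath } else { $null }

        [pscustomobject]@{
            PID     = $h.ProcessId
            Session = $h.SessionId
            Owner   = $ownerName
            Parent  = "$parentName (PID $($h.ParentProcessId))"
            Path    = $h.ExecutablePath
            PathOK  = $pathOk
        }
    }
}

# Print the table; a row with PathOK = False, an interactive session owned by SYSTEM,
# or an unexpected parent is the one worth investigating further.
Get-ConhostReport | Sort-Object Session, PID | Format-Table -AutoSize
```

On a healthy Windows 7 or 2008 R2 machine every row should show the system32 path, the owner of the console application it serves, and a non-zero session for interactive users; several instances at once is normal, since each console application (including scheduled tasks and services that launch console tools) gets its own conhost.exe, and Session 0 rows owned by SYSTEM are expected for services.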