Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

csrss.exe issue


  • Please log in to reply
17 replies to this topic

#16 PatL

PatL
  • Topic Starter

  •  Avatar image
  • Members
  • 355 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 02 April 2021 - 10:01 PM

This is the csrss.exe

 

https://www.virustotal.com/gui/file/39525caad5d0a379fc906e359fac9983e43459bf69dc878f934376e61dc6057b/detection



BC AdBot (Login to Remove)

 


#17 cknoettg

cknoettg

  •  Avatar image
  • BC Advisor
  • 1,897 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Delray Beach, FL
  • Local time:12:53 AM

Posted 03 April 2021 - 07:38 AM

This is just my opinion, but until software developers and management (and other stakeholders) get on board with making sure that security certificates are kept up-to-date, and implemented in a consistent fashion, we will always have this problem. (Or maybe they are on board, but do not have the time. I don't know).

 

Even for big companies like Microsoft and Dell (or maybe, ESPECIALLY for big companies?), sometimes the certificates are up-to-date, sometimes they're not. Sometimes applications are signed, sometimes they are not. Even within the same company. I see it every single day.

 

If you type 'certmgr' into the Windows 10 search bar, and open Manage Computer Certificates, what do you see listed for Untrusted Certificates?

Even a "clean" version of csrss.exe may have the same issue. 

 

Because I am a glutton for punishment, I'm going to delete csrss.exe on my working machine, see what happens and report back.

 

Edit 1: Better yet: if you right-click csrss.exe, go to Properties, and select Digital Certificates, what does it list for certificate. Mine is currently dated 9-2020, with an expiration date of 1-22-2021 (i.e.: "in the past," "already expired"....smh), and yet no warnings would probably ever be generated, because, by dog it, it is signed from Microsoft, a Trusted Publisher.

 

Edit 2: What does Details tab say when you right-click csrss.exe? What does Version History say?

 

Edit 3: Let me preface this by saying that one does not simply delete a major system file like csrss.exe. It is not a right-click and delete operation.

But the result was as expected: I deleted it, rebooted the computer, and Windows automatically recreated it - exact same version/date, exact same certificate.

 

High-level steps for deleting it (which likely won't solve your problem):

Change ownership of file from TrustedInstaller to yourself

Reboot into the Advanced Windows Boot Options Menu (or whatever they call it nowadays) - Shift -> Restart is my favorite way of getting there from inside of Windows

Select the Command Prompt option, and delete it via command prompt ( del /f csrss.exe)

Reboot

 

My desktop icons were gone for a second while it was busy recreating the file, but no ill effects that I can tell.


Edited by cknoettg, 03 April 2021 - 08:17 AM.

Microsoft MCE, CASP+, Linux+, Server+, Cloud+, Certified Forensic Computer Examiner


#18 PatL

PatL
  • Topic Starter

  •  Avatar image
  • Members
  • 355 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 03 April 2021 - 01:57 PM

Details & digital signature here mine says Microsoft Windows Publisher

Attached Files






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users