Client/Server Runtime Subsystem, or csrss.exe, is an essential component of the Windows NT™ family of operating systems. It provides the user mode side of the Win32 subsystem and is included in Windows 2000 and later, while Win32.sys is the kernel-mode portion of the Win32 Subsystem.
Since Windows NT 4, most of the Win32 subsystem operations have been moved to kernel mode drivers. So CSRSS is mainly responsible for Win32 console handling and GUI shutdown.
CSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or side-by-side support, instead of issuing a system call, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel. Window manager and GDI services are instead handled by a kernel mode driver (win32k.sys).
CSRSS is called along with winlogon.exe at Windows startup. If either of the files is corrupted or otherwise inaccessible, the NT kernel will shut down the startup process with a BSOD displaying error 0xc000021a. This is caused by a failure to move out of kernel mode and into user mode.
Vista and Windows 7 both run two instances of csrss.exe.
Starting with Windows 7, instead of drawing console windows itself, CSRSS spawns conhost.exe subprocesses to draw console windows for command line programs with the permissions of that user.
Commit history (Source code can be found in:
Notes and references
- "Detailed implementation of a system service in Windows NT". Undocumented Windows NT. Retrieved 2017-06-11.
- Russinovich, Mark (2009). Windows Internals, 5th Edition Microsoft Press. p. 54.
- "Inside the Windows Vista Kernel – Startup Processes". Inside the Windows Vista Kernel – Startup Processes. Microsoft. Retrieved 2010-10-01.