Click Options tab in Process Explorer and select VirusTotal.com > Check VirusTotal.com for analyses.
~bhringer
Suspicious Conhost.exe
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
Hello Everyone.
I was looking into process explorer when I found a new instance of conhost.exe that has no parent and runs with SYSTEM permissions.
I inspect my PC with Process explorer every now and then and I had never seen a solo instance of conhost let alone one with no parent.
As far as I can tell it does not do anything but I am afraid that it could be a Remote Access Tool in disguise.
I have a minidump of this process but I do not know how to attach it to this message.
Neither Windows Defender nor MBAM detect this as malware.
I was wondering if any specialists could explain why this solo process would be running, stopping and killing the process does not affect the system in any way I can tell. Description of the process in itself does not show anything remarkable.
I hope anyone can help me with this issue, thank you in advance for your assistance.
Best Regards - Kenny.
Windows for home | Windows 10 | Security and privacy
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
7 answers
Sort by: Most helpful
-
_AW_ 67,256 Reputation points Volunteer Moderator2021-09-25T23:15:11+00:00 That SafeBoot\AlternateShell entry is needed for the rare occasion that you may want to boot Safe Mode with Command Prompt.
-
Anonymous
2021-09-19T02:23:38+00:00 Hi.
VirusTotal says it is fine.
However the problem is that this is a working process with no parent.
No idea what spawned it or what is it doing.
I normally look into my pc for anomalies and I had never seen a lone conhost.exe without a parent. Especially because it is not spawned along other processes.
-
Anonymous
2021-09-25T19:44:28+00:00 Antimalware finds nothing so perhaps it is an initial process for a service that it is not well configured.
Gonna check out those other forums.
Thank you for your reply bhringer.
Best Regards - Kenny
-
bhringer-9380 4,350 Reputation points Volunteer Moderator2021-09-21T13:18:25+00:00 Hi Kenny,
Apologies for late response. Have been looking at a couple of my own machines for comparison. I don't have any idea either why you have an instance of conhost.exe without a parent. I only have a single conhost.exe running under laptop touch-pad driver and it seems well behaved.
There's always a possibility of it being associated with something malicious, but If it's residing in Windows/System32, not consuming resources and VT results are clean I wouldn't consider it suspect.
Here's a related thread in this community that may be helpful https://answers.microsoft.com/en-us/protect/forum/all/what-is-conhostexe/38a69fb8-ded2-4f35-85c5-4d69cb8d016b
Your question is somewhat outside the technical scope of this community and might be better addressed in another forum (possibly Bleeepingcomputer.com) or the following Microsoft Q&A resource: https://docs.microsoft.com/en-us/answers/products/
Sorry I couldn't be more helpful.
~bhringer