The other day, my PC spawned a lot of instances of conhost.exe and I was wondering what I could do about it to decrease the number of instances and avoid the high CPU load that goes along with it.
About Conhost Executable
Conhost stands for Console Window Host. It is a host program that can contain other non-GUI programs such as cmd.exe, and it will spawn one instance for each new command prompt or non-GUI program.
You may be familiar with a related executable called svchost, where each instance of svchost.exe can host a multitude of Windows services. Conhost is very similar in that regard and will spawn a new instance every time you run a program that is not a GUI program.
Examples of non-GUI programs that launch conhost include:
- The command prompt cmd.exe
- PowerShell, any *.ps1 script
- Any *.py script
Any non-GUI script including Python may launch Conhost instances.
How does this protect my PC from malware?
In previous versions of Windows (XP and Vista), an executable called CSRSS.exe was responsible for handling console input (non-GUI). The problem was that CSRSS.exe would not run under a user account and could be used to gain full system privileges, which made it easy for malware exploits to take over a remote machine. This is no longer possible in Windows 7 and Windows 8, because console programs and their respective streams are handled by a new process called ConHost (Console Host) in order to avoid giving malware elevated rights over your machine.
In essence, ConHost protects you from malware by mitigating the risk of exploits that would allow a third party to take control of your machine.
High CPU Usage Causes
Similar to other host services, ConHost launches a new instance every time you or something in the background opens a console program. So, if you have recently installed programs that make extensive use of cmd.exe, or you have batch files running backups or similar jobs in the background, it may put a strain on your system resources. That, together with memory leaks, may cause your CPU usage to go up to 100 percent.
How To Fix CPU Load And Stop Conhost From Spawning
In order to fix your issues, you need to first analyze what program is spawning them.
1. Step Download a copy of ProcessExplorer
2. Step Open ProcessExplorer and locate any conhost.exe instances. Look out for the black C:\ icon.
3. Step Also look for uncommon uses of conhost. For example, Siber Systems’ RoboForm makes use of conhost to integrate itself into Google Chrome using rf-chrome-nm-host.exe, apparently another host service that loads data from a secure database into Google Chrome.
4. Step What you can try is killing the conhost instance to see if it breaks anything. A simple restart of the program will be sufficient to make it launch conhost.exe again.
5. Step Next, after we have identified what is causing conhost to launch so many instances, you have multiple options. First, remove the program that is causing it and re-install it. Second, make sure you don’t have any malware on your PC. One common cause for conhost to be at 100% is an infected PC. Malware may use batch files and other sneaky things that run in the background of your computer and will consequently spawn the conhost executable. To rule that out, we are going to download a program called Malwarebytes Anti-Malware (read the guide for more instructions).
6. Step Ok, so far we have analyzed what is spawning the instances, removed malware from our PC and re-installed the programs that caused issues.
What’s next? Depending on your use of the computer, it’s possible that conhost only becomes active while you’re doing something (not idle). So, use your computer like you normally would and keep a close eye on the ProcessExplorer we downloaded in step 2.
For example, Python programmers or PowerShell users will most likely see that their scripts launch Conhost instances. If you frequently play video games such as MMOs (Phantasy Star Online or any NCSoft games), it is entirely possible that GameGuard or other anti-cheating programs will make use of a non-GUI program to monitor your console streams in order to prevent sophisticated game hacks. I play some NC games occasionally, so I will look into this and update this article should I find anything suspicious.
7. Step Next, open the Windows Task Scheduler and look for any tasks that run batch files or that you are sure are not internal Windows tasks.
8. Step Disable the tasks that you believe may cause issues. Make sure to remember them or write the names down in case you want to re-enable them later on.
9. Step One possibility is that your Master Boot Records are infected. A tool called mbrcheck.exe may help you to check your MBR for viruses.
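The Task Scheduler review in steps 7 and 8 can also be done from PowerShell. The following is an added example, not part of the original article: it assumes the ScheduledTasks module (Windows 8 / Server 2012 or later, so not a stock Windows 7), and the match pattern and the CSV file name are choices made for this sketch.

```powershell
# Added example: list enabled, non-Microsoft scheduled tasks that start a
# console program or script, i.e. tasks that will spawn conhost.exe.

# Constructed pattern of console hosts and script types worth reviewing.
$consolePattern = '(?i)(\bcmd(\.exe)?\b|\bpowershell(\.exe)?\b|\b[wc]script(\.exe)?\b|\bpython|\.(bat|cmd|ps1|vbs|py)\b)'

$hits = foreach ($task in Get-ScheduledTask) {
    if ($task.State -eq 'Disabled') { continue }

    # Skip the built-in Windows task tree. Remove this line for a full review,
    # since nothing stops a rogue task from being registered under \Microsoft\.
    if ($task.TaskPath -like '\Microsoft\*') { continue }

    foreach ($action in $task.Actions) {
        # Only "start a program" actions carry Execute/Arguments; other
        # action types produce an empty string here and are ignored.
        $cmdLine = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmdLine -match $consolePattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                RunAs   = $task.Principal.UserId
                Command = $cmdLine
            }
        }
    }
}

$hits | Sort-Object Task | Format-List

# Step 8 says to write the names down before disabling anything: keep a copy.
$hits | Export-Csv -NoTypeInformation "$env:USERPROFILE\conhost-task-review.csv"

# To disable one task after review (fill in the values from the list above):
# Disable-ScheduledTask -TaskPath '<task path>' -TaskName '<task name>'
# Enable-ScheduledTask restores it later.
```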
Last, But Not Least: Analyze ConHost Location
Ok, let me sum it up for you: We have analyzed possible causes, used anti-malware software to remove malware and made sure our Master Boot Record is not infected. We also verified that our own behaviour is not causing any issues. The last thing we can try is to check whether any of the currently running ConHost instances are in a location where they are not supposed to be.
1. Step By default, Conhost.exe will be located at C:\Windows\System32\conhost.exe
2. Step Open ProcessExplorer, right-click on every conhost.exe that you can find and select Properties.
3. Step On the properties popup you will see a path at the top. It absolutely always has to read: C:\Windows\System32\conhost.exe
If the path is different, click on Explore and use your antivirus to put the file into quarantine. Then restart and run any antivirus software you can find, including a full system check using Malwarebytes Anti-Malware, ESET Anti-Virus and Spybot from safer-networking.org
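The two manual checks in this article, finding which program is behind each conhost.exe and confirming its path, can be scripted in one pass. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later (for Get-CimInstance), and the Status labels are made up for this script.

```powershell
# Added example: triage every running conhost.exe by image path and parent.
# Run from an elevated prompt so the paths of other users' processes are readable.

$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# Index all processes by PID so each conhost can be matched to its parent.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[uint32]$_.ProcessId] = $_ }

$conhosts = $byPid.Values | Where-Object { $_.Name -ieq 'conhost.exe' }

$report = foreach ($p in $conhosts) {
    $parent = $byPid[[uint32]$p.ParentProcessId]

    # PIDs are reused: only trust the parent entry if it started before the child.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    if (-not $p.ExecutablePath) {
        $status = 'PATH UNREADABLE'          # usually means: not elevated
    } elseif ($p.ExecutablePath -ieq $expected) {
        $status = 'OK'
    } else {
        $status = 'UNEXPECTED LOCATION'      # quarantine candidate per the steps above
    }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Status     = $status
        Path       = $p.ExecutablePath
        ParentPID  = $p.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '(exited)' }
        ParentCmd  = if ($parent) { $parent.CommandLine } else { $null }
    }
}

# Per-instance detail, unexpected locations first.
$report | Sort-Object Status -Descending |
    Format-Table PID, Status, Path, ParentName, ParentCmd -AutoSize -Wrap

# Which programs account for the most console hosts?
$report | Group-Object ParentName | Sort-Object Count -Descending |
    Select-Object Count, Name
```

On Windows 7 the parent shown is usually csrss.exe, which starts conhost on behalf of the console program, so the per-program grouping is only meaningful on Windows 8 and later.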
As you can see, there are a number of reasons why ConHost may spawn so many instances and why it is causing such a high CPU load on your machine. The most common problems are infections, but you should carefully analyze your behaviour and PC usage to better understand what is triggering the high CPU load.
In a nutshell, tools like ProcessExplorer are invaluable when it comes to analyzing your machine and finding possible bottlenecks.