Conhost.exe is required to run in order for Command Prompt to interface with File Explorer. One of its duties is to provide the ability to drag and drop files/folders directly into Command Prompt. Even third-party programs can use conhost.exe if they need access to the command line. In most circumstances, it’s entirely safe and does not need to be deleted or scanned for viruses. It’s even normal for this process to be running several times simultaneously (you’ll often see multiple instances of conhost.exe in Task Manager). However, there are situations where a virus could be masquerading as the conhost EXE file. One sign that it’s malicious or fake is if it’s using up lots of memory.
Software That Use Conhost.exe
The conhost.exe process is started with each instance of Command Prompt and with any program that utilizes this command-line tool, even if you don’t see the program running (like if it’s running in the background). Here are some processes known to start conhost.exe:
Dell’s “DFS.Common.Agent.exe” NVIDIA’s “NVIDIA Web Helper.exe”Plex’s “PlexScriptHost.exe”Adobe Creative Cloud’s “node.exe”
Is Conhost.exe a Virus?
Most of the time, there’s no reason to assume conhost.exe is a virus or that it needs to be deleted. However, there are some things you can check if you’re not sure. For starters, if you see it running in Windows Vista or XP, then it most certainly is a virus, or at least an unwanted program, because those versions of Windows don’t use this file. If you see conhost.exe in either of those Windows versions, skip down to the very bottom of this page to see what you need to do. Another indicator that it might be fake or malicious is if it’s stored in the wrong folder. The real conhost.exe file runs from a very specific folder and from that folder only. The easiest way to learn whether the process is dangerous or not is to use Task Manager to do two things: a) verify its description, and b) check the folder that it’s running from. This is the real location of the non-harmful process: If this is the folder where conhost.exe is being stored and running from, there’s a really good chance that you’re not dealing with a dangerous file. Remember that this is an official file from Microsoft that has a real purpose to be on your computer, but only if it exists in that folder. However, if the folder that opens at Step 4 is not the System32 folder, or if it’s using a ton of memory and you suspect that it shouldn’t need that much, keep reading to learn more about what’s happening and how you can remove the conhost.exe virus.
Why Is Conhost.exe Using So Much Memory?
A normal computer running conhost.exe without any malware might see the file use around several hundred kilobytes (e.g., 500 KB) of RAM, but likely no more than 10 MB even when you’re using the program that launched conhost.exe. If conhost.exe is using a lot more memory than that, and Task Manager shows that the process is utilizing a significant portion of the CPU, there’s a good chance the file is fake. This is especially true if the steps above lead you to a folder that isn’t C:\Windows\System32. There’s a particular conhost.exe virus called Conhost Miner that stores itself in this folder, and possibly others: This virus attempts to run a Bitcoin or other cryptocoin mining operation without you knowing, which can be very demanding of the memory and processor.
How to Remove a Conhost.exe Virus
If you confirm or even suspect that conhost.exe is a virus, it should be fairly straightforward to get rid of it. There are lots of free tools available that you can use to delete the conhost.exe virus from your computer, and others to help make sure it doesn’t come back. However, your first attempt should be to shut down the parent process that’s using the file so it will no longer be running its malicious code, and to make it easier to delete. Now that the file is no longer attached to the parent program that started it, it’s time to remove the fake conhost.exe file: