# csrss.exe (Client Server Runtime Subsystem)

* **Function:** A critical, core Windows process responsible for managing console windows (like Command Prompt), creating and deleting threads, and handling parts of the graphical subsystem. Due to its low-level operations, its memory often contains **logged paths** of executed files (`.exe`) and loaded libraries (`.dll`).
* **Accessibility Issues:** As a protected system process, accessing `csrss.exe` memory often requires **administrator privileges** and the **Kernel Mode Driver** enabled in System Informer. Antivirus software can sometimes interfere, and access might be restricted on heavily locked-down systems or specific Windows builds. There are typically two instances of `csrss.exe` running.
* **Filtering Logic (Multiple Instances):** When analyzing the two `csrss.exe` instances:
  * For finding executed **`.exe` files (with standard extensions)**, focus analysis on the instance with **fewer** private bytes.
  * For finding **loaded/injected `.dll` files** OR **`.exe` files with spoofed/changed extensions**, focus analysis on the instance with **more** private bytes.
* **Common Search Patterns (Regex, case-insensitive):**
  * `^[A-Z]:\\.+\.exe$`: Finds full paths ending specifically in `.exe` (the dot before the extension is escaped so it matches a literal period rather than any character). Primarily used on the instance with *fewer* private bytes.
  * `^[A-Z]:\\.+\.dll$`: Finds full paths ending specifically in `.dll` (dot escaped as above). Primarily used on the instance with *more* private bytes. **Crucial for detecting standard DLL injections.** Pay close attention to *unsigned* DLLs found with this pattern.
  * `^(?:\\\\\?\\)?[A-Za-z]:\\.+$`: A broader pattern to find full paths with *any* or *no* extension. Useful on the instance with *more* private bytes when searching for executables disguised with fake extensions (e.g., `.tmp`, `.png`) or extensionless files launched via specific methods. Can also help find DLLs.
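The same three patterns applied offline to a raw memory region, as an added example that is not part of the original cheat sheet: it pulls both narrow (ASCII) and UTF-16LE strings out of a byte blob, since Windows stores most paths as wide strings, and sorts each match into the `.exe` / `.dll` / any-extension buckets described above. The `SAMPLE` blob is constructed here to stand in for a region dumped from `csrss.exe` with System Informer; reading live process memory is assumed to happen elsewhere.

```python
import re

# The cheat sheet's three patterns; the dot before the extension is escaped
# so it matches a literal "." rather than any character.
PAT_EXE = re.compile(r'^[A-Z]:\\.+\.exe$', re.IGNORECASE)
PAT_DLL = re.compile(r'^[A-Z]:\\.+\.dll$', re.IGNORECASE)
PAT_ANY = re.compile(r'^(?:\\\\\?\\)?[A-Za-z]:\\.+$', re.IGNORECASE)

# Candidate strings in raw memory: runs of printable ASCII and runs of
# UTF-16LE (printable byte, then 0x00), which is how Windows stores most
# paths. The lookbehind stops a wide run from starting on the last byte of
# an adjacent narrow string.
ASCII_RUN = re.compile(rb'[\x20-\x7e]{8,}')
WIDE_RUN = re.compile(rb'(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){8,}')

def extract_strings(blob):
    """Yield decoded printable strings found in a raw memory blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode('ascii')
    for m in WIDE_RUN.finditer(blob):
        yield m.group().decode('utf-16-le')

def classify(s):
    """Return 'exe', 'dll', 'other' (any/no extension) or None (not a path)."""
    if PAT_EXE.match(s):
        return 'exe'
    if PAT_DLL.match(s):
        return 'dll'
    if PAT_ANY.match(s):
        return 'other'   # candidates for executables with spoofed extensions
    return None

def triage(blob):
    """Group every path-like string in the blob by category, de-duplicated."""
    found = {'exe': [], 'dll': [], 'other': []}
    for s in extract_strings(blob):
        kind = classify(s)
        if kind and s not in found[kind]:
            found[kind].append(s)
    return found

# Constructed sample standing in for a csrss.exe memory region; not real data.
SAMPLE = (
    b'\x00junk\x00C:\\Windows\\System32\\notepad.exe\x00'
    + 'C:\\Users\\u\\AppData\\Local\\Temp\\loader.dll'.encode('utf-16-le')
    + b'\x00\x00'
    + '\\\\?\\C:\\Users\\u\\Pictures\\photo.png'.encode('utf-16-le')
    + b'\x00\x00not a path at all\x00'
)
```

Calling `triage(SAMPLE)` returns the notepad path under `exe`, the Temp-folder DLL under `dll`, and the `\\?\`-prefixed `.png` path under `other`, which is the bucket to review for disguised executables on the higher-private-bytes instance.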
