What is Smss.exe

Windows Session Manager - Microsoft® Windows® Operating System - Microsoft Corporation

File description

Smss.exe with description Windows Session Manager is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is digitally signed from Microsoft Windows - Microsoft Time-Stamp Service
We do not recommend removing digitally signed files from Microsoft Windows

What is smss.exe?
Smss.exe is the session manager subsystem. This process is responsible for creating environment variables, starting the Win32 subsystem, creating paging files, establishing DOS device mappings, and initializing the Windows Logon Manager. As such, it is responsible for starting user sessions.

This process is a critical system process and is essential to the operation of the system. Due to the critical nature of the process, it is not possible to terminate the process via the task manager. Disabling this process otherwise will render your system unbootable. The screenshot below illustrates how it should appear in the task manager:

As you can see in the above screenshot, smss.exe always runs as SYSTEM. A process with this name running as a different user is a strong indicator of a malware infection.

Dangers of smss
As this is a critical system process that runs on every Windows NT-based (2000, XP, Vista) machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.

Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to it but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as smss.exe:
  • Backdoor.IRC.Flood.F (%SystemRoot%\System32\CatRoot)
    • This is a backdoor trojan that includes an IRC bot that allows an attacker to issue remote commands. It connects to a remote IRC server on port 6667.
  • W32.Resdoc (%SystemRoot%)
    • This is a worm that occasionally attempts to copy itself to the A drive.
  • W32.Dalbug.Worm (%SystemRoot%)
    • This is a worm that registers itself as a system service called NtLmHosts. Additionally, in order to avoid detection, it removes registry entries pertaining to itself while Regedit is running and restores them afterwards.
There will always be exactly one instance of this process running at any given time. The presence of multiple instances is a strong indicator of a malware infection.

Common problems
  • Windows will not boot due to smss.exe not being found
    • If you deleted smss.exe while trying to rid your system of a virus, you may have deleted the wrong one. If you have a backup of it, restore it by connecting the hard drive to another machine or booting into a live CD of an alternative operating system. If you do not have a backup or do not have a way to restore the backup, you should perform a repair installation of Windows.
  • This process uses 100% CPU
    • This is typically caused by a malware infection.

Automatic startup locations

001 Running Processes
002 Autorun registry entries local machine
003 Autorun registry entries Current User
004 All users startup startmenu
005 Current user startup startmenu
006 Start Menu\Programs\Startup
007 Roaming Start Menu\Programs\Startup
008 Autorun registry entries Default user
009 Autorun registry entries SYSTEM user
010 Installed services
033 Winlogon Userinit
034 Winlogon Shell
035 Active Setup Installed Components
073 %windir%\Tasks
135 Current User Runonce (+ subkeys)
139 Windows\load
166 HKCU Policies\Explorer\Run
167 HKLM Policies\Explorer\Run
191 Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Digital signatures found for this file

143 Microsoft Windows - Microsoft Time-Stamp Service
64 Microsoft Windows Component Publisher - Microsoft Timestamping Service
41 Microsoft Windows Publisher - VeriSign Time Stamping Services Signer
26 Microsoft Windows 2000 Publisher - VeriSign Time Stamping Service
22 Microsoft Windows XP Publisher - VeriSign Time Stamping Service
10 Microsoft Windows - Microsoft Timestamping Service
5 Microsoft Windows Publisher - VeriSign Time Stamping Service
5 Microsoft Windows XP Publisher (Europe) - VeriSign Time Stamping Service
3 Microsoft Windows - VeriSign Time Stamping Services Signer
3 Karmasis Ltd. Inc. - COMODO Time Stamping Signer
3 Microsoft Windows Component Publisher - VeriSign Time Stamping Services Signer
2 Tera information Technology co.Ltd - Symantec Time Stamping Services Signer - G4
2 Microsoft Windows 2000 Publisher (Europe) - VeriSign Time Stamping Service
1 Microsoft Windows 2000 Publisher (Europe) - VeriSign Time Stamping Service CA SW1
1 NICSTECH CO.,LTD. - Symantec Time Stamping Services Signer - G4

MD5 security rating in our database

240 files (Not yet rated and not signed)
107 files (Not yet rated and digitally signed)
5 files (Safe and not signed)
258 files (Safe and digitally signed)
Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to smss.exe. Always make sure that your file is from a verified publisher.

User ratings for this file

File rating: Average rating of smss.exe: by 610 files and users.

Application errors

Fix smss.exe application error:  Run a FREE registry scan

User comments

smss.exe must run in order for windows to function correctly. If it is terminated in any way, you will be blue screened with "CRITICAL_OBJECT_TERMINATION"

Please add your comments if you have more information about this file or if you know how to solve smss.exe application errors.

File safety :

File security rating :

Are you human? How much is 4+15:

Like this page?

Please support this free service by giving us a Google+1

Browse files by letter


More system processes

smssas.exe smsscheduler.exe smsse.exe
smsserveru.exe smsservice.exe smss-le.service.exe
smssm.exe smssni.exe smssqlbkup.exe
smsssoax.dll smsstarter.exe smssvc.exe

Lansweeper computer inventory From the creator of Runscanner:

is an automated IT asset management tool. It can quickly scan your computers and has over 250 default reports available.

There is no need to install any agents on the scanned computers, all hardware and software inventory scanning is done by standard build-in functionality.