Smss.exe file description |
Smss.exe with description Client Server Runtime Process is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
In total there are 16 launchpoints for this file including "Running processes".
There are 15 different variations of the file in our database and the file is
digitally signed from Microsoft Windows - Microsoft Time-Stamp Service
We do not recommend removing digitally signed files from Microsoft Windows
What is smss.exe?
Smss.exe is the session manager subsystem. This process is responsible for creating environment variables, starting the Win32 subsystem, creating paging files, establishing DOS device mappings, and initializing the Windows Logon Manager. As such, it is responsible for starting user sessions.
This process is a critical system process and is essential to the operation of the system. Due to the critical nature of the process, it is not possible to terminate the process via the task manager. Disabling this process otherwise will render your system unbootable. The screenshot below illustrates how it should appear in the task manager:
As you can see in the above screenshot, smss.exe always runs as SYSTEM. A process with this name running as a different user is a strong indicator of a malware infection.
Dangers of smss
As this is a critical system process that runs on every Windows NT-based (2000, XP, Vista) machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.
Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to it but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as smss.exe:
- Backdoor.IRC.Flood.F (%SystemRoot%\System32\CatRoot)
- This is a backdoor trojan that includes an IRC bot that allows an attacker to issue remote commands. It connects to a remote IRC server on port 6667.
- W32.Resdoc (%SystemRoot%)
- This is a worm that occasionally attempts to copy itself to the A drive.
- W32.Dalbug.Worm (%SystemRoot%)
- This is a worm that registers itself as a system service called NtLmHosts. Additionally, in order to avoid detection, it removes registry entries pertaining to itself while Regedit is running and restores them afterwards.
There will always be exactly one instance of this process running at any given time. The presence of multiple instances is a strong indicator of a malware infection.
Common problems
- Windows will not boot due to smss.exe not being found
- If you deleted smss.exe while trying to rid your system of a virus, you may have deleted the wrong one. If you have a backup of it, restore it by connecting the hard drive to another machine or booting into a live CD of an alternative operating system. If you do not have a backup or do not have a way to restore the backup, you should perform a repair installation of Windows.
- This process uses 100% CPU
- This is typically caused by a malware infection.
|
Automatic startup locations |
 |
001 Running Processes |
 |
002 Autorun registry entries local machine |
|
003 Autorun registry entries Current User |
 |
004 All users startup startmenu |
|
005 Current user startup startmenu |
|
007 Roaming Start Menu\Programs\Startup |
|
008 Autorun registry entries Default user |
|
009 Autorun registry entries SYSTEM user |
 |
010 Installed services |
 |
033 Winlogon Userinit |
|
034 Winlogon Shell |
|
035 Active Setup Installed Components |
|
073 %windir%\Tasks |
|
135 Current User Runonce (+ subkeys) |
|
139 Windows\load |
|
167 HKLM Policies\Explorer\Run |
|
File versions in our database |
| |
Company |
Version |
Size |
 |
n/a |
n/a |
4294967295 |
|
n/a |
1.0.0.0 |
4294967295 |
|
Black Internet |
1.0.0.1 |
4294967295 |
|
n/a |
3, 5, 1, 32 |
4294967295 |
|
n/a |
0.0.0.0 |
6242304 |
|
n/a |
n/a |
5055488 |
|
n/a |
n/a |
4988928 |
|
n/a |
3.4.0.2282 |
3428864 |
|
n/a |
n/a |
1941504 |
|
TODO: ?????????? |
3.7.0.8 |
1564672 |
|
n/a |
2.07 |
1368064 |
|
n/a |
2.07 |
1359872 |
|
n/a |
n/a |
1085799 |
|
n/a |
n/a |
761344 |
|
?????????? |
3, 9, 37, 15 |
487424 |
|
|
Digital signatures found for this file |
| |
Signer of certificate |
Issuer of certificate |
 |
Microsoft Windows |
Microsoft Time-Stamp Service |
|
Microsoft Windows |
Microsoft Timestamping Service |
|
Microsoft Windows |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows 2000 Publisher |
NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc. |
|
Microsoft Windows 2000 Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows 2000 Publisher (Europe) |
VeriSign Time Stamping Service |
|
Microsoft Windows Component Publisher |
Microsoft Timestamping Service |
|
Microsoft Windows Component Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows XP Publisher (Europe) |
VeriSign Time Stamping Service |
|
|
MD5 security rating in our database |
 |
 |
|
140 |
files (Not yet rated
and
not
signed) |
|
|
1 |
files (Not yet rated
and
digitally
signed) |
 |
|
7 |
files (Safe
and
not
signed) |
|
|
228 |
files (Safe
and
digitally
signed) |
|
|
|
Some versions of this filename have not yet been checked for safety.
|
| Warning: Some malware might rename itself to smss.exe. Always make sure that your file is from a verified publisher. |
|
Application errors |
|
| User comments for Smss.exe |
There are no comments yet.
|
|
Database statistics
Top process list
