# How to add entry to Registry to load CSRSS.EXE



## archp2008 (Dec 30, 2008)

Hello,

I did a complete virus system scan of my computer using Avast and the file csrss.exe from users\username\AppData\Local|temp in Vista 32 was identified as infected and quarantined. When I rebooted this OS it came up with a message to delete the entry in the registry for csrss.exe. I followed this advice blindly, not thinking of the consequences or knowing that I was doing. Worse yet this OS had no restore points or registry backups. All I was able to do was to restore the file(infected?) from quarantine. Can someone please tell me how to re-enter the deleted registry key that tells Windows to load CSRSS.EXE from System32. The problem I'm having (which I assume is related) is that I can't browse with my browser now with this OS. My Email works ok though. Firefox says it is set up to use a proxy server. Google just says site not found. This sounds like a virus problem I've had and fixed before, but I never caused myself extra grief by deleting a registry entry before. I don't know if there is another work-around or if re-adding this registry key will fix the issue. I only know the Internet was working before the file was deleted.


----------



## A1tecice (Jun 1, 2010)

There is a problem with just rewriting the registry key for CSRSS.exe, because it's not just in one place; it's basically all over your registry, but I will take a guess at the one you deleted.

It's located in:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystem

There should be a key in there called "Windows" if there is not create one with the data:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

If that fails then the only option you have left really is a clean install of Windows.

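An added example, not code from any poster in this thread: a read-only PowerShell check that reports where csrss.exe is referenced, so a missing or tampered entry can be spotted before anyone edits the registry. It reads the `Windows` value of the Session Manager `SubSystems` key the post above points at (the documented key name has a trailing s), then scans common autostart keys for entries naming csrss.exe, dwm.exe or conhost.exe outside System32, the masquerading pattern described later in this thread. It assumes an elevated prompt on Vista or later; all key names are the standard Windows ones and nothing is modified.

```powershell
# Added example: read-only survey of csrss.exe references. Run elevated; output only.
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. The real csrss.exe is started by smss.exe from the 'Windows' value under
#    Session Manager\SubSystems. Report it for every control set on disk.
foreach ($cs in (Get-ChildItem 'HKLM:\SYSTEM' | Where-Object Name -match 'ControlSet\d+$')) {
    $keyPath = "$($cs.PSPath)\Control\Session Manager\SubSystems"
    $val  = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).Windows
    $name = Split-Path $cs.Name -Leaf
    if ($val) { "[$name] SubSystems\Windows = $val" }
    else      { "[$name] SubSystems\Windows is MISSING (smss.exe cannot start csrss.exe)" }
}

# 2. Autostart locations where a fake copy would be registered. The legitimate
#    csrss.exe is never launched from any of these, so any hit deserves review.
$sysNames  = 'csrss.exe', 'dwm.exe', 'conhost.exe'
$autostart = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # legacy Load / Run values
)
foreach ($key in $autostart) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell metadata properties
        $text = [string]$p.Value
        foreach ($n in $sysNames) {
            if ($text -match [regex]::Escape($n)) {
                $where = if ($text -match [regex]::Escape($system32)) { 'System32' }
                         else { 'OUTSIDE System32 - review' }
                "$key\$($p.Name) references $n ($where): $text"
            }
        }
    }
}

# 3. Running instances. Two csrss.exe processes (session 0 and the user session)
#    are normal on Vista and later; an image path outside System32 is not.
Get-Process -Name csrss -ErrorAction SilentlyContinue | ForEach-Object {
    $img = $_.Path
    if ($img -and $img -notlike "$system32\*") { "PID $($_.Id): csrss.exe from $img - review" }
    else { "PID $($_.Id): csrss.exe from $img" }
}
```

Process paths in step 3 are only readable from an elevated prompt; without it they show as empty rather than as a finding.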

----------



## Will Watts (Jun 18, 2008)

I suggest you post up a set of logs. Even if there is not still an active infection on-board, it's easier to fix like this with a full set of logs. There will also be a reason that Avast identified the key as infected.

Please don't make changes to the registry unless you are sure you know what you're doing.

For malware removal assistance....

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through *all* the steps, please post the requested logs in the Virus/Trojan/Spyware Help forum, *not here.*

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


----------



## archp2008 (Dec 30, 2008)

First of all, thank you very much for the replies. This is a partially patched-up but functioning triple boot system. Actually there are two working versions of Vista on this machine, the one affected being the 32-bit version. I don't think there is anything on there that I would lose if I reformatted that partition. The only problem being that I would likely mess up the boot loader (Vista/Win7) and later have to reinstall the Windows 7 just to get it back. I use the Vista and Win7 mainly for watching tv on the computer (tv-tuner card). It might be simpler to just forget that the Vista 32 is there. I still use the XP most of the time and could use the Win7 for watching tv, etc. I was hoping that the fix might be simpler. You do know it's Vista 32. Would it help to know that the deleted entry was the first occurrence of CSRSS.EXE that was found when I did the search inside Regedit? Also the first word in the leftmost side of the registry entry that I deleted was the word LOAD. All I can remember was the word Load.....CSRSS.Exe. Can't recall anything else. This will be the last registry edit I do without doing a backup first. As far as the virus(es) were concerned (there were actually three on this Vista 32 partition), it appears that they were named with the same name as the system files but they were all located in the AppData folder. CSRSS.Exe was in the \Local\Temp section of the AppData folder. Two other affected files dwm.exe and conhost.exe were in the \Roaming and \Roaming\Microsoft folders respectively. I re-scanned the AppData folder using AVG from XP and the same three files were removed again, so that makes it more likely that they are in fact trojans. They are re-quarantined now, this time on AVG on XP. I'll await any further comment from you before proceeding with your other suggestions or before starting a more complex analysis under Someguy's assistance.
I am thinking that the Internet problem is a result of what the attack did to the browser settings. I'm thinking the attack may also have de-activated the System-Restore as it still seems to think it's turned off even though I subsequently turned it back on and did a test restore point.


----------



## Will Watts (Jun 18, 2008)

Hi,

I'm struggling to understand exactly which partitions were infected.

Am I right in thinking that the 32-bit Vista partition was infected, and subsequently where you quarantined CSRSS.exe?

You then scanned the 32-bit Vista App Data folder from XP - and the same files were removed from the same location?

Have you had any symptoms or quarantined files on the other partitions?

It sounds like you still have an active infection onboard. Please follow the instructions given in my previous post; the Virus/Trojan/Spyware Help forum is the only place where we offer malware removal support.


----------



## FitzHugh (Jun 20, 2011)

I have a near-identical issue. I thoughtlessly overreacted when a trojan ATTEMPTED to create startup links to 3 malicious files, a fake csrss.exe among them. And although I removed all the bad files I also inadvertently deleted the keys in each control-set which would invoke the real csrss.exe. So I believe I have been left with no way to invoke a restore-point.

I can't start Windows; I get a recurring BSOD. I can get to setup/repair mode. But the reg command doesn't appear to be part of the limited command set available there.

If I can somehow get it to execute then my question would be if there are any spaces or linebreaks in that command to restore the key.

Is there any way to proceed short of formatting, for me? 

Many TIA.


----------



## Will Watts (Jun 18, 2008)

Hi,

What version of Windows do you have?

Assuming you have XP SP3 as listed:

Restart your computer and boot into *Safe Mode* by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.

If you are able to boot into safe mode, please then follow the instructions given in our First Steps. 

You might also want to try *Last Known Good Configuration*. This should appear on the boot menu after pressing F8. If you are able to get your computer to boot, either using this or Safe Mode, please then follow our First Steps: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

As stated, Malware Removal support will only be given in the Virus/Trojan/Spyware Help forum. I also don't encourage users to perform manual registry edits unless they fully understand the keys they are editing.


----------



## archp2008 (Dec 30, 2008)

Thank you for all the further comments. I am not surprised that there is confusion about all the partitions and operating systems I have on this machine. To be honest, I don't have my own head fully wrapped around what is there. On a positive note, the major problem, the Internet being knocked out when in Vista 32, is now fixed. All I had to do was to change my connections to automatic and uncheck use a proxy. As I suspected, those trojans had set up a system for connecting me to some proxy server somewhere. Hopefully, now that the viruses are removed and the connection settings restored to auto instead of a proxy, things will be ok. I am going to try safe mode in that partition now to see if it still doesn't show any restore points. Meanwhile, I'm thinking that Windows may have fixed the registry deletion by itself. I will have another look into the registry to see if that "Load csrss.exe" entry is still gone.


----------



## FitzHugh (Jun 20, 2011)

someguy201 said:


> Hi,
> 
> What version of Windows do you have?
> 
> ...


Hi,

Thanks very much for the response!

I might have been unclear; the malware injection-attempt was not my problem but, rather, how to get to System Restore when I could not boot Windows, at all, after inadvertently removing the requisite registry keys which would invoke the CSRSS executable.

I solved it, evidently, by booting from the CD as described here:
http://pcsupport.about.com/od/operatingsystems/ss/instxprep

A few settings were lost because my previous restore points got deleted during the Repair/Setup process.

But I think I'd have been otherwise unable to get back to Windows and all my data.

Thanks again.


----------



## archp2008 (Dec 30, 2008)

I went into Safe Mode but there were still no restore points shown, but I returned into normal mode and went into system restore again and have it working now with a single initial restore point here. I looked into the registry and that line that I deleted named LOAD with csrss.exe being the file referenced is still gone. When I look into task manager processes there are two instances of csrss.exe running, though, so I'm thinking (perhaps wishfully) that the line I deleted was not vital. If it was vital, I'm thinking I would be looking at blue screens. There are no other apparent issues with this Vista installation at this time. I don't know if any further action on my part is needed or not. I'm certainly not going to try to fix it if it ain't broke.


----------

