Windows 11 Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/windows-11/
Sun, 24 Mar 2024 04:27:14 +0000

Usermode Font Driver Host (fontdrvhost.exe)
https://gridinsoft.com/blogs/usermode-font-driver-host-high-cpu-and-memory/
Thu, 21 Mar 2024 09:14:41 +0000

The Usermode Font Driver Host process is an important part of the Windows operating system. It may raise questions among users due to its high consumption of resources such as CPU and memory. Let’s find out what this process is and whether you can do without it.

What is Usermode Font Driver Host?

The Usermode Font Driver Host process, as its name suggests, is responsible for handling fonts in user mode, which helps the system display text in various applications and interfaces. The running process is usually located in the standard system directory C:\Windows\System32\fontdrvhost.exe. This process also handles requests from applications and programs that require font rendering services. Among the latter is everything from basic text display to complex font formatting in documents and web pages.

Usermode Font Driver Host process Task Manager

In recent Windows updates, when you try to find the fontdrvhost.exe process in Task Manager, you will see that it is running under the user name “UMFD-0”. This is an account for the User Mode Driver Framework, which restricts the process’s access to only working with fonts. This provides the security that recent Windows updates have brought. The UMFD-0 account ensures that the process does not extend to activities other than font manipulation.

Usermode Font Driver Host High CPU and Memory Troubleshooting

High consumption of CPU and memory resources by the Usermode Font Driver Host process may occur in several cases. The first is when you are working with graphic editors or design programs, or loading a large number of non-standard fonts.

Alternatively, increased consumption can also be caused by incorrect operation or failure in the Windows font management system. When corrupted or incorrectly created fonts are installed in the system, Usermode Font Driver Host may consume an excessive amount of resources trying to process or fix them.

Problems with Usermode Font Driver Host may be related to a corrupted UMFD-0 image. There are a couple of ways to solve this problem – through running a system files’ scan, or by updating Windows. Let’s start with the least invasive one.

Troubleshooting Step 1: Run System File Checker

Windows carries quite a few system recovery utilities that will be helpful with pretty much any situation. In the case of file corruption, a tool called System File Checker will be on hand.

  • Open a command prompt as administrator:
    Type cmd in the search box and click “Run as administrator” to open elevated Command Prompt.

cmd in the search box

  • Type the command “sfc /scannow” and press Enter.

System File Checker

  • Wait for the scanning process to complete and errors to be corrected.
  • Restart your computer after the scan is complete.

If System File Checker does not solve the problem, it may indicate deeper system irregularities. In such a case, it is recommended to update Windows to replace and update system files, which may fix existing system problems.

Troubleshooting Step 2: Update Windows

Windows Update is an effective solution to the problem of high resource consumption caused by incompatibility or a faulty system module. Each Windows update contains bug fixes and performance improvements that can solve existing resource consumption problems. Developers constantly analyze user reports and diagnostic data to optimize system performance. To check for updates, press the Windows key + I and choose “Windows Update.” If any updates are available, download and install them.

Windows Update

Troubleshooting Step 3: Removing damaged fonts

As I wrote above, fontdrvhost.exe may consume an excessive amount of resources processing corrupted fonts. Therefore, remove fonts that have been installed recently or may be corrupted.

To do this, go to Control Panel > Fonts.

Remove fonts

Then, remove fonts that fall under the following description:

  • The font is not compatible with your encoding language
  • Downloaded from unreliable sources
  • Font is repeated several times
  • Not used for a long time

Can I Stop or Disable Usermode Font Driver Host?

The Usermode Font Driver Host is an essential part of Windows and I do not recommend deleting or disabling it. Removing it can result in errors while running various Windows applications, especially those that depend on the fontdrvhost.exe process. Among them are Microsoft Word, Excel, PowerPoint, email clients, messaging apps, and many more. I will additionally emphasize that Usermode Font Driver Host is not malware and cannot be used by one.

Werfault.exe Error
https://gridinsoft.com/blogs/werfault-exe-error-troubleshooting/
Thu, 07 Mar 2024 16:28:15 +0000

Werfault.exe is a system process used to collect information about program errors, which helps diagnose and resolve issues to improve the user experience. In certain cases, it can repeatedly crash, displaying an error message, and also be used by malware.

What is Werfault.exe?

Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for handling error reporting in Windows operating systems. WerFault.exe was first released on 11/08/2006 for Windows Vista and is still present in Windows 10 and 11. WerFault.exe errors arise when loading WerFault fails, either while starting a Windows application or, in some cases, while the application is running.

Thus, when a program encounters an error, Werfault.exe collects information about it. It includes the program causing the error, the nature of the error, and system information. Next, Werfault offers options for sending this information to Microsoft for analysis. This helps Microsoft to improve the stability and reliability of the Windows operating system (probably). Werfault.exe typically runs in the background and should not usually require user interaction unless prompted by an error.

Werfault.exe Application Error – How to Fix?

If you encounter a Werfault.exe Application Error, it usually means an issue with the Windows Error Reporting process or an application causing it to crash. However, it’s nothing to worry about if it only happens one or two times.

Werfault.exe Application Error itself

But if the WerFault.exe error occurs repeatedly and causes trouble, or if it takes a relatively high CPU power in Task Manager, you should take action to resolve it. Here are some steps that you can take to try and fix this issue:

Update Windows

Windows constantly improves to enhance its stability and reduce program crashes. To achieve this goal, Microsoft provides regular security updates and bug fixes. If you don’t install these updates, you may encounter security issues and bugs. There were a couple of particular Windows updates that broke WerFault, which Microsoft addressed in further patches. To check for updates, press the Windows key + I and click “Windows Update”. If there are any updates available, download and install them.

Windows Update
If you can see this, you’ve done it right.

Run the Windows SFC Scan

The SFC tool repairs corrupt system files that can cause Werfault.exe errors. Press Windows key + R, type “cmd”, and hit Ctrl+Shift+Enter to open Command Prompt as administrator. Next, type or paste “sfc /scannow” into the Command Prompt and press Enter.

sfc command

After completing the scan, Windows will attempt to repair any corrupt files. Finally, restart your device and check if the error is corrected. If the scan finds corrupt files, but Windows is unable to repair them, try repairing corrupt system files using repair tools.

Important note! Avoid downloading and copying WerFault.exe to your Windows system directory from third-party sites. Microsoft typically does not release standalone Windows EXE files for download because they are already bundled together inside a software installer. Copying such a file may cause system instability and stop your program or OS from functioning.

Use Repair Mode

Restart your PC while holding the Shift key; this will boot the device into Automatic Repair. Select Advanced options to enter WinRE and choose your language. Next, select Troubleshoot, then Advanced options.

Command prompt in the recovery mode

Select Command Prompt, log in with your account and run the below commands.

sfc /scannow
chkdsk X: /f
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd

Note: If you installed a system update before the system became unstable, you can use “Uninstall Updates” to uninstall recent updates (which include Quality updates and Feature updates; try both).

Is Werfault.exe a virus?

While Werfault.exe is a legit executable file, its activity may be attributed to malicious software. Hackers use the DLL sideloading technique, exploiting the WerFault.exe tool to deploy malware onto compromised systems. This method allows them to infect devices discreetly without triggering antivirus alarms. During this exploitation, you may see the said errors coming from WerFault.exe, as well as the process itself in the Task Manager.

As we can see, malware can sometimes exploit genuine processes in its activity. This can cause program crashes and, in some cases, trigger the werfault.exe error. I recommend GridinSoft Anti-Malware; it is best suited to detect and remove even sophisticated malware. Run it and wait until the first scan is done. Next, run the Full scan and follow the instructions.

What is Csrss.exe Process? Troubleshooting Guide
https://gridinsoft.com/blogs/csrss-exe-process-troubleshooting/
Tue, 05 Mar 2024 23:01:01 +0000

Csrss.exe is an important Windows process, which may sometimes consume a lot of system resources and puzzle the users with such behavior. Some people may mistake it for malware and try to terminate it forcefully. So, is csrss.exe dangerous? And how to fix the issues it creates? Let’s find out.

What is Csrss.exe?

Csrss.exe is a legitimate Windows process with the full name of Client Server Runtime Process and is critical to the system. This process is present in all modern Windows versions, and it is not uncommon to notice several instances running back to back. Such a phenomenon is normal and is not considered a sign of viruses. The system runs one upon the startup, and terminating it leads to BSoD.

This process in Windows 7, 8, and 10 is responsible for console programs, shutdown processes, starting another vital process – conhost.exe – and other critical system functions. It uses a few resources in normal mode, so there is no reason to terminate it. It is needed for System shutdown, Virtual DOS Machine (VDM) support and other system functions such as Ctrl+C and Ctrl+Break signal processing, user switching, and mounting and unmounting disks. As a legacy function, csrss.exe is responsible for opening the console window, but only to the extent of launching the conhost.exe process.

Csrss.exe BSOD – How to Fix?

Sometimes, after unsuccessful manipulations with the Csrss.exe file or other system files, Windows may become unstable or fail to start. The corruption of important Windows system files can cause this. The solution is as follows:

Go to the Troubleshooting menu – Advanced Options – Command Prompt in the recovery environment. At the command prompt that launches, execute the following command:

sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows

After entering the command, press Enter and wait for the process to complete. This may take some time, but be sure to wait until the end, as it is required to finish the system files’ repair. After that, close the command prompt and restart your computer.

Sfc command result

Csrss.exe High CPU & GPU Troubleshooting

If you encounter abnormal GPU and CPU consumption by the csrss.exe process, you should first check the file location. To verify it, right-click on the process and select “Open file location”. The file should be located at “%SYSTEMROOT%\system32”.

Csrss file in system32 folder

Next, right-click on the file and select “Properties”, then the “Details” tab. This file’s Product Name should be “Microsoft® Windows® Operating System”. Also, the Copyright section should be “© Microsoft Corporation. All rights reserved.”

Original csrss file properties

If it is the original csrss.exe file, it may cause a high CPU/GPU load due to incorrect operation of the functions it is responsible for.

The Client Server Runtime Process’s excessive GPU consumption was previously a recognized problem in one of the Windows cumulative updates. However, Microsoft addressed the issue through various updates and hotfixes. You may still be using an older Windows version with this problem. If so, go to the Windows updates section and click “Check for updates”.

Windows Update

The next step is to update your GPU drivers. If you have an Nvidia GPU, open GeForce Experience, and under the “Drivers” tab, click “Check for updates” and follow the instructions. If you have an AMD GPU, check the Radeon software for updates. It is vital to download drivers from official websites. Please avoid using low-trust sites or third-party installers like driver packs.

Nvidia driver update process

If the problem persists, run an SFC scan. To do this, run Command Prompt as administrator and paste the “sfc /scannow” command into it.

If the process csrss.exe still loads the device after all the manipulations, you can create a new user profile. To add a new user profile to your PC, go to Settings (gear icon) and select Accounts. Under Family & Other Users, click Add another person to this PC. Choose “I don’t have this person’s sign-in information” and then select “Add a user without a Microsoft account”. Fill in the details and click Next. Remember to grant administrator privileges only to those you trust.

Manage another account

Note: This guide is relevant for users of Windows 10. Windows 11 lacks the option to add a local account and asks you to use a Microsoft account.

Creating an online account in Windows 11

Is Csrss.exe a virus?

First, any claim that the “csrss.exe” file located in “C:\Windows\System32\” is a virus is false. Low user knowledge along with unintelligible process names make system process names an excellent option for hiding malware. Usually, the malware tries to infect or disguise itself as critical system processes of the operating system. Also, many viruses use the name of that process or executable file to disguise themselves so as not to make you suspicious. Each session creates a separate process, allowing the simultaneous running of several dozen processes.

Nevertheless, it is a good reason to worry if the csrss.exe high CPU and GPU load is constant. But even in this case, there are two options for abnormal process behavior: malware and user profile corruption. The original executable “csrss.exe” file is stored only in one place – in the “C:\Windows\System32\” directory. If only one OS is installed on the device, substituting or overwriting this file in the standard directory is almost impossible.

That being said, finding the files named “csrss.exe” in other directories on your PC is a sign of malware activity. To remove the threat, launch GridinSoft Anti-Malware and select a full scan. Please wait until it is complete and perform all the suggested actions.
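
The location, file-property and stray-copy checks described in this guide can be scripted. The following PowerShell is an added example, not part of the original article: the function names and report layout are assumptions, the expected values are the ones the article gives, and the WinSxS handling reflects the fact that Windows keeps its own signed copies of system files in the component store. It works the same way for fontdrvhost.exe.

```powershell
# Added example, not code from the article. Function names are illustrative.
# Expected values (System32 path, Product Name, Copyright) come from the article.

function Test-SystemBinary {
    [CmdletBinding()]
    param(
        # File name to audit, for example csrss.exe or fontdrvhost.exe
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-]+$')]
        [string]$Name,
        # Directories to search for copies; a full-drive scan is slow
        [string[]]$SearchRoot = @("$env:SystemDrive\")
    )

    # The only location the article accepts as genuine.
    $expected   = Join-Path $env:SystemRoot "System32\$Name"
    # Windows keeps signed copies of system files in the component store.
    $storeMatch = Join-Path $env:SystemRoot 'WinSxS\*'

    Get-ChildItem -Path $SearchRoot -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Wildcards avoid encoding problems with the (R) and (C) symbols.
            $productOk   = $info.ProductName    -like 'Microsoft* Windows* Operating System'
            $copyrightOk = $info.LegalCopyright -like '*Microsoft Corporation. All rights reserved.'
            $signedOk    = $sig.Status -eq 'Valid'

            if ($_.FullName -ieq $expected -and $productOk -and $copyrightOk -and $signedOk) {
                $verdict = 'expected'
            } elseif ($_.FullName -like $storeMatch -and $signedOk) {
                $verdict = 'component store copy'
            } else {
                # Wrong folder, wrong metadata, or a bad/missing signature.
                $verdict = 'review'
            }

            [pscustomobject]@{
                Path        = $_.FullName
                Verdict     = $verdict
                ProductName = $info.ProductName
                Copyright   = $info.LegalCopyright
                Signature   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
            }
        }
}

function Get-SystemProcessImage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-]+$')]
        [string]$Name
    )

    $expected = Join-Path $env:SystemRoot "System32\$Name"

    # One csrss.exe per session is normal, so several rows are expected.
    Get-CimInstance -ClassName Win32_Process -Filter "Name='$Name'" |
        ForEach-Object {
            if (-not $_.ExecutablePath) {
                # The path can be empty for protected processes or without elevation.
                $verdict = 'path unavailable (run elevated)'
            } elseif ($_.ExecutablePath -ieq $expected) {
                $verdict = 'expected'
            } else {
                $verdict = 'review'
            }

            [pscustomobject]@{
                ProcessId = $_.ProcessId
                SessionId = $_.SessionId
                Path      = $_.ExecutablePath
                Verdict   = $verdict
            }
        }
}

# Running instances first, then every copy of the file on the system drive.
Get-SystemProcessImage -Name 'csrss.exe' | Format-Table -AutoSize
Test-SystemBinary -Name 'csrss.exe' | Format-List
```

Only rows marked "review" need a closer look; copies under WinSxS with a valid signature are normal on any Windows installation.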

PUA:Win32/PCMechanic – PC Mechanic Plus Removal Guide
https://gridinsoft.com/blogs/pua-win32-pcmechanic-removal-guide/
Fri, 01 Mar 2024 13:28:13 +0000

PUA:Win32/PCMechanic is a detection associated with the potentially unwanted application. This pseudo system optimizer claims that the user’s system has many problems, and then offers to call the “tech support”. Let’s see why this may appear and how to remove it.

What is PUA:Win32/PCMechanic?

PUA:Win32/PCMechanic is a Microsoft Defender detection that indicates the PC Mechanic Plus program is present in the system. PC Mechanic Plus is a potentially undesirable program, more specifically a fake optimization tool. This app in fact borders on scareware – a class of PUA that tries forcing the user to pay for a license to remove non-existent threats.

PC Mechanic Plus interface

After the “scanning”, the program shows the user a list of errors in the system and offers to call the specified phone to solve these problems. All this ends up with verbal requests to buy the license for the PC Mechanic; though, it is not the only danger of calling fake tech support. Aside from obtrusive offerings to call the “specialists”, the app will also overload the system and can potentially block some of the functions.

PUA:Win32/PCMechanic – How Does it Work?

As I’ve said above, PUA:Win32/PCMechanic is a rather unusual example of PUA/scareware. A deeper look into it shows that fake scanning and extorting money for fixing non-existent problems is not the only problem the app introduces. In fact, its excessive telemetrics make its activity rather unpleasant to anyone who values their privacy.

1. Delivery

PC Mechanic Plus does not even try to legitimize itself: there is no official website and no reviews, even paid ones. To spread itself, this app uses dirty methods such as “bundling”, i.e., installers of other freeware or cracked software that include additional programs as “recommended software”. This way of monetizing involves having a checkbox when you install the program. However, unscrupulous developers neglect this and do not allow the user to cancel the installation of additional software during the installation of the main product.

Other ways to get PC Mechanic Plus include advertising sites. This is especially true for fake driver download sites. Instead of giving you the driver you need, they download a magic program that will install all drivers in one click. Sometimes, such sites use a double file extension trick, such as IRST_Intel.zip.exe. As a result, the user receives a PUA installer instead of a driver archive.

2. Fake Scanning

After installation, PC Mechanic Plus starts the scan forcibly and, obviously, finds a lot of errors. I additionally emphasize that all these errors are fake, and the reason they appear is to convince the user to buy the full version of the program. Additionally, the program asks you to call technical support at the specified number. Fake technical support uses social engineering to convince the user to buy the product, effectively making you pay for a piece of junk software.

Scanning process

3. Info Gathering

In addition to the above, PC Mechanic Plus has a bit of undeclared functionality, more specifically – in the area of telemetrics. According to VirusTotal analysis, it collects some information about the system and user, particularly the detailed system information. Additionally, some of the elements of the app have the functionality of a keylogger. Thus, any text the user enters, including logins, passwords, and other sensitive information, can be gathered. And considering the presence of network activity of this app, this data is not just for internal use or “diagnostics”.

How To Remove PUA:Win32/PCMechanic?

Since this software often comes into the system not alone and makes undesirable changes to the system, it is impractical to try to restore all changes manually. For that reason, I recommend downloading and installing a GridinSoft Anti-Malware. It will effectively dispatch this unwanted program and all things that could have appeared along with it. Run a Standard scan, let it finish and click “Clean Now” to remove all the detected items – it is as easy as this.


There is a way to remove PUA:Win32/PCMechanic manually. Begin by pressing the Start button, then go to Settings.

Start and Settings screenshot

In the left menu, select Apps, then Installed Apps.

Installed apps

Find the PC Mechanic Plus, click the three dots on the right, and select Uninstall. It is worth noting that the app may not necessarily be listed among the installed apps. In that case, the best option is to run GridinSoft Anti-Malware.

Uninstall app

It is essential to understand that after manually uninstalling the application, all the changes it has made to the system will remain. As a result, you will need to restore all Windows settings to their original state manually.

What is Wave Browser? — How to Uninstall Guide
https://gridinsoft.com/blogs/wave-browser-removal-guide/
Fri, 23 Feb 2024 08:52:52 +0000

Wave Browser is an unwanted browser application that tries to look like yet another Chromium-based project. Although it performs its function, according to users’ reviews, there are more problems than benefits. Now, we will take a closer look at it and determine whether you should use it.

What is a Wave Browser?

Wave Browser is a web browser developed on Chromium core, an open-source variant of the one used in Chrome. This is the last bit of positive information about them – you can barely find more of them. First thing to notice is the way it is distributed – in software bundles. Such a tactic is considered malicious, as the vast majority of software spread in such a way is unwanted.

Wave Browser itself

For the functionality of this “effective and privacy oriented browser”, there is nothing really unique. Moreover, it barely meets its own promises – none of the modern security practices are present in Wave Browser. What’s worse, its developer is a subsidiary of a well-known riskware developer, Genimous Technology Co Ltd, that aims at collecting user data and gaining profits from traffic redirection.

What is Wrong With the Wave Browser?

All things said in the previous paragraphs should be enough to be suspicious. After installation, this app changes the system settings, setting itself the default web browser and changing the search engine and homepage. In addition, Wave adds itself to autorun; it is set to run in the background after the window is closed.

Permissions for autorun and running in the background

Another red flag is the installation method. It is often promoted in the form of nasty advertising or installed as recommended software in the bundle along with the other software. Due to these factors, Wave browser falls into a potentially unwanted program (PUP) category. According to the developers, they cooperate with Yahoo and receive a commission from each search. However, the problem is that the search query will be forcibly redirected to Yahoo regardless of the user’s preferences and settings.

Is It Malware?

Potentially unwanted software like this is in the gray zone between legitimate software and malware. All of the above factors, from the distribution to the monetization method, indicate that the browser is untrustworthy. In addition to redirecting search queries, the browser’s primary income source is the display of intrusive ads. They are everywhere, from advertisements in search results to banners on pages.

Besides ads creating inconvenience in web surfing, they also often lead to questionable websites. As a result, the mere attempt to find some regular info may end up with malware downloading. As for more serious risks, it is worth mentioning that Wave Browser can steal confidential information usually stored in the browser, such as cookies.

How to Remove the Wave Browser?

Another sign that this is an unwanted program is how difficult it is to uninstall. You can’t just go to the list of installed programs and uninstall it. Wave browser stays firmly in the system, and to remove it manually, you have to go a long way. Moreover, suppose you did not intentionally install Wave browser, but it is on your system. In that case, it is most likely not the only unwanted software. As I mentioned, such apps are often bundled with other PUAs.

Although Wave browser could be freely distributed in the past, most reputable security tools now mark it as PUP. The situation with removal is the same – previously, to remove this browser, you had to manually delete files in folders on the C drive, registry keys, autorun values, etc. Today, the most effective removal method is to use an anti-malware solution. For example, Gridinsoft Anti-Malware can completely remove the Wave browser. It will find all the “tails” of the browser in fully automatic mode and remove them.

WinRing0x64.sys Process – What is It? Can I Delete?
https://gridinsoft.com/blogs/winring0x64-sys-process/
Wed, 21 Feb 2024 09:33:42 +0000

WinRing0x64.sys is a low-level driver that is used by specific applications. The file itself is not malicious, but malware can abuse this driver. Next, we will find out who uses WinRing0x64.sys and why, and answer the question of whether it can be removed.

WinRing0x64 Overview

WinRing0x64.sys is a crucial software component that allows applications to gain low-level access to hardware components for system monitoring or overclocking purposes. It bypasses high-level interfaces provided by the operating system to interact directly with the hardware. This makes it essential for applications that require this type of access. Most often, this driver is used by software that controls RGB backlighting. As a result, the process will appear in Task Manager.

Legit file properties

It is essential to understand that WinRing0x64.sys is not malicious. Although it is generally safe and helpful for specific applications, it can pose potential risks if misused. For example, the ability for direct hardware access is exceptionally beneficial to malicious miners. As it allows access at such a low level, malicious software could exploit it to gain control over hardware components. And since it is a valid Windows driver, such a trick makes the malware more complicated to detect.

WinRing0x64.sys – What Software Uses It?

As I said above, WinRing0x64.sys is most often used by software for backlight control and hardware overclocking. Noriyuki MIYAZAKI, MasterPlus, EVGA Precision, and Intel Processor Diagnostic Tool are the most common programs. Since the algorithm of driver usage is similar to malware, some antivirus solutions erroneously block this driver.

This driver is not mandatory for Windows, so it can be removed. In practice, however, it is deactivated by uninstalling the software that uses the driver. Depending on the software, it may be located in a subfolder of “C:\” or sometimes in a subfolder of the user’s profile folder or the folder with the installed program. Although the driver does not have its window, it may appear in the running processes in Task Manager.

Is WinRing0x64.sys Malware?

Although WinRing0x64.sys is a legitimate driver, it is sometimes detected as a trojan. For example, some users complained about blocking winring0x64.sys by antivirus after installing EVGA Precision Overclocking software for graphics adapters. To understand whether a file is malicious or not, you need to compare some factors, such as how many resources the process consumes, whether any software needs this driver, etc.

Suppose you downloaded video card software from an official website, and it is detected as a trojan. This is most likely a false positive. On the other hand, if you have a laptop with Intel HD graphics but WinRing0x64.sys shows up in Task Manager, it is a reason to dig deeper. Although WinRing cannot load the system to 100%, it can allow other processes to do this. So, if a suspicious process on your system consumes an abnormal amount of resources and you see WinRing0x64.sys among running processes, this is a red flag. In such a case, I recommend running a full scan with Gridinsoft Anti-Malware.
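
One way to dig deeper, as an added example that is not part of the original article: list every driver service whose image path points at a WinRing0 file, together with its folder, signature and hash, so you can see which installed program it belongs to. The function name is hypothetical; only built-in cmdlets are used.

```powershell
# Added example: find driver services that reference a WinRing0 image and
# report where the file lives and who signed it. Run in an elevated PowerShell.
# An empty result means no such driver service is registered right now.
function Get-WinRing0Driver {   # hypothetical helper name
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*WinRing0*' } |
        ForEach-Object {
            # Driver paths are often stored in NT form; convert to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"

            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path }
            $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }

            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State          # Running or Stopped
                StartMode = $_.StartMode
                Path      = $path
                # The parent folder usually names the program that installed the driver.
                Folder    = Split-Path -Path $path -Parent
                SigStatus = if ($sig) { $sig.Status }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                SHA256    = $hash
            }
        }
}

Get-WinRing0Driver | Format-List
```

If the folder belongs to software you installed yourself, the driver is most likely the legitimate copy described above; a folder you cannot tie to any installed program is the case worth scanning.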

Suspicious process in the task manager

SearchHost High Memory, CPU & GPU Troubleshooting
https://gridinsoft.com/blogs/searchhost-high-memory-cpu-gpu/
Tue, 20 Feb 2024 10:47:05 +0000

The post SearchHost High Memory, CPU & GPU Troubleshooting appeared first on Gridinsoft Blog.

SearchHost is a process responsible for indexing the Start menu and Explorer search files in Windows 10/11. It allows you to conveniently search for files on your computer by indexing their contents. However, this process can be spoofed by a coin miner or malware that uses its name to masquerade on your system. How can you tell whether this process is a virus? And what should you do about high memory and GPU usage by searchhost.exe? Here is our detailed guide.

What is SearchHost.exe?

SearchHost.exe is a process that is part of the Windows Search Indexer service. This service starts automatically at system startup and runs in the background. It scans the files on your computer and creates an index that speeds up searching for files through the Start menu and Explorer. You can customize the indexing settings by choosing which folders and file types to include or exclude from the index. It is also possible to pause or resume indexing at any time.

Typically, SearchHost.exe is located in the C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy folder. This is the default location for this process, and if you find it in a different folder, it could be a sign of a virus. SearchHost.exe is not essential to the operation of the system, but it is useful for the convenience of finding files. If you don’t use search often, you can disable SearchHost.exe by disabling the Windows Search Indexer service to save system resources.

High CPU/GPU and memory usage – Why does this happen?

SearchHost is responsible for indexing the Start menu and Explorer search files in Windows. Typically, this process does not require a lot of computing power, but in certain situations things are different.

SearchHost High CPU Consumption

During the initial indexing process, Searchhost.exe may create quite a load on your CPU, especially on weaker systems. If it is uncomfortable to use the system, you can do the following:

  • Wait for indexing to finish. You can see the indexing progress in the Search and indexing settings. This can take from a few minutes to a few hours, depending on the number and size of files on your computer.
  • Pause the indexing process. You can pause indexing for 15 minutes, 1 hour, or until your computer restarts. To do this, right-click on the search icon in the taskbar and select Suspend Indexing.

  • Customize indexing options. You can choose which folders and types of files to include or exclude from the index. To do this, open the search and indexing settings and click “Advanced”. You can also change the indexing schedule so that it happens at a time that is convenient for you. This way, you may reduce the time required to finish the indexing or decrease the load it creates.
  • Disable the Windows Search Indexer service. You can turn off the Windows Search Indexer service if you don’t use search often or don’t need to index files:
    • Open the Services Manager, find the Windows Search service, right-click on it, and select Stop.
    • Then right-click on it again and select “Properties”.
    • In the “Startup Type” field, select “Disabled” and click “OK”.
  • In case you cannot manually disable this service, you can prevent SearchApp.exe from running by following the instructions below:
    • Type cmd in the search box and click Run as administrator to open an elevated Command Prompt.
    • In the Command Prompt window, type the command below and press Enter to execute it. This switches to the System Applications folder on your computer.
      cd %windir%\SystemApps\
    • Then, execute the following command to terminate the process.
      taskkill /f /im SearchApp.exe
    • Finally, execute this last command:
      move Microsoft.Windows.Search_cw5n1h2txyewy Microsoft.Windows.Search_cw5n1h2txyewy.old

SearchHost High GPU Consumption

The SearchHost.exe process may actively load your discrete video card to index new files and features. This is particularly common in Windows 10 after the 2004 update. The system uses the GPU to perform the same indexing operations, though this is not always desirable for the user.
You can disable the service in the same way as in the case of high CPU load – see the instructions above.

Additionally, to completely remove Cortana, run this command in an Administrator-level PowerShell:
Get-AppxPackage -AllUsers Microsoft.549981C3F5F10 | Remove-AppxPackage

SearchHost High Memory Consumption

If SearchHost.exe is taking up a lot of memory, you can do the following:

  • Run Search and Indexer Troubleshooting. This can fix some errors and problems related to the operation of the Windows Search Indexer service.
    • Open the Search and Indexer settings and click on “Troubleshoot search and indexing”.
    • After the verification process, you will be prompted to restart your computer if required.
  • Run the SFC command. This can check and repair corrupted system files that may be affecting the Windows Search Indexer service.
    • Open a Command Prompt as administrator and type:
      sfc /scannow
    • Wait for the scan to finish and restart your computer.
  • Defragment the disk. This will improve the speed and performance of your computer. Disk defragmentation merges fragmented files that take up more space and slow down access to them.
    • Open Explorer.
    • Right-click on the disk you want to defragment and select “Properties”.
    • Choose the “Tools” tab and click on “Optimize”.

If you find any inconsistencies, do not rush to delete the file, as it may lead to undesirable consequences. First, check it for viruses. Consider performing a full system scan with quality antivirus software like Gridinsoft Anti-Malware and remove all detected threats. You can also check the process file for viruses using an online service such as Online Virus Scanner.

      What is Sihost.exe? Windows 10/11 Guide
      https://gridinsoft.com/blogs/what-is-sihost-exe/
      Mon, 19 Feb 2024 13:14:43 +0000

      The post What is Sihost.exe? Windows 10/11 Guide appeared first on Gridinsoft Blog.

      Sihost.exe is a crucial background process in Windows 11/10 that governs essential features like the context menu and action center. However, it can sometimes malfunction and disrupt system stability. In this article, we unravel the essence of Sihost.exe and equip you to eliminate troubles within your system.

      Sihost.exe – What is It?

      Windows has many background processes, each of which is responsible for something. The Sihost.exe process (Shell Infrastructure Host file) is a critical executable file that runs various system processes. It is involved in the Start menu, launching the context menu, the action center, Cortana, File Explorer, etc.

      It is essential to understand that Sihost.exe is not a virus. It is a legitimate system process, which you should not stop or delete due to its importance to the system’s stability. However, its name can still be used by malware as a disguise in the system. You can observe this file in Task Manager in the list of Windows processes. To do this, launch Task Manager, go to the “Processes” tab, sort the entries by name, and scroll down to the “Windows processes” section. Then scroll down some more, and you will see “Shell Infrastructure Host” (Sihost.exe). In a normal state, this process does not load the system in any way and uses about 6 MB of RAM and a negligible amount of CPU.

      Sihost.exe in Task Manager

      Is Sihost.exe Malware?

      As I wrote above, malware sometimes masquerades as a legitimate Windows process, using the name of Sihost.exe in particular situations. However, even a legitimate file may consume more resources in some specific cases.

      Checking Sihost.exe Location & Properties

      To ensure the process is legitimate, let’s review the sihost.exe instance. First, check its properties through the Task Manager. To do this, right-click the process and select “Properties.”

      Sihost.exe Properties

      There, click on the “Details” tab and ensure it says Microsoft Corporation before copyright.

      Microsoft Corporation before copyright in Sihost.exe properties

      The next step is to look at the sihost.exe location. Close the previous file properties window, right-click on the process, and select “Open File Location.”

      File location in task manager

      By default, the file is located in C:\Windows\System32. If the file location differs, there is a chance that the name of Sihost is being used by malware. We recommend scanning your computer with Gridinsoft Anti-Malware.

      Sihost.exe in System32 folder

      Fix Sihost.exe High CPU Usage

      If the file proves legitimate after these checks but consumes an abnormally high amount of resources, you can perform the following steps:

      Reboot your PC. This is an obvious and trivial tip, but it solves a lot of problems. If the problem hasn’t gone away after rebooting or reappears after a while, move on to the next step.

      Run the System File Checker tool (SFC.exe). Some user or software actions can adversely affect system files. Restoring important system files should solve such problems. To do this, open Start and type “cmd,” then click “Run as administrator.” Next, paste “DISM.exe /Online /Cleanup-image /Restorehealth” into the Command Prompt window. This action will check your system files and, if necessary, download them from the Windows Update Center.

      System File Checker tool

      Reinstall Microsoft Redistributable Packages. These packages are necessary for some programs to work, but they can cause the Shell Infrastructure Host to become unstable. To do this, uninstall all installed packages, download the installation file from the Microsoft website, and reinstall it.

      Uninstall apps screenshot

      Reinstall the Photos app. Previously, a memory leak bug caused the excessive resource usage of Sihost. You can follow these steps if you encounter the same problem on your computer. First, uninstall the Photos app from your device. Then, open the Microsoft Store and download the app again. This should resolve the issue.

      Uninstall photos app

      If the above steps do not solve the situation, I recommend running a malware scan on your system. To do this, download Gridinsoft Anti-Malware and run the scan.

      HxTsr.exe – What is the HxTsr Process? Windows 10/11 Guide
      https://gridinsoft.com/blogs/what-is-hxtsr-exe/
      Fri, 16 Feb 2024 14:43:58 +0000

      The post HxTsr.exe – What is the HxTsr Process? Windows 10/11 Guide appeared first on Gridinsoft Blog.

      The HxTsr.exe process is a part of the Microsoft Outlook Communications component of the Windows 10/11 operating system. This process is responsible for synchronizing mail, contacts and calendar between Outlook and other applications. Typically, it runs in the background and does not attract users’ attention at all.

      However, in some cases, the HxTsr.exe process may be responsible for performance, security or system stability issues. It is possible that this process has been tampered with or infected by a virus that uses its name to masquerade on the system. Such malware can threaten your privacy, security, and finances, so it’s important to learn how to recognize and eliminate it.

      HxTsr.exe – What is it?

      HxTsr.exe (Hidden Executable To Sync Remote Servers) is a part of the MS Outlook app that orchestrates part of its networking affairs. It appeared with the introduction of Microsoft Office 2013 and is also a component of built-in Windows 11/10 applications such as Mail, Calendar, and Contacts. It runs in the background and powers the Microsoft Outlook application, which uses different types of accounts. HxTsr is also responsible for updating your mail, calendar and contacts data on your computer and in the cloud.

      The HxTsr.exe process is located in the C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_…\ folder, where … is the version of the application package. It is not a Windows system file and does not affect the operating system. It can be suspended or closed without affecting Windows, but it may cause the Outlook application or its counterparts to malfunction.

      Can I delete HxTsr?

      As I said, it is possible to close/suspend the HxTsr.exe process, but the question arises – can it be deleted completely?

      Well, it is totally doable, though it comes with a couple of drawbacks. If you remove the HxTsr.exe process, it may affect the operation of Microsoft Outlook, Mail, Calendar and other applications that use it to synchronize data with mail servers. You may lose access to your email, contacts, tasks and calendar or get errors while using them. So, if you do not use the “Mail” application, the removal will not make that much of an impact. Here is how you can do it:

      1. Click on Start Menu > Settings > System > Apps and Features.
      2. Wait till the app list is populated.
      3. Click on the Mail & Calendar App.
      4. It will reveal the menu to Move and Uninstall.
      5. Click on the Uninstall button to remove the Mail & Calendar from Windows. This will remove the source programs of HxTsr.exe, removing it as well.

      Is HxTsr.exe a virus?

      Although the HxTsr.exe process itself is not a virus or malware, it can be spoofed or used by such programs to disguise their activities. Viruses and malware may create copies of the HxTsr.exe process in other folders or with different names to trick the user or antivirus. They may also masquerade as the HxTsr.exe process to hide their presence. Such malware can threaten your privacy, security, and finances, so it’s important to learn how to recognize and eliminate them.

      Typical effects of malware that mimics the HxTsr.exe process are as follows:

      • Computer slowdown
      • Appearance of unwanted advertisements
      • Theft of personal information
      • Infection of other computers
      • Breach of security or privacy

      To recognize and remove malware masquerading as the HxTsr.exe process, you can perform the following steps:

      Step 1: Open Task Manager

      To open Task Manager, press the keyboard shortcut Ctrl+Shift+Esc or right click on an empty spot on the taskbar and select “Task Manager”.

      HxTsr process in Task Manager

      Step 2: View the list of processes

      In Task Manager, choose the Processes tab and view a list of all running processes. Find the process named HxTsr.exe.

      Windows Task Manager

      Step 3: Open the location of the process file

      To open the file location of a process, right-click on the process in Task Manager and choose “Open File Location”. This will open the folder where the process executable is located.
      The legitimate file is located in the folder C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_(version of the application package).
      Its size is about 30 KB. It usually does not consume more than 1% of CPU and 10 MB of memory.

      HxTsr file in system folder

      If you find any inconsistencies, do not rush to delete the file, as it may lead to undesirable consequences. First, check it for viruses.

      Perform a full system scan with quality antivirus software like Gridinsoft Anti-Malware and remove all detected threats. You can also check the HxTsr.exe process file for viruses using an online service such as Gridinsoft’s Online Virus Scanner.
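
The location checks described above for SearchHost.exe, Sihost.exe and HxTsr.exe can be run in one pass. This is an added example, not part of the original posts; the helper names are hypothetical, and it assumes Windows uses the default %windir% and %ProgramFiles% locations.

```powershell
# Added example: compare running sihost.exe / SearchHost.exe / HxTsr.exe
# instances with the locations the articles give for the legitimate files.
$ExpectedPath = @{   # -like patterns; * stands for the versioned package folder
    'sihost.exe'     = "$env:windir\System32\sihost.exe"
    'SearchHost.exe' = "$env:windir\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"
    'HxTsr.exe'      = "$env:ProgramFiles\WindowsApps\microsoft.windowscommunicationsapps_*\HxTsr.exe"
}

function Test-ExpectedPath {          # hypothetical helper name
    param([string]$Name, [string]$Path)
    $pattern = $ExpectedPath[$Name]   # key lookup is case-insensitive
    # An unknown name or an unreadable (empty) path never counts as a match.
    return [bool]($pattern -and $Path -and ($Path -like $pattern))
}

function Get-MasqueradeReport {       # hypothetical helper name
    $filter = ($ExpectedPath.Keys | ForEach-Object { "Name='$_'" }) -join ' OR '
    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $path = $_.ExecutablePath     # empty when the caller lacks rights
        $file = if ($path) { Get-Item -LiteralPath $path -ErrorAction SilentlyContinue }
        $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $path }

        [pscustomobject]@{
            Name      = $_.Name
            PID       = $_.ProcessId
            Path      = $path
            PathOK    = Test-ExpectedPath -Name $_.Name -Path $path
            # Same field the Properties > Details tab shows; easy to forge.
            Company   = if ($file) { $file.VersionInfo.CompanyName }
            # The signature is the stronger check; read status and signer together.
            SigStatus = if ($sig) { $sig.Status }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        }
    }
}

# Constructed sample paths (not from a real system) exercising the path test:
Test-ExpectedPath 'sihost.exe' "$env:windir\System32\sihost.exe"   # documented location
Test-ExpectedPath 'sihost.exe' 'C:\Users\Public\sihost.exe'        # same name, other folder

# Live report; rows whose path does not match are listed first.
Get-MasqueradeReport | Sort-Object PathOK | Format-List
```

Run it from an elevated PowerShell: without elevation, ExecutablePath can come back empty for processes owned by other accounts, and those rows show PathOK as False.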

      Vmmem High Memory and CPU Usage
      https://gridinsoft.com/blogs/vmmem-high-memory-and-cpu-solved/
      Fri, 16 Feb 2024 14:29:43 +0000

      The post Vmmem High Memory and CPU Usage appeared first on Gridinsoft Blog.

      Vmmem, short for “Virtual Machine Memory,” is a process that indicates the resource utilization by virtual machines on your system. It operates in tandem with virtual machines and remains inactive without any virtual machine activity. However, if you observe high CPU and memory consumption by the vmmem process, your virtual machine is not configured correctly.

      Vmmem Process Explained

      Vmmem process is commonly found in Windows 10/11 or Windows Server systems with Hyper-V functionality enabled. The Windows Hypervisor Platform is a feature in Windows that enables virtualization, which allows users to run virtual machines. Vmmem, also known as the Virtual Machine Memory Process, manages the memory usage of virtual machines running on the system. It helps allocate and manage the memory resources the virtual machines require, ensuring efficient utilization of the underlying hardware.

      During the operation of virtual machines, vmmem.exe may consume CPU and memory resources. The amount of system resources allocated by vmmem.exe depends on the number and activity of the virtual machines running on the system. It is important to note that vmmem.exe is a legitimate Windows process, not a virus or malware. However, if you experience high CPU or memory usage attributed to vmmem.exe, it could indicate resource-intensive actions happening on virtual machines, or misconfigurations that need to be addressed.

      How to Resolve Vmmem High Memory and CPU Usage?

      If you are using virtual machines and find the resource usage of vmmem.exe to be excessive, there are several options to try:

      Restart WSL from Command Prompt

      WSL (Windows Subsystem for Linux) is integral to Windows 10/11, offering virtualization solutions for users. It is the most widely used option, so much so that using Windows built-in virtualization is almost synonymous with WSL. That being said, it can occasionally contribute to the vmmem high usage issue due to improper setup or operational glitches.

      As the most common troubleshooting advice goes, the first thing to do in case of any problem is to reboot. Restarting the VM can restore normal operations and fix the excessive memory usage. Here is how you can do it:

      1. Open Command Prompt as an administrator by typing “cmd” in the search bar, right-clicking Command Prompt, and selecting “Run as administrator.”

      2. Execute the following command to shut down WSL:

      wsl --shutdown

      3. If the command doesn’t work, navigate to the following location in File Explorer:

      C:\Users\your-username\.wslconfig

      Create a new text file and add the following code:

      [wsl2]
      guiApplications=false

      4. Save the file and reboot your PC. Monitor vmmem’s RAM usage in Task Manager after the reboot. The actions above should stop the VM from running, hence you should not see it pop up again. If you still need to use Linux utilities, you can always start the WSL service back. If the issue persists though, you can run the guide above to stop it.

      1. Search for Windows PowerShell in the Start menu, right-click it, and select “Run as administrator.”

      2. Execute the following command to restart the WSL service:

      Restart-Service LxssManager

      Adjust Virtual Machine Memory Allocation

      High CPU and memory usage by vmmem may result from excessive RAM allocation to virtual machines. Adjusting virtual machine settings can help mitigate this issue. To configure RAM for a virtual machine on Hyper-V, please open Hyper-V Manager. In the list of virtual machines, select the desired VM. Then right-click the VM and select “Settings”.

      Hyper V settings

      In the left pane, select “Memory”. Next, in the “RAM” field, enter the desired amount of memory.

      (Optional) Enable dynamic memory:

      Select the “Use dynamic memory” checkbox.

      Hyper V RAM settings

      Enter the minimum and maximum amount of memory and click “OK”.

      Disable Running Virtual Machines

      If previous methods fail to address vmmem high memory usage on Windows 10, consider terminating running virtual machines.

      1. Open Windows PowerShell as an administrator by searching for “powershell” in the search bar and running it as an administrator.

      2. Execute the following command to display a list of running virtual machines:

      wsl -l -v

      3. Identify the running virtual machines and terminate them using the following command:

      wsl -t kali-linux

      Note: Replace “kali-linux” with the name of the running virtual machine on your system.

      If you’re not using virtual machines actively but experiencing excessive resource usage from vmmem.exe, you have a few options:

        Stop or suspend virtual machines. You can free up system resources when not using specific virtual machines by stopping or suspending them through virtualization management software or the Hyper-V Manager in Windows.

        Disable Hyper-V. If you aren’t using any virtualization features or virtual machines on your system, consider disabling Hyper-V to prevent vmmem.exe from running and using system resources. This process requires administrative privileges and can be done by accessing the “Turn Windows features on or off” settings.

      It’s essential to consider the impact on virtual machines before reducing or disabling vmmem.exe, as it may affect their functionality or performance. So, assess your specific requirements before making adjustments.
