If you open Task Manager [1] on a Windows workstation, you will very likely see one or more “COM Surrogate” processes running. These processes have the file name “dllhost.exe” and are part of the Windows operating system. You’ll find them on Windows 10, Windows 8, Windows 7, and even earlier versions of Windows.
This tutorial is part of our regular series of guides describing various processes found in Task Manager, such as Runtime Broker, svchost.exe, dwm.exe, AMTEmu, and many others. Not sure what those services are? Keep reading our articles!
What Is COM Surrogate (dllhost.exe)?
COM stands for Component Object Model [2]. It is an interface Microsoft released back in 1993 that lets developers create “COM objects” using a variety of programming languages. Their essential feature is the ability to plug into other programs and extend them.
For instance, the Windows file manager uses COM objects to generate thumbnails for images and other files when it opens a folder. The COM object is responsible for processing images, videos, and other files to generate the thumbnails. This lets File Explorer be extended with support for new video codecs, for instance.
However, this can cause problems. If a COM object crashes, it takes its host process down with it. At one point, it was common for these thumbnail-generating COM objects to crash and take down the entire Windows Explorer process with them.
To solve this problem, Microsoft created the COM Surrogate process. The COM Surrogate process runs a COM object outside the original process that requested it. If the COM object crashes, only the COM Surrogate process crashes and the original host process is not affected. For instance, Windows Explorer (now referred to as File Explorer) launches a COM Surrogate process whenever it needs to generate thumbnail images. The COM Surrogate process hosts the COM object that does the work. If the COM object fails, only dllhost.exe crashes and the original File Explorer process keeps running.
In other words, as stated by the official Microsoft blog The Old New Thing [3], “the COM Surrogate implies that I don’t feel good about this code, so I’m going to ask COM to host it in another process. That way, if it crashes, it’s the COM Surrogate sacrificial process that crashes instead of me process.”
And, as you might have guessed, COM Surrogate is named “dllhost.exe” because the COM objects it hosts are .dll files.
How Can I Find Out Which COM Object a COM Surrogate Is Hosting?
The standard Windows Task Manager doesn’t tell you which COM object or DLL file a COM Surrogate process is hosting. To get more details, we suggest Microsoft’s Process Explorer [4] utility. Download it, then hover the mouse over a dllhost.exe process in Process Explorer to see which COM object or DLL file it’s hosting.
As the screenshot below shows, this specific dllhost.exe process is hosting the CortanaMapiHelper.dll object.
Can I Disable It?
You can’t disable the COM Surrogate process, since it’s an essential component of Windows. It is simply a container process for running COM objects that other processes want to run. For instance, Windows Explorer (or File Explorer) regularly creates a dllhost.exe process to generate thumbnails when you open a folder. Other applications you run may also create their own COM Surrogate processes. Every dllhost.exe process on your computer was launched by another application to do something that application needs done.
Is It Malware?
The COM Surrogate process itself is not malware and is a normal component of Windows. However, it can be abused by malware. For instance, the Trojan.Poweliks malware uses dllhost.exe processes to carry out its malicious activity. If you see a large number of dllhost.exe processes running and they’re using a considerable portion of CPU, that could indicate the COM Surrogate process is being abused by malware or another harmful program.
If you’re worried that malware is abusing the dllhost.exe or COM Surrogate process, run a scan with your preferred antivirus application to find and remove any malware on your system. If your antivirus application says everything is fine but you still have doubts, consider running a scan with another antivirus program to get a second opinion.
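As an added example (not part of the original article), the PowerShell below lists every dllhost.exe process with the COM application it hosts, its parent, CPU time and image path, covering both the "which object is it hosting" question and the malware check above. It assumes the usual `dllhost.exe /Processid:{AppID}` launch argument and a matching registration under `HKEY_CLASSES_ROOT\AppID`; the Notes column marks instances worth a closer look, not confirmed infections.

```powershell
# Added example: triage view of every COM Surrogate (dllhost.exe) process.
# Assumption: surrogates are started as  dllhost.exe /Processid:{AppID}
$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$report = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $proc = $_; $appId = $null; $name = $null; $notes = @()

    if (-not $proc.CommandLine) {
        # Without elevation, other users' command lines are not readable.
        $notes += 'command line unavailable (run elevated)'
    } elseif ($proc.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]{36}\})') {
        $appId = $Matches[1]
        # Resolve a friendly name: AppID registration first, then CLSID.
        foreach ($key in "Registry::HKEY_CLASSES_ROOT\AppID\$appId",
                         "Registry::HKEY_CLASSES_ROOT\CLSID\$appId") {
            $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
            if ($item -and $item.GetValue('')) { $name = $item.GetValue(''); break }
        }
    } else {
        $notes += 'no /Processid argument'
    }

    # The genuine binary lives in System32 (or SysWOW64 for 32-bit objects).
    if ($proc.ExecutablePath -and
        ((Split-Path $proc.ExecutablePath -Parent) -notin $sysDirs)) {
        $notes += 'image outside System32/SysWOW64'
    }

    # The parent may have exited; its PID can also have been reused since.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    [pscustomobject]@{
        Id     = $proc.ProcessId
        Parent = if ($parent) { $parent.Name } else { 'exited' }
        # Kernel + user time is reported in 100 ns units.
        CpuSec = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 1)
        AppID  = $appId
        Hosts  = $name
        Path   = $proc.ExecutablePath
        Notes  = $notes -join '; '
    }
}

$report | Sort-Object CpuSec -Descending | Format-Table -AutoSize -Wrap
"{0} dllhost.exe process(es) found" -f @($report).Count
```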
- [1] Task Manager (Windows): https://en.wikipedia.org/wiki/Task_Manager_(Windows)
- [2] The Component Object Model: https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363(v=vs.85).aspx
- [3] The Old New Thing: https://blogs.msdn.microsoft.com/oldnewthing/20090212-00/?p=19173
- [4] Process Explorer: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer