What Is "COM Surrogate" (dllhost.exe)? — Why Is It Running on PC?

In case you decide to inspect your Task Manager¹, there’s a great possibility you’ll encounter one or more “COM Surrogate” processes active on a Windows workstation. Such processes have got the file name “dllhost.exe”, and are components of Windows OS. You’ll notice them on Windows 10, Windows 8, Windows 7, and even previous versions of Windows.

This tutorial is component of our regular sequence of guidelines describing various processes located in Task Manager, such as Runtime Broker, svchost.exe, dwm.exe, AMTEmu, and many others. Aren’t you aware of what those services stand for? Keep reading our articles!

This Article Contains:

What Is COM Surrogate (dllhost.exe)?

COM is alternatively referred to as Component Object Model². This is an interface Microsoft released back in 1993 that lets developers form “COM objects” by means of a set of various programming languages. Their essential feature is the ability to plug into other programs and extend them.
For instance, the Windows file manager applies COM objects for generating thumbnails for images and other files when it opens a certain folder. The COM object is responsible for processing images, videos, and other files for generating the thumbnails. This lets File Explorer be extended with support for new video codecs, for instance.

Nevertheless, this can result in troubles. In case a COM object crashes, it will negatively impact its host process. At a certain point in time, it was typical for these thumbnail-generating COM objects to crash and thus took down the complete Windows Explorer process with them.

To resolve this kind of issue, Microsoft elaborated the COM Surrogate process. The COM Surrogate process operates a COM object beyond the original process that asked for it. If the COM object crashes, it will only result in a crash of the COM Surrogate process, and the original host process won’t be damaged. For instance, Windows Explorer (now referred to as File Explorer) launches a COM Surrogate process whenever it wants to form thumbnail images. The COM Surrogate process hosts the COM object, which performs all important works for this purpose. If the COM object fails to operate, it’s just the dllhost.exe that crashes, and the original File Explorer process will continue functioning.

“In other words”, as stated by the official Microsoft blog The Old New Thing³, “the COM Surrogate implies that I don’t feel good about this code, so I’m going to ask COM to host it in another process. That way, if it crashes, it’s the COM Surrogate sacrificial process that crashes instead of me process.”

Plus, as you might have thought, COM Surrogate is nominated “dllhost.exe” due to the fact that the COM objects it hosts are .dll files.

How Can I Define Which COM Object a COM Surrogate Is Hosting?

The common Windows Task Manager doesn’t provide you with any more data about which COM object or DLL file a COM Surrogate process is hosting. When you want to get more details about it, we suggest Microsoft’s Process Explorer⁴ utility. Download it and you can simply mouse-over a dllhost.exe process in Process Explorer to discover which COM Object or DLL file it’s hosting.

As we can discover in the screenshot below, this specific dllhost.exe process is hosting the CortanaMapiHelper.dll object.

Can I Deactivate It?

You can’t deactivate the COM Surrogate process, since it’s an essential component of Windows. It’s, in fact, simply a container process to run COM objects that other processes would like to run. For instance, Windows Explorer (or File Explorer) permanently creates a dllhost.exe process to generate thumbnails in times you open a folder. Other applications you run may also generate their own COM Surrogate processes. All the dllhost.exe processes on your computer were launched by another application to perform something that the program wants to be accomplished.

Is It a Malware?

The COM Surrogate process itself is not malware and is a common component of Windows. Nevertheless, there are cases when it can be used by malware. For instance, the Trojan.Poweliks malware refers to dllhost.exe processes to perform its malicious activity. If you encounter a great number of dllhost.exe processes active, and they’re eating a considerable portion of CPU, that could be evidence of the COM Surrogate process being abused by malware or another hazardous program.

In case you’re worried whether that malware is abusing the dllhost.exe or COM Surrogate process, you need to perform a scan with your preferred antivirus application to locate and delete any malware available in your system. If your antivirus application indicates everything is well, but you still doubt, consider initiating a scan with another antivirus program to get a second opinion.

Brendan Smith

IT Security Expert

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer's work, the proverb "Forewarned is forearmed" describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.