What Is “COM Surrogate” (dllhost.exe) and Why Is It Running on My PC?

If you do a trick in your task manager there is a good chance that you will see one or more Surrogate COM processes running on a Windows PC. These processes have the file name "dllhost.exe", and are part of the Windows operating system. You will see them on Windows 10, Windows 8, Windows 7 and even earlier versions of Windows.

This article is part of our current series explaining various processes found in Task Manager, such as Runtime Broker svchost.exe . rundll32.exe Adobe_Updater.exe and many others . I do not know what these services are? Better to start reading!

What is COM Surrogate (dllhost.exe)?

COM is the abbreviation for Component Object Model . This is an interface that Microsoft introduced in 1993 and that allows developers to create "COM objects" using a variety of different programming languages. Essentially, these COM objects connect to and extend other applications.

For example, the Windows File Manager uses COM objects to create thumbnail images of images and other files when it opens a folder. The COM object handles the processing of images, videos, and other files to generate thumbnails. This extends the file browser with support for new video codecs, for example.

However, this can cause problems. If a COM object hangs, it will remove its host process. At one point it was common that these COM objects generating thumbnails crash and stop the whole process of Windows Explorer with them

To solve this kind of problem, Microsoft created the Surrogate COM process. The COM Surrogate process runs a COM object outside of the original process that has requested it. If the COM object crashes, it will only take the Surrogate COM process and the original host process will not hang. For example, Windows Explorer (now called File Explorer) starts a Surrogate COM process whenever it needs to generate thumbnail images. The COM Surrogate process hosts the COM object that performs the job. If the COM object hangs, only the Surrogate COM will crash and the original file explorer process will continue to truck.

"In other words," as an official Microsoft blog The Old New Thing The Surrogate COM is the I do not feel good with this code, so I will ask COM to accommodate it in another process. This way, if it crashes, it is the sacrificial COM surrogate process that hangs instead of me process. "

And as you guessed, COM Surrogate calls itself "dllhost.exe" because the COM objects it hosts are .dll files.

How to know what COM object a COM subscriber is hosted

Standard Windows Task Manager does not give you more information about the COM object or the DLL file than a Surrogate COM process hosts. If you would like to view this information, we recommend the Process Explorer tool from Microsoft. Download it and you can simply mouse over a dllhost.exe process in Process Explorer to see which COM object or DLL file it hosts

As we can see in the screenshot below, this particular dllhost.exe process hosts the CortanaMapiHelper.dll object.

Can I turn it off?

You can not disable the Surrogate COM process because it is a necessary part of Windows. This is really just a container process that is used to run COM objects that other processes want to run. For example, Windows Explorer (or File Explorer) periodically creates a Surrogate COM process to generate thumbnails when you open a folder. Other programs you use can also create their own Surrogate COM processes. All the dllhost.exe processes on your system were started by another program to do something that the program wants to do.

Is this a virus?

The COM Surrogate process itself is not a virus and is a normal part of Windows. However, it can be used by malicious software. For example, the malicious program Trojan.Poweliks uses dllhost.exe processes to do its dirty work. If you see a lot of running dllhost.exe processes and they use a notable amount of CPU, this could indicate that the Surrogate COM process is being misused by a virus or other malicious application .

If you suspect malware is abusing the dllhost.exe or COM Surrogate process, you should perform a scan with your favorite antivirus program to find and remove the malware that is present on your system. If your favorite antivirus program tells you everything is fine, but you're suspicious, run a scan with another antivirus for a second opinion

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.