How To Fix Dllhost.exe


Yufei Labbe

Jul 27, 2024, 4:52:41 PM
to asadritu

If your Windows PC uses DLLs (dynamic linked libraries), and yours most certainly does, then (COM Surrogate) dllhost.exe is a safe process to find running in your Windows Task Manager. In fact, I just checked my own PC as I'm writing this and dllhost.exe is running right now, two times!

I've also checked the different PCs here in our SpyShelter cybersecurity lab in Austin, Texas, and I see this dllhost.exe process running on all of them. So, what does the COM Surrogate do exactly?

dllhost.exe serves as a host for DLL (Dynamic Link Library) files. These files contain code and data that can be used by multiple programs at the same time.

The dllhost.exe process allows these shared DLLs to be executed and accessed by applications running on Windows. This helps to improve system efficiency and reduce memory usage by allowing multiple programs to use the same resources. However, it's important to note that some malware may attempt to disguise itself as dllhost.exe, so it's important to verify the legitimacy of the .exe.

You can verify if dllhost.exe is safe by checking to see if it's signed with the Windows Task Manager, or use our free SpyShelter Antispyware app!


How do we know? Our SpyShelter cybersecurity lab focuses on monitoring different types of Windows PC executables and their behaviors for our popular SpyShelter Antispyware software. Learn more about us, and how our cybersecurity team studies Windows PC executables/processes.

The publisher of an executable is the entity responsible for its distribution and authenticity. Most processes/executables on your PC should be signed. The signature on the executable should have been verified through a third party whose job it is to make sure the entity is who it says it is. Find an unsigned executable? You should consider scanning any completely unsigned .exe on your PC.

On my Windows 10 Home x64 machine, I noticed an unknown instance of dllhost.exe using a high amount of CPU. Upon further inspection, I noticed that it had one thread using most of its CPU time. Here's the thread stack:

Based on some more digging, this specific DLL is a Microsoft-signed DLL called "Media Foundation MKV Media Source and Sink DLL". If I look at the process's file handles, it has an open file handle to a video file in my user directory, specifically a .webm video capture of one of my virtual machines.

Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability. Explorer has decided to absorb the performance penalty in exchange for the improved reliability resulting from moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.

I was curious about COM Surrogate in my task manager. I looked up the file and saw the word virus repeated multiple times, which caused me to quickly and permanently remove dllhost.exe from my PC. Now, I discovered that the file was actually made by Microsoft and now my PC is acting funny.

When I start up my computer, I can run for a few minutes without any issue. However, after a little while, I see multiple instances of dllhost.exe start in my task manager, and from there, everything falls apart. The slowdowns and other issues make the computer nearly unusable (so much so that I have to use someone else's computer to post this). I have tried running Herd Protect and MalwareBytes, and neither worked. It happens randomly, and it seems to happen more often when I start a web browser. Regardless of whether the browser is open, it opens web pages I cannot see. When I end those processes (iexplorer.exe), they come back, and they multiply. They go to various ad websites for incredibly random things. But I can't see any of this if the task manager isn't there. There are no Internet Explorer windows open for me to see this in. My computer just grinds to a halt.

Posting my Farbar log files in my next post, and they are attached at the end of this message as well.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Hello,

I have been encountering an issue where my dllhost.exe will crash during test playback. I have been getting help from Tech Support for a few weeks on this and it's still an issue. I'm wondering if anyone has encountered this issue, or maybe there is a really simple solution that we're overlooking.

The dllhost.exe will crash during test playback when TC opens Acrobat DC or another program called Excel Compare. Essentially, the crash will occur when TC is accessing other software during test playback. Now the crash is not catastrophic; playback will continue performing playback. Interestingly, when Acrobat crashes, it will be logged in the Windows event log and an Adobe module will be identified as the faulting module. However, when Excel Compare (the other software tool being used) crashes, it will not be logged in Windows events. I contacted Adobe Acrobat and they maintain that nothing is wrong on their end. Note that either Acrobat crashes, or Excel Compare, but never both during test playback.

Unfortunately, I cannot replicate the crash while using SmartBear's Report Generator Tool.

One idea is to reproduce the issue by involving another application that uses hooks and loads them into other processes when running. Essentially, see if I can recreate the crash using software that works similarly to Test Complete. Apparently, Spy++ in message trace mode behaves in this manner. However, I have not found any useful documentation to help guide me through the process.

Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

COM+ consists of building block components that are self-defining and play well with others. The usefulness in this comes from the design of components being shared and reused by multiple applications. Not only does this design lower the demand for system resources, but it also improves initialization speed. The component object models are not written in any specific programming language; however, there are separate classes for each one depending on the programming language intended. On the enterprise level, this provides the advantage of mass deployment with a GUI tool Microsoft created called DCOM.

A DLL (dynamic link library) is essentially a size-unspecific block of code stored in a single file. This code can be the makeup of an application, service, or just an add-on for a graphical user interface. Dllhost.exe, similar to svchost.exe, is a required Windows service for any COM+ oriented programming code. A sample of what dllhost.exe runs is shown below using Process Monitor, which includes both .dll and .exe file types.

One possible security flaw in the design of the COM+ system is that it allows any DLL stored on the system to run, assuming that the trigger initiating it has the required permissions. This means that when you see a high CPU usage for dllhost.exe it is probably not the host process causing the problem, but rather a loaded DLL running through the host. You can use a program such as Process Explorer to investigate further.

If this file does become defective, could it be replaced with an operational version? If so, where could someone find this operational file? If not, what could be done to open created word documents and other apps?

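The checks the post describes (is a running dllhost.exe the signed Microsoft binary, and which DLL is it actually hosting), as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later in an elevated session; the function name `Get-DllhostTriage` is hypothetical.

```powershell
# Added example: triage every running dllhost.exe (COM Surrogate) instance.
# Legitimate copies live only in these two directories.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')
)

function Get-DllhostTriage {
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $p    = $_
        $path = $p.ExecutablePath   # empty when the session lacks rights to the process
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path }

        # A surrogate is normally started as: dllhost.exe /Processid:{AppID GUID}
        $appId   = if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] }
        $appName = $null
        if ($appId) {
            $key     = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
            $appName = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        }

        # Loaded modules not validly signed by Microsoft: the hosted code,
        # which is usually what is consuming CPU or crashing.
        $nonMs = @()
        try {
            $mods = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules
            $nonMs = @($mods | Where-Object {
                $s = Get-AuthenticodeSignature -FilePath $_.FileName
                $s.Status -ne 'Valid' -or
                $s.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation'
            } | ForEach-Object { $_.FileName })
        } catch {
            $nonMs = @('<modules not readable: process exited or access denied>')
        }

        [pscustomobject]@{
            PID          = $p.ProcessId
            Path         = $path
            PathOk       = $expected -contains $path
            Signature    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
            AppId        = $appId
            AppName      = $appName
            NonMsModules = $nonMs -join '; '
        }
    }
}

Get-DllhostTriage | Format-List
```

An instance with `PathOk` false, a `Signature` other than `Valid`, or no `/Processid:` argument on its command line deserves a closer look; entries under `NonMsModules` point to the third-party handler (codec, thumbnail extractor, shell extension) running inside the surrogate.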