We saw some time ago that the dllhost.exe
process goes by the name COM Surrogate and is used when a COM object is configured to run in a separate process.
If you have found an instance of the dllhost.exe
process, how can you figure out which COM object is running inside it? For example, maybe you are debugging an out-of-process COM object and you want to find the dllhost.exe
that is hosting it, so you can debug further. Or you’re studying a crash of dllhost.exe
and you want to know what object the crashed dllhost.exe
was working with.
Note that this information is for debugging purposes only.
The information is encoded in the dllhost.exe
command line. From the debugger, you can use the !peb
command to view the command line. You can also ask Task Manager to show the command line by going to the Details page and turning on the Command line column.
From the command line, extract the GUID. That is the AppId of the object loaded into the dllhost.exe
process. You can look up this GUID in the registry under HKEY_
. That will give you some information about what the object is. To obtain the CLSID that corresponds to the AppId, go to HKEY_
and search for the AppId GUID. It will be a value inside one of the CLSID entries. That’s the object.
0 comments