How can I figure out which object is being hosted in an instance of dllhost?
We saw some time ago that the
dllhost.exe process goes by the name COM Surrogate and is used when a COM object is configured to run in a separate process.
If you have found an instance of the
dllhost.exe process, how can you figure out which COM object is running inside it? For example, maybe you are debugging an out-of-process COM object and you want to find the
dllhost.exe that is hosting it, so you can debug further. Or you’re studying a crash of
dllhost.exe and you want to know what object the crashed
dllhost.exe was working with.
Note that this information is for debugging purposes only.
The information is encoded in the
dllhost.exe command line. From the debugger, you can use the
!peb command to view the command line. You can also ask Task Manager to show the command line by going to the Details page and turning on the Command line column.
From the command line, extract the GUID. That is the AppId of the object loaded into the
dllhost.exe process. You can look up this GUID in the registry under
HKEY_. That will give you some information about what the object is. To obtain the CLSID that corresponds to the AppId, go to
HKEY_ and search for the AppId GUID. It will be a value inside one of the CLSID entries. That’s the object.