File description |
Dllhost.exe with description COM Surrogate is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is
digitally signed from Microsoft Windows - Microsoft Time-Stamp Service
We do not recommend removing digitally signed files from Microsoft Windows
What is dllhost.exe?
Dllhost.exe is the Windows DCOM DLL Host Process. It executes COM+ DLLs and controls processes in the Internet Information Services (IIS). As such, is utilized by many different applications, including Visual Basic and .NET applications.
This process is a system process that is essential to the system's proper operation. Despite this, it is generally safe to kill a misbehaved dllhost.exe, as it will only terminate the particular COM+ DLL that is being run. Removing the executable altogether, however, will render your system unable to execute COM+ DLLs and thus render significant parts of the system unusable.
Dangers of dllhost
As this is a critical system process that runs on every Windows machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine dllhost.exe.
Some malicious files will have the same name as this process but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to it but has slight differences in spelling or with appended or removed digits. The following malware is known to disguise itself as dllhost.exe:
- W32/Lovelet-Y (%SystemRoot%\dllhost.com, %SystemRoot%\System32\dllhost.com)
- This is a worm that copies itself to several different locations on your hard drive (22 to be exact), making it very difficult to eliminate.
- W32/Nachi-A (%SystemRoot%\Wins)
- This is a worm that spreads via the RPC DCOM vulnerability in Windows XP.
- W32/Rungbu-B (%SystemRoot%\setup\dllhost.com, %SystemRoot%\System32\dllhost.com)
- This is a worm that infects .DOC files and spreads to all email addresses in your address book.
- Troj/Sivion-A (%SystemRoot%\System32\System\dllhost.exe)
- W32/Lovelet-DR (%SystemRoot%\System32\dllhost.dll)
There can be any number of instances of this process running at a given time. The presence of multiple instances is a not an indicator of a malware infection. Beware, though: dllhost allows any COM+ DLL to be executed, which means a malicious DLL could be running as the genuine dllhost.exe. If this process is exhibiting suspicious behavior, be sure to look deeper.
Common problems
- Dllhost uses excessive memory with IIS
- This is a bug in IIS. Restarting IIS should free up the memory.
- Dllhost.exe uses 100% CPU time
- Because dllhost.exe allows any COM+ DLL to be executed, and as such the executing DLL will appear as dllhost.exe, any misbehaved COM+ DLL could cause dllhost.exe to use 100% CPU time. Kill the offending dllhost.exe instance to try to determine the cause.
|
Automatic startup locations |
 |
001 Running Processes |
 |
002 Autorun registry entries local machine |
|
003 Autorun registry entries Current User |
 |
010 Installed services |
 |
034 Winlogon Shell |
|
035 Active Setup Installed Components |
|
038 Winlogon Taskman |
|
065 Image File Execution Options (debugger) |
|
Digital signatures found for this file |
| |
Signer of certificate |
Issuer of certificate |
 |
Microsoft Windows |
Microsoft Time-Stamp Service |
|
Microsoft Windows |
Microsoft Timestamping Service |
|
Microsoft Windows |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows 2000 Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows Component Publisher |
Microsoft Timestamping Service |
|
Microsoft Windows Component Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows XP Publisher (Europe) |
VeriSign Time Stamping Service |
|
|
MD5 security rating in our database |
 |
 |
|
685 |
files (Not yet rated
and
not
signed) |
|
|
1 |
files (Not yet rated
and
digitally
signed) |
 |
|
4 |
files (Safe
and
not
signed) |
|
|
173 |
files (Safe
and
digitally
signed) |
|
|
|
Some versions of this filename have not yet been checked for safety.
|
| Warning: Some malware might rename itself to dllhost.exe. Always make sure that your file is from a verified publisher. |
|
Application errors |
|
| User comments. |
There are no comments yet.
|
|
Database statistics
Top process list
