If you poke around in your Task Manager, there’s a good chance you’ll see one or more “COM Surrogate” processes running on a Windows PC. These processes have the file name “dllhost.exe”, and are part of the Windows operating system. You’ll see them on Windows 10, Windows 8, Windows 7, and even earlier versions of Windows.
This article is part of our ongoing series explaining various processes found in Task Manager, like Runtime Broker, svchost.exe, dwm.exe, ctfmon.exe, rundll32.exe, Adobe_Updater.exe, and many others. Don’t know what those services are? Better start reading!
What Is COM Surrogate (dllhost.exe)?
COM stands for Component Object Model. This is an interface Microsoft introduced back in 1993 that allows developers to create “COM objects” using a variety of different programming languages. Essentially, these COM objects plug into other applications and extend them.
For example, the Windows file manager uses COM objects to create thumbnails of images and other files when it opens a folder. The COM object handles processing images, videos, and other files to generate the thumbnails. This allows File Explorer to be extended with support for new video codecs, for example.
However, this can lead to problems. If a COM object crashes, it will take down its host process. At one point, it was common for these thumbnail-generating COM objects to crash and take down the entire Windows Explorer process with them.
To fix this sort of problem, Microsoft created the COM Surrogate process. The COM Surrogate process runs a COM object outside the original process that requested it. If the COM object crashes, it will only take down the COM Surrogate process and the original host process won’t crash. For example, Windows Explorer (now known as File Explorer) starts a COM Surrogate process whenever it needs to generate thumbnail images. The COM Surrogate process hosts the COM object which does the work. If the COM object crashes, only the COM Surrogate crashes and the original File Explorer process will keep on trucking.
“In other words,” as the official Microsoft blog The Old New Thing puts it, “the COM Surrogate is the ‘I don’t feel good about this code, so I’m going to ask COM to host it in another process. That way, if it crashes, it’s the COM Surrogate sacrificial process that crashes instead of me’ process.”
And, as you might have guessed, COM Surrogate is named “dllhost.exe” because the COM objects it hosts are .dll files.
How Can I Tell Which COM Object a COM Surrogate Is Hosting?
The standard Windows Task Manager doesn’t give you any more information about which COM object or DLL file a COM Surrogate process is hosting. If you want to see this information, we recommend Microsoft’s Process Explorer tool. Download it and you can just mouse-over a dllhost.exe process in Process Explorer to see which COM Object or DLL file it’s hosting.
In our example, this particular dllhost.exe process is hosting the CortanaMapiHelper.dll object.
Can I Disable It?
You can’t disable the COM Surrogate process, as it’s a necessary part of Windows. It’s really just a container process that’s used to run COM objects that other processes want to run. For example, Windows Explorer (or File Explorer) regularly creates a COM Surrogate process to generate thumbnails when you open a folder. Other programs you use may also create their own COM Surrogate processes. All the dllhost.exe processes on your system were started by another program to do something that program wants done.
Is It a Virus?
The COM Surrogate process itself is not a virus, and is a normal part of Windows. However, it can be used by malware. For example, the Trojan.Poweliks malware uses dllhost.exe processes to do its dirty work. If you see a large number of dllhost.exe processes running and they’re using a noticeable amount of CPU, that could indicate the COM Surrogate process is being abused by a virus or other malicious application.
If you’re concerned that malware is abusing the dllhost.exe or COM Surrogate process, you should run a scan with your preferred antivirus program to find and remove any malware present on your system. If your antivirus program of choice says everything is fine but you’re suspicious, run a scan with another antivirus tool to get a second opinion.
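A scripted version of the two checks above (which COM object a surrogate is hosting, and whether a dllhost.exe process looks out of place), as an added PowerShell example that is not part of the original article. It assumes the usual launch form dllhost.exe /Processid:{AppID} and looks that AppID up under HKEY_CLASSES_ROOT\AppID; the Notes column holds triage heuristics added here, not verdicts.

```powershell
# Added example: inventory COM Surrogate (dllhost.exe) processes.
# Run on the Windows machine being examined. An elevated prompt is needed
# to read the path and command line of processes owned by other users.

function Get-ComSurrogateInfo {
    # Locations of the genuine binary (64-bit and 32-bit copies).
    $expected = @(
        (Join-Path $env:windir 'System32\dllhost.exe'),
        (Join-Path $env:windir 'SysWOW64\dllhost.exe')
    )

    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $appId   = $null
        $appName = $null

        # Assumed launch form: dllhost.exe /Processid:{AppID-GUID}
        if ($_.CommandLine -match '/Processid:\s*(\{[0-9a-f-]{36}\})') {
            $appId = $Matches[1]
            # The AppID key's default value usually holds a friendly name.
            $key = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
            if (Test-Path -LiteralPath $key) {
                $appName = (Get-ItemProperty -LiteralPath $key).'(default)'
            }
        }

        # Heuristic flags (assumptions for triage, not proof of infection).
        $notes = @()
        if (-not $_.CommandLine) {
            $notes += 'command line not readable (try elevated)'
        } elseif (-not $appId) {
            $notes += 'no /Processid argument'
        }
        if ($_.ExecutablePath -and ($expected -notcontains $_.ExecutablePath)) {
            $notes += 'binary outside System32/SysWOW64'
        }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            AppID     = $appId
            AppName   = $appName
            Notes     = $notes -join '; '
        }
    }
}

Get-ComSurrogateInfo | Format-Table -AutoSize -Wrap
```

Rows with an empty Notes column and a recognizable AppName are ordinary surrogates; rows with notes are the ones to look at more closely in Process Explorer or with an antivirus scan.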