Should I worry about “COM Surrogate” aka "dllhost.exe" in my task manager? 5 processes are belonging to not harmful Windows core processes.
First of all, calm down – take a brief in and brief out. Status June 2021, COM Surrogate is not a virus in 99% of cases, and I am going to explain why.
Other articles are claiming the dllhost.exe virus from the first line. But it is a scam! Because the second line will propose paid antivirus… Very clever, but not fair.
For that rest 1%, you will find detailed guidance in this article, which will help you identify if it is a threat and remove the virus within 3 minutes.
Since you are no longer under stress because of an unfamiliar process, I guess your first question is about the other four suspicious but not malicious processes under Windows?
Let us look at it!
📑 Table of Contents
I need to emphasize that all said below is valid only for normal situations, when you are not experiencing any problem with your operating system, can't trace any anomalies in your system's behavior and your defender system, or any third-party antivirus not notifying you about possible threats.
We will cover removing malicious programs and viruses here as well. Still, you should do this carefully, while non-appropriate removal of any above-mentioned files can lead to permanent damage to Windows system and potential recovery needs.
Based on our research in June 2021, we have collected the top 5 Windows processes in task manager with weird names. What one can find in that task manager window can confuse any user:
- dllhost.exe- COM Surrogate
- svchost.exe - Service Host Process
- lsass.exe - Local Security Authentication Service
- dmw.exe - Desktop Window Manager
- rundll32.exe – Windows Host Process
This list could be much longer because in idle Windows are running over 180 processes… and saying honestly, most of them are looking weird for me (I see your smiles Unix guys).
But let's get back to the central target in the topic. This is how it looks like:
We all remember that meme about non-responding apps
Task manager (Not Responding)" – You were supposed to destroy them – not join them.
This is exactly why the COM Surrogate process was developed by Windows. This is a secondary process for a specific task, which runs independent or asynchronous to the primary process (COM-Object). That is why it is called a surrogate.
Windows system process established under analog, but not original subprocess. And this makes our lives much easier, preventing the whole system from freezing. To understand what exactly happened if COM Surrogate has stopped working, here is a small example:
- Windows Explorer starts a COM Surrogate process whenever an image preview (thumbnail) needs to be calculated.
- The COM Surrogate process serves as a host for the COM-Object that calculates the actual image preview. For unknown reasons, this can cause high CPU and RAM memory spikes.
- If the COM-Object crashes because of overloading, only the COM Surrogate process crashes with it too. This generally led to dllhost.exe error.
- But because of the COM Surrogate process, the Windows Explorer is not affected. You can continue using your PC without needing to restart it completely.
So, for me, it sounds like a truly helpful feature.
Cybercriminals often use the name of a legitimate process related to Microsoft Windows in malware campaigns and try to replace the original executable files with malicious ones without the victim's knowledge.
There are three reasons for that:
- COM Surrogate process depends on the dllhost.exe system file, which is critical to Windows functioning. It would be tough to delete it immediately, so malware will have time to perform self-saving actions to get a permanent foothold on the victim's system.
- Suppose hackers have managed to migrate their malicious code in memory through a legitimate COM-Surrogate process. In that case, it will run any function with the highest system privileges, giving the unprecedented advantage for developing the attacking capabilities of hackers.
- There are two versions of dllhost.exe are existing. One of them runs as 64 bits program and the usual one as 32 bits. The interesting fact that I am experiencing during red teaming and security assessments. Build-in Windows Defender reacts immediately on any suspicious program running on 32 bits but will allow some potentially malicious actions for the same program running on 64 bit.
There are many examples of Remote Access Trojans (RATs) delivered under the mask of dllhost.exe recently in 2021. To name a few: JSSLoader RAT, Powerliks RAT, Urnsnif, etc...
The very prominent case study is the ElectroRAT trojan, which successfully cleaned many cryptocurrency wallets of many thousands of people. In this case, the first symptoms of running malware are:
- higher load on CPU;
- increased memory consumption;
- new connections to external resources and lower available bandwidth;
- general system overloading with consequent fan speed increase and higher temperature.
Since this process does not have an icon and the name seems rather unusual, you often think that the system is infected and this process is malicious. But it is not always true.
Follow next steps to check if your COM Surrogate is a rogue program or not:
Open “Task Manager” using one of many existing ways:
- The quickest way is to use the button combination “CTRL+SHIFT+ESCAPE”
- The old-school way is button combination “CTRL+SHIFT+DELETE” and after opening “Task Manager”.
- The alternative way is to click the right mouse button to the Windows icon in the bottom-left corner and then choose “Task Manager”.
Find the COM Surrogate process in the list of running processes in “Task Manager” and click “Properties”.
You should see information about the name of the executable file (1), and it's location (2). They should typically look like this.
You can check it another way. Choose “Open file location” instead of “Properties” from the last step.
Again, as in step 3: filename (1) and location (2) are indicated. This is the normal status of dllhost.exe.
But if you see something like here below, be aware – this is most likely a virus. The file's location is under Windows/Temp folder, which is much easier to use for non-legitimate activities. At the same time, it doesn’t require any special rights (1). The second indicator of compromise (2) in this case is the name of the file. Here should be only dllhost.exe.
You should react appropriately, as shown in the next chapter.
If your antivirus system or you manually have detected this malware, you should try to remove the COM Surrogate virus from the system immediately.
✅ If you follow the previous chapter and already found the location and filename of a virus. You may try to “End task” using “Task Manager” and manually remove the virus file.
✅ Sometimes it is impossible to do manually. Especially if a virus was migrated into memory and trying to block any actions related to ending COM Surrogate task.
In this case, you need a help of an antivirus program.
While you may find many advertisements of “best antiviruses”, I prefer to use Windows Defender for continuous monitoring and antivirus protection. It shows pretty reliable results detecting most viruses if you are using a recent signature update. Go to “Windows Security” and start “Quick scan”. Usually, it is enough. In some cases, you would like to open options and choose the whole hard drive as a scanning scope.
✅ In some cases, Windows Defender can be already evaded, and the victim should take containment and neutralization actions.
- Turn your Internet connection down, physically. It would make sense to disconnect the infected PC from any other networks to stop the virus from spreading and avoid any data loss.
- Before using any utility to clean your system for viruses, you might think about installing an utterly new system. In this case, you are possessing almost no risk of falling victim to the espionage of third parties.
- Use another device to download a free program called “Dr.Web CureIt!” from the official website.
Image source – drweb.com
- Use USB Stick to transfer antivirus program to infected PC. Don't forget that this USB Stick should be cleaned and formatted after this, using Sandbox or a specially prepared Virtual Machine. Otherwise, you are risking getting the same virus for every PC used with that USB Stick.
One basic fact we all need to know:
Suppose somebody with enough knowledge and resources would like to get access to your system. In that case, it is not a question, is it possible at all - they will do this anyway - it is just a matter of time.
No, I am not a pessimist, but I am an educated optimist.
That is why I have prepared a few cyber hygiene rules, which will help you avoid most typical mistakes leading to infection.
- Don’t download any suspicious files. And it is literally means do not even download them because hackers already found many techniques on how to manipulate downloaded files and push starting it even without any click from your side.
- Ensure all available Windows tools and security options are enabled.
- You might migrate to the latest release of Windows products if you still use outdated versions, which are not supported anymore, and don't receive any security updates.
- Even if you are using the most recent version of the software, keep it constantly updated.
Before start panic and clicking "Delete" all around or buying a non-sense antivirus program, it is worth to look at the official documentation and proceed with some standard set of actions to prove that dllhost.exe is not hackers aggressive malware, rather than an important part of your Windows's everyday routine.
Even being a passionate and sometimes paranoid security expert, I personally believe in principle, "It is bad to delete anything running before you prove it is bad".
If you would still like me to put my hands on other processes in the top 5 windows processes list, please, ping me here in the comments below.
Stay tuned and watch around!