Medium Risk | Windows | System Process | Legitimate | Commonly Abused
dllhost.exe - COM Surrogate Security Analysis
dllhost.exe (COM Surrogate) hosts COM objects out-of-process. Multiple instances are normal. Malware may inject into dllhost.exe or masquerade as it.
Risk Summary
MEDIUM priority. Monitor for: dllhost.exe spawning interpreters, unusual network activity, and instances outside System32.
Overview
What is dllhost.exe?
dllhost.exe is the COM Surrogate, hosting out-of-process COM objects.
Security Significance
- Multiple Instances: Normal behavior
- Injection Target: Often targeted for injection
- Masquerading: Common impersonation target
Normal Behavior
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\dllhost.exe |
| Parent | svchost.exe |
| User | Varies by COM object |
Common Locations
C:\Windows\System32\dllhost.exe
Suspicious Indicators
| Indicator | Risk |
|---|---|
| Path not System32 | CRITICAL |
| Spawning interpreters | HIGH |
| High network activity | MEDIUM |
Abuse Techniques
Attack Techniques
Process Injection
Injecting code into dllhost.exe for persistence.
COM Hijacking
Registering malicious COM objects loaded by dllhost.exe.
Detection Guidance
Detection
dllhost.exe path != System32 → ALERT
dllhost.exe spawning cmd/PowerShell → ALERT
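The two rules above, together with the parent check from the investigation checklist, applied to process-creation events. This is an added example, not part of the original page. It assumes Sysmon-style Image and ParentImage fields; the sample events are constructed and the interpreter list is an assumption.

```python
import ntpath

# Expected location from the page's "Normal Behavior" table. 64-bit Windows also
# ships C:\Windows\SysWOW64\dllhost.exe; add it here if 32-bit COM servers are in use.
ALLOWED_PATHS = {r"c:\windows\system32\dllhost.exe"}
# Assumed interpreter list covering the page's "cmd/PowerShell".
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _norm(path):
    """Lower-case and normalise a Windows path (works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path or ""))


def _name(path):
    return ntpath.basename(_norm(path))


def check_event(ev):
    """Return a list of (severity, reason) findings for one process-creation event."""
    findings = []
    image, parent = _norm(ev.get("Image")), _norm(ev.get("ParentImage"))
    if _name(image) == "dllhost.exe":
        if image not in ALLOWED_PATHS:
            findings.append(("CRITICAL", "dllhost.exe outside System32: " + image))
        if _name(parent) != "svchost.exe":
            findings.append(("REVIEW", "unexpected parent: " + parent))
    if _name(parent) == "dllhost.exe" and _name(image) in INTERPRETERS:
        findings.append(("HIGH", "dllhost.exe spawned " + _name(image)))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\Public\dllhost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\WINDOWS\system32\DllHost.exe"},
    {"Image": r"C:\Windows\System32\..\Temp\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for sev, reason in check_event(ev):
            print(sev, reason)
```

Paths are normalised before comparison, so mixed case and `..` segments do not slip past the System32 check.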
Remediation Steps
- Verify path is System32
- Check for COM hijacking
- Review loaded DLLs
Investigation Checklist
- Verify path is System32
- Check parent is svchost.exe
- Review child processes
- Check for COM hijacking
MITRE ATT&CK Techniques
Last verified: January 18, 2026