Dale Preston's Web Log
  
Saturday, March 24, 2007
 

What is COM Surrogate?

With the release of Windows Vista and Windows Live OneCare, there seems to be a big increase in the number of questions from Windows users in the Microsoft newsgroups asking what a COM surrogate is. As with any newly released software, there are a bunch of new bugs in Windows Vista, and it appears that some number of these bugs (or maybe only one bug) are related to the COM surrogate, dllhost.exe. Whether it is related, the cause of the bug, or merely reporting the use of the COM surrogate, it appears that Windows Live OneCare plays a part, perhaps just because it is doing its job in reporting requests by the COM surrogate to access the Internet.

On my own Vista PC, I get routine crash reports stating that the COM surrogate must be shut down. I also get occasional requests from my Windows Live OneCare firewall to authorize the COM surrogate to access information on the Internet. I always deny the access and ask to be prompted again later, because I want to know about each request as a reminder that I need to find out exactly which application is making it. Which brings us to exactly what this post is about.

This post is intended for non-developer users of Microsoft Windows so I am just touching the technological surface of the technologies here.

What is COM

COM stands for Component Object Model. It is a technology used in Windows development for creating objects. For instance, if I am writing a program that manages news reports, a NewsItem object describes a news report within my program. But what if I have several programs that work together with NewsItems? Rather than write NewsItem code in each program, I may write a single DLL or application that knows about NewsItems, and each other program will access the NewsItems in my NewsItem DLL or program. That is basically what COM is and does. It allows objects that live in one program to be accessed and used by other programs.

COM is used in a lot of ways within Windows. Programs may use COM to access Word or Excel documents, or to access Windows Media Player, or to access components used within a specific field of endeavor, such as news publishing programs that might access a NewsItem using COM.

What is a COM surrogate?

Often, COM objects are defined in DLLs. A DLL is a Dynamically Linked Library and not exactly a program, even though it contains programming code. DLLs are generally designed to be loaded when needed by a program, and the code within the single loaded instance can be shared across other programs. The difference between a standard DLL and a COM DLL is this: with a NewsItem in a standard DLL, each program would own its own copy of the NewsItem, whereas with COM, each program can share the same copy of the NewsItem.

The only problem is that DLLs are not, as I stated, exactly executable programs. You cannot double-click a DLL and run it like you can a program. DLLs have to be loaded and started by a program.

Microsoft has provided a program from which a COM DLL can be loaded without the developer having to write a program to load the DLL. This program is called dllhost.exe, and dllhost.exe is also called the COM surrogate. The COM surrogate can load a DLL and make the objects created by the code in that DLL available to other programs on your PC and, if your firewall permits it and the COM DLL was written to do so, to programs on your local network, or even to programs running anywhere on the Internet.

What's wrong with Dllhost?

There are serious risks in doing this, and Microsoft should abandon the practice immediately. I really had hoped they would do so, given their stated interest in improving security with Windows Vista. When you allow access through your firewall to dllhost.exe, you open your firewall to every single dllhost.exe instance on your PC, because the firewall rule is keyed to the host executable, not to the DLL it happens to be hosting:

http://blogs.msdn.com/robgruen/archive/2004/08/18/216685.aspx

Dllhost and two related applications, rundll32 and svchost, while having legitimate system uses, can all be used to hide the process that is really running on your PC. They each host DLLs, allowing the DLLs to be run as applications. But when you use Task Manager to view running applications, the DLLs actually running are not listed; only the hosts are listed. Each of them fails to display the real name or file location of the code that it hides. And the risks outlined in the link above apply equally to rundll32, svchost, and dllhost, though the article only refers to dllhost.

While there are tools by which you can determine what applications these three hosts are hiding from you, those tools are generally considered advanced tools. That means that, for most users, all three of those hosts are effective means of hiding programs.

Like I said, I wish Microsoft would drop all three of these tools immediately. There is no reason for an application to be built in a DLL rather than in a real executable.

Comments:
How else would you elevate a COM server other than hosting it in a surrogate process?
 
AMEN. From the huge amount of discussion and response, your plea may have fallen on deaf ears. But you are 100% correct: these programs are a real security hole; they allow a malicious DLL to hide from users and also get through a typical firewall. If Microsoft insists on keeping rundll, svchost, and dllhost around, they should do two things:

1) Make the default task manager show exactly which DLLs are loaded into the host (not User32 and other system DLLs, but the top-level DLL(s) that rundll, dllhost, etc. were asked to load in order to perform the desired action).

2) Allow the firewall to have fine enough control to enable/disable based on the loaded DLL within rundll, dllhost, svchost, etc.

Note the same issues apply to other areas such as the Java Runtime environment and even the Windows Explorer. The Windows Explorer is allowed to access the Internet so that search functionality works, but I've seen spambots load themselves into the Windows Explorer in order to be allowed to do their dirty work. Do I want my Java Runtime to allow any and all Java programs to do as they please? NO!
 
Hey Dale, thanks for the explanation of the COM surrogate. I keep getting the following error each day:

[Window Title]
Microsoft Windows

[Main Instruction]
Windows Media Center Store Update Manager stopped working and was closed

[Content]
A problem caused the application to stop working correctly. Windows will notify you if a solution is available.

[Close]

How do I resolve this error? I appreciate any help you can provide.

Thanks,
Brett
supadat@yahoo.com
 
WARNING

COM Surrogate is currently being distributed to systems other than Vista via third party users. Although native to Vista, it is being put into other versions of MS Windows during updates.
 
Hey Dale, thank you for your reply about the COM Surrogate. Now understanding what it means and how it works gives me more insight into just what Microsoft really wants for its users: key tools for more problems, allowing MS to generate, or so-called generate, solutions for their f ups. It's their way of generating some kind of business. Vista is starting to look worse than any of their other operating systems in the past. The security issues are so rotten and cause so many problems that they need to come up with a better program for their users. I'm still feeling my system is being invaded by someone out there through some program, but I just can't seem to figure it out. I'm running about 85 apps on Vista and couldn't begin to start with where to look. However, I'm thinking of whacking it and reloading from scratch. However, the security issues are so f'd up that someone would get through again sooner or later. So many people are invaded and don't even know it. Now one more question. The system32 folder: what would I look for if I were being invaded? I say the system32 folder because I believe this would be the invader's first step to taking over (the takeown DOS command, as you probably know). What would I look for to see if someone had taken control of some or part of my system? Would there be simple DOS files such as takeown, or maybe some others, in the system32 folder that weren't installed with the Vista Premium installation? Where would I look, and what again should I look for? Thank you for your support and hope to hear from you soon. Mickeyg469@gmail.com.
 
Hi Dale,

Please help with my problem: how can I resolve this error, 'COM surrogate stopped working, please close the program'? I'm hoping for your answer. Thanks.

MARVIN
marvin_marangga@yahoo.com
 
I don't get an error, but my computer will get sluggish. I check TM to see where the glut is, and more often than not it is the dllhost.exe chewing up a lot of memory. I simply stop the process and allow it to restart, which it does automatically, and immediately the sluggishness is gone. I have not noticed any adverse effects from this. I am running Vista.
 
Once upon a time, there was a software company that thought of itself as real clever, and for good reason, since they held a near-monopoly on the home and office OS market.

They added fluff in their code to prevent people from reverse-engineering what they created, and even though over 20 years have passed and it still takes the average PC 5 minutes to boot, they thought they were clever anyways...

They homogenized their product line to avoid having to be expensively creative, and even though it also made for a more vulnerable network infrastructure, they thought they were clever anyways....

Then the vulnerabilities started piling up, and it was clear to all that DLLs were a hole too big for safety. It may have been time to fix the breach, but just as the call was made to do so, the clever corporation cried out WAIT!!! HOLD ON A MINUTE!!!!! If I patch these holes up right and proper, how will I be able to poke my dick in other people's business? How can I monitor and report web history, or the content of their hard drives? How will my well-paying partners be able to spam my hapless clients directly from their desktops? After all, there's more money in prolonged and ineffective treatments than there will ever be in simple and final cures. Aren't we in the business of being clever?

And so it goes...the clever software company lives on, getting paid to take a dump on our PC's and getting paid again from short term fixes that do a poor job at cleaning up the mess....
 
Thanks for the post. I'm using Win 7 64-bit and COM surrogate is still running strong according to my ZoneAlarm. I deny it every time but never want to reject it permanently for fear of "breaking" something. I understand it better now, but I still don't know if it's detrimental to my system to block it all the time.

Thanks again S.
 
rajuncajun, I don't have any dllhost running on my W7-64, so yours is probably the result of some other program you have installed. Finally, in both Vista and W7, you can at least see the command line passed to these program-hiding tools.

In Task Manager, select the View menu and then Select Columns. Scroll down the column list and choose Image Path Name and Command Line. This will let you verify that the rundll (or other host) is actually the Windows-installed version and not some malware of the same name, and determine what DLL is being run by that host. Next you can Google the command line options to see if there's any real threat in there.
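The Task Manager procedure in the comment above, and the point made in the body of the post that dllhost, rundll32 and svchost hide which DLL is really running, can be automated. The script below is an added example, not code from the original post or from Microsoft: it lists every running instance of the three host executables, flags any whose image path is not under System32 (a name-squatting check), shows the command line the host was started with, and, for dllhost, resolves the CLSID on its command line to the DLL registered under that class's InprocServer32 key, which is the DLL the surrogate was asked to load. It assumes Windows PowerShell 3.0 or later for Get-CimInstance and an elevated session, since the command lines of other users' processes are otherwise not readable; the host names and registry path are standard Windows locations, not values taken from the post.

```powershell
# Added example (not part of the original post): enumerate DLL-hosting processes
# and show what each one is actually running. Run from an elevated PowerShell
# session so that the CommandLine of every process is readable.

$hostNames = 'dllhost.exe', 'rundll32.exe', 'svchost.exe'
$system32  = Join-Path $env:SystemRoot 'System32'

function Resolve-SurrogateDll {
    param([string]$CommandLine)
    # dllhost.exe is started as "dllhost.exe /Processid:{CLSID}". The DLL it
    # loads is the default value of HKCR\CLSID\{CLSID}\InprocServer32.
    if ($CommandLine -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
        $clsid = $Matches[0]
        $key   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $entry = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($entry) { return $entry.'(default)' }
        return "<no InprocServer32 registered for $clsid>"
    }
    return $null
}

Get-CimInstance -ClassName Win32_Process |
    Where-Object { $hostNames -contains $_.Name } |
    ForEach-Object {
        $imagePath = $_.ExecutablePath
        # A host binary that does not live in System32 is not the Windows copy;
        # malware commonly reuses these well-known names to blend in.
        $inSystem32 = $imagePath -and
            $imagePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)

        [PSCustomObject]@{
            PID         = $_.ProcessId
            Host        = $_.Name
            InSystem32  = [bool]$inSystem32
            ImagePath   = $imagePath
            CommandLine = $_.CommandLine
            # Only dllhost needs a registry lookup; rundll32 names its DLL on the
            # command line, and svchost names a service group (-k) whose ServiceDll
            # values live under HKLM\SYSTEM\CurrentControlSet\Services.
            HostedDll   = if ($_.Name -eq 'dllhost.exe') { Resolve-SurrogateDll $_.CommandLine } else { $null }
        }
    } |
    Sort-Object InSystem32, Host |
    Format-Table -AutoSize -Wrap
```

Rows with InSystem32 set to False deserve attention first, since a genuine Windows host never runs from another directory. For the rest, the CommandLine and HostedDll columns give the DLL name that Task Manager's default view leaves out, which is what you need before deciding whether a firewall prompt for dllhost.exe should be allowed.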
 