How can I figure out which object is being hosted in an instance of dllhost?

We saw some time ago that the dllhost.exe process goes by the name COM Surrogate and is used when a COM object is configured to run in a separate process.

If you have found an instance of the dllhost.exe process, how can you figure out which COM object is running inside it? For example, maybe you are debugging an out-of-process COM object and you want to find the dllhost.exe that is hosting it, so you can debug further. Or you’re studying a crash of dllhost.exe and you want to know what object the crashed dllhost.exe was working with.

Note that this information is for debugging purposes only.

The information is encoded in the dllhost.exe command line. From the debugger, you can use the !peb command to view the command line. You can also ask Task Manager to show the command line by going to the Details page and turning on the Command line column.

From the command line, extract the GUID. That is the AppId of the object loaded into the dllhost.exe process. You can look up this GUID in the registry under HKEY_CLASSES_ROOT\AppId\{Guid}. That will give you some information about what the object is. To obtain the CLSID that corresponds to the AppId, go to HKEY_CLASSES_ROOT\CLSID and search for the AppId GUID. It will be a value inside one of the CLSID entries. That’s the object.