TCC and dllhost.exe (COM surrogate)

On my home computer, "type http://www.google.com" (for example) causes an instance of dllhost.exe (COM Surrogate) to start (if there are none running already). On my work computer, it does not. What's the difference?
 
I'd guess it has to do with installed BHO's. Run Autoruns from SysInternals and compare the outputs.
 
Off-topic... nice round numbers :)
Screenshot - 2014-07-01 , 14_39_29.png
 
What happens on the two machines is very different. On the home machine (where the COM surrogate is started) these DLLs are added to the TCC process when I execute the "TYPE http..." command.
Code:
0x6fb00000  0x4000  C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
0x75fd0000  0x4000  C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
0x77760000  0x124000  C:\Windows\system32\urlmon.dll
0x75760000  0x3c000  C:\Windows\system32\mswsock.dll
0x75750000  0x6000  C:\Windows\System32\wship6.dll
0x735f0000  0x4000  C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
0x752a0000  0x5000  C:\Windows\System32\wshtcpip.dll
0x73d30000  0xd000  C:\Windows\system32\dhcpcsvc6.DLL
0x73cb0000  0x12000  C:\Windows\system32\dhcpcsvc.DLL
0x72b40000  0x5a000  C:\Windows\System32\netprofm.dll
0x74120000  0x10000  C:\Windows\System32\nlaapi.dll
0x72dc0000  0x6000  C:\Windows\system32\rasadhlp.dll
0x75d00000  0xe000  C:\Windows\system32\RpcRtRemote.dll
0x71170000  0x8000  C:\Windows\System32\npmproxy.dll
0x72e00000  0x10000  C:\Windows\system32\napinsp.dll
0x72de0000  0x12000  C:\Windows\system32\pnrpnsp.dll
0x72dd0000  0x8000  C:\Windows\System32\winrnr.dll
0x73d50000  0x38000  C:\Windows\System32\fwpuclnt.dll

On the work machine (no COM surrogate started), these are added.

Code:
0x77390000  0x3000  C:\Windows\system32\Normaliz.dll
0x74850000  0x21000  C:\Windows\system32\ntmarta.dll
0x76a10000  0x45000  C:\Windows\system32\WLDAP32.dll
0x74880000  0x9000  C:\Windows\system32\VERSION.dll
0x73480000  0x52000  C:\Windows\system32\RASAPI32.dll
0x73460000  0x15000  C:\Windows\system32\rasman.dll
0x73450000  0xd000  C:\Windows\system32\rtutils.dll
0x6df60000  0x6000  C:\Windows\system32\sensapi.dll
0x73a40000  0x10000  C:\Windows\system32\NLAapi.dll
0x6ee60000  0x6000  C:\Windows\system32\rasadhlp.dll
0x6f270000  0x10000  C:\Windows\system32\napinsp.dll
0x6f250000  0x12000  C:\Windows\system32\pnrpnsp.dll
0x74e10000  0x3c000  C:\Windows\System32\mswsock.dll
0x6f240000  0x8000  C:\Windows\System32\winrnr.dll
0x74910000  0x5000  C:\Windows\System32\wshtcpip.dll
0x74f50000  0x6000  C:\Windows\System32\wship6.dll
0x737b0000  0x38000  C:\Windows\System32\fwpuclnt.dll
 
The COM object being hosted by this "surrogate" is a "Wininet Cache task object". Such an object does not exist on my work computer. Nor does the "WinInetCacheServer" class. I suppose the difference is in the IE version ... 11 at home, 8 at work. My only objection to it is that the process (dllhost.exe) never terminates. I don't use IE and I'm not particularly interested in TCC's HTTP GET's being cached (or in a useless extra process running). Does anyone know how to thwart this feature?
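
Added example, not part of any post in this thread: a small Python helper that compares two loaded-module listings like the ones above by file name instead of by load address, since the base addresses and the casing (nlaapi.dll vs NLAapi.dll) differ between machines. The HOME and WORK strings are excerpts of the posted listings, and the function names are illustrative.

```python
import ntpath
import re

# Excerpts copied from the two listings in the thread: base, size, path.
HOME = r"""
0x77760000  0x124000  C:\Windows\system32\urlmon.dll
0x75760000  0x3c000  C:\Windows\system32\mswsock.dll
0x72b40000  0x5a000  C:\Windows\System32\netprofm.dll
0x74120000  0x10000  C:\Windows\System32\nlaapi.dll
0x75d00000  0xe000  C:\Windows\system32\RpcRtRemote.dll
0x71170000  0x8000  C:\Windows\System32\npmproxy.dll
"""
WORK = r"""
0x77390000  0x3000  C:\Windows\system32\Normaliz.dll
0x76a10000  0x45000  C:\Windows\system32\WLDAP32.dll
0x73480000  0x52000  C:\Windows\system32\RASAPI32.dll
0x73a40000  0x10000  C:\Windows\system32\NLAapi.dll
0x74e10000  0x3c000  C:\Windows\System32\mswsock.dll
"""

# One module per line: hex base address, hex size, full path.
LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")


def parse_modules(text):
    """Map lower-cased module file name -> (base, size, full path)."""
    modules = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blanks, "Code:" labels and other non-module lines
        base, size, path = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        modules[ntpath.basename(path).lower()] = (base, size, path)
    return modules


def diff_modules(a_text, b_text):
    """Return (only_in_a, only_in_b, in_both) as sorted lists of file names."""
    a, b = parse_modules(a_text), parse_modules(b_text)
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), sorted(a.keys() & b.keys())


if __name__ == "__main__":
    only_home, only_work, both = diff_modules(HOME, WORK)
    print("home only:", only_home)
    print("work only:", only_work)
    print("both:", both)
```

Pasting the complete listings into HOME and WORK gives the full set of modules unique to each machine.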
 
