RayRider

dllhost.exe has too many process instances

I began to notice my Windows 7 64b machine running a bit sluggish. I launched Task Manager and viewed processes (checked all users) to see that I had about 50 dllhost.exe processes running. I tried to shutdown machine, but it would not shutdown. I checked option to shutdown without waiting for background processes to end. It still would not go down. I had to press power button for 4 seconds.

I ran virus scan with Windows Security Essentials. I ran superantispyware scan. I ran malwarebytes scan. So far, nothing has been found other than a couple of tracking cookies. This problem is somewhat intermittent. The previous evening after restart, no dllhost.exe processes were observed. This morning I saw about 15. I killed them all with Task Manager. Currently, there will be 1 or 2 running. The second one comes and goes.

QUESTION: Do I actually have a virus or malware? What is dllhost.exe used for? How do I get rid of it?
ASKER CERTIFIED SOLUTION
Sudeep Sharma
This solution is only available to members.
RayRider

ASKER

I downloaded Process Hacker and installed. Looking at dllhost.exe from Process Hacker, I see that I have 11 instances of dllhost.exe running. Here is a bit of information from the General tab:

Command Line: C:\Windows\SysWOW64\DllHost.exe /Processid:{BB389984-A9DD-43BC-A878-6DD935B03800}

Current Directory: C:\Windows\system32\

Parent: svchost.exe (120)

All 11 instances basically contain the same above parameters.

Is this normal to have 11 running?
One additional comment, I have noticed that the dllhost.exe processes are growing and do not end. As the day goes, the number of processes grows. They are not terminating when finished launching a dll file. Isn't dllhost.exe similar to rundll and svchost whose function is to launch a dll since a dll cannot be directly executed like an .exe?

I am trying to find out information about how dllhost.exe works so I can determine if I have some malware creating this problem, or if this is normal behavior. Something tells me these dllhost.exe processes should terminate at some point.
Did you update Windows recently? Were there any .NET updates involved?

Further, would it be possible for you to post a screenshot of Process Hacker showing dllhost.exe?
There was an automatic windows update on 4/11, Security Update for Microsoft .NET Framework 4 Client Profile, then one for Microsoft Office 2010 on the same date.
ProcessHacker.jpg
My dllhost.exe processes have grown to 34 since last evening when I terminated them all. I have noticed from Process Hacker that all these dllhost.exe have a parent of svchost.exe, which in turn is a parent of services.exe, and services.exe has wininit.exe as its parent.

Should I maybe do a system restore to see if I can find a clean system? Problem is that I don't know what date to go back to. I just noticed this problem yesterday. No telling how long it has been going on.
@RayRider,

From Process Hacker, right-click on the svchost.exe and click on its properties, then click on the Services tab and let us know what services are listed.

Further, there is more to dllhost.exe and COM Surrogate. As per these articles, thumbnails could be the cause of this, plus some buggy codecs.

http://www.overclock.net/t/817913/dllhost-exe-com-surrogate-high-cpu-load
http://blogs.msdn.com/b/oldnewthing/archive/2009/02/12/9413816.aspx
And, more observations leading up to this problem discovery. I first noticed that either the system would NOT shutdown, or took a very long time such as 10 minutes to shutdown. I also noticed that when I plugged in a USB flash drive, I hear the sound immediately. However, it takes a very long time for the Windows Explorer to recognize the drive letter, or for the Autoplay window to launch, asking me what to do with this device. Then lastly, when I "selected eject" on the flash drive, I got a warning that files were in use.

Does any of this help? These problems lead me to think I had some sort of malware, or virus.
Removable flash drive issues are not the same issue. The flash drive is most likely using ReadyBoost and increasing your RAM capacity. No worries there.

To get a better idea of what is using those CLSIDs: if you search for each one in the registry, it should give you at least 10 entries on an x64 system and 5 on x86 per ID.

Each COM application that is used is given a unique CLSID to be better identified by the system for usage and conflict avoidance.

For instance, a single AppID:

HKEY_CLASSES_ROOT\AppID\{30d49246-d217-465f-b00b-ac9ddd652eb7} <- Processid = Identity store
HKEY_CLASSES_ROOT\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_CLASSES_ROOT\Wow6432Node\AppID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{30d49246-d217-465f-b00b-ac9ddd652eb7}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}

The contents of this key location usually show what type of service is associated with the AppID and allow you to cut down on your search options based on what type of service/component is loaded.

If you're running a lot of DLLHost.exe executables in memory, it's because an ActiveX component is being used. Examples of these are: codecs, browser toolbars, add-ins, extensions. Anything that is designed to interface with the IUnknown interface module.

I would say you either have a conflict in some media application or (if this is a server) it's users looking or searching through media. This will make your CPU spike as well. The better you know your system, the easier it is to get a handle on these issues.
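
The registry lookup suggested in the reply above, as an added PowerShell example that is not part of the original thread: it groups the running dllhost.exe instances by the GUID in `/Processid:{...}` and resolves each GUID to the COM classes and DLLs registered under it. The variable and function names are illustrative, and it assumes a 64-bit, elevated PowerShell prompt so every command line is readable.

```powershell
# Added example (not from the thread): map each dllhost.exe surrogate to the
# COM class and DLL it hosts. Get-WmiObject is used so the script also runs on
# the PowerShell 2.0 that ships with Windows 7.

$roots = @(
    'HKLM:\SOFTWARE\Classes',              # 64-bit machine-wide registrations
    'HKLM:\SOFTWARE\Classes\Wow6432Node',  # 32-bit view (SysWOW64\DllHost.exe)
    'HKCU:\Software\Classes'               # per-user registrations merged into HKEY_CLASSES_ROOT
)

function Get-DefaultValue($path) {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    if (Test-Path -LiteralPath $path) { (Get-ItemProperty -LiteralPath $path).'(default)' }
}

# 1. Collect every dllhost.exe and pull the AppID GUID out of its command line.
$surrogates = foreach ($p in Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'") {
    if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') {
        New-Object PSObject -Property @{ ProcessId = $p.ProcessId; AppId = $Matches[1].ToUpper() }
    }
}
if (-not $surrogates) { 'No dllhost.exe surrogate with a /Processid GUID is running.'; return }

# 2. One line per GUID, busiest first, then what the registry says about it.
foreach ($g in ($surrogates | Group-Object AppId | Sort-Object Count -Descending)) {
    $pids = ($g.Group | ForEach-Object { $_.ProcessId }) -join ','
    "{0}  instances={1}  pids={2}" -f $g.Name, $g.Count, $pids

    foreach ($root in $roots) {
        $appName = Get-DefaultValue "$root\AppID\$($g.Name)"
        if ($appName) { "  AppID name under $root : $appName" }

        # Classes that declare this AppID are the ones the surrogate is hosting.
        Get-ChildItem "$root\CLSID" -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue('AppID') -eq $g.Name } |
            ForEach-Object {
                $sub = $_.OpenSubKey('InprocServer32')
                $dll = if ($sub) { $sub.GetValue('') }
                "    CLSID $($_.PSChildName)  '$($_.GetValue(''))'  ->  $dll"
            }
    }
}
```

A GUID with many instances that resolves to a DLL from a specific installed product points at that product's shell extension or add-in as the component to inspect first.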
@ssharma

From Process Hacker, I right clicked on svchost.exe, chose properties, then Services tab. What I see here is:

DcomLaunch
PlugPlay
Power

I'll digest the links you provided.
Nothing I have tried has stopped the dllhost.exe processes from growing. With the machine just sitting, the dllhost.exe count increases higher and higher. Most of the time, I see no ill effects. However, eventually, I will notice one of these processes will begin to consume half or more % of CPU usage. I kill that process. Then, another one will take up the usage.

This sounds like a Trojan to me! I have run Wireshark to look at traffic. I don't see any obvious traffic to indicate that much CPU usage. So, I don't know what the hell this process is doing.

Something has to be a clue here. When I run Process Monitor, there are so many processes being executed that I cannot look at them as I cannot keep the scroll bar at the bottom to look at the newer ones. In just a short time, I will have almost a million events.
What does the registry tell you when you search for "BB389984-A9DD-43BC-A878-6DD935B03800"? Does it come up with a service, dll, or executable?
@Russell_Venable:

I didn't find your choices. I found two keys that contain the following:

Default=not set
AccessPermission=<large binary number>
DllSurrogate=<nul>
LaunchPermissions=<large binary number>
RunAs=Interactive User
To all:

Today, after letting the system run for a couple of days, I now have 70 dllhost.exe processes running. None of them at this time are consuming large amounts of CPU usage, although in the past I have seen them consume as much as 50% CPU. When I saw this high usage, killing the offender only caused another seemingly dormant dllhost.exe to pick up this high usage. As I killed each one, each one in turn took over with high CPU usage until I had killed them all.

At this point, no "expert's" suggestions have led me to a solution. The good news (so far) is that my machine is serviceable as long as I watch the CPU usage and kill the bad guys. Also, fortunately, the high CPU "take over" doesn't happen often. However, I worry that I have some type of "malware" going on, or at the very least, some sort of Windows bug for which so far a solution is not at hand.

I have run all the spyware/virus scanners that I trust. I have seen some from a Google search that honestly I do not trust, as so many "out there" are not trustworthy, but maybe a virus themselves.

I have Microsoft Security Essentials as my virus scanner. I have the Pro version of SuperAntiSpyware. I have installed and ran the free version of MalwareBytes.

Since I feel this is a problem with a Trojan, etc., what other software could I trust to buy online that may possibly find this problem?
To All "Experts" Monitoring My Question:

Why should I continue to be a member of "Experts Exchange"? I pay $120/yr. for very few questions I rarely ask, most of which I never get a solid answer, maybe sometimes a suggestion. This current question has been sitting here since 4/21/2012 without me receiving a solution.

Therefore, should I become an "Expert" myself? It appears that I have found the problem. I kept wondering why process "wsftpsi.dll" was always running. I know WS_FTP Pro is an FTP client I have used for years by IPSWITCH. But, why was it running since I haven't launched and used it for months? I uninstalled this program. wsftpsi.dll has also disappeared. AND, this constant growth of the dllhost.exe process seems to have stopped. I'll know for 100% certainty by tomorrow if I don't have 70-100 copies of this running as I usually see each day.

Currently, after hours, I only have 4 instances of dllhost.exe running. I have another Windows 7 system to compare. It has 3 instances of dllhost.exe. Typically, before getting rid of wsftpsi.dll, after an hour I would see at least 10-15 dllhost.exe spawned on my process list without touching the system.

I received advice from @Ssharma who reminded me of a couple of utilities I used to trace the details of my processes (Process Hacker, ProcMon). These were a great help. I am awarding the points to @Ssharma and re-evaluating whether I continue to pay $9.95/mo. to stay on Experts Exchange.
These are the tools I used to find this problem. ProcMon was especially helpful in seeing the "trail" of processes. Process Hacker was better than Task Manager.
Excuse me? Just from looking at your previous "rare" question history, I can safely assume you're still new to this. I just got back from a very important trip that took all of my time to see this rude conclusion.
Why should I continue to be a member of "Experts Exchange"? I pay $120/yr. for very few questions I rarely ask, most of which I never get a solid answer, maybe sometimes a suggestion
That's a very good question! Why are you asking us? You're pouring emotion into something that you haven't thought out properly. If you're having problems specifically with not getting enough answers to your "Question", then think about a few different approaches.

1.) Was my question direct and to the point with little room for confusion?
2.) Did my question convey enough information to warrant a response?
3.) Is this question more of a complaint (rant) or a sincere request for help (informative)?
4.) Is this question in the right topic area?
5.) Are there enough keywords tied to this question? Experts filter to what they want to participate in based on this filtering.

A few points to point out about experts here.
#1 We DON'T get paid! Complaining to us is useless. Complain to customer support or request attention from a moderator so they can get you the attention you need.
#2 The time given to help you is out of OUR free time.
#3 Some experts here allow you to hire them to help solve your specific problems in a more personal and direct way.
#4 If you don't get answers to your question. Hit "Request Attention". If that still doesn't work for you. Delete your question stating no answers acceptable.
#5 If you're not utilizing and constantly striving to improve how your questions are perceived and still don't get any responses, why are you still paying for something you're not really into?

I could have shoved you off to a process inspection tool like Ssharma did or even allowed you to download my own. Instead, I was going to sit with you to get a specific answer to your exact problem. You closed this question for another "Partial answer". Whose fault is that?

A big problem can be that whatever is running under dllhost.exe is not optimized to run on an x64 as it is currently running as an x86 DLL. That is why you see it under the SysWOW64 folder and not system32. Another point is there was no information given to indicate that this was a server and there was more than one user active on that machine, or even if there were scheduled tasks being told to run at the time you were using Process Hacker to "trace" the process tree, or even had external devices attached to the machine in question.

Heck! DcomLaunch, PlugPlay and Power were listed under the services for that supposed problematic svchost process. It could even be caused by a plugged-in printer giving you all this hype. It's hard to give you an exact answer when all the details given are operating system, antivirus, and system architecture.

You see here: the better you explain your situation and participate in your own questions, the better the responses for your questions will be. If a question is what I like to call a "Fire-and-Forget" question, where someone asks a question with little or no direct interaction or information, it has a good chance of being ignored or overlooked due to confusing or incomplete statements. There is a reason for the rating system here. If you look at the profile of the "expert" you can tell what their experience is in. If you're not getting responses from someone with the kind of experience you're expecting, ask for help. That is partially why you're paying for services, is it not? How can these kinds of questions be smartly answered when the user does not understand that system properly enough to utilize it?
I don't want to get into a verbal battle over this question. I assure you I am not being "emotional" over my problem. Granted, maybe I don't completely understand how Experts Exchange works. I never inquired into who is paid what, or if they are paid at all.

I disagree with your conclusion that I have not supplied enough information. I explained exactly what I observed. Remember, I am NOT the expert, but do know a bit about these sorts of things. However, I do hope for some help from those who know more than I do. Otherwise, why would I bother to even belong to this support group? I did a search for this problem. I tried fairly well to post into the groups I was allowed by the system to pick.

I am not trying to be personal to attack anyone. However, I feel a bit "attacked" by you from your long post over what seems to be a feeling of being offended because I didn't follow the process you think I should have. Okay!! I confess I was being a bit acrimonious because I have spent hours looking for a cause. I felt a bit "proud" because I found the answer myself. This was not directed to any individual as I said previously, it is NOT PERSONAL. I simply am looking for answers. If you took me as being arrogant, I ask for forgiveness due to my weakness in English composition; I am a tech guy, not an English major.

We all should be grateful for anyone who will offer their help. And, yes! I would have paid for help to free me up from the hours trying to find this problem. I wasn't aware that paid support was a feature of Experts Exchange.

Good day to you!