Question Is it normal for dllhost.exe to be located in C:\Windows\SysWOW64?

Dec 19, 2023
Basically, when I open Task Manager and go to Details, two dllhost.exe applications run at the same time. One of them is located in C:\Windows\System32 and the other one is located in C:\Windows\SysWOW64. When looking on the internet to find an answer to my question I get conflicting results: some say it's normal and some say it should only be located in C:\Windows\System32 and if located anywhere else it's a virus. My PC hasn't been acting up in any way and Malwarebytes hasn't detected anything, so at this point I just want to confirm if this is something I need to worry about.
 
If it is running anywhere other than System32 then it is an imposter and you have an infection. I would highly recommend a CLEAN install of Windows because, while you CAN possibly eliminate the infection using traditional virus and malware removal methods, the types of infections that tend to imitate legitimate dllhost.exe processes are generally unusually difficult to eliminate and there are no guarantees of success eliminating something that the system thinks is legitimate.

There is no other place this file should reside or be running from AND there is no reason it would need to, as dllhost.exe can run in multiple instances directly from its sole location in System32.
 
The question isn't about having multiple DLL hosts. The question is about WHERE they are, and they are NEVER anywhere other than System32 unless they are imposters. You can have ten instances of dllhost.exe but they will ALL be running out of System32. If not, they are an infection.
 
There is a legitimate version of dllhost.exe in both folders.
- system32 is used for 32-bit applications. [VirusTotal Results]
- syswow64 allows 32-bit to run on 64-bit [VirusTotal Results]
So we can assume there are two versions.

Their usage may be safe, may not be safe.

Download Process Explorer, right click on procexp64.exe and choose Run as Admin. Go to the DLLHOST processes, right click and go to Properties. In the Command line, you should see a ProcessID which is a long string of numbers/letters surrounded by brackets.

For example: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

We need the {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} part.

Open regedit and copy/paste this into the "address" bar:
Computer\HKEY_CLASSES_ROOT\CLSID\
Press Enter to open that key.

Now look for that ProcessID. Expand the registry key. On the right it should give you a bit more info about what is using it.
For me, I see:
(Default) - REG_SZ - C:\Windows\System32\thumbcache.dll
ThreadModel - REG_SZ - Apartment

Do the same for:
Computer\HKEY_CLASSES_ROOT\AppId\
I see:
"Thumbnail Cache Out of Proc Server"

I could search the web for more info on this. But I'll assume that the dllhost.exe is running something to do with Explorer thumbnail cache.
I could grab the thumbcache.dll file and upload it to VirusTotal also.

Reference:
https://devblogs.microsoft.com/oldnewthing/20210802-00/?p=105510
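
The manual Process Explorer and regedit lookup described in the post above can be scripted. This is an added example, not part of the original post: it lists every running dllhost.exe, pulls the GUID from its /Processid switch, and resolves it under HKCR\CLSID and HKCR\AppID. The helper name Get-RegDefault is defined here, and the WOW6432Node lookup for the SysWOW64 copy and the signature checks go beyond the steps in the post.

```powershell
# Run from an elevated 64-bit PowerShell so every process's command line is readable.
$allowed = @("$env:SystemRoot\System32\dllhost.exe", "$env:SystemRoot\SysWOW64\dllhost.exe")

function Get-RegDefault([string]$Key) {
    # Returns the (Default) value of a registry key, or nothing if the key is absent.
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValue('') }
}

function Get-SigStatus([string]$Path) {
    # Authenticode status of a file, or 'FileNotFound' when the path cannot be checked.
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        (Get-AuthenticodeSignature -LiteralPath $Path).Status
    } else { 'FileNotFound' }
}

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $guid = if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] }

    # The 32-bit surrogate in SysWOW64 uses the 32-bit registry view (WOW6432Node).
    $is32 = $_.ExecutablePath -like '*\SysWOW64\*'
    $root = if ($is32) { 'Registry::HKEY_CLASSES_ROOT\WOW6432Node' }
            else       { 'Registry::HKEY_CLASSES_ROOT' }

    $dll = $null; $name = $null
    if ($guid) {
        $dll  = Get-RegDefault "$root\CLSID\$guid\InprocServer32"
        $name = Get-RegDefault "$root\AppID\$guid"
        if (-not $name) { $name = Get-RegDefault "$root\CLSID\$guid" }
    }
    if ($dll) {
        $dll = $dll.Trim('"')
        # A 32-bit process asking for System32 is redirected to SysWOW64; mirror that.
        if ($is32) { $dll = $dll -replace '\\System32\\', '\SysWOW64\' }
    }

    [pscustomobject]@{
        PID            = $_.ProcessId
        Image          = $_.ExecutablePath
        ExpectedFolder = $allowed -contains $_.ExecutablePath
        ImageSignature = Get-SigStatus $_.ExecutablePath
        Guid           = $guid
        Description    = $name
        HostedDll      = $dll
        DllSignature   = if ($dll) { Get-SigStatus $dll } else { $null }
    }
} | Format-List
```

Rows worth a closer look are those where ExpectedFolder is False, a signature status is anything other than Valid, or the GUID resolves to no registry entry at all.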
 
Seems strange to me, because every legitimate site including Microsoft's own site, says it should ONLY be located in System32. So, IDK on that, but maybe. I'll have to look at it a little further but that's the way it's always been in the past. I don't know why they'd change it or why they'd need multiple locations since any legitimate need for it can call an instance from the System32 folder IIRC.
 
It could be outdated info, I'm not sure. If you look at both of the files on your own system, go to their properties, both are signed by Microsoft. I have both files on my 2 systems that I looked at. I can only assume they are legitimate, and that I'm not infected. And VirusTotal didn't find anything.

I've only seen the one running from system32 on my system. But that doesn't mean that if it runs from syswow64 that it's not legitimate either, because that's a legitimate rundll.exe in that folder, signed by Microsoft. I'm no expert, I've never used rundll.exe for anything myself. I'm only looking at the actual rundll.exe files in both folders, and both seem legitimate.
 
Yes, typo. I meant dllhost.exe.

 
The dllhost.exe process goes by the name COM Surrogate.
COM stands for Component Object Model.
Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder.

C:\Windows\System32\dllhost.exe for 32-bit systems
C:\Windows\SysWOW64\dllhost.exe for 64-bit systems

They are the system folders for 32- and 64-bit programs.
We have 2 Program Files folders; these are the two DLL folders.
There has to be a 32-bit version of dllhost.exe out there somewhere for the 32-bit programs to talk to or they would break, right?

Almost every page showing how to fix an error relating to com surrogate shows both locations. - https://www.thewindowsclub.com/fix-program-exee-has-stopped-working


WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run on 64-bit Windows, but x86 applications are re-directed to the x86 \syswow64 when seeking the x64 \system32. The C:\Windows\System32 folder still exists in the 64-bit version of Windows but it is used as a repository for 64-bit .dll files.

SysWOW64 equates to "Windows 32-bit on Windows 64-bit". This folder contains all the 32-bit .dll files required for compatibility which run on top of the 64-bit version of Windows.

https://answers.microsoft.com/en-us/windows/forum/all/syswow64/f09e9cf7-1f9d-44b8-b71b-c2fc61479307

Despite the names, System32 is full of 64-bit files and SysWOW64 is full of 32-bit files.
The naming scheme is actually the result of a lot of drivers hard-coding system32 as the driver location, even in 64-bit drivers. Easier to change how Windows reacts to them than break a bunch of programs.

So to answer OP's question: yes, it's normal. Anyone on 64-bit Windows will have it in both places.
 
Fair enough. And yes, now that I look manually myself, they are definitely in both those folders on my system too so I guess you learn something new, or at least learn that it has changed at some point, if not every day, at least every week around here. LOL.
 
It takes time for people to stop using the old knowledge and adjust to new, so it was right when we only had 32-bit Windows, but the changes made were not shared widely enough so there are still probably sites out there saying the old way is right without realising it's changed.

Since Windows is the thing that makes the decision on where a dll file goes, no one really needs to know as to them it hasn't changed. Making it easier for programmers means no one ever had to learn the differences. I am sure there are some people who do.