COM question, how to correlate a COM server (EXE) created by a client request.

  • Question

  • I have a COM server (EXE), and when I access the object for the first time using CoCreateInstance/Ex the EXE starts running. However, the parent of this process seems to be svchost.exe, not the client application that asked for the object activation. I verified this with Process Explorer from the Sysinternals utilities. Even through ETW and WMI I see a similar correlation for the parent process.

    How can I correlate the COM EXE with my original client application?

    Any help is highly appreciated.

    Thanks.

    Monday, November 23, 2020 1:30 PM

All replies

  • Take a look at this thread in the Q&A forums - https://docs.microsoft.com/en-us/answers/questions/106316/how-to-create-components-with-caller-information.html

    What are you really trying to accomplish?

    Monday, November 23, 2020 5:48 PM
  • Thanks for the forum link. So when the COM server is not mine, there seems to be no way to find who the caller of the COM server is. Right?
    Monday, November 23, 2020 7:14 PM
  • Thanks for the forum link. So when the COM server is not mine, there seems to be no way to find who the caller of the COM server is. Right?

    There is no direct link between a process that calls CoCreateInstance/Ex to instantiate a COM object and the out-of-process COM server that hosts that COM object. However, as noted in the thread, a running COM server can generally identify the process that is associated with an incoming call.

    Again, what are you trying to achieve?

    Monday, November 23, 2020 7:24 PM
  • Thanks for the reply. I am trying to build a correlation where a Windows COM server is involved.

    In the following code snippet (VBA), the EXCEL/WORD application creates a notepad process using the WMI moniker "winmgmts:Win32_process".

    Set obj = GetObject("winmgmts:Win32_process")
    np = obj.Create("notepad.exe", Null, Null)

    If we look in Process Explorer (Sysinternals utility), it seems the parent of Notepad.exe is WMIPrvSE.exe. So there seems to be no way I can trace back that such an activation request is from EXCEL/WORD. This is something most malware does: abuse WMI to hide from detection.

    Do you think there can be some way to correlate such things that involve a COM server like WMI?

    Tuesday, November 24, 2020 3:44 AM
  • Hi GHANASHYAM SATPATHY,
    This Visual C# forum mainly discusses and asks questions about the C# programming language, IDE, libraries, samples, and tools.
    For questions about VBA, it is recommended to ask on the Visual Basic for Applications forum, where you can get a more professional answer.
    Thank you for your understanding.
    Best Regards,
    Daniel Zhang



    Tuesday, November 24, 2020 6:40 AM
  • Hello Daniel Zhang,

    It is a question about a COM server, not a VBA question. However, I would be glad to know if you have any answer to my query.

    Thanks

    Ghanashyam

    Tuesday, November 24, 2020 6:50 AM
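
An added example, not part of the thread: a defender-side sketch of the correlation asked about above, joining WMI operation records that name the calling client with process starts whose parent is WmiPrvSE.exe. The record layout, field names and sample values are constructed for illustration and assume that WMI activity telemetry carrying a client process ID and process-creation telemetry are both collected; the time-window join is a heuristic.

```python
# Constructed, already-normalized telemetry (not raw event XML). Assumptions:
# each WMI operation record carries the client process ID logged for the call,
# and process-start records carry PID, image name and parent image name.
WMI_OPS = [
    {"t": 100.0, "client_pid": 4312, "op": "ExecMethod root\\cimv2 : Win32_Process::Create"},
    {"t": 100.4, "client_pid": 7001, "op": "ExecQuery root\\cimv2 : select * from Win32_Service"},
    {"t": 250.0, "client_pid": 5120, "op": "ExecMethod root\\cimv2 : Win32_Process::Create"},
]
PROC_STARTS = [
    {"t": 90.0, "pid": 4312, "image": "EXCEL.EXE", "parent_image": "explorer.exe"},
    {"t": 100.1, "pid": 8844, "image": "notepad.exe", "parent_image": "WmiPrvSE.exe"},
    {"t": 240.0, "pid": 5120, "image": "powershell.exe", "parent_image": "explorer.exe"},
    {"t": 250.2, "pid": 9001, "image": "calc.exe", "parent_image": "WmiPrvSE.exe"},
    {"t": 400.0, "pid": 9100, "image": "ping.exe", "parent_image": "WmiPrvSE.exe"},
]


def image_of(pid, at, starts):
    """Image of the latest process with this PID started at or before `at`
    (picking the latest start guards against PID reuse)."""
    cands = [p for p in starts if p["pid"] == pid and p["t"] <= at]
    return max(cands, key=lambda p: p["t"])["image"] if cands else None


def correlate(wmi_ops, starts, window=2.0):
    """Attribute each WmiPrvSE.exe child to the client that issued a
    Win32_Process::Create call at most `window` seconds earlier.
    Returns (child_image, client_pid, client_image) tuples."""
    creates = [o for o in wmi_ops if "Win32_Process::Create" in o["op"]]
    results = []
    for child in starts:
        if child["parent_image"].lower() != "wmiprvse.exe":
            continue
        near = [o for o in creates if 0 <= child["t"] - o["t"] <= window]
        if len(near) == 1:
            op = near[0]
            client = image_of(op["client_pid"], op["t"], starts)
            results.append((child["image"], op["client_pid"], client))
        else:
            # No candidate call, or several: report as unattributed, never guess.
            results.append((child["image"], None, None))
    return results


if __name__ == "__main__":
    for row in correlate(WMI_OPS, PROC_STARTS):
        print(row)
```

Rows returned with a client of `None` are the ones to triage by hand: the process was started under WmiPrvSE.exe but no single matching call was recorded inside the window.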