3

On my Windows 10 Home x64 machine, I noticed an unknown instance of dllhost.exe using a high amount of CPU. Upon further inspection, I noticed that it had one thread using most of its CPU time. Here's the thread stack:

A thread stack highlighting mfmkvsrcsnk.dll

Based on some more digging, this specific DLL is a Microsoft-signed DLL called "Media Foundation MKV Media Source and Sink DLL". If I look at the process's file handles, it has an open file handle to a video file in my user directory, specifically a .webm video capture of one of my virtual machines.

Is this some sort of malware hiding behind legitimate Windows DLLs using some kind of COM interfaces? Or is this a legitimate Windows function? If so, what is it doing with my video files?

nanofarad

1 Answer

3

This is the COM Surrogate; maybe Windows Explorer tried to extract thumbnails or other properties for your videos?

You can learn more about the COM Surrogate here: https://devblogs.microsoft.com/oldnewthing/20090212-00/?p=19173

Basically:

Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability. Explorer has decided to absorb the performance penalty in exchange for the improved reliability resulting in moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.

Swisstone
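To check which COM component a given dllhost.exe instance is hosting, the following PowerShell triage script can be used. It is an added example, not part of the original answer. It assumes the surrogate was launched with the usual `/Processid:{GUID}` command line and that the GUID is registered under `HKEY_CLASSES_ROOT\AppID` or `HKEY_CLASSES_ROOT\CLSID`; the output property names are chosen for this example.

```powershell
# Added example: triage every running COM Surrogate (dllhost.exe) instance.
# Run from an elevated 64-bit PowerShell so other users' processes are readable.
$expected = @("$env:SystemRoot\System32\dllhost.exe", "$env:SystemRoot\SysWOW64\dllhost.exe")

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $proc = $_

    # A surrogate is normally launched as: dllhost.exe /Processid:{GUID}
    $guid = $null
    if ($proc.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]{36}\})') { $guid = $Matches[1] }

    # Resolve the GUID to its registered name (AppID first, then CLSID).
    $name = $null
    if ($guid) {
        foreach ($root in 'AppID', 'CLSID') {
            $key = "Registry::HKEY_CLASSES_ROOT\$root\$guid"
            if (Test-Path -LiteralPath $key) {
                $name = (Get-Item -LiteralPath $key).GetValue('')
                if ($name) { break }
            }
        }
    }

    # Modules that are not validly signed, or that load from outside the Windows directory.
    $odd = @()
    $mods = (Get-Process -Id $proc.ProcessId -ErrorAction SilentlyContinue).Modules
    foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName -ErrorAction SilentlyContinue
        if ($sig.Status -ne 'Valid' -or -not $m.FileName.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
            $odd += "{0} [{1}]" -f $m.FileName, $sig.Status
        }
    }

    [pscustomobject]@{
        PID           = $proc.ProcessId
        ImagePathOk   = $expected -contains $proc.ExecutablePath   # false if path is unreadable or unexpected
        HostedGuid    = $guid
        RegisteredAs  = $name
        ReviewModules = $odd
    }
}
```

Pipe the result to `Format-List` to read long module paths. An entry in `ReviewModules` is a prompt to look closer, not a verdict, since third-party codecs and shell extensions legitimately load from outside the Windows directory.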