GHANASHYAMSATPATHY-0273 asked RLWA32-6355 commented

COM question: how to correlate a COM server (EXE) created by a client request

I have a COM server (EXE), and when I access the object for the first time using CoCreateInstance/Ex, the EXE starts running. However, the parent of this process seems to be svchost.exe, not the client application that asked for the object activation. I verified this with ProcExplorer from the Sysinternals utilities. Even through ETW and WMI I see a similar correlation for the parent process.

How can I correlate my original client application with the COM EXE?

Any help is highly appreciated.

Thanks.

windows-sysinternals-procexp

1 Answer

mariora answered RLWA32-6355 commented

There is no way in PE to get that correlation. Because of the way COM works, you will always get a system man-in-the-middle object.
If you need that information, you need WinDbg. In WinDbg there are extensions to see the COM correlation ID, so attaching a WinDbg session to every object will show you the correlation ID.

HTH
-mario


The OP wanted to programmatically link the process calling CoCreateInstance(Ex) with the instantiated COM server. To add some perspective to the above, have a look at this thread - com-question-how-to-corelate-a-com-serverexe-creat-1.html

