How to Use a COM Registry Browser to Inspect Windows Objects
The Component Object Model (COM) is a foundational pillar of the Windows operating system. It enables software components to communicate and interact across different languages and processes. Behind the scenes, the Windows Registry acts as the central database that catalogs every COM object on your system.
When troubleshooting system errors, analyzing malware, or reverse-engineering software, inspecting these objects is crucial. A COM registry browser provides a window into this hidden world. Here is how to use a COM registry browser to inspect Windows objects effectively. Understanding the COM Registry Infrastructure
Before diving into the tools, you must understand how Windows stores COM data. The Windows Registry organizes COM information using unique 128-bit identifiers called GUIDs (Globally Unique Identifiers).
When inspecting COM objects, you will primarily encounter three types of identifiers:
CLSID (Class Identifier): Identifies a specific COM class or object.
IID (Interface Identifier): Identifies a specific interface or contract implemented by an object.
ProgID (Programmatic Identifier): A human-readable text string (e.g., Excel.Application) mapped directly to a CLSID. Most COM data resides in two primary registry locations:
HKEY_LOCAL_MACHINE\Software\Classes (System-wide configurations)
HKEY_CURRENT_USER\Software\Classes (User-specific configurations)
Windows merges these views into a virtualized hive known as HKEY_CLASSES_ROOT (HKCR). Choosing the Right Tool
While the native Windows Registry Editor (regedit.exe) can navigate these keys, it lacks the context and specialized filtering needed for efficient analysis. Instead, professionals use dedicated COM browsers:
OLE/COM Object Viewer (Oleview.exe): Distributed by Microsoft within the Windows SDK. It is the gold standard for viewing interfaces, type libraries, and testing object instantiation.
OleViewDotNet: An advanced, open-source alternative created by security researcher James Forshaw. It is highly optimized for security auditing and hunting for COM vulnerabilities.
RegDllView: A lightweight tool by NirSoft that displays all registered COM DLLs and allows you to unregister them easily. Step-by-Step: Inspecting COM Objects with OleView
Using Microsoft’s OleView, you can easily pull back the curtain on any registered Windows object. Step 1: Launch with Elevated Privileges
Always run your COM browser as an Administrator. Many COM objects are tied to restricted system binaries or services. Without elevation, you will encounter access denied errors and incomplete object lists. Step 2: Browse Categories
When the tool opens, the left pane displays a tree view categorization:
Object Classes: Grouped by type, such as Automation Objects, Controls, or Local Servers.
Type Libraries: Definitions of the methods and properties exposed by COM components.
Interfaces: The absolute list of all registered IIDs on the system.
Expand All Objects to view an alphabetical list of every registered COM class on your machine. Step 3: Analyze Class Details
Select an object from the list to populate the right pane with its registry attributes. Key fields to inspect include:
InprocServer32: Points to the path of the DLL if the COM object runs inside the host process.
LocalServer32: Points to an executable path (EXE) if the COM object runs as an independent process.
ThreadingModel: Indicates how the object handles concurrency (e.g., Apartment, Free, Both). Step 4: Verify Interfaces and Type Libraries
Right-click an object and select View… to attempt instantiation. If successful, OleView will query the object for its supported interfaces.
Double-clicking an interface or entry under Type Libraries opens the ITypeLib viewer. This decodes the binary metadata back into Interface Definition Language (IDL). Reading the IDL allows you to see the exact functions, arguments, and return types the object supports. Practical Use Cases for Security and Troubleshooting 1. Hunting for COM Hijacking
Malware often exploits the way Windows looks up COM objects. Because Windows checks HKEY_CURRENT_USER before HKEY_LOCAL_MACHINE, an attacker can place a malicious DLL path under the user’s hive for a specific CLSID. Using a browser like OleViewDotNet, you can scan for user-mapped CLSIDs that override system defaults—a telltale sign of persistence. 2. Fixing Broken Applications
If a software program crashes with a “Class not registered” or “Interface not supported” error, copy the GUID from the error log. Paste it into your COM registry browser’s search bar. If the GUID is missing, or if the InprocServer32 path points to a file that no longer exists, you have found the root cause of the application failure. Conclusion
A COM registry browser transforms a chaotic maze of registry keys into a structured, readable inventory of system components. Whether you are debugging developer code, fixing broken Windows components, or auditing a system for security anomalies, mastering a COM viewer is an essential skill for any advanced Windows power user.
If you want to dive deeper into Windows internals, let me know if you would like to explore how to spot COM hijacking anomalies, how to register or unregister COM DLLs via the command line, or which Windows SDK tools to download to get started.
Leave a Reply