2

One of the system services reports in its log that it has loaded some object. The log also mentions the CLSID of the loaded object (the value is 1CECAF7C-B7A0-4B81-912D-78F202E3F0EA; see also the screenshot).

Of course, first of all I searched for this value in the registry (I have also read this Stack Overflow question). But I cannot find it; probably this value does not exist in the registry at all. Strange...

Please explain how this is possible. And how can I find the DLL in which this object is implemented?

Community

2 Answers

1

How is this possible? Simple: the DLL simply was never registered.

Of course, that means you cannot find the DLL from the registry, but you may know for some other reason which DLL you need. E.g. because you wrote the DLL yourself!

In this case it's quite possible that Microsoft knows about Microsoft Terminal Service DLLs. Also, they will know when they change the CLSID. You know neither, so don't make assumptions here.

MSalters
0

I'll throw in my 2 cents even though this has already been answered. It is possible, or even likely, that it is using registration free COM. In that case, the type library information is stored in manifests.

If you know the process you are looking for, you can then use procexp to examine the DLLs that are loaded into the process. Once you have the DLL list, you can examine the manifests of suspicious or likely candidates to try and find the ProgIds and CLSIDs.

Joseph Willcoxson
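The manifest check described in the answer above, sketched as an added example (not code from either answerer): it pulls manifest XML out of a file's raw bytes and lists the DLLs whose `comClass` entry declares a given CLSID. The function names, the byte-search heuristic (instead of walking the PE resource tree) and the sample DLL name and ProgID are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"
# <assembly ...> ... </assembly>; \b keeps <assemblyIdentity> from matching.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

def normalize_clsid(value):
    """CLSIDs appear with or without braces and in either case."""
    return value.strip().strip("{}").upper()

def extract_manifests(blob):
    """Return manifest XML documents found in raw file bytes.

    Heuristic: an embedded manifest is normally stored as plain UTF-8 XML,
    so a byte search finds it; the same call works on a .manifest file.
    """
    return [m.group(0) for m in MANIFEST_RE.finditer(blob)]

def find_com_classes(manifest_xml):
    """Yield (dll_name, clsid, progid) for every comClass in one manifest."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return  # damaged or non-manifest match: nothing to report
    for file_el in root.iter(ASM_NS + "file"):
        for cls in file_el.iter(ASM_NS + "comClass"):
            yield (file_el.get("name"),
                   normalize_clsid(cls.get("clsid", "")),
                   cls.get("progid"))

def locate_clsid(blob, wanted):
    """Return the DLL names whose manifest entry declares the wanted CLSID."""
    wanted = normalize_clsid(wanted)
    return [dll for doc in extract_manifests(blob)
            for dll, clsid, _ in find_com_classes(doc) if clsid == wanted]

# Constructed sample: bytes standing in for a binary with an embedded manifest.
# The DLL name and ProgID are invented; only the CLSID comes from the question.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.Component" version="1.0.0.0" type="win32"/>
  <file name="example_component.dll">
    <comClass clsid="{1cecaf7c-b7a0-4b81-912d-78f202e3f0ea}" threadingModel="Both" progid="Example.Object"/>
  </file>
</assembly>""" + b"\x00" * 8

if __name__ == "__main__":
    print(locate_clsid(SAMPLE, "1CECAF7C-B7A0-4B81-912D-78F202E3F0EA"))
```

To use it on real files, read the bytes of each DLL or `.manifest` file from the loaded-module list and pass them to `locate_clsid`.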