Are dllhost and svchost safe?

As I understand them, they are used as processes that execute dlls, for situations that some routine is better as or must not be a process itself.

So, any kind of software may be run by them. I setup my CIS services to notify me of any and all access so I can manuyally handle its rights. But I’m concerned and not sure how I should config these 2 files. When they try to do something, IDK what specific software is doing it, so IDK if it’s safe or if it rly needs to do it.

The protection that CIS offers is that they are protected objects and they cannot be started without notification nor can related registry keys be changed without notification by unknown (untrusted) applications.

For me that is enough protection.