What is the Rundll32.exe process? Is it malware?

When you open Task Manager, you may see a Rundll32.exe entry in the Processes tab. You may also encounter a rundll32.exe error at every startup or during shutdown. Many users wonder whether rundll32.exe is a virus. If not, what exactly does rundll32.exe do in the system?

What is rundll32.exe? Is it a virus?

The Rundll32.exe located in the Windows\System32 folder is a legitimate Windows system file. It’s not a virus!

But, if you have the file located in any folder outside your Windows\System32 directory, then it may be a fake file or could even be malware.

What does rundll32.exe do?

Rundll32.exe is a system file that executes a DLL. A DLL can optionally specify an entry-point function, and rundll32.exe is used to execute a DLL that specifies one. The command-line syntax for Rundll32 is as follows:

rundll32.exe <dllname>,<entrypoint> <optional arguments>

Why do multiple rundll32.exe entries show up in Task Manager?

Each rundll32.exe entry you see in Task Manager may be running a different program (DLL).

Let’s say you open a Control Panel applet, e.g., Indexing Options. When you open the classic Indexing Options Control Panel applet, Windows actually runs this command under the hood:

rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\srchadmin.dll

Likewise, other running applets may also use rundll32.exe.

Another example is the Sound applet in the Control Panel. The full command line to open the Sound applet is:

rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\mmsys.cpl

For the Time and Date Control Panel applet, here is the rundll32.exe command line used:

rundll32.exe Shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl"

How to know which file the Rundll32.exe process is running?

You can see the full command line of each Rundll32.exe process using Task Manager. You can configure Task Manager to show the Command line and Image path name columns in the Processes tab as well as the Details tab.

Note: With its default settings, Task Manager shows only the process names, their IDs and other details, but not the full command-line arguments of each process.

You may see an entry like the one below, without a DLL file name in the arguments. Some users have indicated that it’s related to Groove Music in Windows 10.

"C:\Windows\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617

Using Command-line

To view the list of rundll32.exe processes along with the command-line and Process ID, run this command in a Command Prompt window:

WMIC PROCESS WHERE Name="rundll32.exe" get Caption,Commandline,Processid /format:list

To view processes running under an administrator token, run the above command from an admin Command Prompt.

Sample Output

Caption=rundll32.exe
CommandLine="C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\srchadmin.dll ,
ProcessId=11404

Caption=rundll32.exe
CommandLine="C:\WINDOWS\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl"
ProcessId=10580

List of modules used by RunDll32.exe process

To view the list of modules that are being used by each instance of rundll32.exe, open a Command Prompt window and run this command:

tasklist /m /fi "IMAGENAME eq rundll32.exe"

The output lists the modules loaded by each rundll32.exe process.

Caveats regarding Rundll32.exe

You should be suspicious about the following things on your system:

  • If a file named Rundll32.exe is found in any location outside the Windows directory, it could be a virus.
  • Be aware of what each Rundll32.exe process is executing by inspecting it in Task Manager. In compromised systems, you will most likely see one or multiple Rundll32.exe processes running rogue malware DLL files, probably launched as startup entries.

    In short, make a note of the command-line arguments of Rundll32.exe entries in Task Manager — i.e., the DLL which is being executed by Rundll32.exe.
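
The check described in these caveats can be scripted. The Python sketch below is an added example, not code from the original article: it parses WMIC /format:list output like the sample shown earlier and reports where each DLL (or, for Control_RunDLL, the applet passed as its argument) is located. The C:\Windows install path, the function names and the last sample record are assumptions made for illustration.

```python
import re
from ntpath import isabs, normcase, normpath  # parses Windows paths on any OS

WINDOWS_DIR = normcase("C:\\Windows\\")  # assumption: default install location
# First two records are the page's sample output; the last one is constructed.
SAMPLE = r'''Caption=rundll32.exe
CommandLine="C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\srchadmin.dll ,
ProcessId=11404

Caption=rundll32.exe
CommandLine="C:\WINDOWS\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl"
ProcessId=10580

Caption=rundll32.exe
CommandLine=rundll32.exe C:\Users\Public\example.dll,Start
ProcessId=4343'''

TOKEN = r'(?:"([^"]+)"|([^\s,"]+))'              # one quoted or bare token
CMD_RE = re.compile(rf'^\s*{TOKEN}\s*(.*)$')      # image path, then the rest
DLL_RE = re.compile(rf'^{TOKEN}\s*,\s*(\S+)\s*(.*)$')  # <dll>,<entry> <args>

def where(path):
    """Classify a module path relative to the Windows directory."""
    if not isabs(path):
        return "bare-name"  # resolved by the DLL search order, location unknown
    inside = normcase(normpath(path)).startswith(WINDOWS_DIR)  # collapses ".."
    return "windows-dir" if inside else "outside-windows-dir"

def classify(cmdline):
    """Return (module, entrypoint, verdict) for one rundll32 command line."""
    m = CMD_RE.match(cmdline)
    if not m:
        return (None, None, "no-command-line")  # empty field, e.g. non-admin view
    if m.group(3).startswith(("-", "/")):
        return (None, None, "switch-only")      # e.g. -localserver <guid>
    t = DLL_RE.match(m.group(3))
    if not t:
        return (None, None, "unparsed")
    dll, entry, args = t.group(1) or t.group(2), t.group(3), t.group(4)
    applet = re.match(TOKEN, args) if entry.lower() == "control_rundll" else None
    if applet:  # shell32 only hosts the applet; the argument is the code that runs
        dll = applet.group(1) or applet.group(2)
    return (dll, entry, where(dll))

def scan(text):
    """Map ProcessId -> classify() result for WMIC /format:list output."""
    recs = (dict(l.split("=", 1) for l in b.splitlines() if "=" in l)
            for b in re.split(r"\n\s*\n", text.strip()))
    return {int(r["ProcessId"]): classify(r["CommandLine"]) for r in recs if "CommandLine" in r}
```

Entries reported as outside-windows-dir or bare-name are the ones to look at first; a switch-only entry has no DLL on its command line and has to be identified another way.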


About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.