When you open Task Manager, you may see Rundll32.exe entry in the Processes tab. Or, you may also encounter a rundll32.exe error at every startup or during shutdown. Many users are wondering if rundll32.exe is a virus. If not, what exactly does rundll32.exe do in the system?
What is rundll32.exe? Is it a virus?
Rundll32.exe, the one located in the
Windows\System32 folder is a legitimate Windows system file. It’s not a virus!
But, if you have the file located in any folder outside your
Windows\System32 directory, then it may be a fake file or could even be malware.
What does rundll32.exe do?
Rundll32.exe is a system file which executes a DLL. A DLL can optionally specify an entry-point function. To execute the DLL that specifies an entry-point, rundll32.exe is used. The command line syntax for Rundll32 is as follows:
rundll32.exe <dllname>,<entrypoint> <optional arguments>
Why do multiple rundll32.exe entries show up in Task Manager?
Each rundll32.exe entry you see in Task Manager may be running a different program (DLL).
Let’s say you open a Control Panel applet – e.g., Indexing Options. When you open Indexing Options classic Control Panel applet, Windows actually runs this command behind the hood:
rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\srchadmin.dll
Likewise, there may be other applets running, which uses rundll32.exe.
Another example would be the Sound applet in the Control Panel. The full command-line to open Sound applet is:
rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\mmsys.cpl
For Time and Date Control Panel applet, here is the rundll32.exe command-line used:
rundll32.exe Shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl"
How to know which file the Rundll32.exe process is running?
You can see the full command-line of each Rundll32.exe process using Task Manager. You can configure Task Manager to show Command-line and Image Path name columns in the Processes as well as the Details view.
Note: The Task Manager, with its default settings, shows only the process names, their ID and other stuff, but but not the full command-line arguments of each process.
You may see an entry like below, without a DLL file name in the arguments. Some users have indicated that it’s related to Groove Music in Windows 10.
"C:\Windows\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617
To view the list of rundll32.exe processes along with the command-line and Process ID, run this command in a Command Prompt window:
WMIC PROCESS WHERE Name="rundll32.exe" get Caption,Commandline,Processid /format:list
To view processes running under administrator token, run the above command from admin Command Prompt.
Caption=rundll32.exe CommandLine="C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\srchadmin.dll , ProcessId=11404 Caption=rundll32.exe CommandLine="C:\WINDOWS\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl" ProcessId=10580
List of modules used by RunDll32.exe process
To view the list of modules that are being used by each instance of
rundll32.exe, open a Command Prompt window and run this command:
tasklist /m /fi "IMAGENAME eq rundll32.exe"
You’ll see an output like this:
Caveats regarding Rundll32.exe
You should be suspicious about the following things on your system:
- If the file Rundll32.exe the file name is found in any other location outside the Windows directory, it could be a virus.
- Be aware of what a Rundll32.exe process is executing, by inspecting the Task Manager. In compromised systems, you will most likely see one or multiple Rundll32.exe processes running rogue malware DLL files, probably launched as startup entries.
In short, make a note of the command-line arguments of Rundll32.exe entries in Task Manager — i.e., the DLL which is being executed by Rundll32.exe.
One small request: If you liked this post, please share this?One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.