{"id":8852,"date":"2019-04-25T11:04:17","date_gmt":"2019-04-25T05:34:17","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=8852"},"modified":"2023-07-31T18:56:49","modified_gmt":"2023-07-31T13:26:49","slug":"what-is-rundll32-exe-is-it-malware","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/what-is-rundll32-exe-is-it-malware\/","title":{"rendered":"What is Rundll32.exe process? Is it a Malware?"},"content":{"rendered":"

When you open Task Manager, you may see Rundll32.exe entry in the Processes tab. Or, you may also encounter a rundll32.exe error at every startup<\/a> or during shutdown. Many users are wondering if rundll32.exe is a virus. If not, what exactly does rundll32.exe do in the system?<\/p>\n

\"rundll32<\/p>\n

<\/p>\n

What is rundll32.exe? Is it a virus?<\/h2>\n

Rundll32.exe, the one located in the Windows\\System32<\/code> folder is a legitimate Windows system file. It’s not a virus!<\/p>\n

But, if you have the file located in any folder outside your Windows\\System32<\/code> directory, then it may be a fake file or could even be malware.<\/p>\n

What does rundll32.exe do?<\/h2>\n

Rundll32.exe is a system file which executes a DLL. A DLL can optionally specify an entry-point function. To execute the DLL that specifies an entry-point, rundll32.exe is used. The command line syntax for Rundll32 is as follows:<\/p>\n

rundll32.exe <dllname>,<entrypoint> <optional arguments><\/pre>\n
Why do multiple rundll32.exe entries show up in Task Manager?<\/h2>\n
Each rundll32.exe entry you see in Task Manager may be running a different program (DLL).<\/p>\n
\"rundll32<\/p>\n
Let’s say you open a Control Panel applet – e.g., Indexing Options. When you open Indexing Options classic Control Panel applet, Windows actually runs this command behind the hood:<\/p>\n
rundll32.exe C:\\WINDOWS\\system32\\shell32.dll,Control_RunDLL C:\\WINDOWS\\System32\\srchadmin.dll<\/pre>\n
Likewise, there may be other applets running, which uses rundll32.exe.<\/p>\n
Another example would be the Sound applet in the Control Panel. The full command-line to open Sound applet is:<\/p>\n
rundll32.exe C:\\WINDOWS\\System32\\shell32.dll,Control_RunDLL C:\\WINDOWS\\System32\\mmsys.cpl<\/pre>\n
For Time and Date Control Panel applet, here is the rundll32.exe command-line used:<\/p>\n
rundll32.exe Shell32.dll,Control_RunDLL \"C:\\WINDOWS\\system32\\timedate.cpl\"<\/pre>\n
How to know which file the Rundll32.exe process is running?<\/h2>\n
You can see the full command-line of each Rundll32.exe process using Task Manager.\u00a0You can configure Task Manager to show Command-line and Image Path name columns<\/a> in the Processes as well as the Details view.<\/p>\n
\"task<\/p>\n
Note:<\/strong> The Task Manager, with its default settings, shows only the process names, their ID and other stuff, but but not the full command-line arguments of each process.<\/em><\/p>\n
You may see an entry like below, without a DLL file name in the arguments. Some users have indicated that it’s related to Groove Music<\/strong> in Windows 10.<\/p>\n
\"C:\\Windows\\system32\\rundll32.exe\" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617<\/pre>\n
Using Command-line<\/h3>\n
To view the list of rundll32.exe processes along with the command-line and Process ID, run this command in a Command Prompt window:<\/p>\n
WMIC PROCESS WHERE Name=\"rundll32.exe\" get Caption,Commandline,Processid \/format:list<\/pre>\n
To view processes running under administrator token, run the above command from admin Command Prompt<\/a>.<\/p>\n
Sample Output<\/h4>\n
Caption=rundll32.exe\r\nCommandLine=\"C:\\WINDOWS\\system32\\rundll32.exe\" C:\\WINDOWS\\system32\\shell32.dll,Control_RunDLL C:\\WINDOWS\\System32\\srchadmin.dll ,\r\nProcessId=11404\r\n\r\nCaption=rundll32.exe\r\nCommandLine=\"C:\\WINDOWS\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\WINDOWS\\system32\\timedate.cpl\"\r\nProcessId=10580<\/pre>\n
List of modules used by RunDll32.exe process<\/h4>\n
To view the list of modules that are being used by each instance of rundll32.exe<\/code>, open a Command Prompt window and run this command:<\/p>\n
tasklist \/m \/fi \"IMAGENAME eq rundll32.exe\"<\/pre>\n
You’ll see an output like this:<\/p>\n
\"rundll32<\/p>\n
Caveats regarding Rundll32.exe<\/h2>\n
You should be suspicious about the following things on your system:<\/p>\n