Archive for May 30, 2011

What is rundll32.exe And Why Is It Running?

What is rundll32.exe And Why Is It Running?


You are no doubt reading this article because you’ve looked in task manager and wondered what on earth all those rundll32.exe processes are, and why they are running… So what are they?

Explanation

If you’ve been around Windows for any amount of time, you’ve seen the zillions of *.dll (Dynamic Link Library) files in every application folder, which are used to store common pieces of application logic that can be accessed from multiple applications.
Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files. This executable is a valid part of Windows, and normally shouldn’t be a threat.
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.

Using Windows Vista’s Task Manager

One of the great features in Windows Vista’s Task Manager is the ability to see the full command line for any running application. For instance, you’ll see that I have two rundll32.exe processes in my list here:

If you go to View \ Select Columns, you’ll see the option for “Command Line” in the list, which you’ll want to check.



Now you can see the full path for the file in the list, which you’ll notice is the valid path for rundll32.exe in the System32 directory, and the argument is another DLL that is actually what is being run.



If you browse down to locate that file, which in this example is nvmctray.dll, you’ll usually see what it actually is when you hover your mouse over the filename:

Otherwise, you can open up the Properties and take a look at the Details to see the file description, which usually will tell you the purpose for that file.


Once we know what it is, we can figure out if we want to disable it or not, which we’ll cover below. If there isn’t any information at all, you should either Google it, or ask somebody on a helpful forum.

Using Process Explorer on Vista or XP

Instead of using Task Manager, we can use the freeware Process Explorer utility from Microsoft to figure out what is going on, which has the benefit of also working in Windows XP.
Simply launch Process Explorer, and if you are using Vista you’ll want to choose File \ Show Details for All Processes.


Now when you hover over the rundll32.exe in the list, you’ll see a tooltip with the details of what it actually is:



Or you can right-click, choose Properties, and then take a look at the Image tab to see the full pathname that is being launched, and you can even see the Parent process, which in this case is the Windows shell (explorer.exe), indicating that it was likely launched from a shortcut or startup item.


You can browse down and view the details of the file just like we did in the task manager section above. In my instance, it’s a part of the NVIDIA control panel, and so I’m not going to do anything about it.

Disabling the Process

Depending on what the process is, you won’t want to necessarily disable it, but if you would like to, you can type msconfig.exe into the start menu search or run box and you should be able to find it by the Command column, which should be the same as the “Command line” field we saw in Process Explorer. Simply uncheck the box to prevent it from starting automatically.



Sometimes the process doesn’t actually have a startup item, in which case you’ll likely have to do some research to figure out where it was started from. For instance, if you open up Display Properties on XP you’ll see another rundll32.exe in the list, because Windows internally uses rundll32 to run that dialog.
When all else fails, you should post the full command path over on a helpful forum and get advice from somebody else that might know more about it.