rundll32.exe | Used To Run DLL Files | Safe?

Rundll32.exe is an executable file used by Windows to run DLL files as if they were within the actual program. Unfortunately, virus writers use similar names to trick users, and malware often uses this program to run code in Windows.

What Are DLL Files?

Here’s what lifewire says:

A DLL file, short for Dynamic Link Library, is a type of file that contains instructions that other programs can call upon to do certain things.

This way, multiple programs can share the abilities programmed into a single file, and even do so simultaneously.

For example, several different programs might all call upon the veryuseful.dll file (I made that up, of course) to find the free space on a hard drive, locate a file in a particular directory, and print a test page to the default printer.

Unlike executable programs, like those with the EXE file extension, DLL files can’t be run directly but instead must be called upon by other code that is already running.

https://www.lifewire.com/what-is-a-dll-file-2625852

What Is rundll32.exe?

The Microsoft Operating System uses rundll32.exe to access these DLL libraries on behalf of other programs.

It’s therefore an important file and shouldn’t, usually, be removed or disabled. However it is known to have a couple of security issues.


Security Issues With The rundll32.exe Process

Issue 1: Malware Masquerading As rundll32.exe

This is an issue common to other Windows processes such as conhost.exe.

Virus/Trojan/Spyware etc writers give their malicious files a similar name to these legitimate processes, hoping that users will mistake them for their safe namesake.

The key way to check that the rundle32.exe file running on your computer is the legitimate one is to check its file location. The real process sits in the C://Windows/System32 folder and hence if your file is elsewhere, it is likely to be malicious.

How To Check A File’s Location

a. Press ctrl-alt-del

b. Click on the ‘Details Tab’ as below:

Examine Rundll32.exe
source: https://www.raymond.cc/blog/identify-loaded-rundll32exe-in-windows-task-list/

c. Highlight the rundll32.exe file as above

d. Right click and click ‘Properties’ to get the following screen:

how to find rundll32.exe location

e. Note the location (circled)

Issue 2: Malicious DLL Libraries

The legitimate rundll32.exe file can also be used for nefarious purposes.

It can be used to download and run malicious code in a rogue DLL file. This is a well known security vulnerability (see here).


Conclusion

The rundll32 process is usually legitimate and should not be removed.

However both rogue files with a similar name, and malware which uses the process to run malicious code should be guarded against.



Featured Posts