Rundll32 process. Explaining the purpose

Rundll32 process. Explaining the purpose.
rundll32, rundll32.exe
Written by Wilbur Woodham

Rundll32.exe process is an internal Windows process, which carries an important function. However, different malicious programs are used to mimic this process, to stay longer in the system. In this post, you will see the explanation of the task of the rundll32.exe process. Besides, I will show you the ways of recognizing that this process is a counterfeit.

Why this process is needed?

This system application is essential for the correct system functioning. The main task it carries is a correct execution of the programs, based on dynamic-link libraries (DLL). DLLs act as toolkits that allow to the creation of the functions in the program. Every program needs its own chain of dynamic-link libraries, and to make the calling of these DLLs easier, Windows offers such a function.

Besides these functions, rundll32 also allows calling different system functions manually, from the command prompt. For example, to call the Control Panel, you need to type the next command:

RUNDLL32 SHELL32.DLL,Control_RunDLL filename.CPL,@n,t

Rundll32 functions usage

Where “filename” is an exact name of the Control Panel file, “n” is an applet of the CPL file, and “t” is the number of tabs the applet has (if it has several ones).

Such functions open a wide range of abilities for software developers, who don’t need to create a separate way of system function calling. Instead, they may just make use of the embedded Windows mechanism.

Can I stop rundll32 exe?

You will not likely find this process in the classic Task Manager. It is hidden from the user, without any clear reasons. The only way to spectate the rundll32 process is to use another task management application from Microsoft – Process Explorer. It allows you to see a lot of different hidden processes, including the subject. Stopping this process will surely lead to various problems with the applications that require this service to be active. Moreover, that process consumes very small amounts of CPU/RAM capacity, so there is no need to suspend it.

The times when Windows processes may be disabled to increase the system performance have passed long ago. When Windows XP was the last actual OS version, computers were quite weak, and their upgrade was quite expensive, disabling several services could really make your PC faster without any significant problems. Nowadays, such tricks can make things even worse.

How can I understand that rundll32 is a virus?

The perfect way to check if the process is launched by a malicious program is to open its file location. Find the rundll32.exe process in Process Explorer, and click it with a right mouse button. Choose the “Open file location” option, and you will see the folder where the .exe file is located. If the source file – rundll32.exe is located in C:/Windows/System32, everything is ok. Any other location of the source file means that you have malware on your computer. A wide range of viruses is mimic this process, copying its name. To check your PC for viruses, I can offer you to use GridinSoft Anti-Malware1.

Rundll32 exe file location

Proper location of rundll32.exe file

Removing the viruses with GridinSoft Anti-Malware

  • Download and install the GridinSoft Anti-Malware. After the installation, you will be offered to perform the standard scan. Apply this action.
  • GridinSoft Anti-Malware during the scan process

  • Standard scan lasts up to six minutes and checks the system files together with the files of the programs you have installed on your computer.
  • GridinSoft Anti-Malware scan results

  • When the scan is complete, press “Apply” to wipe out the malicious items that are present on your PC.
  • Malware removing with GridinSoft Anti-Malware

    Frequently Asked Questions

    Can I just delete the process from the root directory?

    No. In case if the process belongs to the legitimate system element, you will not be able to edit the root directory of the system, where it is stored, without granting yourself permission for this action. And its deletion will surely lead to a system crash without a possibility of loading the system back because the crucial component is absent.

    Is it possible to decrease the hardware consumption of this process?

    That process consumes literally nothing, so you will likely see no occasions when there is a need to make it less greedy with resources. However, if you see that it takes more than 20-30% of your CPU and the same amount of RAM, it is likely a virus. Perform the guide I wrote above.

    How can I know this process is malicious without checking its root directory?

    As was mentioned in the previous question, the CPU/RAM consumption of the original process is very low. So, the rundll32 process that uses a lot of hardware capacity is definitely a virus. Another way to understand that this process belongs to a malicious program is its location inside of the Process Explorer. System processes are listed in the corresponding thread, so that process’ application among the user’s background processes is a sign of malware presence.

    User Review
    0 (0 votes)
    Comments Rating 0 (0 reviews)


    1. Explanation why do I recommend you to use GridinSoft Anti-Malware.
    Rundll32 process. Explaining the purpose
    Rundll32 process. Explaining the purpose
    Rundll32 is a system process which is responsible for correct DLL usage for every app. It is often counterfeited by malicious programs.

    About the author

    Wilbur Woodham

    I was a technical writer from early in my career, and consider IT Security one of my foundational skills. I’m sharing my experience here, and I hope you find it useful.

    Leave a Reply


    This site uses Akismet to reduce spam. Learn how your comment data is processed.