The rundll32.exe process in Windows
Welcome to the pages of the Computer76 blog. Today we will consider the rundll32.exe process: what kind of process it is, and why there are sometimes several of them running, or none at all.
Theory. As always.
If you have used Windows for a decent amount of time, you may have noticed that the folder of almost any application contains many files with the extension .dll, or “dlls” (provided, of course, that the system is configured to show file extensions). These are dynamic link libraries, used to store shared pieces of program or application logic so that they can be accessed by any (or at least most) other applications.
A .dll file will not run when you double-click it. The rundll32.exe application (process) is therefore designed to read entries from these library files, and the reading works in both directions: from application to application, from system to program, and vice versa. For developers this is a remedy for the endlessly growing RAM requirements of a running application: the main program is launched on behalf of the user, the necessary libraries are loaded from the program’s folder, the program is closed, and the .dll files are closed too (though not always). In addition, different applications can interact with each other, which is the ultimate purpose of these small files. And rundll32.exe controls all of this. The rundll32.exe process is authorized by the system; there is nothing forbidden or illegal about it in terms of access. And some viruses have learned to use it.
Virus or not?
Strictly speaking, computer worms like to hide behind it. rundll32.exe has only one location:
And if you decide to check the location of the process and the path does not lead to this folder (you won’t be able to put anything there without the system’s permission), then it’s time to run anti-virus software. For a clean experiment, do this in safe mode with networking. However, you can draw some conclusions without an antivirus program. So let us look at where the rundll32.exe processes are started from and what they run in Windows.
What is running as rundll32.exe?
You will download a zip archive. Copy the .exe file to your desktop and run it. Here is an updated Task Manager. Click File > Show Details for All Processes, confirm administrator rights, and you will see a complete list of the processes running on the system.
In general, it doesn’t matter what tool you use. The rundll32.exe process is a system process and is not hidden from the user’s eyes. It can also be easily found in the user’s configuration file. This is the one called by the famous search string command:
Here, in the Startup tab, the process associated with rundll32.exe can sometimes be “hooked” – it is written in the path to the application:
In my experience, a rundll32.exe process that is constantly displayed in the Task Manager indicates faults in the operation of hardware or of programs that are related to each other. The fault can be local (during the current session; things return to normal after a reboot) or permanent (damage to the files themselves, a “broken driver”, bad HDD sectors, a virus).
Users of Windows 7 and later rarely experience this problem. Windows XP users experienced it more frequently, and there were also more ways to solve it. In any case, the 100% solution was to copy the original rundll32.exe file from a boot disk or from the network (beware of fakes!).
The article describes how to find out the nature of any process, using rundll32.exe as an example, with the familiar Windows Task Manager. The technique will allow you to determine with high accuracy whether a suspicious process belongs to the system or is a virus.
One of the main problems for those who are just getting acquainted with Windows is trying to diagnose some kind of malfunction. On opening the Task Manager, the user often stumbles upon several simultaneously running processes with the same name. A reasonable question arises: is it the same process? Then why are there so many of them? And is there any malware among them masquerading as a real process? One of these processes (you can count them on your fingers) is rundll32.exe. Along with the svchost process, there may be a dozen or more of them in the Task Manager. But it’s not just about them.
What is Rundll32.exe?
Rundll32.exe is, let me remind you, a part of the system that lives in the Windows\System32 directory and is used by Windows to run program code in a dll file as if this file were a real program. The whole problem is that the dll itself is simply not capable of executing directly. To do this, Rundll32.exe is launched.
Of course, for a lot of malware this situation is a tasty morsel. Some of it uses similar names in order to fool a user who doesn’t look closely at process names. I came across viruses like rundII32.exe (where the last two letters are not the lowercase Latin l (el) but the capital I, a quirk of Latin lettering). Or, say, rundll.32.exe: note the two dots in the name. It is not uncommon for the real Rundll32 to be used to run malicious code. And the Windows Task Manager has long made this easy: it is still almost impossible to tell from the list of running processes what is what and where it came from.
In fact, the situation with recognizing Rundll32 is easy to fix (albeit partially). A fake rundll is easy to pull out using the same Task Manager. Launch Task Manager:
Ctrl + Shift + Esc
Set the checkbox opposite the item Command line:
How to find out the nature of the rundll32.exe process from the command line?
Where the process comes from can be determined using the tasklist command-line utility. It will reveal the list of libraries and files that accompany the launch and operation of the process. Run the command console as administrator and type the command
tasklist /m /fi "IMAGENAME eq rundll32.exe"
The dll modules will show up on the right side of the console. However, their names can tell little to an inexperienced user, so Google is here to help.
The simplest and probably the most original way to check whether a file that supposedly belongs to the system is genuine is to check it with the system file integrity utility. Yes, the same sfc /scannow, which is designed to check system files for compliance with the originally installed or updated ones. So, if you have doubts about the rundll32.exe process or any other process, type a command like this in the console:
Please note: the command will be able to check a specific file at a specific address. And this file must be known to the system.
I’ll finish with this. In any case, let me remind you that most system files, including executable utilities such as rundll32.exe, can be safely copied from a Windows installation disk or a virtual machine. So if the fears are confirmed, it is easy to find a replacement for the files.
Library as software
A dynamic link library (DLL) is usually a software module that provides functions to other programs; however, it cannot be run directly on Windows. RUNDLL, on the other hand, allows you to call individual DLL functions whose name is specified on the command line. Execution takes place in a separate process, so RunDLL calls are also used by other programs that want to protect their own process from errors in the called DLL. Program functions in system executable files (.exe files) can be called in the same way.
Control Panel (CPL) files, which are usually located in the Control Panel virtual folder, can alternatively be called with RUNDLL from the command line through Shell32.dll:
This method can be used both on the command line or when batch processing data from various scripts, or using regular shortcuts (LINK files). Because the functions work in conjunction with the operating system, caution is advised in certain experiments and is recommended only for fairly advanced users.
void CALLBACK NameFunction(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
Security threats can arise because viruses and spyware use rundll32, including as a “namesake” for their malicious programs.
First of all, RUNDLL lets the actual culprit hide: error messages and log entries name the EXE file as the cause. That file is rundll32.exe, which is itself entirely clean; the malicious program sits in a DLL whose name in many cases is not mentioned. Instead of the unwanted DLL being identified, rundll32.exe gets the blame.
Also, if this file is in a location other than %windir%\system32\rundll32.exe and is running from that other location, then it may be a virus and not related to the original file.
What is rundll32.exe
DLL files are simply used to store application logics that are common and can be accessed by multiple applications. However, there is no way to launch these dll files directly. So to run the functionalities stored in these dll files, the computer system uses the rundll32.exe application.
A computer system is an indispensable part of our life in present times. As our daily life is becoming more tech-savvy, we find it much easier to portray the colors of our dreams with a computer system, be it a PC, or a laptop or even a handheld device like smartphones.
This article is a part of our Windows explanatory series which explains different process found in Task manager like dwm.exe, svchost.exe, dllhost.exe, Windows Modules Installer worker and more.
If you are familiar with the Windows system files, you might have spotted some files that have the extension .dll. These DLL (dynamic link library) files are simply used to store application logic that is common and can be accessed by multiple applications.
There are two versions of the rundll32.exe program in 64-bit versions of Windows-family operating systems:
64-bit version: %WinDir%\System32
32-bit version: %WinDir%\SysWOW64
A 64-bit application can use the 64-bit version of rundll32.exe located in %WinDir%\System32 to load a 64-bit DLL. But 32-bit programs addressing %WinDir%\System32 are redirected to %WinDir%\SysWOW64 for compatibility purposes, and therefore they will use the 32-bit version of rundll32.exe.
The errors associated with rundll32.exe may occur during computer startup, program startup or while executing a special function in our program like printing. Some of the common errors associated with rundll32.exe are listed below:
How to restore the rundll32.exe file?
Alternate Methods to restore rundll32.exe:
1. How many rundll32.exe instances are ideal to be running at the same time?
At any single point in time, there may be several instances of rundll32.exe running on our computer system. However, to be sure about any vulnerability, you may want to check the path of the running rundll32.exe processes. If any of them is in a strange folder, that is likely to be a problem. Keep in mind that the original rundll32.exe file resides in the System32 folder of our system.
2. Is rundll32.exe a virus in disguise?
As mentioned earlier, rundll32.exe is not a threat to our computer system. However, there are instances when spyware or viruses use the same file name and run from a different directory.
3. Is it safe to end or stop it from running in background?
In the Windows operating system, hundreds of processes work simultaneously, consuming RAM and CPU resources and accessing files on disk. This is completely natural. But sometimes some of them overload the OS, preventing us from working or playing on the computer. From this post you will learn why Rundll32.exe loads the processor in Windows 7. By the way, it is on Windows 7 that it shows increased activity.
Let’s start with the basics. If this part of the “narrative” is not interesting for you, then scroll down to the next chapter.
This is a system component that is responsible for searching for data on the Internet. Users cannot directly manage its work, ask what and where to look for. Similar directives are written in the Windows OS itself.
For example, you need to find an update for a system application or game – Rundll32 initiates a procedure that will last until the “victorious end”. And if there are connection problems, problems with Microsoft servers, then the process can take a lot of time. In this case, the file loads the system up to the maximum consumption of processor resources.
Where is it? The object is located along the path:
It can also be found in the SysWOW64 folder (if you have a 64-bit version of the OS installed).
Rundll32 loads the processor – how to fix it?
Can it be deleted? Under no circumstances; otherwise you risk a critical failure of Windows. The file is also related to Microsoft’s desire to force users to switch to Windows 10: it constantly tries to establish a connection with the company’s servers, which is what loads the PC.
The solution is simple: limit what the file can do or switch to Windows 10. Consider the first way:
You can also go the other way – open taskschd.msc in the System32 folder:
Agree to make changes. There won’t be any negative consequences.
The Rundll32 host process loads Windows when the game starts – what should I do?
Windows 7 has pre-installed games that are located in the “Games Explorer” (everyone’s favorite solitaire games, Minesweeper, Pinball and others). So, Rundll32.exe is also responsible for searching the Internet for additional content – images, updates for these components. But some of them have not been supported by developers for a long time, and on January 14, 2020, access to servers will be completely closed.
Rundll32 searches actively, absorbing processor resources. But this can be stopped in a simple and safe way:
Did this solution help?
Another reason is virus infection of the computer
The Rundll32 file itself is unlikely to be damaged by intruders, but hackers often disguise malicious scripts as system elements. If you notice in the task manager that the object is loading the processor, right-click on it and view the location:
As you remember, Rundll32.exe is located in the System32 (or SysWOW64) folder. If another directory opens, you should immediately run an anti-virus scan. Also pay attention to the name – it may differ by one or two letters, for example, Rundl32 or Ryndll.
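The location check described here, together with the look-alike names mentioned earlier on the page (rundII32.exe, rundll.32.exe), written as a small triage routine. This is an added example, not code from the original articles: the process records are constructed, C:\Windows is assumed for %WinDir%, and the function names, verdict labels and the edit-distance threshold of 3 are assumptions of the example.

```python
import ntpath
import re

LEGIT_NAME = "rundll32.exe"
MAX_EDITS = 3  # assumption: names within 3 edits of rundll32.exe count as look-alikes


def legit_dirs(windir=r"C:\Windows"):
    """The two folders the page names for the genuine file (System32, SysWOW64)."""
    return {ntpath.normcase(ntpath.join(windir, d)) for d in ("System32", "SysWOW64")}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_image(image_path, windir=r"C:\Windows"):
    """Return 'ok', 'wrong-location', 'lookalike-name' or 'unrelated' for one image path."""
    # Windows file names are case-insensitive, so compare lower-cased, normalised paths.
    path = ntpath.normcase(ntpath.normpath(image_path))
    directory, name = ntpath.split(path)
    if name == LEGIT_NAME:
        return "ok" if directory in legit_dirs(windir) else "wrong-location"
    if edit_distance(name, LEGIT_NAME) <= MAX_EDITS:
        return "lookalike-name"
    return "unrelated"


def hosted_dll(command_line):
    """Return the DLL named on a rundll32 command line ('<dll>,<entry> ...'), or None."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^\s,]+))', command_line)
    return (m.group(1) or m.group(2)) if m else None


# Constructed sample: (image path, command line) as a process listing would show them.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Public\helper.dll",Start'),
    (r"C:\Users\Public\rundll32.exe", r"rundll32.exe"),
    (r"C:\Windows\System32\rundII32.exe", r"rundII32.exe"),
    (r"C:\ProgramData\rundll.32.exe", r"rundll.32.exe"),
    (r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
]


def triage(processes, windir=r"C:\Windows"):
    """List (image path, verdict, hosted DLL) for every rundll32-like process."""
    report = []
    for image_path, command_line in processes:
        verdict = classify_image(image_path, windir)
        if verdict == "unrelated":
            continue
        report.append((image_path, verdict, hosted_dll(command_line)))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_PROCESSES):
        print(row)
```

A verdict of "ok" only says the host executable is in the expected folder; the third column still has to be reviewed, because the genuine rundll32.exe can load a DLL from any path.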
The easiest way to scan a Windows 7 system is with free utilities or . Ideally, perform actions in safe mode:
In this article we will tell you what the hosts file is and where it is located.
What the hosts file looks like in Windows:
What the hosts file looks like in Linux:
How the hosts file appeared
At that time, the Stanford Research Institute Network Information Center (abbreviated as NIC SRI) was responsible for hosts.txt. If a new site appeared on the network, administrators sent information about the changes to the NIC SRI. After that, they synchronized their hosts file with the data from the NIC. This happened 1-2 times a week.
However, as the Internet spread, this scheme of work became impossible: the amount of information grew, and it became much more difficult to synchronize data.
In 1984, documents appeared that described the DNS system. It was DNS that came to replace hosts.txt.
The hosts file still exists, but its purpose has changed. It is on every computer and is responsible for displaying sites on a specific device. Hosts does not affect the global web.
Where is the hosts file
The location of the hosts file depends on the family and version of the OS that is installed on your computer.
Unable to change hosts file
Sometimes an attempt to change hosts fails. You may encounter this if you are editing a file on a Windows system.
To solve this problem, open Notepad as an administrator. To do this:
What is localhost
As a rule, localhost is used to set up network tools: for example, if you set up a server on your computer and want to access it by name or IP.
In addition, localhost can be used to block access to any site. Suppose you want to block vk.com on a specific computer. Then you need to add the line to the hosts file:
How to restore original hosts file
If you accidentally deleted the hosts file, you can restore it manually. To do this, go to the folder where it should be stored. Then create a text file with no extension, name it hosts. After that, the file must be filled. The default content depends on the OS that is installed on your computer.
Standard hosts for Windows
Standard hosts for MacOS
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
Then save the file.
Despite the fact that the hosts file no longer affects the operation of sites on the global network, it helps to solve some important tasks on your computer.
Check file for changes
Note: If the content of the Hosts file has been changed, run a virus scan. Malicious programs can modify the contents of the file to redirect connections from your computer to malicious sites.
Common changes causing problems
Here are some examples of the most common changes that affect Blizzard games. If you find these lines in your Hosts file, remove them:
Restore the default settings assigned by Microsoft to the Hosts file
To restore the default settings for the Hosts file, do the following:
Hello, dear readers of the KtoNaNovenkogo.ru blog. Today I want to talk about something that is fairly simple in its design: the Hosts file.
Remarkably, it lives on almost all operating systems (and therefore all computers of Internet users), from Linux to Windows 7. Another distinguishing feature of it is that it does not have an extension, but this is due precisely to the fact that it should work in any OS, which means it must be universal.
But this is not the main thing. Although it is a relic of the past, there are still many ways to use Hosts for both good and bad purposes. For example, viruses and virus writers love it very much and often use it either to replace official sites with their phishing duplicates, or to block the ability to update your anti-virus program.
When the Internet first appeared and was slow, many users registered in Hosts the resources they most frequently visited, and also blocked servers with ads through it, well, or access to those programs that they activated, let’s say, without paying for this developers.
But even now this file can be useful, including for webmasters. For example, when changing hosting, you sometimes have to wait a day before all DNS servers register a new IP address of your site. However, you can start working and testing the site on a new hosting immediately after placing it there. How to do it? Well, all with the help of the same Hosts.
By tradition, it’s worth starting with how this miracle actually appeared and managed to settle on the vast majority of computers in the world. Well, here, as always, everything is simple.
When the Internet (World Wide Web, global network or simply WWW) did not yet exist as such (how it appeared can be found in the article about the emergence of WWW on the Internet), but there were already small local networks of computers connected to each other, then even then they came to the conclusion that it is much easier to refer to hosts (computers on a network) by name, and not by a numerical code, which is called an IP address.
However, network equipment needs IP addresses and nothing else. Therefore, a list of correspondences between host names and their IP addresses was compiled by hand. Such a list was called Hosts and was sent to all nodes of the local network. Everything was great until the moment when it became impossible to use this method because of the huge number of entries contained in the file. Distributing it became problematic.
For this reason, it was decided to approach the issue differently: to place on the Internet a whole tree-like network of DNS (Domain Name System) servers that would store all these correspondence tables, and users’ computers would ask the nearest one which IP address corresponds to the Vasya.ru domain.
At the same time, everyone safely forgot about the Hosts file, but it still had a place to be in all operating systems, except that only its content was extremely scarce. Usually there was and still is only one entry:
For some reason, this IP address (or rather the range 127.0.0.1 – 127.255.255.255) was chosen to denote the local host (private IP), i.e. the very computer you are sitting at (literally localhost – “this computer”). But, really, that’s all for the old IPv4 (fourth version).
And in IPv6, which is now in use (due to the fact that the number of addresses included in the previous version is not enough for everyone), such an entry will look a bit different:
But the essence is the same. Since both standards for specifying an IP address are still used or can be used, both of these lines are usually present in the Hosts file. True, any amount of text can be written above them (depending on the OS used), but all those lines begin with the hash symbol #, which means that they are comments and are not taken into account.
On my old Windows Vista, the Hosts file now looks like this:
The syntax of the record is very simple – first the IP address is indicated, and then the name of the host (computer, node or domain) is written after any number of spaces (tab characters). A separate line is used for each entry of this kind.
Here the main question arises, what place does Hosts take now in the process of matching the domain names entered in the browser and those IP addresses that are hidden behind these domains? Well, as it turned out, it occupies a very important place, namely the first one. But first things first.
So, you enter the URL address into the address bar of the browser (read about Url here) or follow the link from the browser bookmarks, or from any web page open in it. In any case, the browser receives from you the path to the document you want to see.
Either way, the URL will contain the domain name of the site where the document you are interested in is located (ktonanovenkogo.ru in our example). However, this domain corresponds to a very specific server (maybe virtual), where this very site is hosted. And this server must have an IP address so that it can be seen on the network and can be accessed.
Your browser cannot know which IP corresponds to the domain name contained in the URL (well, unless you have enabled caching of DNS records in this very browser and you have visited this site before). Therefore, it first turns to the Hosts file on your computer for clarification.
If this domain (and its corresponding IP) is not found there, then the browser will start torturing the DNS records caching service from Windows. If earlier you accessed this domain and not much time has passed since then, then the DNS cache will give the browser this same IP address. The browser will receive it and open the document you requested.
If there are no records for this domain among the cache, the browser will send a request to the nearest DNS server (most likely, it will be the server of your Internet provider) and receive the required information from it. True, in this case there may be a slight delay in opening the web page you requested, but with modern Internet speeds this will be practically not noticeable.
And this happens with absolutely any request to open a document from the Internet from your computer. Do you get it? Empty Hosts does not create any problems, but if you fill it out, and even with malicious intent, it may turn out that you enter the password for your Yandex wallet not on the official website of this payment system, but on a phishing resource with a similar design (see what is phishing).
How can this be? Well, no one is safe from virus infection (here I wrote about my viral epic with websites), and a virus can easily add the IP address of a phishing resource to the Hosts and assign it the money.yandex.ru domain name, for example. Therein lies the danger.
A fake social networking site might intercept your passwords, charge you to enter, or do something more creative. The saddest thing is that it is impossible to notice the substitution, because the correct domain name will show off in the address bar of the browser.
Where is the Hosts file located and how can I remove virus entries from it?
On the other hand, even an absolute noob in computers can remove the changes made by the virus from the Host file. Usually the problem lies precisely in finding where this very file is located.
In older versions of Windows, such as XP or 2000, it was open to everyone and lived in system folders at the following address:
You won’t believe it, but it lives at the same address in both Windows 7 and Vista; everything is a bit more complicated there, though, because following the path:
You won’t find the etc folder there. The developers felt that this file should not be touched by ordinary mortals, in order to avoid problems.
However, the hosts file in Windows 7 and Vista still exists; you just need to look for it with Administrator rights. Personally, I never even tried to figure out all this nonsense with rights, but I found a very simple way for myself to get around this limitation.
So, go to the “Start” button menu – “All Programs” and find the “Accessories” folder there. Shortcuts live inside it, among which it is easy to spot Notepad. Right-click on it and select “Run as Administrator” from the context menu that appears:
Well, actually, half the battle is done. Now in Notepad, select “File” – “Open” from the top menu. In the standard Windows Explorer window, find the etc folder you are looking for (inside the Windows\System32\drivers directory), select “All files” from the drop-down list in the lower right corner and watch with happy eyes as this top-secret file appears:
It will be exactly without an extension, and the rest of the crap, like hosts.txt, is very often created by viruses to divert your attention and confuse you in the end. For a real file, they set the “Hidden” attribute, which can be set or unchecked by simply right-clicking on the file and selecting the lowest item “Properties”:
Since Windows by default does not display extensions for registered file types (why they did this, I don’t understand), the user finds hosts.txt without seeing either its extension or the fact that there is another hosts in the same folder that is hidden from view.
By making changes to the fake, he does not achieve anything, he starts tearing his hair, wringing his hands and goes to the store for a new laptop in order to finally get into his beloved Contact, which the virus blocked on the old computer. Ahh, horror.
There is a very easy way to open this file. It will be enough to press the key combination Win + R on the keyboard (or select the “Run” item from the “Start” button menu), then enter the following line in the window that opens and press Enter:
But it doesn’t matter. We still found where this secret (for Windows 7 and vista) file is located, and we must carefully examine it for possible abuse. If the initial examination of the patient did not reveal any pathologies, then look at the page scroll area in Notepad.
Well, if the substitution of addresses in this file is quite simple, for example, it might look like this:
So how, in this case, are certain sites blocked through Hosts? Well, the domain to be blocked is simply assigned the private IP address 127.0.0.1, like so:
The browser finds this match and tries to get the required document (web page) from your own computer, which, of course, fails, and it will immediately tell you so. By the way, this is a good way to block your children from accessing sites that you think they should not visit. Of course, you will still need to create a list of such sites or get one somewhere, but you can try it if you wish.
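The entry syntax, the blocking trick and the address substitution described above, checked by a small parser; this is an added example, not code from the original article. The sample file is constructed (203.0.113.10 is a documentation address), and the function name, the verdict labels and the 20-blank-line threshold for entries pushed out of view below the visible part of the file are assumptions of the example.

```python
import ipaddress

LOCAL_NAMES = {"localhost"}   # names that are expected to point at the loopback address
BLANK_RUN = 20                # assumption: this many empty lines before an entry hides it

# Constructed sample: two default entries, one block, and one redirect that only
# shows up after scrolling past 30 empty lines.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1       vk.com\n"
    + "\n" * 30 +
    "203.0.113.10\tmoney.yandex.ru\n"
)


def audit_hosts(text, blank_run=BLANK_RUN):
    """Return (line number, verdict, host name, IP, hidden) for every non-default entry.

    Syntax as the page describes it: an IP address, then the host name after any
    number of spaces or tabs, one entry per line, '#' starting a comment.
    """
    findings = []
    blanks = 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            if not raw.strip():
                blanks += 1          # count only truly empty lines, not comments
            continue
        hidden = blanks >= blank_run  # entry sits below a long run of empty lines
        blanks = 0
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", fields[0], "", hidden))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES and ip.is_loopback:
                continue             # the default localhost entries
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"      # name resolves to this machine: site unreachable
            else:
                verdict = "redirected"   # name resolves to an address chosen by the file
            findings.append((line_no, verdict, name, str(ip), hidden))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A "redirected" entry is also what a webmaster adds deliberately when testing a site on new hosting, so each finding is something to confirm with whoever maintains the machine rather than a verdict on its own.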
As I already mentioned, in ancient times, when the Internet for most users was still slow, to speed up the opening of sites, their IPs were registered in Hosts. Another thing is that these same resources periodically changed hosting and, along with it, IP addresses. And the user, forgetting about what he did six months ago to speed up the Internet, is trying in vain to understand why his favorite resources are not available to him.
How to use Hosts when transferring a site to a new hosting?
And finally, I would like to tell you about how, by making changes to the Hosts file, you can work with a site that has moved to a new hosting even before a new record is registered on all DNS servers (corresponding to your domain new IP address). The method is very simple, but effective.
So, you are changing the host. Naturally, the IP address of your site also changes. How do they find out about it on the Internet? Everything is correct, using a network of DNS servers. By the way, you yourself will make the first and most important step by going to the control panel of your registrar and registering the addresses of the NS servers of your new host there.
It is from them that the new DNS will spread throughout the Internet. But this process is lengthy and, in the worst case scenario, it can take a couple of days. At this time, the site should be available both on the new and on the old hosting, so that users from all over the world would not be deprived of the opportunity to see it.
However, you yourself will be interested to know how, in fact, your resource feels with the new host? Check the operation of all plugins and other things. Is it really necessary to wait from several hours to two days? Because it’s unbearable.
First, you can try to reset the DNS cache on your own computer, because it may prevent you from seeing your resource on a new hosting if external DNS servers have already received a new entry. How to do it? Again, everything is very simple. Press the key combination Win + R on the keyboard (or select the “Run” item from the “Start” button menu), then enter in the window that opens:
A very scary window called Command Prompt will open where you will need to paste this command:
The regular paste buttons in the Command Prompt window don’t work, so just right-click on it and choose Paste.
After that, press “Enter”, the DNS cache will be cleared on your computer and you can try to open your site again. By the way, the DNS cache can also be in the browser itself, so clear it or refresh the window while holding down the “Shift” button on the keyboard.
By the way, if you are interested, you can see the contents of the DNS cache by typing the following command in the command line:
Is the site still open on the old hosting? No problem. We find the Hosts file in the way described above and add only one line to it:
Here 220.127.116.11 is the IP address of your new hosting, followed by the domain name of your site. That’s all. While the rest of the world is admiring your resource on the old hosting, you have the opportunity to fix possible glitches on the engine already transferred to the new hosting. It is a wonderful thing and I always use it.