
Identify Loaded rundll32.exe in Windows Task List

Posted by Raymond in category: Computer, Nov 21, 2007

I’ve just received a good question in the forum on whether she should stop and kill all rundll32 processes…

Previously I’ve written a guide on how to identify svchost.exe in your Windows, and here’s another process that might be showing in your Windows Task List without any indication of what it is. The process is rundll32.exe. Rundll32.exe is part of Windows, is found in Windows\System32, and is used to run program code in DLL files as if it were an actual program. DLL files can’t be executed directly, which is why rundll32.exe is needed to run them.

Many viruses also use this name or similar names such as ‘rundII32’ (an uppercase i looks the same as a lowercase L in many fonts). It’s also commonly used by spyware to launch its own code. As you can see in my Windows Task Manager, I can only see that rundll32.exe is loaded; it does not show which DLL is being loaded.
Here’s how to identify what DLL files are being loaded in rundll32.exe on Windows XP Professional.


You can use HijackThis to do a system scan to find out which DLL is being automatically loaded with Rundll32.exe. Here’s an example of my HijackThis log file showing 2 entries of rundll32.exe loading NvCpl.dll and NvMcTray.dll whenever Windows is booted up.

Here is a manual way of identifying DLL files in rundll32.exe. In command prompt, type the command below and hit enter.


Do take note that Windows XP Home edition does not have “tasklist.exe”. The modules (DLLs) are displayed on the right side of the tasklist result. You’ll probably see a lot of modules being displayed, and it takes a little experience to identify any dangerous DLLs on the list. What you can do is filter out all the system files and dependencies used by Rundll32.exe. If you’re unsure, you can always search Google for the DLL filename or ask in forums.
Notice the NvMcTray.dll that’s loaded in rundll32.exe? That’s the same result as using HijackThis.
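
A PowerShell version of the checks described above, as an added example that is not part of the original post: for each rundll32-named process (including lookalike spellings such as rundII32) it prints the command line showing which DLL it was asked to run, flags an unexpected name or location, and lists loaded modules whose vendor field is not Microsoft. It assumes a current Windows release with PowerShell 3.0 or later rather than Windows XP; the name pattern and the output layout are choices made for this example.

```powershell
# Added example (not from the original post). Run from an elevated prompt so
# that paths and modules of other users' processes can be read.
$sysRoot  = $env:SystemRoot
# Legitimate locations (SysWOW64 holds the 32-bit copy on 64-bit Windows).
$expected = @("$sysRoot\System32\rundll32.exe", "$sysRoot\SysWOW64\rundll32.exe")

# -match is case-insensitive, so [li1] also catches a capital I or digit 1 used for l.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match '^rund[li1]{2}32\.exe$' }

foreach ($p in $procs) {
    $flags = @()
    if ($p.Name -ne 'rundll32.exe') { $flags += 'lookalike name' }
    if (-not $p.ExecutablePath) { $flags += 'path unreadable (not elevated?)' }
    elseif ($expected -notcontains $p.ExecutablePath) { $flags += 'unexpected location' }

    Write-Output ("PID {0}  {1}" -f $p.ProcessId, $p.ExecutablePath)
    # The command line names the DLL and entry point rundll32 was started with.
    Write-Output ("  command line: {0}" -f $p.CommandLine)
    if ($flags) { Write-Output ("  FLAGS: {0}" -f ($flags -join ', ')) }

    try {
        $proc = Get-Process -Id $p.ProcessId -ErrorAction Stop
        foreach ($m in $proc.Modules) {
            $vendor = $m.FileVersionInfo.CompanyName
            # Triage filter only: the vendor string can be forged, so the
            # Authenticode status is printed next to every module that remains.
            if ($vendor -match 'Microsoft') { continue }
            $sig = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            Write-Output ("  module: {0}  [{1}; signature: {2}]" -f $m.FileName, $vendor, $sig)
        }
    } catch {
        Write-Output ("  modules unreadable: {0}" -f $_.Exception.Message)
    }
}
```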

OK, now you’ve learned how to identify loaded DLLs in rundll32.exe. But there are also spyware and viruses that replace the original Windows rundll32.exe with a fake one. When you have a bad or corrupted rundll32.exe, you’ll have problems opening Control Panel, among other things. To check whether your rundll32.exe has been modified or replaced with a virus, you can open rundll32.exe with Notepad. Once it is open, use Find to search for the word “paddings”. If the word paddings is in rundll32.exe, it means that you’re using a fake rundll32.exe.

To restore a clean version of Rundll32.exe from Windows CD:

1. Boot into Safe Mode.
2. Put in the Windows XP CD-ROM.
3. Open a command prompt (go to Start -> Run and type cmd).
4. Assuming D: is the drive letter for your CD-ROM, type expand D:\i386\rundll32.ex_ %Systemroot%\System32\rundll32.exe and press Enter.
5. Restart your computer

If you don’t have your Windows XP CD-ROM, you can download rundll32.exe from the link below and restore it to your Windows\System32 folder.

[ Download RunDLL32.exe for Windows XP Professional ]


Copyright © 2005-2012 - Raymond.CC Blog