Home

rundll32exe

Rundll32.exe is a Windows command-line utility that loads a Dynamic Link Library (DLL) and invokes a function exported by that DLL. It is a legitimate system binary included with Windows and located in the Windows system directory. On 64-bit Windows, both 64-bit and 32-bit versions exist: the 64-bit rundll32.exe is typically found in System32, while a 32-bit counterpart resides in SysWOW64.

Usage involves calling rundll32.exe with the DLL name and the name of the exported entry-point function, separated

Common legitimate uses include launching shell or control panel functionality from scripts, for example: rundll32.exe shell32.dll,Control_RunDLL

Because rundll32.exe executes code inside a DLL, it can be abused to run arbitrary payloads when supplied

by
a
comma,
followed
by
optional
arguments.
The
general
syntax
is:
rundll32.exe
dllname,EntryPoint
[arguments].
The
entry-point
must
be
a
function
exported
by
the
DLL
that
uses
the
signature
void
CALLBACK
EntryPoint(HWND
hwnd,
HINSTANCE
hinst,
PSTR
lpszCmdLine,
int
nCmdShow).
The
function
receives
command-line
text
via
lpszCmdLine,
and
the
calling
process
handles
any
returned
results
and
errors.
appwiz.cpl
to
open
Programs
and
Features,
or
rundll32.exe
user32.dll,LockWorkStation
to
lock
the
workstation.
These
calls
rely
on
exported
functions
in
well-known
DLLs
rather
than
standalone
executables.
with
a
malicious
DLL
and
entry-point.
As
a
result,
security
practices
often
monitor
or
restrict
its
use
in
sensitive
environments,
and
some
policies
block
code
execution
from
untrusted
DLLs
or
require
signed
components.