rundll32.exe
runDLL32.exe is a Win32 utility of Microsoft Windows, included since Windows 95, that is used to execute Win32 functions from libraries as separate routines. Only functions that have been explicitly declared in the program library as executable with this utility can be executed. In older Windows versions (Windows 95 to Windows Me), the 16-bit version RUNDLL.EXE for executing Win16 functions is still included for reasons of compatibility.
For Windows NT to Windows 10, the file is located in the folder %windir%\system32 (for example C:\WINNT\system32) and for Windows 95 to Windows ME directly in the Windows directory (for example C:\Windows). With 64-bit operating systems, the 32-bit version of the file (Windows on Windows) is also located under %windir%\SysWOW64.
These applications are important in the automation of system-related processes. This is why rundll32.exe is one of the points of attack exposed to malware and has become known by name to many users.
Program libraries
A program library (DLL file) is used to make functions available to other programs as a program module, but normally cannot be executed directly. RunDLL allows individual functions of such an interface to be called, for example on the command line, from scripts or as a shortcut. The execution takes place in a separate process, so RunDLL calls are also used by other programs that want to protect themselves against errors in the called DLL. Program functions in executable system files (EXE files) can also be called in the same way.
Examples:
- rundll32 SHELL32.DLL,Control_RunDLL hotplug.dll
  Opens the Safely Remove Hardware function, as needed for USB flash drives, for example.
- rundll32 SHELL32.DLL,SHExitWindowsEx 2
  rundll32 USER.EXE,ExitWindowsExec
  Reboot (restart) the system (from Windows XP, the reboot is controlled via the program file shutdown.exe).
- rundll32 URL.DLL,FileProtocolHandler "%1"
  Opens the file named %1 with the standard application assigned to it (automatic file recognition).
Control panels
The control panels (CPL files), which are normally called via the virtual Control Panel folder, can alternatively be made directly accessible with RunDLL via the command line. This is done by calling Shell32.dll:
rundll32 SHELL32.DLL,Control_RunDLL filename.CPL,@n,t
While the applets of the individual functions are well documented, selecting the appropriate tab requires trial and error or tips from the relevant literature and web resources.
Examples:
- rundll32 SHELL32.DLL,Control_RunDLL TIMEDATE.CPL,@0,1
  Opens the time zone setting of the date/time function.
- rundll32 shell32.dll,Control_RunDLL access.cpl,,4
  Opens the mouse accessibility settings for impaired users.
Application
This method can be used from the command line or batch processing, from various script languages and with simple shortcuts (LNK files). Since the functions run very close to the operating system, experts advise caution when experimenting, and the method is recommended only for moderately experienced users.
Typical sources of error
The functions called by Rundll32.exe are expected to correspond to a specific signature:
void CALLBACK NameDerFunktion(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
Usually, however, this restriction is disregarded (including by the examples on this page). In any case, this leads to corruption of the stack and to unforeseen behavior, for example endless loops.
Security
Because many programs use it, rundll32 frequently appears in the process list, and viruses, spyware and the like therefore often use rundll32 as the "namesake" for their malware programs.
Furthermore, a file named rundll32.exe that is located outside of %windir% is in most cases a virus. The original RunDLL is protected against malicious replacement by the Windows System Restore function, which automatically resets system files to a reliable state.
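The location check described above, as an added example that is not part of the original article: it flags any process image named rundll32.exe outside the folders the article gives for Windows NT to Windows 10, and splits the command line into library, function and arguments so the actual call is visible. The function names, the C:\Windows default, the sample process records and the simplified command-line pattern are assumptions made for this illustration; Windows 95 to ME systems, where the file sits directly in the Windows directory, are not covered.

```python
import ntpath
import re

# Folders the article names for the genuine file (Windows NT to Windows 10).
GENUINE_DIRS = (r"%windir%\system32", r"%windir%\SysWOW64")
# <image> <library>,<function> [arguments]; the function may be an ordinal such as #102.
CMDLINE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+(?P<library>"[^"]+"|[^\s,"]+)\s*,\s*'
    r'(?P<function>[^\s,]+)\s*(?P<arguments>.*)$'
)

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def location_is_genuine(image_path, windir=r"C:\Windows"):
    """True if the image sits in one of GENUINE_DIRS (case-insensitive)."""
    allowed = {_norm(d.replace("%windir%", windir)) for d in GENUINE_DIRS}
    return _norm(ntpath.dirname(image_path)) in allowed

def parse_call(command_line):
    """Split a RunDLL command line into (library, function, arguments), or None."""
    m = CMDLINE.match(command_line)
    if m is None:
        return None
    return m["library"].strip('"'), m["function"], m["arguments"].strip()

def triage(processes, windir=r"C:\Windows"):
    """One finding per process whose image file is named rundll32.exe."""
    findings = []
    for proc in processes:
        if ntpath.basename(proc["image"]).lower() != "rundll32.exe":
            continue
        findings.append({"pid": proc["pid"], "call": parse_call(proc["command_line"]),
                         "suspicious_location": not location_is_genuine(proc["image"], windir)})
    return findings

# Constructed sample process records, not taken from a real system.
SAMPLE = [
    {"pid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL access.cpl,,4"},
    {"pid": 102, "image": r"C:\WINDOWS\SysWOW64\rundll32.exe",
     "command_line": r'rundll32 URL.DLL,FileProtocolHandler "%1"'},
    {"pid": 103, "image": r"C:\Users\Public\rundll32.exe",
     "command_line": r'"C:\Users\Public\rundll32.exe"'},
    {"pid": 104, "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A record with `suspicious_location` set and no parsable call, like the constructed PID 103, is the case the paragraph above describes: a program that only borrows the name.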
List of functions
Below is a list of typical functions. The first parameter is consistently a .dll or .exe file; the extension is not specified because it is found via the path variable and the Windows-typical completion order *.exe → *.dll → other files. The second parameter is the name of the routine; the other parameters are input values for this routine, for example, in some dialogs with several tabs, the number of the tab as ,@1 or ,,1.
These calls are usually not officially documented, so the availability may vary depending on the operating system version and edition. It may also differ depending on service pack, update or third-party software.
Command | Description | 9x/ME | XP/2000 | Vista | Windows 7 |
---|---|---|---|---|---|
rundll32.exe User,tilechildwindows | Automatically arrange all open tasks side by side | Yes | No | No | No |
rundll32.exe User32.dll,LockWorkStation | Locks the computer | No | Yes | Yes | Yes |
rundll32.exe User,cascadechildwindows | Automatically arrange all open tasks one after the other | Yes | No | No | No |
rundll32.exe Msprint2.dll,RUNDLL_PrintTestPage | Output test page to a printer | Yes | No | No | No |
rundll32.exe Sysdm.cpl,InstallDevice_Rundll | Start the hardware wizard | Yes | No | No | No |
rundll32.exe User,wnetcancelconnection <server name> | Disconnection of the network connection to the network server | Yes | No | No | No |
rundll32.exe User,wnetconnectdialog | Map network drives | Yes | No | No | No |
rundll32.exe User,wnetdisconnectdialog | Disconnect network drives | Yes | No | No | No |
rundll32.exe User,repaintscreen | Refresh the screen content | Yes | No | No | No |
rundll32.exe User,setcursorpos | Places the mouse cursor in the upper left corner | Yes | No | No | No |
rundll32.exe Diskcopy,DiskCopyRunDll | Accesses Diskcopy | Yes | No | No | No |
rundll32.exe powrprof.dll,SetSuspendState | Puts the computer into standby or (if activated) hibernation | No | Yes | Yes | Yes |
rundll32.exe printui.dll,PrintUIEntry /y /n <printer name> | Set a default printer | No | Yes | Yes | Yes |
rundll32.exe Rnaui.dll,RnaWizard | Start dial-up networking | Yes | No | No | No |
rundll32.exe Rnaserv,CallerAccess | Dial-up server | Yes | No | No | No |
rundll32.exe Shell,shellexecute | Open explorer | Yes | No | No | No |
rundll32.exe Shell32,OpenAs_RunDLL | Call up the "Open with" box | Yes | Yes | Yes | Yes |
rundll32.exe Shell32,SHFormatDrive | Format floppy disk | Yes | No | No | No |
rundll32.exe Shell32,ShellAboutA | Infobox (Winver) | Yes | Yes | Yes | Yes |
rundll32.exe Shell32,SHExitWindowsEx 0 | Restart Windows | From Win98 | No | No | No |
rundll32.exe Shell32,SHExitWindowsEx 1 | Exit Windows | From Win98 | No | No | No |
rundll32.exe Shell32,SHExitWindowsEx 2 | Windows warm start | From Win98 | No | No | No |
rundll32.exe Shell32,SHExitWindowsEx | Log off active user | From Win98 | No | No | No |
rundll32.exe Shell32,SHExitWindowsEx -1 | Restart Windows Explorer | From Win98 | No | No | No |
rundll32.exe Shell32,Control_RunDLL | Control panel | Yes | Yes | Yes | Yes |
rundll32.exe Shell32,Control_RunDLL desk.cpl | "Display" setting | Yes | Yes | Yes | Yes |
rundll32.exe Sysdm.cpl,InstallDevice_Rundll | Fast hardware detection | From Win98 | No | No | No |
rundll32.exe shell32.dll,Control_RunDLL access.cpl | Accessibility (overview) | Yes | Yes | | |
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,1 | Accessibility (keyboard) | Yes | Yes | No | No |
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,2 | Accessibility (sound) | Yes | Yes | No | No |
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,3 | Accessibility (display) | Yes | Yes | No | No |
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,4 | Accessibility (mouse) | Yes | Yes | No | No |
rundll32.exe shell32.dll,Control_RunDLL access.cpl,,5 | Accessibility (general) | Yes | Yes | No | No |
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0 | Software (removing / adding new programs) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1 | Software (add new programs) | Yes | Yes | ? | yes (install programs from network) |
rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,2 | Software (add or remove Windows components) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0 | Display properties (background) | Yes | Yes | yes (desktop) | Yes |
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,1 | Display properties (screen saver) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2 | Display properties (appearance) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0 | Country settings (general) | Yes | Yes | yes (formats) | yes (formats) |
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,1 | Country settings (numbers) | Yes | Yes | yes (location) | yes (location) |
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,2 | Country settings (currency) | Yes | Yes | yes (keyboard and languages) | yes (keyboard and languages) |
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,3 | Country settings (time) | Yes | Yes | yes (administration) | yes (administration) |
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,4 | Country settings (date) | Yes | Yes | yes (formats) | yes (formats) |
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,5 | Country settings (input) | Yes | Yes | yes (formats) | yes (formats) |
rundll32.exe shell32.dll,Control_RunDLL joy.cpl,,0 | Game controller (general) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL joy.cpl,,1 | Game controller (advanced) | Yes | Yes | yes (general) | yes (general) |
rundll32.exe shell32.dll,Control_RunDLL main.cpl,@0 | Mouse properties (buttons) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL main.cpl,@1 | Keyboard properties (speed) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL mlcfg32.cpl | Mail and FAX | Yes | No | No | No |
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0 | Properties of sounds and multimedia (sounds) | Yes | Yes | yes (playback) | yes (playback) |
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,1 | Properties of sounds and multimedia (audio) | Yes | Yes | yes (recording) | yes (recording) |
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,2 | Properties of sounds and multimedia (hardware) | Yes | Yes | yes (sounds) | yes (sounds) |
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,3 | Properties of sounds and multimedia (communication) | - | - | yes (playback) | Yes |
rundll32.exe shell32.dll,Control_RunDLL modem.cpl | Telephone and modem options (modems) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl | Network connections | ? | Yes | ? | Yes |
rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl | Network settings | Yes | No | No | No |
rundll32.exe shell32.dll,Control_RunDLL password.cpl | Password settings | Yes | No | No | No |
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl | System properties (computer name) | ? | ? | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,0 | System properties (general) | Yes | Yes | No | No |
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,1 | System properties (network identification) | Yes | Yes | yes (computer name) | yes (computer name) |
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,2 | System properties (hardware) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3 | System properties (user profiles) | Yes | Yes | yes (advanced) | yes (advanced) |
rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4 | System properties (advanced) | Yes | Yes | yes (computer protection) | yes (computer protection) |
rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,0 | Date / time properties (date and time) | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,1 | Date / time properties (additional clocks) | - | - | Yes | Yes |
rundll32.exe shell32.dll,Control_RunDLL powercfg.cpl | Power management | - | Yes | Yes | Yes |
rundll32.exe diskcopy.dll,DiskCopyRunDll | Disk copy | Yes | Yes | No | No |
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL AddPrinter | Add printer | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder | Show printer | Yes | Yes | Yes | Yes |
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL FontsFolder | Show fonts | Yes | Yes | Yes | Yes |
rundll32.exe dwmApi.dll,#102 | Turn on Windows Vista Aero Glass Effect | No | No | Yes | No |
rundll32.exe dwmApi.dll,#104 | Turn off Windows Vista Aero Glass Effect | No | No | Yes | No |
Web links
- RunDLL documentation in the Microsoft Support Knowledge Base
- RUNDLL and RUNDLL32 - on Rob van der Woude's scripting page robvanderwoude.com
- C++ implementation for calling these functions - on codeproject.com (English)
- blogs.msdn.com
- support.microsoft.com