What's the suspicious Rundll32.exe process?

Published : June 27, 2004
Updated   : June 28, 2005

Introduction

When you open Task Manager, you may see a Rundll32.exe entry in the Processes tab. You may also encounter a rundll32.exe error at shutdown. Rundll32.exe is a valid system file which executes a DLL. The actual command may be Rundll32.exe filename.xxx, <function>, whereas Task Manager reports only the command name and not its parameters.

[More accurate method] List all processes and their command-line parameters

To find out which module Rundll32 is executing, proceed as follows. This method needs no third-party tools. Open a Command Prompt window and type the following command:

tasklist /m /fi "IMAGENAME eq rundll32.exe" >C:\rundll32.txt

Now, open the file C:\rundll32.txt and identify the "odd" modules (filter out the system files and dependencies used by Rundll32.exe). The odd one in this example is the timedate.cpl file. Yes, I had the Date/Time dialog open, and this is what Rundll32.exe was executing.
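The filtering step above can be scripted. The following Python code is an added example, not part of the original article: it parses the table that tasklist /m writes and lists, per PID, the modules that are not in a baseline. The sample output, the baseline set and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of the C:/rundll32.txt contents (not taken from the article).
SAMPLE = """
Image Name                     PID Modules
========================= ======== ============================================
rundll32.exe                  3124 ntdll.dll, kernel32.dll, msvcrt.dll,
                                   GDI32.dll, USER32.dll, ADVAPI32.dll,
                                   SHELL32.dll, timedate.cpl, comctl32.dll
rundll32.exe                  4580 ntdll.dll, kernel32.dll, USER32.dll,
                                   example_unknown.dll
"""

# Assumed baseline: modules rundll32.exe loads as its own dependencies.
# Build the real list from a known-clean machine of the same Windows version.
BASELINE = {"ntdll.dll", "kernel32.dll", "msvcrt.dll", "gdi32.dll", "user32.dll",
            "advapi32.dll", "shell32.dll", "comctl32.dll"}

# First row of a process: image name, PID, start of the module list.
PROC_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")

def parse_tasklist_modules(text):
    """Return {pid: [module names]} from `tasklist /m` table output."""
    procs, pid, in_table = {}, None, False
    for line in text.splitlines():
        if line.startswith("==="):
            in_table = True              # data rows start after the ruler line
            continue
        if not in_table or not line.strip():
            continue                     # skips headers and "INFO: No tasks..." output
        m = PROC_LINE.match(line)        # only matches rows that start in column 0
        if m:
            pid, rest = int(m.group(2)), m.group(3)
            procs[pid] = []
        elif line[0].isspace() and pid is not None:
            rest = line                  # wrapped continuation of the module list
        else:
            continue
        procs[pid] += [n.strip() for n in rest.split(",") if n.strip()]
    return procs

def odd_modules(procs, baseline=BASELINE):
    """Per PID, the modules whose names are not in the baseline (case-insensitive)."""
    found = {pid: [m for m in mods if m.lower() not in baseline]
             for pid, mods in procs.items()}
    return {pid: odd for pid, odd in found.items() if odd}

if __name__ == "__main__":
    for pid, mods in odd_modules(parse_tasklist_modules(SAMPLE)).items():
        print(pid, ", ".join(mods))
```

tasklist /m reports module names only, not paths, so a name that matches the baseline does not prove the file is the system copy; check the on-disk location of anything of interest.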

Windows XP Home Edition does not have Tasklist.exe

The timedate.cpl case above is just an example; you can use this method to find out which module any rundll32.exe process has loaded. If an unknown module is found, it may be malware. In that case, it's a good idea to:

  1. Inspect the startup applications

  2. Scan the system using these tools:
