What is rundll32.exe And Why Is It Running?
You are no doubt reading this article because you’ve looked in task manager and wondered what on earth all those rundll32.exe processes are, and why they are running… So what are they?
Explanation
If you’ve been around Windows for any amount of time, you’ve seen the zillions of *.dll (Dynamic Link Library) files in every application folder, which are used to store common pieces of application logic that can be accessed from multiple applications.
Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files. This executable is a valid part of Windows, and normally shouldn’t be a threat.
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.
Using Windows Vista’s Task Manager
One of the great features in Windows Vista’s Task Manager is the ability to see the full command line for any running application. For instance, you’ll see that I have two rundll32.exe processes in my list here:
If you go to View \ Select Columns, you’ll see the option for “Command Line” in the list, which you’ll want to check.
Now you can see the full path for the file in the list, which you’ll notice is the valid path for rundll32.exe in the System32 directory, and the argument is another DLL that is actually what is being run.
If you browse down to locate that file, which in this example is nvmctray.dll, you’ll usually see what it actually is when you hover your mouse over the filename:
Otherwise, you can open up the Properties and take a look at the Details to see the file description, which usually will tell you the purpose for that file.
Once we know what it is, we can figure out if we want to disable it or not, which we’ll cover below. If there isn’t any information at all, you should either Google it, or ask somebody on a helpful forum.
Using Process Explorer on Vista or XP
Instead of using Task Manager, we can use the freeware Process Explorer utility from Microsoft to figure out what is going on, which has the benefit of also working in Windows XP.
Simply launch Process Explorer, and if you are using Vista you’ll want to choose File \ Show Details for All Processes.
Now when you hover over the rundll32.exe in the list, you’ll see a tooltip with the details of what it actually is:
Or you can right-click, choose Properties, and then take a look at the Image tab to see the full pathname that is being launched, and you can even see the Parent process, which in this case is the Windows shell (explorer.exe), indicating that it was likely launched from a shortcut or startup item.
You can browse down and view the details of the file just like we did in the task manager section above. In my instance, it’s a part of the NVIDIA control panel, and so I’m not going to do anything about it.
Disabling the Process
Depending on what the process is, you won’t want to necessarily disable it, but if you would like to, you can type msconfig.exe into the start menu search or run box and you should be able to find it by the Command column, which should be the same as the “Command line” field we saw in Process Explorer. Simply uncheck the box to prevent it from starting automatically.
Sometimes the process doesn’t actually have a startup item, in which case you’ll likely have to do some research to figure out where it was started from. For instance, if you open up Display Properties on XP you’ll see another rundll32.exe in the list, because Windows internally uses rundll32 to run that dialog.
When all else fails, you should post the full command path over on a helpful forum and get advice from somebody else that might know more about it.
Daily Email Updates
You can get our how-to articles in your inbox each day for free. Just enter your name and email below:
| Similar Articles | Featured Wiki Articles |
| Latest Software Reviews | Quick Linux Tips |
| Geek Arcade | Popular Forum Threads |
Great Post,
Thanks geek!
is the ‘32′ alluding to the 32 bit OS? If so, is there something different when using a 64 bit OS?
Here is what I have found about rundll32: if it is running ALL THE TIME… you most likely have a program that is not written correctly OR a virus/spyware/whatever (malicious program) on your system.
There is no reason (except for very few beta programs like NIS2009 that I was just testing) that a rundll32 should be running all the time on your system, and that’s coming straight from the guy at Microsoft who I talked with the other day.
@Norcross: I think it is refering to the 32-bit OS from the 16-bit transition. There used to be a rundll.exe program that was for 16-bit dlls. From a few searchs online it seems it is still rundll32.exe on 64-bit. Not sure why that would be.
I also have two rundll32.exe’s running in Task Manager; however the second one doesn’t list anything under Command Line – possible virus?
i think the bigger question would be: why do i have 20 svchost.exes running, and why cant they consolidate them down to one, so i can see the rest of my programs?
@Hydra: See the article at http://www.howtogeek.com/howto.....t-running/
Thanks jd. I looked quickly, but i didn’t find it. You figure it would be in the related articles.
You almost lost your geekhood status by simply mentioning Task Manager, but nicely redeemed yourself with the Process Explorer reference (although technically speaking, I believe Process Explorer is by Systinternals, although they are owned by Microsoft). Not that I claim to be a geek myself, but even I know that the latter is much more powerful, yet still a lot easier to understand.
i have like 6 or 7 running at once. What should i do?
@vin-ay: Use the information in this article to find the command line for each of the4 6 or 7 and post them on the forum. Someone should be able to tell you what they are for and if they are needed.
not able to open the external harddrive, it says currupt, and gives gives the option to format, and I have some important data, and needs to back that up.
@Harjit: Post your question on the forum. More people will see it and be able to help you.
I have a very modest hardware setup running vista, yet a search reveals over 100,000 DLLs. This is program fragmentation gone berserk. This says all that ever needs to be said about the Windows OS. It is a makework system for software developers (programmers).
Very nice article! Thank you!
which processes of the system can be ended…
i have a 1gb ram….
and nearly 45 processes running….it is said that minimum the processes the greater is the speed …!!!
if it is so then tell me the processs that can be ended to tor my p.c faster… plz reply fast./..
On starting my PC I get the prompt ‘rundll32.exe’, has stopped running. Is this something I should worry about?
I also have this problem:
I also have two rundll32.exe’s running in Task Manager; however the second one doesn’t list anything under Command Line – possible virus?
How do you do this on xp? I can’t find the command line column.
I have a problem running some software I downloaded and the provider told me to do the following, but I’m concerned about what it will do to my system. Can anyone explain what these things mean and what they do? Should I be concerned? Thanks:
For Windows Vista please try the following steps:
Ø Click Start
Ø Select Run
Ø Type cmd
Ø Within the command prompt window
o Type taskkill /F /IM rundll32.exe
o Type cd C:\ProgramData\SysMon
o Type rundll32.exe SysMon.dll rdl
thanks…well presented.
i do not have a SysMon
if go to add/remove error msg says it cant locat Windows\System32\rundll32.exe, pls advice how to pix this as i dont hv win xp cd.
Thanx.