What Is rundll32.exe and Why Is It Running?

Publish date: 2024-06-29

Key Takeaways

Rundll32.exe is a standard part of Windows used to run Dynamic Link Library (DLL) files. DLLs contain code for various functions of a program and are commonly used by Windows processes and third-party apps. Rundll32.exe is not normally malware, but it can be used to execute malicious code.

You open up Task Manager only to find countless instances of rundll32.exe running all at once. But what is rundll32.exe? What does it do, and how do you determine what any given instance of it is actually doing on your PC? Here's everything you need to know.

What Is Rundll32?

Rundll32.exe is used to run Dynamic Link Libraries (DLLs) on the Windows operating system. DLLs store code to provide functions to Windows processes and third-party applications, and can be accessed by multiple programs simultaneously.

There are thousands (if not more) of DLLs included with your regular Windows installation that are related to everything from networking to the UI you interact with daily. Most programs you install also use DLLs. This ubiquity makes rundll32.exe an essential part of Windows, whether you're using Windows 10, Windows 11, or an older version of Windows like Windows 7.

Is Rundll32.exe a Virus?

Rundll32.exe is a normal part of Windows. However, malware can pretend to be a legitimate copy of rundll32.exe or use the real rundll32.exe to execute malicious code on your PC.

There are a few legitimate copies of the rundll32 executable contained in a Windows install. The two you'll commonly see are located in "C:\Windows\System32\" and "C:\Windows\SysWOW64", but if you perform a search, you'll find additional ones in the Windows folder.

Sometimes malware will use the same executable name and run from a different directory to disguise itself. You should immediately be suspicious of any rundll32 executable that is not located in your Windows folder, or a Windows subfolder.

Typically, the best thing to do if you suspect you have a malicious copy of rundll32.exe on your PC is to run a virus scan with Microsoft Defender or the antivirus program you prefer. Malwarebytes is an excellent choice and will take care of most malware, though there are other great antivirus software packages out there.

However, antivirus programs are not perfect, and occasionally malware that runs with rundll32 will avoid detection. If that is the case, you'll need to dig into what rundll32.exe is doing manually, and work out how to disable it if you find something you don't want.

Research Rundll32.exe Using Process Explorer on Windows 10 or Windows 11

Process Explorer, a free utility from Microsoft, provides more specific information that is useful if you're trying to determine exactly what an application is doing. It is small, doesn't need to be installed, and works with any version of Windows. Here, we're going to use it to investigate the activity of rundll32.exe.

Launch Process Explorer as administrator, then go to File > Show Details for All Processes to make sure you're seeing everything. There is probably going to be a lot of stuff listed, and you might not recognize all of it if you've never looked closely into how Windows operates before. It doesn't mean you have a virus.

You don't have to launch Process Explorer as admin, but it is better if you do. Some processes might not display all of their information without admin privileges.

Now when you hover over rundll32.exe in the list, you'll see a tooltip with the details of what it is doing. Better yet, you can right-click it and choose "Properties" to get more detailed information.

There is a lot of information available in the Properties window, but you should start with the "Image" tab. It'll show you the full pathname, the parent process, the user, and more. In this case, our rundll32.exe is associated with something named "-localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617."

So, what exactly is "-localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617"? We're not entirely sure, but we have confirmed it is present on a completely clean install of Windows 10, so it is definitely a normal part of Windows. It seems to be involved in presenting images in the user interface somehow. If you suspend or kill the process, the icon next to your media controls will no longer appear, and some users have reported that it interacts with User Account icons.

You should be a little leery of strange things you find running via rundll32 -localserver, even if the executable is the legitimate one included with Windows. It can be used to perform malicious operations.
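
The details shown on Process Explorer's "Image" tab (full path, parent process, user, command line) can also be collected for every rundll32.exe instance at once. The PowerShell script below is an added example, not part of the original article; it only reads process information and flags any copy running from outside the Windows folder. Run it from an elevated prompt for complete results.

```powershell
# Added example: read-only inventory of running rundll32.exe instances.
$winDir = $env:SystemRoot                      # normally C:\Windows
$all    = Get-CimInstance -ClassName Win32_Process
$byPid  = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in ($all | Where-Object { $_.Name -ieq 'rundll32.exe' })) {
    # Resolve the parent; discard it if it started after the child, which
    # means the real parent has exited and its PID was reused.
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }

    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue

    # ExecutablePath comes back empty when the session lacks rights to read it.
    $location = if (-not $p.ExecutablePath) {
        'unknown (re-run elevated)'
    } elseif ($p.ExecutablePath.StartsWith("$winDir\", [StringComparison]::OrdinalIgnoreCase)) {
        'Windows folder'
    } else {
        'OUTSIDE Windows folder'
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        Location    = $location
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                      else { "exited (was PID $($p.ParentProcessId))" }
        User        = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" }
                      else { 'unknown' }
        # The command line names the DLL (or -localserver GUID) being run.
        CommandLine = $p.CommandLine
    }
}

$report | Sort-Object Location, PID | Format-List
```

An instance marked "OUTSIDE Windows folder" is the case the article says to be suspicious of; for the rest, the CommandLine and Parent fields are the starting point for the research described above.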

Can You Delete Rundll32.exe?

You cannot safely delete rundll32.exe if you want Windows to function properly. It's a normal, critical part of the Windows operating system. It's like asking whether you can open up your microwave and start removing various components. Well sure, it's physically possible, but you can't do it if you want your microwave to continue working properly.

So yes, you can technically delete rundll32.exe if you're willing to go to great lengths, but you really shouldn't. Odds are deleting rundll32.exe will break tons of things and make running your PC normally a headache.

Don't delete rundll32.exe from your computer.

However, if you really want to do it for some reason, the easiest way is to boot into a Linux distribution, make sure your Windows drive is mounted, and delete it from there. Windows protects rundll32.exe quite aggressively, and you'd be hard-pressed to get rid of it from within Windows itself. Deleting it from within Linux bypasses those protective measures completely. If you do manage to do this, you'll probably have a broken Windows installation you'll need to repair with something like the SFC command.

If you don't like something rundll32.exe is doing, you're much better off finding out which process rundll32.exe is associated with and just disabling the triggers related to that process instead.

How to Disable Rundll32.exe

Don't get overzealous disabling this and that without confirming what you're doing. You might break something accidentally.

You can't directly disable rundll32.exe since it doesn't really do anything by itself, but you can disable the applications and services that use rundll32.exe to operate. This can sometimes be a bit complicated, depending on what exactly you want. We have another instance of rundll32.exe running on our system that is loading something called "rxdiag.dll" that we'll use for the following example.

The simplest solution is to right-click the instance of rundll32.exe in Process Explorer and click "Kill Process" to end it immediately.

However, that fix won't stop rundll32 from being called and starting up again as soon as it is needed. If you want to do that, you have to determine what is causing rundll32.exe to activate or completely uninstall the program that calls it. Here is how you might do that, starting from the ground up.

Right-click the instance of rundll32.exe and click "Properties," then make sure that you're on the "Image" tab. Note that the rundll32.exe is the legitimate copy located in the Windows folder, that the parent process is something called "nvcontainer.exe," and that the DLL is stored in the "C:\Program Files\Nvidia Corporation\nvstreamsrv" folder.

That tells us a lot. We can be very confident that it isn't malware, and we know that it is associated with our graphics driver (we have an NVIDIA GPU) because of the folder it is located in. If you don't recognize the folder name, try searching on the internet. Usually, you'll be able to find several results that explain what program created the folder.

So, you now know that an NVIDIA program is responsible for it, but you have a few different NVIDIA programs on your PC. How do you know which one it is?

The subfolder name --- nvstreamsrv --- provides some helpful insight. GeForce Experience, a gaming-focused utility produced by NVIDIA, allows you to stream and record video via a feature called Shadowplay. The folder name "nvstreamsrv" is probably shorthand for "NVIDIA StreamServer," and that points us towards GeForce Experience being responsible for this call to rundll32.exe, rather than another piece of NVIDIA software, like the NVIDIA Control Panel.

Again, if you can't readily connect the folder name (or another argument attached to rundll32) to a program, try searching for it on the internet. Most of the things you'll encounter will be well-documented.

We can now reasonably guess that GeForce Experience is most likely responsible for this instance of rundll32.exe. Now you need to actually turn it off so that rundll32 won't just fire up again. The specifics will vary depending on your circumstances, but keep the general outline of these steps in mind:

  • Since we suspect it is related to Shadowplay, disable Shadowplay in GeForce Experience
  • Remove GeForce Experience from the Startup Programs List
  • Disable any associated services in the Services utility
  • Disable any scheduled tasks that might trigger GeForce Experience to auto-run (Auto-updates are a common culprit) in the Task Scheduler
  • Uninstall the program entirely

In this case, disabling ShadowPlay and GeForce Experience's streaming features didn't cut it. We had to entirely disable GeForce Experience.

You should usually try to be as targeted as possible when disabling things. We first tried disabling a specific feature that we thought was responsible, then disabling startup or a service, then removing an important scheduled activity (an auto-update), and only then did we remove the application. This minimizes the possibility of accidentally breaking another important feature that you may use, or that might be important behind the scenes in a way you didn't realize.

Of course, if you know you don't want the application at all, then just skip the other steps and go straight to uninstalling it. Just be careful --- you don't want to uninstall or delete something important by accident.
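
To see which startup entries, services, and scheduled tasks could relaunch the program before disabling anything, the PowerShell script below lists every one whose command references a keyword. It is an added example, not part of the original article; the keyword `NVIDIA` is an assumption taken from the folder path in the walkthrough above, and the script changes nothing on the system.

```powershell
# Added example: find what can relaunch a program (read-only report).
# $needle is an assumption: use the vendor or folder name you identified
# from the rundll32.exe command line, e.g. 'NVIDIA' or 'nvstreamsrv'.
$needle = 'NVIDIA'

$hits = @(
    # Startup entries (registry Run keys and Startup folders)
    Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Command -like "*$needle*" } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Startup'; Name = $_.Name
                               State = $_.Location; Target = $_.Command }
        }

    # Services whose binary path references the keyword
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$needle*" } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name
                               State = "$($_.StartMode) / $($_.State)"; Target = $_.PathName }
        }

    # Scheduled tasks (Get-ScheduledTask requires Windows 8 or later)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "run a program" actions carry Execute/Arguments.
            $target = "$($action.Execute) $($action.Arguments)".Trim()
            if ($target -like "*$needle*") {
                [pscustomobject]@{ Type = 'ScheduledTask'
                                   Name = "$($task.TaskPath)$($task.TaskName)"
                                   State = $task.State; Target = $target }
            }
        }
    }
)

$hits | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

Each row maps to one of the steps in the list above: Startup rows to the Startup Programs list, Service rows to the Services utility, and ScheduledTask rows to Task Scheduler.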

This article is part of our ongoing series explaining various processes found in Task Manager, like svchost.exe, dwm.exe, ctfmon.exe, mDNSResponder.exe, conhost.exe, Adobe_Updater.exe, and many others.