rundll32.exe
Windows host process (Rundll32) by Microsoft
This is a Windows system installed file with Windows File Protection (WFP) enabled.
Overview
rundll32.exe has 16 known versions, the most recent one is 6.3.9600.16384 (winblue_rtm.130821-1623). rundll32.exe is run as a standard windows process with the logged in user's account privileges. By adding a startup entry to the run registry key, the file will be executed when the user logs into Windows. In addition the the run registry key, it also creates a scheduled job to be executed by the Windows Task Scheduler up user login, this is typically done in order to bypass a User Account Control (UAC) prompt. The average file size is about 42.5 KB. The programs ASUS Security Protect Manager, Musicmatch® Jukebox and Crystal Reports ActiveX have been observed as installing specific variations of rundll32.exe. During the process's lifecycle, the typical CPU resource utilization is less than 0.01%, the average private memory consumption is about 11.7 MB with the maximum memory reaching around 12.33 MB. Addionally, typically read and write I/O disk operations is about 35.9 KB per minute for reads and 51.6 KB per minute for writes.
 Details
|
| File name: | rundll32.exe |
| Publisher: | Microsoft Corporation |
| Product name: | Windows host process (Rundll32) |
| Description: | Microsoft® Windows® Operating System |
| Typical file path: | C:\Windows\System32\rundll32.exe |
| Original name: | RUNDLL32.EXE.MUI |
Programs installed in
(Note, the programs listed below are for all versions of Windows host process (Rundll32).)
ASUS Security Protect Manager increases system security through the use of Multifactor AuthenticationPolicy. A system administrator can assign multifactor authentication policies to other users and ad...
“Mail Merge Toolkit is a powerful add-in for Microsoft Office 2002 (XP), 2003, 2007, 2010 and 2013 designed to extend the mail merging capabilities in Microsoft Outlook, Microsoft Word and Microsoft Pu...”
|
MicroVideo Software Corp. |
|
“With Micro Video Capture, you can record video and image from webcam, TV tuner card, digital camera and other capture devices in real time, and all captured video files can be saved as AVI format by u...”
The Jukebox has a skinnable, graphical interface and allows users to manage a catalogue of digital music, as well as CD and stream-based audio. It has a fairly advanced AutoDJ but has been noted as ha...
Behaviors
(Note, the behaviors below are for all versions of rundll32.exe, select a unique version for details.)
Autoplay handlers
Runs under the registry key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers'
- Handler name 'VLCPlayVideoFilesOnArrival'
- Handler name 'VLCPlayVCDMovieOnArrival'
- Handler name 'VLCPlaySVCDMovieOnArrival'
- Handler name 'VLCPlayMusicFilesOnArrival'
- Handler name 'VLCPlayDVDMovieOnArrival'
- Handler name 'VLCPlayDVDAudioOnArrival'
- Handler name 'VLCPlayCDAudioOnArrival'
- Handler name 'NeroAutoPlay2LaunchNeroStartSmart'
- Handler name 'NeroAutoPlay2DataDisc'
- Handler name 'NeroAutoPlay2CopyCD'
- Handler name 'NeroAutoPlay2CDAudio'
- Handler name 'MSWMEncVCArrival'
- Handler name 'SonicSCDataTask'
- Handler name 'SonicSCDataProject'
- Handler name 'SonicSCCopyDisc'
- Handler name 'SonicSCCopyCD'
- Handler name 'SonicSCAudioCDTask'
- Handler name 'muveeVideoCameraArrival'
- Handler name 'MSSHAudioDevHandler'
- Handler name 'RPCDBurningOnArrival'
- Handler name 'MSWMPBurnCDOnArrival'
- Handler name 'MSWMDMHandler'
Approved shell extensions
Located in the registry at 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
- CLSID: {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Scheduled tasks
- The task 'SpeedMaxPc Registration3' runs daily in the path 'C:\WINDOWS\Tasks\SpeedMaxPc Registration3.job'
- The task 'SparkTrust Registration3' runs daily in the path 'C:\WINDOWS\Tasks\SparkTrust Registration3.job'
- The task 'SpeedyPC Registration3' runs in the path 'C:\WINDOWS\Tasks\SpeedyPC Registration3.job'
- The task 'EasyShare Registration Task' runs daily in the path 'C:\WINDOWS\Tasks\EasyShare Registration Task.job'
- The task 'EasyShare Registration RunOnce Task' runs on logon in the path 'C:\WINDOWS\Tasks\EasyShare Registration RunOnce Task.job'
- The task 'ParetoLogic Registration3' runs daily in the path 'C:\WINDOWS\Tasks\ParetoLogic Registration3.job'
- Entry path 'C:\WINXP\Tasks\ParetoLogic Registration3.job'
- Entry path 'C:\WINDOWS\Tasks\SpeedMaxPc Registration3.job'
- Entry path 'C:\WINDOWS\Tasks\ParetoLogic Registration3.job'
- Entry path 'C:\WINDOWS\Tasks\SpeedyPC Registration3.job'
Windows firewall allowed programs
Exceptions allow programs to access to the Internet through an outbound connections
- Firewall exception for 'C:\WINDOWS.0\system32\rundll32.exe'
- Firewall exception for 'C:\WINDOWS\system32\rundll32.exe'
Scheduled tasks startups
Set to load on user login (bypasses Windows UAC if enabled)
- Login entry path 'C:\WINDOWS\Tasks\EasyShare Registration RunOnce Task.job'
Startup files (user) run
Runs under the registry key 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- 'NextLive' → C:\WINDOWS\system32\rundll32.exe ",EntryPoint -m l
All file variations of rundll32.exe
Distribution by Windows OS
| OS version | distribution |
| Windows 7 Ultimate |
41.31% |
|
| Windows 7 Home Premium |
21.66% |
|
| Windows 7 Ultimate N |
8.56% |
|
| Windows Vista Ultimate |
5.54% |
|
| Windows Vista Home Premium |
4.79% |
|
| Windows Vista™ Home Premium |
4.53% |
|
| Windows 7 Professional |
2.77% |
|
| Windows 8 Pro |
1.51% |
|
| Windows Vista Home Basic |
1.26% |
|
| Windows 8 |
1.26% |
|
| Microsoft Windows 7 Professional |
1.26% |
|
| Windows 8.1 |
1.01% |
|
| Windows 8 Pro with Media Center |
0.76% |
|
| Windows 7 Starter |
0.76% |
|
| Windows 8.1 Pro |
0.50% |
|
| Windows 8 Enterprise |
0.50% |
|
| Windows 7 Home Basic |
0.50% |
|
| Microsoft Windows XP |
0.50% |
|
| Windows 8 Single Language |
0.25% |
|
| Windows 7 Home Premium N |
0.25% |
|
| Windows Server 2008 Standard |
0.25% |
|
| 22 other Windows OS version |
Distribution by country
United States installs about 54.23% of Windows host process (Rundll32).
Distribution by PC manufacturer
| PC Manufacturer | distribution |
| Hewlett-Packard |
20.00% |
|
| Acer |
17.27% |
|
| Dell |
16.36% |
|
| Toshiba |
12.73% |
|
| Sony |
9.09% |
|
| Lenovo |
9.09% |
|
| GIGABYTE |
5.45% |
|
| Alienware |
4.55% |
|
| ASUS |
3.64% |
|
| Gateway |
1.82% |
|
