Rundll32.exe process details

Rundll32.exe, as its name implies, "executes a 32-bit DLL file ". The internal implementation is the internal implementation of the dllfile. In this process, only rundll32.exe is available, and no DLL backdoor process is available. In this way, process hiding is realized. If you see multiple rundll32.exefiles in the system, you do not need to be alarmed. This shows how many DLL files are started with rundll32.exe. Of course, we can find all the DLL files executed by rundll32.exe from the locations where the system automatically loads them.

The function prototype used by Rundll32.exe:
Void CALLBACK FunctionName (
HWND hwnd,
HINSTANCE hinst,
LPTSTR lpCmdLine,
Int nCmdShow
);

The command line uses Rundll32.exe DLLname and Functionname [Arguments].
DLLname is the name of the DLL file to be executed, Functionname is the specific extraction function of the DLL file to be executed on the front, and [Arguments] is the specific parameter of the extraction function.

Run the rundll32 command to restart the machine experiment: Click Start-process-ms-dos ", enter the DOS window, then click rundll32.exe user.exe, restartwindows, and then press Enter. You will see that the machine has been restarted!

RUNDLL. EXE
Note the following three points: 1. the Dll file name cannot contain spaces. For example, if the file is in the c: ProgramFiles directory, change the path to c: Progra ~ 1; 2. the Dll file name and the Dll entry point must have fewer commas. Otherwise, the program will fail and no information will be provided! 3. This is the most important point: Rundll cannot be used to call a Dll containing return value parameters, such as GetUserName () and GetTextFace () in Win32API. In Visual Basic, a command Shell for executing external programs is provided, in the format:
Shell "command column"
If rundll32.exe is ready to use Shell commands, it will make your VB program have an effect that is hard to achieve or even impossible to achieve in other ways: restart is still used as an example. The traditional method requires you to create a module in the VB project, write the WinAPI declaration before calling in the program. Now, you only need one sentence:

Shell restart rundll32.exe user.exe, restartwindows "is done!

In contrast, rundll32.exe has unique advantages in calling various Windows control panels and System Options.
Command column: rundll32.exe shell32.dll, Control_RunDLL
Function: Display Control Panel
Command column: rundll32.exe shell32.dll, Control_RunDLL access. cpl, 1
Function: displays the "control panel-Auxiliary options-keyboard" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL access. cpl, 2
Function: displays the "control panel-Auxiliary options-sound" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL access. cpl, 3
Function: displays the "control panel-Auxiliary options-display" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL access. cpl, 4
Function: displays the control panel-secondary option-mouse option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL access. cpl, 5
Function: displays the "control panel-Auxiliary options-traditional" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL sysdm. cpl @ 1
Function: run the "control panel-add new hardware" Wizard.
Command column: rundll32.exe shell32.dll, SHHelpShortcuts_RunDLL AddPrinter
Function: run the control panel-add new printer wizard.
Command column: rundll32.exe shell32.dll, Control_RunDLL appwiz. cpl, 1
Function: the "control panel-Add/delete programs-install/uninstall" panel is displayed.
Command column: rundll32.exe shell32.dll, Control_RunDLL appwiz. cpl, 2
Function: the "control panel-Add/delete programs-install Windows" panel is displayed.
Command column: rundll32.exe shell32.dll, Control_RunDLL appwiz. cpl, 3
Function: the "control panel-Add/delete programs-boot disk" panel is displayed.
Command column: rundll32.exe syncui. dll, Briefcase_Create
Function: Create a new "My Briefcase" on the desktop ".
Command column: rundll32.exe diskcopy. dll, DiskCopyRunDll
Function: displays the copy disk Window.
Command column: rundll32.exe apwiz. cpl, NewLinkHere % 1
Function: the "Create shortcut" dialog box is displayed. The location of the created shortcut is determined by the % 1 parameter.
Command column: rundll32.exe shell32.dll, Control_RunDLL timedate. cpl, 0
Function: displays the "Date and Time" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL timedate. cpl, 1
Function: displays the "Time Zone" option window.
Command column: rundll32.exe rnaui. dll, RnaDial [name of a dial-up connection]
Function: displays the dialing window for a dial-up connection. If a dial-up connection has been established, the current connection status window is displayed.
Command column: rundll32.exe rnaui. dll, RnaWizard
Function: displays the window of the new dial-up connection wizard.
Command column: rundll32.exe shell32.dll, Control_RunDLL desk. cpl, 0
Function: displays the "Display Properties-background" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL desk. cpl, 1
Function: displays the "Display Properties-Screen Saver" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL desk. cpl, 2
Function: displays the display properties-appearance option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL desk. cpl, 3
Function: displays the "show properties-properties" option window.
Command column: rundll32.exe shell32.dll, SHHelpShortcuts_RunDLL FontsFolder
Function: display the "font" folder of Windows.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 3
Function: displays the "font" folder of Windows.
Command column: rundll32.exe shell32.dll, SHformatDrive
Function: displays the formatting dialog box.
Command column: rundll32.exe shell32.dll, Control_RunDLL joy. cpl, 0
Function: displays the "control panel-Game Controller-General" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL joy. cpl, 1
Function: displays the "control panel-game controller-advanced" option window.

Command column: rundll32.exe mshtml. dll, PrintHTML (HTML document)
Function: Print HTML documents.
Command column: rundll32.exe shell32.dll, Control_RunDLL ml1_32.cpl
Function: displays the Microsoft Exchange General options window.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 0
Function: displays the "control panel-mouse" option.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 1
Function: displays the "control panel-keyboard properties-speed" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 1, 1
Function: displays the "control panel-keyboard properties-language" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 2
Function: displays the Windows "Printer" folder.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 3
Function: displays the Windows "font" folder.
Command column: rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 4
Function: displays the "control panel-Input Method properties-Input Method" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL modem. cpl, add
Function: run the Add new modem wizard.
Command column: rundll32.exe shell32.dll, Control_RunDLL mmsys. cpl, 0
Function: displays the "control panel-multimedia properties-Audio" property page.
Command column: rundll32.exe shell32.dll, Control_RunDLL mmsys. cpl, 1
Function: displays the "control panel-multimedia properties-video" property page.
Command column: rundll32.exe shell32.dll, Control_RunDLL mmsys. cpl, 2
Function: displays the "control panel-multimedia properties-MIDI" property page.
Command column: rundll32.exe shell32.dll, Control_RunDLL mmsys. cpl, 3
Function: displays the "control panel-multimedia properties-CD music" property page.
Command column: rundll32.exe shell32.dll, Control_RunDLL mmsys. cpl, 4
Function: displays the "control panel-multimedia properties-devices" property page.
Command column: rundll32.exe shell32.dll, Control_RunDLL mmsys. cpl @ 1
Function: displays the control panel-sound option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL netcpl. cpl
Function: displays the control panel-Network option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL odbccp32.cpl
Function: displays the ODBC32 data management option window.
Command column: rundll32.exe shell32.dll, OpenAs_RunDLL {drive: pathfilename}

Function: displays the open mode dialog box for the specified file (drive: pathfilename.
Command column: rundll32.exe shell32.dll, Control_RunDLL password. cpl
Function: the "control panel-Password" option window is displayed.
Command column: rundll32.exe shell32.dll, Control_RunDLL powercfg. cpl
Function: displays the "control panel-Power Management Properties" option window.
Command column: rundll32.exe shell32.dll, SHHelpShortcuts_RunDLL PrintersFolder
Function: displays the Windows "Printer" folder. (Same as rundll32.exe shell32.dll, Control_RunDLL main. cpl @ 2)
Command column: rundll32.exe shell32.dll, Control_RunDLL intl. cpl, 0
Function: the "control panel-region settings properties-region Settings" option window is displayed.
Command column: rundll32.exe shell32.dll, Control_RunDLL intl. cpl, 1
Function: displays the "control panel-region settings properties-numbers" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL intl. cpl, 2
Function: the "control panel-region settings properties-currency" option window is displayed.
Command column: rundll32.exe shell32.dll, Control_RunDLL intl. cpl, 3
Function: displays the "control panel-region settings property-time" option window.
Command column: rundll32.exe shell32.dll, Control_RunDLL intl. cpl, 4
Function: displays the "control panel-region settings properties-Date" option window.
Command column: rundll32.exe desk. cpl, InstallScreenSaver [Screen saver file name]
Function: sets the specified screen saver file to Windows and displays the screen saver Properties window.
Command column: rundll32.exe shell32.dll, Control_RunDLL sysdm. cpl, 0
Function: displays the "control panel-system properties-traditional" attribute window.
Command column: rundll32.exe shell32.dll, Control_RunDLL sysdm. cpl, 1
Function: displays