What Is rundll32.exe and Why Is It Running?

New Configuration (How To)

Situation

Rundll32.exe is a standard part of Windows used to run Dynamic Link Library (DLL) files. DLLs contain code for various functions of a program and are commonly used by Windows processes and third-party apps. Rundll32.exe is not normally malware, but it can be used to execute malicious code. You open up Task Manager only to find countless instances of rundll32.exe running all at once. But what is rundll32.exe?

Solution

What Is Rundll32?

Rundll32.exe is used to run Dynamic Link Libraries (DLLs) on the Windows operating system. DLLs store code to provide functions to Windows processes and third-party applications, and can be accessed by multiple programs simultaneously. There are thousands (if not more) of DLLs included with your regular Windows installation that are related to everything from networking to the UI you interact with daily. Most programs you install also use DLLs. This ubiquity makes rundll32.exe an essential part of Windows, whether you’re using Windows 10, Windows 11, or an older version of Windows like Windows 7.

Is Rundll32.exe a Virus?

Rundll32.exe is a normal part of Windows. However, malware can pretend to be a legitimate copy of rundll32.exe or use the real rundll32.exe to execute malicious code on your PC. There are a few legitimate copies of the rundll32 executable contained in a Windows install. The two you’ll commonly see are located in “C:\Windows\System32\” and “C:\Windows\SysWOW64\”, but if you perform a search, you’ll find additional ones in the Windows folder. Sometimes malware will use the same executable name and run from a different directory to disguise itself. You should immediately be suspicious of any rundll32 executable that is not located in your Windows folder or a Windows subfolder.

Typically, the best thing to do if you suspect you have a malicious copy of rundll32.exe on your PC is to run a virus scan with Microsoft Defender or the antivirus program you prefer. Malwarebytes is an excellent choice and will take care of most malware, though there are other great antivirus software packages out there. However, antivirus programs are not perfect, and occasionally malware that runs with rundll32 will avoid detection. If that is the case, you’ll need to manually dig into what rundll32.exe is doing, and work out how to disable it if you find something you don’t want.

Research Rundll32.exe Using Process Explorer on Windows 10 or Windows 11

Process Explorer, a free utility from Microsoft, provides more specific information that is useful if you’re trying to determine exactly what an application is doing. It is small, doesn’t need to be installed, and works with any version of Windows. Here, we’re going to use it to investigate the activity of rundll32.exe. Launch Process Explorer as administrator, then go to File > Show Details for All Processes to make sure you’re seeing everything. There is probably going to be a lot of stuff listed, and you might not recognize all of it if you’ve never looked closely into how Windows operates before. It doesn’t mean you have a virus.

Now when you hover over rundll32.exe in the list, you’ll see a tooltip with the details of what it is doing. Better yet, you can right-click, choose “Properties” to get more detailed information.

There is a lot of information available in the Properties window, but you should start with the “Image” tab. It’ll show you the full pathname, the parent process, the user, and more. In this case, our rundll32.exe is associated with something named “-localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617.”

So, what exactly is “-localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617”? We’re not entirely sure, but we have confirmed it is present on a completely clean install of Windows 10, so it is definitely a normal part of Windows. It seems to be involved in presenting images in the user interface somehow. If you suspend or kill the process, the icon next to your media controls will no longer appear, and some users have reported that it interacts with User Account icons.
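The same checks can be run from a prompt. The following is an added example, not part of the original article: it lists each running rundll32.exe with its full path, parent process and command line (the fields on the “Image” tab) and flags any copy running from outside the Windows folder. It assumes Windows PowerShell 5.1 or later in an elevated session; the signature column is an extra check the article does not mention.

```powershell
# Added example: triage every running rundll32.exe.
# Run elevated so processes owned by other users are visible.

$winDir = $env:windir.TrimEnd('\')

# Index all processes by PID so each parent can be resolved to a name.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -ieq 'rundll32.exe' } | ForEach-Object {
    $path   = $_.ExecutablePath
    $parent = $byPid[[int]$_.ParentProcessId]

    # PIDs are reused: a "parent" that started after the child is a different,
    # unrelated process that inherited the original parent's PID.
    if ($parent -and $parent.CreationDate -gt $_.CreationDate) { $parent = $null }

    if (-not $path) {
        # ExecutablePath is empty when the session lacks rights to query the process.
        $location = 'Unknown (no access to image path)'
        $sig      = $null
    } else {
        $inWindows = $path.StartsWith("$winDir\", [System.StringComparison]::OrdinalIgnoreCase)
        $location  = if ($inWindows) { 'Windows folder' } else { 'OUTSIDE Windows folder' }
        # Extra check (not in the article): Authenticode status of the image itself.
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Path        = $path
        Location    = $location
        Signature   = $sig
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                      else { "exited (was PID $($_.ParentProcessId))" }
        CommandLine = $_.CommandLine   # shows the DLL or arguments being run
    }
} | Format-List
```

A copy in the Windows folder with a valid signature only confirms that the host executable is genuine; the DLL named in the command line still needs the same scrutiny.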

Can You Delete Rundll32.exe?

You cannot safely delete rundll32.exe if you want Windows to function properly. It’s a normal, critical part of the Windows operating system. It’s like asking whether you can open up your microwave and start removing various components. Well sure, it’s physically possible, but you can’t do it if you want your microwave to continue working properly.

How to Disable Rundll32.exe

You can’t directly disable rundll32.exe since it doesn’t really do anything by itself, but you can disable the applications and services that use rundll32.exe to operate. This can sometimes be a bit complicated, depending on what exactly you want. We have another instance of rundll32.exe running on our system that is loading something called “rxdiag.dll” that we’ll use for the following example. The simplest solution is to right-click the instance of rundll32.exe in Process Manager and click “Kill Process” to end it immediately.

However, that fix won’t stop rundll32 from being called and starting up again as soon as it is needed. If you want to do that, you have to determine what is causing rundll32.exe to activate or completely uninstall the program that calls it. Here is how you might do that, starting from the ground up. Right-click the instance of rundll32.exe and click “Properties,” then make sure that you’re on the “Image” tab. Note that rundll32.exe is the legitimate copy located in the Windows folder, that the parent process is something called “nvcontainer.exe,” and that the DLL is stored in the “C:\Program Files\Nvidia Corporation\nvstreamsrv” folder.

That tells us a lot. We can be very confident that it isn’t malware, and we know that it is associated with our graphics driver (we have an NVIDIA GPU) because of the folder it is located in. If you don’t recognize the folder name, try searching on the internet. Usually, you’ll be able to find several results that explain what program created the folder. So, you now know that an NVIDIA program is responsible for it, but you have a few different NVIDIA programs on your PC. How do you know which one it is? The subfolder name — nvstreamsrv — provides some helpful insight. GeForce Experience, a gaming-focused utility produced by NVIDIA, allows you to stream and record video via a feature called Shadowplay.

The folder name “nvstreamsrv” is probably shorthand for “NVIDIA Stream Server,” and that points us towards GeForce Experience being responsible for this call to rundll32.exe, rather than another piece of NVIDIA software, like the NVIDIA Control Panel. Again, if you can’t readily form a connection between the folder name (or other argument attached to rundll32) and a program, try searching for it on the internet. Most of the things you’ll encounter will be well-documented. We can now reasonably guess that GeForce Experience is most likely responsible for this instance of rundll32.exe. Now you need to actually turn it off so that rundll32 won’t just fire up again.

You should usually try to be as targeted as possible when disabling things. We first tried disabling a specific feature that we thought was responsible, then disabling startup or a service, then removing an important scheduled activity (an auto-update), and only then did we remove the application. This minimizes the possibility of accidentally breaking another important feature that you may use or that might be important behind the scenes in a way you didn’t realize. Of course, if you know you don’t want the application at all, then just skip the other steps and go straight to uninstalling it. Just be careful — you don’t want to uninstall or delete something important by accident.

Solution type

Permanent
