Is it safe to permanently block rundll32.exe on the real machine?

Online_Sword

Level 12
Thread author
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
Some anti-exe programs will block rundll32.exe.
So far, they have caused no problems on my virtual machines.
But what about the real machine?

I heard that some drivers for NVIDIA graphics cards depend on rundll32.exe. So I guess permanently blocking it may cause some problems on some real machines.
However, this information is a bit old, so I do not know whether it applies to modern drivers and systems or not.
I cannot verify this myself because my graphics chip is integrated into the CPU.

So my problem is, would blocking rundll32.exe (potentially) influence the stability of the system?
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
What is rundll32.exe And Why Is It Running?
Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files. This executable is a valid part of Windows, and normally shouldn’t be a threat.
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself.

Read on about using Process Explorer to find out what's running rundll32.exe, then you can determine if it's a good idea or not.

Did you check if this anti-executable software blocks the genuine rundll32.exe or fakes?
 

Malware Man

Level 9
Verified
Well-known
Feb 2, 2013
440
Well, this process belongs to System32, I believe. It is responsible for calling on 16- or 32-bit DLLs in conjunction with the rundll.exe process.

I wouldn't disable it since DLLs are a major part of Windows and it could probably mess up your programs. Especially the 32-bit ones.

I am using AppLocker, which will auto-whitelist system folders and files, so it doesn't block it for me! :)
 

hjlbx

rundll32 is needed for Windows to work properly; blocking it will break many things on your system!

If you want to monitor rundll32, then use NVT ERP and white-list legitimate rundll32 command lines; you have to put in the time and effort to learn how it all works...
 

Online_Sword

> Did you check if this anti-executable software blocks the genuine rundll32.exe or fakes?

Thank you for your reply.

In fact, this is the default option of both Exe Radar Pro and VoodooShield.

In particular, ERP identifies rundll32.exe as a "vulnerable process", which is blocked by default in "Lockdown" mode.
The default option of VS is similar.

I mean, this is a built-in feature of these products, and has nothing to do with whether rundll32.exe is fake or not. :)
 

Online_Sword

> rundll32 is needed for Windows to work properly; blocking it will break many things on your system!
>
> If you want to monitor rundll32, then use NVT ERP and white-list legitimate rundll32 command lines; you have to put in the time and effort to learn how it all works...

Thank you for your reply.

But as you know, VS would also block rundll32 by default.
Unlike ERP, VS does not seem to have any command-line whitelist.
However, my virtual machine running VS still works well...
 

Online_Sword

@Huracan, @hjlbx, sorry I made some mistakes. :(
VoodooShield (2.82 beta), as well as Exe Radar Pro, have their own command-line whitelists.
So... blocking rundll32 is safe only when essential operations are properly whitelisted... Is this correct?
 

hjlbx

> @Huracan, @hjlbx, sorry I made some mistakes. :(
> VoodooShield (2.82 beta), as well as Exe Radar Pro, have their own command-line whitelists.
> So... blocking rundll32 is safe only when essential operations are properly whitelisted... Is this correct?

Correct. rundll32 should be monitored since there is a lot of malware that will abuse it...
 
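
The two checks discussed in this thread, the genuine image location and a whitelist of legitimate rundll32 command lines, sketched as an added example (not code from any poster, nor from Exe Radar Pro, VoodooShield or AppLocker). The allowlist entries, the SysWOW64 directory, the verdict names and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: default install paths. SysWOW64 (32-bit copy on 64-bit Windows)
# is added here; the thread itself only mentions System32.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Illustrative allowlist of (dll, export) pairs, constructed for this example.
ALLOWED = {
    ("shell32.dll", "control_rundll"),
    ("shell32.dll", "openas_rundll"),
    ("printui.dll", "printuientry"),
}

# rundll32 syntax: <image> <dll>,<entry point> [arguments]
CMD_RE = re.compile(
    r'^\s*(?:"[^"]+"|\S+)\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,"]+))\s*,\s*(?P<entry>[^\s,]+)'
)

def classify(image, command_line):
    """Return 'allow', 'fake-image' or 'review' for one process-creation event."""
    directory, name = ntpath.split(image.lower())
    if name != "rundll32.exe":
        return "allow"        # not rundll32: out of scope for this check
    if directory not in TRUSTED_DIRS:
        return "fake-image"   # same filename, run from a different directory
    m = CMD_RE.match(command_line)
    if not m:
        return "review"       # no <dll>,<entry> pair could be parsed
    dll_dir, dll = ntpath.split((m.group("q") or m.group("u")).lower())
    if dll_dir and dll_dir not in TRUSTED_DIRS:
        return "review"       # known DLL name, but loaded from elsewhere
    pair = (dll, m.group("entry").lower())
    return "allow" if pair in ALLOWED else "review"

# Constructed sample events: (image path, command line)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\printui.dll",PrintUIEntry /il'),
    (r"C:\Users\Public\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe example.dll,Start"),
]

def triage(events):
    return [classify(image, cmd) for image, cmd in events]

if __name__ == "__main__":
    for (image, cmd), verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:10} {image} :: {cmd}")
```

Anything returned as "review" is where an anti-executable tool would prompt or block; only command lines that have been observed and understood belong in the allowlist.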

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Windows Explorer, changing the appearance and opening Windows-based applications are some of the functions of Rundll32.exe, which may cause instability if you block it.

I've encountered quite a bit of this, which turns out to be problematic, like after a massive computer virus.

Better to block other stuff that cannot affect the Windows operating system.
 