How To Fix C Windows System32 Rundll32.exe


Clotilde Wilks

Jul 14, 2024, 1:39:39 AM7/14/24
to kaibracinar

Today we are going to look at a Microsoft tool, the infamous rundll32.exe, which loads and executes code from DLLs. It is often used by adversaries during their offensive operations to execute malicious code through a process that we will explain in detail.


On the one hand, rundll32.exe is a Microsoft-signed executable that is natively present on all Windows systems; on the other hand, it is also very flexible and efficient at loading code into memory, acting as a proxy for that purpose. Moreover, because rundll32.exe benefits from a certain degree of trust, it can be a possible AppLocker and Software Restriction Policies (SRP) bypass.

Last but not least, rundll32.exe can also be used to dump the memory of processes, such as the LSASS (Local Security Authority Subsystem Service) process, to retrieve credentials, which we will demonstrate.

Although rundll32.exe has frequent and undeniably legitimate uses, it is also abused by many attackers, ranging from state-affiliated groups (APTs) to cybercriminal groups, to proxy the execution of malicious code.

We could also note that tools such as Cobalt Strike can use rundll32.exe to load DLLs from the command line. This list could be much longer, but the idea is to briefly summarize the importance, dangerousness and diversity of the groups that rely on rundll32.exe; it is therefore important to understand its mechanism in order to detect it.

Note: As per the Microsoft API documentation, when rundll32.exe calls the DllMain function with any entry point other than DLL_PROCESS_ATTACH, the return value is ignored. If the return value is FALSE when DllMain is called during process initialization, the process terminates with an error, and GetLastError is called to provide extended error information.

Note: This behavior was discussed previously; it is related to the dwFlags value LOAD_WITH_ALTERED_SEARCH_PATH that rundll32.exe sets when calling LoadLibraryExW (this flag is not under our control).

As a result, we notice a spawned cmd.exe with a non-existent parent, because the rundll32.exe process (PID 1844) has terminated and the cmd.exe process (PID 10904) was created as a new, independent process:

However, thanks to the Cybereason Defense Platform, we can examine the history, all loaded modules and all other relevant information, and also visualize the process tree to see that rundll32.exe is the parent of cmd.exe:

We have seen that rundll32.exe is a powerful asset for adversaries to proxy the execution of arbitrary and malicious code. This binary has another ace up its sleeve: it can leverage comsvcs.dll (a Microsoft-signed DLL), which exports a function called MiniDumpW that relies on MiniDumpWriteDump to dump the memory of the lsass.exe (Local Security Authority Subsystem Service) process to retrieve credentials.

Indeed, on the one hand, we have already seen that Cybereason is able to avoid false positives on benign use of rundll32.exe, using our test DLL to spawn another Windows binary that does no harm to the system:

We notice a machine with IP 10.160.155.26 (the victim) connecting to another machine with IP 10.160.201.220 on port TCP/8080. This corresponds to the reverse Meterpreter (TCP) payload we created (sample.dll) and executed using rundll32.exe:

The queries provided in this section can be used to hunt for possibly malicious rundll32.exe processes. First of all, the following query provides all instances of rundll32.exe (including non-malicious ones), to give an overview of activity:

I am running Windows 8.1 Update in a Parallels VM. After about 5 minutes of inactivity, a rundll32.exe process is spawned and consumes a core. MsMpEng.exe activity also increases. (probably due to lots of IO but I can't confirm) If I interact with the VM in any way, the rundll32.exe immediately exits until I let it idle for another 5 minutes.

Hi, I have found this same problem after updating to Win 10, and not a single common answer to this issue worked for me. When my computer went idle, the C: drive usage would go up to 100% and make any task impossible, leading to a manual shutdown by holding the power button. Windows Process Explorer would show rundll32.exe, and in the properties of this file would be C:\Windows\system32\rundll32.exe invagent,RunUpdate -noappraiser (then random numbers and letters).

So I have fixed the 100% C: drive problem by changing invagent.dll to invagent.dll.bak. But I have potentially opened up a new problem that is currently not causing me any issues. I will edit this answer if I have any further issues over the next week, or if I discover why multiple versions of rundll32.exe are now running.

I believe that is caused by UAC and how the Admin account is subjected to UAC, per se.
I have done the below to resolve that.
You can also create a shortcut to the area you are blocked from, and it worked that way for me too.
Do a search on rundll32.exe and UAC to see more info about it.

If Target contains any commas, they must be escaped, as shown three times in the following example:
Run rundll32.exe shell32.dll`,Control_RunDLL desk.cpl`,`, 3 ; Opens Control Panel > Display Properties > Settings

While monitoring the network activity of rundll32.exe from Austin, Texas, USA with the GlassWire software, we found it connects to settingsfd-geo.trafficmanager.net, which appears to be controlled by Microsoft Corporation. We found no other network activity from the .exe. We believe rundll32.exe connects to settingsfd-geo.trafficmanager.net to help manage the distribution of traffic across your PC's endpoints. This traffic management seems to happen at the DNS level to help your PC and apps work properly.

Any file can have any name, so we look at the location. If, for example, the file is c:\Windows\system32\rundll32.exe, that's legitimate. However, a malicious file may have the same name but be executed from an illegitimate location like C:\Users\User_Name\AppData\Local\Temp\rundll32.exe; then the chances are this EXE is malicious or, at the very minimum, suspicious.

Your problem is likely that your program is compiled as 32-bit and your OS is 64-bit; thus, when you try to access "C:\Windows\System32\Speech\SpeechUX\SpeechUX.dll" from your program, you're really accessing "C:\Windows\SysWOW64\Speech\SpeechUX\SpeechUX.dll", which, as rundll32.exe reports, doesn't exist.

Hello, a few minutes ago I got a Windows popup notification that I can change language with Alt + Shift. At that time I had only one language installed; after that I added the English language and tried Alt + Shift to change language, but it didn't work, so I opened the Win 10 notifications and clicked on that popup. Malwarebytes instantly reported and blocked an exploit from it. Is it a false positive, or do I have some **** in my newly installed Windows 10? Here is the screen, log + mbst-grab-results.

Yes, I clicked apply. I fixed it another way: I just changed the combination for it in the Windows 10 settings. It seems like it was swapped with Ctrl + Shift. It's weird, I never changed it.
Well, when it's a false positive and all is working again (I hope), then it's done, I think. I was ready to reinstall Win 10 again :D
Thank you for your time and help.

The user opened file.csv and then removed a USB drive. Since Excel was opened prior, Windows records that as the parent process; in short, two unrelated events are merged into one because of the way Windows records parent and child processes.

I'm sure you already saw this support article:
-us/help/2417592

Other than the suggested options, providing the following shortcut to DG managers might be an option, depending on permissions, due to direct group management in the user context instead of via the Exchange Trusted Subsystem:
%SystemRoot%\SYSTEM32\rundll32.exe dsquery,OpenQueryWindow

rundll32.exe is a DLL used as an "entry point" for launching many system-related tasks. For example, many Control Panel applets rely on it to launch/work. As you found, it is heavily used for scheduled tasks also.

Back to your original question: yes, it is normal for Windows to have many scheduled tasks and to launch them with rundll32.exe. However, only you can tell whether the scheduled VB6 programs are good/bad and whether they should be launched with different options.

I've noticed that in the Task Manager of Windows 7, I have multiple running instances (2) of rundll32.exe. Does this necessarily mean that my machine is infected by malware, as noted here: -to-fix-rundll32-exe/

Additionally, even after the factory restore, I am always getting an error message indicating that rundll32.exe stopped working at Windows 7 startup which seems very suspicious for a clean (?) installation.

Also look here for a description of how you can adjust the table in your Task Manager to see the entire command line, and so which functions are actually being run by your rundll32. This will also tell you which rundll32.exe is being run (if one of them is in a strange folder, say C:\Program Files\whatever\rundll32.exe, that would likely be a problem). Both instances should have the same path (this may be different on 64-bit systems, which may have a separate 32-bit version; I'm not sure about that).
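The thread gives three practical hunting signals for rundll32.exe: the image path should be System32 or SysWOW64 and not a user folder, the full command line tells you which DLL and export are actually being run, and comsvcs.dll's MiniDump export is the credential-dumping indicator from the Cybereason excerpt. The following triage script is an added example, not code from the original post or from any of the sources it quotes; it runs over constructed process-creation events (some of them echoing the legitimate invocations quoted above), and the system-path allow-list, the %SystemRoot% expansion and the user-writable directory pattern are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (image path, command line).
# The benign command lines echo invocations quoted in the thread; the
# suspicious ones are constructed for the example. Not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe invagent,RunUpdate -noappraiser"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,3"),
    (r"%SystemRoot%\SYSTEM32\rundll32.exe",
     r"%SystemRoot%\SYSTEM32\rundll32.exe dsquery,OpenQueryWindow"),
    (r"C:\Users\User_Name\AppData\Local\Temp\rundll32.exe",
     r"rundll32.exe"),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\User_Name\AppData\Local\Temp\sample.dll",DllMain'),
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump <args omitted in sample>"),
]

# Assumption: only these two locations host a legitimate rundll32.exe.
SYSTEM_IMAGES = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\syswow64\rundll32.exe",
}
# Assumption: directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\(users|appdata|temp)\\", re.IGNORECASE)
# Strips the (optionally quoted, optionally path-qualified) executable token.
EXE_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32\.exe"?\s*', re.IGNORECASE)
# First argument: a quoted path, or everything up to the first comma/space.
DLL_ARG = re.compile(r'"([^"]+)"|([^,\s]+)')

RANK = {"benign": 0, "review": 1, "suspicious": 2, "critical": 3}


@dataclass
class Verdict:
    image: str
    cmdline: str
    severity: str = "benign"
    reasons: list = field(default_factory=list)

    def flag(self, level, reason):
        # Record every reason; keep the highest severity seen.
        self.reasons.append(reason)
        if RANK[level] > RANK[self.severity]:
            self.severity = level


def dll_argument(cmdline):
    """Return the DLL the command line asks rundll32 to load, or None."""
    rest = EXE_PREFIX.sub("", cmdline, count=1)
    m = DLL_ARG.match(rest)
    return (m.group(1) or m.group(2)) if m else None


def classify_rundll32(image, cmdline):
    v = Verdict(image, cmdline)
    norm = image.lower().replace("%systemroot%", r"c:\windows")
    if norm not in SYSTEM_IMAGES:
        v.flag("suspicious", f"rundll32.exe image outside System32/SysWOW64: {image}")
    dll = dll_argument(cmdline)
    if dll is None:
        v.flag("review", "no DLL argument on the command line")
    elif USER_WRITABLE.search(dll):
        v.flag("suspicious", f"DLL loaded from a user-writable location: {dll}")
    low = cmdline.lower()
    if "comsvcs.dll" in low and "minidump" in low:
        v.flag("critical", "comsvcs.dll MiniDump export invoked: possible process memory dump (e.g. lsass.exe)")
    return v


def hunt(events):
    """Return only the events that deserve an analyst's attention."""
    verdicts = (classify_rundll32(image, cmd) for image, cmd in events)
    return [v for v in verdicts if v.severity != "benign"]


if __name__ == "__main__":
    for v in hunt(SAMPLE_EVENTS):
        print(f"[{v.severity}] {v.cmdline}")
        for r in v.reasons:
            print(f"    - {r}")
```

Baseline the benign command lines (invagent, Control_RunDLL, dsquery and the like) from your own fleet before trusting the "benign" verdict; the allow-list here is deliberately small so that anything unfamiliar lands in the hunt output.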
