
Rundll32: What It Is And When It Can Create Problems In Windows

What to do when the Rundll32 process is occupying CPU, memory, loading at Windows startup, or not responding. What is the problem, and how can it be investigated? One of the Windows components that has been present in the Microsoft operating system for years is Rundll32: introduced at the time of Windows 95, it has been preserved ever since, so much so that Windows 10 and 11 still use it today.

Rundll32 was designed to load and call functions inside DLL libraries, providing an interface between the operating system and the shared libraries. Its name combines “Run” and “Dynamic Link Library”, indicating its role in loading and executing code contained in DLLs. Windows DLLs are shared libraries containing code and data: they can be used by multiple programs simultaneously to activate specific features.

DLLs are designed to promote modularity and reusability by allowing different applications to share common code without duplicating it in each program. To get a sense of this, check how many DLL files are in the Windows system folder (usually \windows\system32). Despite its name, Rundll32 (an executable file named rundll32.exe, stored in the Windows system folder) can be used to load 32-bit and 64-bit DLLs.

In reality, there are two versions of rundll32 on a 64-bit Windows system: one in the system directory and another in SysWOW64. Users, however, have no interest in knowing that these two versions exist; they simply expect the libraries a program needs to be loaded properly (and the functions they contain to be executed as needed).

Rundll32 Uses Too Much CPU And RAM

The Rundll32 executable does not seem to have a very good reputation: a Web search shows how many users report problems attributable to it. Among the most recurrent complaints are high CPU usage by Rundll32 and excessive consumption of the RAM available on the system.

To check this, open the Task Manager (you can do it quickly using the key combination CTRL+SHIFT+ESC), click on the Details tab, and then on the CPU column header until the arrow points downwards. If the process Rundll32.exe is at the top, it is putting a significant load on the processor, taking precious resources away from the operating system and running applications.

The fact that Rundll32, for example, permanently occupies more than 20-25% of the processor is already an indication of a problem that affects the overall performance of the computer: it is slower, less responsive, tends to heat up, the heat-sink fans remain active, and so on. Despite the name, which brings to mind past times and the progression from 8 to 16, 32, and 64 bits, Rundll32 is also actively used in the most recent versions of Windows, and many applications use it for loading DLLs.

The inspiration for writing this article came to us from a reader who complained about a Windows 11 system that was constantly bogged down, without understanding the reason for the problem. Examining the contents of the Details tab of the Task Manager, it was the Rundll32 process that was overwhelmingly occupying the processor, but it was not possible to trace who was responsible.

We suggested downloading and running the free Process Explorer utility, originally developed by Mark Russinovich before he joined Microsoft (and still updated by the same software engineer, who later became CTO of Azure). Double-clicking the file procexp64.exe starts Process Explorer on 64-bit Windows systems, but it is still essential to give the program administrative rights.

To do so quickly, click on the File menu, then on Show Details for All Processes, and answer Yes to the UAC request. Then right-click the Rundll32.exe instance that is abnormally occupying the resources available on the local system and choose Properties: you will find yourself before a screen similar to the one in the figure.

The suggestion is to check the contents of the Command line field: unlike what is possible with the Windows Task Manager, here it is possible to ascertain the exact command used to invoke Rundll32. The information to the right of rundll32.exe should usually give a specific clue as to which software and DLL are causing problems. You should not “kill” Rundll32, which is a legitimate system component, but figure out which application is using it incorrectly.

The application in question could be loaded when Windows starts, started using Task Scheduler, or run manually by the user or through another program. In another article, we have seen the various tools that can be used to run a program automatically when Windows starts. In most cases, to solve the problem with Rundll32, you can remove the application that uses the DLL library indicated in the Command line field or update the program to a newer version.
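The same Command line check can be scripted. The following PowerShell is an added example, not part of the original article: it lists every running rundll32.exe with its parent process, CPU time, the DLL and entry point taken from the command line, and the DLL's signature status. The helper name Get-Rundll32Target is hypothetical, and the parsing assumes the common `rundll32.exe <dll>,<entry point>` syntax.

```powershell
# Added example: list running rundll32.exe instances and the DLL each was asked to load.
# Run from an elevated prompt so other users' command lines are readable.

function Get-Rundll32Target {
    param([string]$CommandLine)
    # Drop the host executable (quoted or not); what remains is "<dll>,<entry point> [args]".
    $rest = $CommandLine -replace '^\s*("[^"]*"|\S+)\s*', ''
    if (($rest -match '^"([^"]+)"\s*,\s*(\S+)') -or ($rest -match '^([^,"]+?)\s*,\s*(\S+)')) {
        [pscustomobject]@{ Dll = $Matches[1]; EntryPoint = $Matches[2] }
    } else {
        # Unusual syntax: leave the fields empty and rely on the raw command line.
        [pscustomobject]@{ Dll = $null; EntryPoint = $null }
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $proc   = $_
    $target = Get-Rundll32Target $proc.CommandLine
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # Assumption: a bare DLL name is resolved next to the rundll32.exe that loads it
    # (System32 or SysWOW64); the real DLL search order has more steps.
    $dllPath = $target.Dll
    if ($dllPath -and $dllPath -notmatch '^([A-Za-z]:|\\\\)' -and $proc.ExecutablePath) {
        $dllPath = Join-Path (Split-Path $proc.ExecutablePath -Parent) $dllPath
    }
    $signature = 'Unknown'
    if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
        $signature = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status
    }

    [pscustomobject]@{
        PID         = $proc.ProcessId
        Parent      = $parent.Name
        CpuSeconds  = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 1)
        Dll         = $dllPath
        EntryPoint  = $target.EntryPoint
        Signature   = $signature
        CommandLine = $proc.CommandLine
    }
} | Sort-Object CpuSeconds -Descending | Format-List
```

The Parent and Dll columns point to the application to update or remove; a Signature other than Valid is a reason to look more closely at that DLL, not a verdict on it.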

Rundll32 Is Loaded On Startup Or Is Not Responding

The fact that Rundll32 runs when Windows starts is not a problem: some installed applications often configure the loading of some DLL library when the desktop loads immediately after login. This becomes a problem if Rundll32 exhibits the misbehavior described in the previous point or displays an error message stating that it is not responding.

Using a software tool such as Autoruns, it is possible to ascertain which applications are running automatically, i.e., those loaded when Windows starts, and to identify any occurrences of Rundll32 created by programs as they load on the system. To make searching easier, type rundll32 in the Autoruns Filter box (it’s at the top of the interface). Moreover, because Rundll32.exe is an executable digitally signed by Microsoft, it is often used by cybercriminals as a proxy to execute malicious code.
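A scripted counterpart to the Autoruns filter, as an added example that is not part of the original article: it searches the Run and RunOnce registry keys and the scheduled tasks for commands that invoke rundll32. It covers only these locations, a subset of what Autoruns inspects.

```powershell
# Added example: find startup entries that launch rundll32 (subset of Autoruns' coverage).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry autostart values whose command mentions rundll32.
$fromRegistry = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match 'rundll32') {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $value }
        }
    }
}

# Scheduled tasks whose action runs rundll32 (COM handler actions have no Execute field).
$fromTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match 'rundll32') {
            [pscustomobject]@{
                Source  = "Task ($($task.State))"
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd
            }
        }
    }
}

@($fromRegistry) + @($fromTasks) | Format-List Source, Name, Command
```

Windows itself registers several scheduled tasks that call rundll32, so the entries worth a second look are those whose DLL belongs to third-party software or sits in a user-writable folder.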

As the Cybereason researchers explain well, Rundll32 has historically enjoyed a certain “freedom of action”: the executable can therefore be exploited to get around protection features such as AppLocker and Software Restriction Policies (SRP), as well as to dump credentials from the memory managed by the Local Security Authority Subsystem Service (LSASS) process. Rundll32 is therefore a process to keep under “special observation”, whose behavior must be ascertained immediately when anomalies are detected using the Task Manager and Process Explorer.
