I treat rundll32 as a totally untrusted application, so every dll it loads needs to be approved. However, the Program Compatibility Data Uploader (aepdu.dll) of Windows 7 is a system service running inside rundll32 and to do its job, it loads all executables in the system. This would trigger a lot of prompts from CIS, but I shouldn’t really make CIS “remember” them.
So could some special treatment for rundll32 be added so that the dll passed on the command line to rundll32 is identified as the main program as opposed to rundll32.exe. For example, when aepdu.dll is working, CIS would say “Program Compatibility Data Uploader is trying to execute …” instead of “rundll32.exe is …” and I would be able to set some rules for aepdu.dll without affecting other dlls running under rundll32. It could be made more general by changing the current executable path matching to command line pattern matching, but I guess that’s a bit weird.