I’ve posted this already in Virus and Malware removal as part of a different thread. As I don’t believe it’s malware related I’m posting here. I really want to understand what rundll32 is doing!!!
I want to revisit this as it’s becoming a bit of a pain.
I get this every night, as soon as the system has been idle for a period of time. There are no tasks scheduled, no scans, defrags etc. This problem only happens on the Windows 7 PC. I have never seen anything like this on the XP PC. On occasion I wake to find CIS has crashed.
This problem is not a malware issue (maybe move this topic…), as it happens on a clean install of 7100, which came from MS.
So the question is, what the heck is rundll32 doing with all these processes/applications, and why are they appearing in the D+ log?
Attached another copy from last night.
sample:
Sun Jun 21 2:04:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\ATISetup.exe
Sun Jun 21 2:06:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\ATI\CIM\Bin\Setup.exe
Sun Jun 21 2:08:16 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\zh-Hant\system.resources.dll
Sun Jun 21 2:10:15 AM
C:\Windows\System32\rundll32.exe
Create Process, Execute Image
C:\Program Files\Microsoft Silverlight\2.0.40115.0\de\mscorrc.dll
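Added here as an example, not code from the post or from Comodo: a small Python parser for the four-line D+ record layout quoted above (timestamp, parent, action, target). It groups targets by parent process and flags any target outside the usual Windows and Program Files paths, which is the first thing to check when a parent like rundll32.exe spawns things overnight. The embedded sample is constructed from the quoted records plus one made-up entry so the flag is exercised.

```python
"""Parse Defense+ "Create Process" records and summarise them per parent."""
from collections import defaultdict

# Constructed sample: the first two records are copied from the post,
# the third is made up to show how an unexpected target gets flagged.
SAMPLE_LOG = """\
Sun Jun 21 2:04:15 AM
C:\\Windows\\System32\\rundll32.exe
Create Process, Execute Image
C:\\Program Files\\ATI\\CIM\\Bin\\ATISetup.exe
Sun Jun 21 2:06:16 AM
C:\\Windows\\System32\\rundll32.exe
Create Process, Execute Image
C:\\Program Files\\Microsoft Silverlight\\2.0.40115.0\\de\\mscorrc.dll
Sun Jun 21 2:08:16 AM
C:\\Windows\\System32\\rundll32.exe
Create Process, Execute Image
C:\\Users\\Public\\updater.exe
"""

# Assumed set of locations a legitimately installed target normally lives under.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")


def parse_records(text):
    """Yield (timestamp, parent, action, target) tuples, one per 4-line record."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("log does not consist of complete 4-line records")
    for i in range(0, len(lines), 4):
        yield tuple(lines[i:i + 4])


def summarise(text):
    """Return ({parent: [(timestamp, action, target), ...]}, [flagged targets])."""
    by_parent = defaultdict(list)
    flagged = []
    for ts, parent, action, target in parse_records(text):
        by_parent[parent].append((ts, action, target))
        # A target outside the trusted prefixes deserves a closer look.
        if not target.lower().startswith(TRUSTED_PREFIXES):
            flagged.append(target)
    return dict(by_parent), flagged


if __name__ == "__main__":
    parents, odd = summarise(SAMPLE_LOG)
    for parent, children in parents.items():
        print(parent, "spawned", len(children), "target(s)")
    print("outside trusted paths:", odd)
```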
Why is rundll32.exe running so seemingly often on Win 7? Good question to which I have no answer.
The reason why, I guess, it gets flagged in the D+ logs is because you don’t allow the request. So Default Deny does its thing and since it gets blocked it will get logged.
I guess you have something there, as most of these alerts occur when I’m away from the PC, so I never see them until after the event. (no pun intended)
The question remains, however, why is it happening…
Is there a rundll32 viewer similar to svchost viewer? That will answer the question of what is calling rundll32.
As to the why, here is a wild stab. Win 7 uses so-called trigger services; it is one of the measures that makes Win 7 more lean and mean. These services do not continuously run or sit in the background; they only run when required. Maybe it’s the triggered services causing this? It’s just a big guess…
Keep me posted. I guess the Application Experience may also be the source of the firewall alerts for rundll32 to phone home on https (port 443).
I have a long list of legitimate programs I have allowed rundll32 to run. You think they may be related to the Application Experience? Or would there be other candidates as well? Notice there are not many tasks started using rundll32.exe.
I will await your findings. When Application Experience turns out to be the source of your alerts I will delete all the applications I have allowed for rundll32 after disabling Application Experience and see what happens.
Well, after three days, I’ve not had a recurrence of the ‘problem’. I guess what I was seeing before was entirely due to the Application Experience event in Task Scheduler.
As for rundll32, I hadn’t noticed before that it seems to be ‘pre-loaded’ with applications it’s allowed to run in addition to any that have been ‘allowed’ since installation.
Personally, I don’t have any rules for rundll32 in my firewall, and I don’t recall seeing specific events requesting access…
Brilliant :-TU I’ve been getting these dang rundll32 things as well (PITA).
Don’t know what the autochk SQM data thing does, but it uses rundll32.
Gonna clear the rundll32.exe ‘Run an exe’ in D+ and see what happens.
Basically you’re thinking rundll32 is scanning the apps on Win 7 then sending the info to Microsoft? Although I’ve never had a rundll32 firewall alert ???
That’s my current thinking. What I’m looking at now is how that data was/is being transferred. I can’t see it being rundll32 doing the ‘grunt’ work, more likely something like svchost, which is a pain to track down.
I am finding that it is triggered by the screen saver cutting in.
What I am going to try is not having the screen saver operational but using sleep mode instead.
I must admit it is a bloody nuisance, mainly because you can’t click to allow with the remember setting set; it just does not remember, and it also produces a whole load of popups from Defense+ learning / C:\Windows\System32\rundll32.exe.
The last time it happened the popups lasted for an hour, which really annoyed me; otherwise the latest version is a beauty.
It has also been suggested that I turn off “Balloon Messages”. I will try this if “Sleep Mode” doesn’t work.
Regards
One other thing I’ve noticed is the Windows search service can also cause this. As you probably know, indexing takes place when the system is idle, so you could try disabling the Windows search service and seeing if it makes a difference…