What Is rundll32.exe and Why Is It Running?

You are no doubt reading this article because you’ve looked in task manager and wondered what on earth all those rundll32.exe processes are, and why they are running… So what are they?

This article is part of our ongoing series explaining various processes found in Task Manager, like svchost.exe, dwm.exe, ctfmon.exe, mDNSResponder.exe, conhost.exe, Adobe_Updater.exe, and many others. Don’t know what those services are? Better start reading!

Explanation

If you’ve been around Windows for any amount of time, you’ve seen the zillions of *.dll (Dynamic Link Library) files in every application folder, which are used to store common pieces of application logic that can be accessed from multiple applications.

Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files. This executable is a valid part of Windows, and normally shouldn’t be a threat.

Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.

Research Using Process Explorer on Windows 10, 8, 7, Vista, etc.

Instead of using Task Manager, we can use the freeware Process Explorer utility from Microsoft to figure out what is going on, which has the benefit of working in every version of Windows and being the best choice for any troubleshooting job.

Simply launch Process Explorer, and you’ll want to choose File \ Show Details for All Processes to make sure that you’re seeing everything.

Now when you hover over the rundll32.exe in the list, you’ll see a tooltip with the details of what it actually is:

Or you can right-click, choose Properties, and then take a look at the Image tab to see the full pathname that is being launched, and you can even see the Parent process, which in this case is the Windows shell (explorer.exe), indicating that it was likely launched from a shortcut or startup item.

You can browse down and view the details of the file just like we did in the task manager section above. In my instance, it’s a part of the NVIDIA control panel, and so I’m not going to do anything about it.

How to Disable the Rundll32 Process (Windows 7)

Depending on what the process is, you won’t want to necessarily disable it, but if you would like to, you can type msconfig.exe into the start menu search or run box and you should be able to find it by the Command column, which should be the same as the “Command line” field we saw in Process Explorer. Simply uncheck the box to prevent it from starting automatically.
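The PowerShell equivalent of scanning msconfig’s Command column, as an added example that is not part of the original article: it queries the Win32_StartupCommand class (which covers the Run/RunOnce registry keys and the Startup folders for the current and all-users hives) and flags any rundll32 entry whose executable is not called from the Windows directory. It assumes Windows PowerShell 5.1 or later; the function name is my own.

```powershell
# Added example (not from the How-To Geek article): enumerate startup entries
# that launch rundll32 and note whether the executable comes from the expected
# Windows directory. Assumes Windows PowerShell 5.1+.

function Get-Rundll32StartupEntry {
    $windowsDir = [regex]::Escape($env:SystemRoot)
    # Legitimate entries call rundll32 by bare name (resolved from System32)
    # or by its full path under the Windows directory.
    $expected = "(?i)^\s*`"?(?:$windowsDir\\(?:System32|SysWOW64)\\)?rundll32(\.exe)?`"?(\s|$)"

    Get-CimInstance Win32_StartupCommand |
        Where-Object { $_.Command -match '(?i)rundll32' } |
        ForEach-Object {
            # Expand %SystemRoot% and friends so the path check sees real directories
            $cmd = [Environment]::ExpandEnvironmentVariables($_.Command)
            [PSCustomObject]@{
                Name         = $_.Name
                Location     = $_.Location   # registry key or Startup folder that holds the entry
                User         = $_.User
                Command      = $cmd          # same text as msconfig's Command column
                ExpectedPath = [bool]($cmd -match $expected)
            }
        }
}

# Usage: entries with ExpectedPath = False are the ones worth investigating
# before deciding whether to uncheck them in msconfig.
Get-Rundll32StartupEntry | Format-Table -AutoSize
```

The Command value shown here is the same string that appears in msconfig and in Process Explorer’s “Command line” field, so the three views can be matched against each other directly.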

Sometimes the process doesn’t actually have a startup item, in which case you’ll likely have to do some research to figure out where it was started from. For instance, if you open up Display Properties on XP you’ll see another rundll32.exe in the list, because Windows internally uses rundll32 to run that dialog.

Disabling in Windows 8 or 10

If you’re using Windows 8 or 10, you can use the Startup section of Task Manager to disable it.

Using Windows 7 or Vista Task Manager

One of the great features in Windows 7 or Vista Task Manager is the ability to see the full command line for any running application. For instance, you’ll see that I have two rundll32.exe processes in my list here:

If you go to View \ Select Columns, you’ll see the option for “Command Line” in the list, which you’ll want to check.

Now you can see the full path for the file in the list, which you’ll notice is the valid path for rundll32.exe in the System32 directory, and the argument is another DLL that is actually what is being run.

If you browse down to locate that file, which in this example is nvmctray.dll, you’ll usually see what it actually is when you hover your mouse over the filename:

Otherwise, you can open up the Properties and take a look at the Details to see the file description, which usually will tell you the purpose for that file.
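The whole check described in this section (valid image path, parent process, command line, the DLL argument and its file description) can be scripted so it covers every rundll32.exe at once. This is an added example, not code from the original article: it assumes Windows PowerShell 5.1 or later with access to the Win32_Process CIM class (run elevated to see other users’ processes), and the function names are my own. It goes one step beyond the article by also reporting the Authenticode signer of the DLL.

```powershell
# Added example (not from the How-To Geek article): inventory every running
# rundll32.exe, verify its image comes from the Windows directory, and resolve
# the DLL named on its command line to a file description and signer.
# Assumes Windows PowerShell 5.1+ and CIM access to Win32_Process.

function Resolve-Rundll32Dll {
    param([string]$CommandLine)
    # rundll32 syntax: rundll32.exe <dll>[,<entrypoint>] [arguments]
    # Drop the executable token (quoted or not), then keep the text before the first comma.
    $rest  = $CommandLine -replace '^\s*("[^"]*"|\S+)\s*', ''
    $token = ($rest -split ',', 2)[0].Trim().Trim('"')
    if (-not $token) { return $null }
    $token = [Environment]::ExpandEnvironmentVariables($token)
    # A bare file name (e.g. shell32.dll) is found via the search path, System32 first.
    if (-not [IO.Path]::IsPathRooted($token)) {
        $token = Join-Path (Join-Path $env:SystemRoot 'System32') $token
    }
    if (Test-Path -LiteralPath $token) { return (Resolve-Path -LiteralPath $token).Path }
    return $token   # unresolved: report the literal argument so it can be looked up by hand
}

function Get-Rundll32Inventory {
    # The genuine binary lives only in these two directories.
    $validDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $proc     = $_
        $parent   = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $imageDir = if ($proc.ExecutablePath) { Split-Path -Parent $proc.ExecutablePath } else { $null }
        $dll      = Resolve-Rundll32Dll $proc.CommandLine

        $description = $null; $sigStatus = $null; $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            # Same "File description" that the Details tab of Properties shows
            $description = [Diagnostics.FileVersionInfo]::GetVersionInfo($dll).FileDescription
            $sig         = Get-AuthenticodeSignature -LiteralPath $dll
            $sigStatus   = $sig.Status
            $signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }

        [PSCustomObject]@{
            PID               = $proc.ProcessId
            ImagePath         = $proc.ExecutablePath
            ImageInWindowsDir = [bool]($imageDir -and ($validDirs -contains $imageDir))
            Parent            = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                                else { "<exited> ($($proc.ParentProcessId))" }
            CommandLine       = $proc.CommandLine
            Dll               = $dll
            DllDescription    = $description
            DllSignature      = $sigStatus
            DllSigner         = $signer
        }
    }
}

# Usage: look hardest at ImageInWindowsDir = False, an unresolved Dll, or a
# DllSignature other than Valid; those are the cases worth a scan or a forum post.
Get-Rundll32Inventory | Format-List
```

For the NVIDIA case from the article, the expected output is an ImagePath under System32, a Parent of explorer.exe, and a DllDescription naming the NVIDIA component; an entry that fails the directory check is the spoofing case the note above warns about.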

Once we know what it is, we can figure out if we want to disable it or not, which we’ll cover below. If there isn’t any information at all, you should either Google it, or ask somebody on a helpful forum.

When all else fails, you should post the full command path over on a helpful forum and get advice from somebody else that might know more about it.

Translated from: https://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/