Introduction to RunDLL32
RunDLL32 is a built-in Windows executable that allows users to run specific functions within DLLs (Dynamic Link Libraries). Found in all Windows installations, it comes in both 32-bit and 64-bit versions. The tool works by loading a DLL, locating the address of the named function, and invoking that function with the specified arguments.
This makes RunDLL32 a powerful utility for executing system-level operations, invoking control panel applets, and even enabling developers to test their custom DLL functions.
Note: This blog post is designed to complement the accompanying video embedded at the top of the page. The video provides an in-depth, visual demonstration of the concepts and code discussed here, making it an invaluable resource for learners.
How RunDLL32 Works
To use RunDLL32, the command syntax is straightforward:
RunDLL32 <DLL Path>,<Function Name> [Arguments]
- There must not be a space between the DLL name and the function name.
- A missing DLL or a missing function results in a message box alert.
- Errors inside the function's implementation cannot be reported back.
Examples of RunDLL32 in Action
- Invoking Windows built-in Dialogs
  - Example: Editing environment variables using: RunDLL32 sysdm.cpl,EditEnvironmentVariables
  - You can explore exported functions of DLLs using tools like Total PE.
- Shell32 Functions
  - Open file association dialog: RunDLL32 shell32.dll,OpenAs_RunDLL example.txt
  - Run control panel applets: RunDLL32 shell32.dll,Control_RunDLL appwiz.cpl
Creating Custom DLLs for RunDLL32
Developers can create custom DLLs to be invoked via RunDLL32. The function prototype must follow specific conventions:
void __stdcall MyFunction(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
Here’s how to build and test a simple example:
- Set Up the Project
  - Create a DLL project in Visual Studio.
  - Define and export the desired function.
- Handle Parameters
  - Use the command line argument (lpszCmdLine) to pass inputs to the function.
- Test with RunDLL32
  - Invoke the function: RunDLL32 <Path to DLL>,MyFunction Arguments
Advanced Use Cases
- Killing a Process: Example function to terminate a process by PID.
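#include <windows.h>
#include <stdlib.h>

// Exported with the RunDLL32 prototype shown above (CALLBACK is __stdcall).
// extern "C" keeps the export name unmangled in a C++ project.
extern "C" __declspec(dllexport)
void CALLBACK KillProcess(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
    // The text that follows the function name on the command line is the PID.
    DWORD pid = (DWORD)atoi(lpszCmdLine);
    HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
    if (hProcess) {
        TerminateProcess(hProcess, 1);  // 1 becomes the target's exit code
        CloseHandle(hProcess);
    }
}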
- Unicode Support: Export wide-character functions by appending “W” to the function name.
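Parsing lpszCmdLine with atoi, as in the KillProcess example above, accepts input such as "12abc" and gives the function no way to notice bad input, and RunDLL32 cannot report implementation errors back. The following is an added example, not code from the original post: a strict argument parser plus an entry point that surfaces every outcome in a message box. The names parse_pid and ShowProcess are hypothetical, chosen for this example.

```c
/* Added example: strict parsing of the rundll32 argument string.
   parse_pid and ShowProcess are hypothetical names, not from the post. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Parse a decimal PID. Returns 1 and stores it on success, 0 on malformed
   input. atoi() would turn "abc" into 0 and "12abc" into 12 with no error. */
int parse_pid(const char *s, unsigned long *pid)
{
    char *end;
    unsigned long v;

    if (s == NULL) return 0;
    while (isspace((unsigned char)*s)) s++;
    if (!isdigit((unsigned char)*s)) return 0;   /* "", "-1", "+5", "abc" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || v > 0xFFFFFFFFUL) return 0;   /* must fit a DWORD */
    if (v == 0) return 0;                        /* this example rejects PID 0 */
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return 0;                  /* "12abc", "12 34" */
    *pid = v;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* rundll32 discards return values, so every outcome goes to a message box. */
__declspec(dllexport) void CALLBACK ShowProcess(HWND hwnd, HINSTANCE hinst,
                                                LPSTR lpszCmdLine, int nCmdShow)
{
    unsigned long pid;
    char path[MAX_PATH];
    DWORD len = MAX_PATH;
    HANDLE h;
    (void)hinst; (void)nCmdShow;
    if (!parse_pid(lpszCmdLine, &pid)) {
        MessageBoxA(hwnd, "Usage: rundll32 <dll>,ShowProcess <pid>", "ShowProcess", MB_ICONERROR);
        return;
    }
    h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, (DWORD)pid);
    if (h != NULL && QueryFullProcessImageNameA(h, 0, path, &len))
        MessageBoxA(hwnd, path, "ShowProcess", MB_OK);
    else
        MessageBoxA(hwnd, "Cannot query that process", "ShowProcess", MB_ICONERROR);
    if (h != NULL) CloseHandle(h);
}
#endif
```

Build this as C, or wrap the export in extern "C" in a C++ project. In a 32-bit build, export ShowProcess through a .def file so the name is not decorated as _ShowProcess@16.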
Why Use RunDLL32 for Custom DLLs?
- Reusability: DLLs can be used across multiple applications.
- Stealth: Running functions via RunDLL32 appears as a standard Windows process, reducing suspicion.
Conclusion
RunDLL32 offers a versatile way to interact with system DLLs and test custom functionality. By understanding its syntax and capabilities, developers can leverage it for both system management and software development.