Shell32.dll

Windows Shell Common Dll

Paths

• c:\windows\system32\shell32.dll
• c:\windows\syswow64\shell32.dll

Commands

Execute

Launch a DLL payload by calling the Control_RunDLL function.

Use case: Load a DLL payload.

Privileges: User

rundll32.exe shell32.dll,Control_RunDLL {PATH_ABSOLUTE:.dll}

Execute

Launch an executable by calling the ShellExec_RunDLL function.

Use case: Run an executable payload.

Privileges: User

rundll32.exe shell32.dll,ShellExec_RunDLL {PATH:.exe}

Execute

Launch command line by calling the ShellExec_RunDLL function.

Use case: Run an executable payload.

Privileges: User

rundll32 SHELL32.DLL,ShellExec_RunDLL {PATH:.exe} {CMD:args}

Execute

Load a DLL/CPL by calling undocumented Control_RunDLLNoFallback function.

Use case: Load a DLL/CPL payload.

Privileges: User

rundll32.exe shell32.dll,#44 {PATH:.dll}

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
• Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/rundll32_control_rundll_hunt.yml

Resources

• https://twitter.com/Hexacorn/status/885258886428725250
• https://twitter.com/pabraeken/status/991768766898941953
• https://twitter.com/mattifestation/status/776574940128485376
• https://twitter.com/KyleHanslovan/status/905189665120149506
• https://windows10dll.nirsoft.net/shell32_dll.html
• https://www.hexacorn.com/blog/2025/05/18/shell32-dll-44-lolbin/