32

Using the ShellExecute documentation as a reference:

I run the following from the command line:

C:\>RUNDLL32.EXE SHELL32.DLL,ShellExecute handle,"open","C:\Documents and Settings\admin\Desktop\tmp",NULL,NULL,SW_SHOWNORMAL

This results in an exception error.

I don't know what this means:

HINSTANCE ShellExecute(
  __in_opt  HWND hwnd,
  __in_opt  LPCTSTR lpOperation,
  __in      LPCTSTR lpFile,
  __in_opt  LPCTSTR lpParameters,
  __in_opt  LPCTSTR lpDirectory,
  __in      INT nShowCmd
);

But in the description, a handle (HWND), and a pointer to a null-terminated string (LPCTSTR), are mentioned, but it is very confusing.

Any help would be greatly appreciated. I would also like to learn more, so any references (book, web links, etc) would also be great!

Matteo Italia
mike
  • It would be helpful if you explained what you're trying to accomplish since there may be better ways than using RUNDLL32. Regardless, you are not calling RUNDLL32 correctly. For example, parameters must be separated by spaces (comma only separates entry point from DLL), hwnd and nShowCmd expect integer values, etc. See http://support.microsoft.com/kb/164787 for more info. – Alek Davis Jul 08 '10 at 20:01
  • I am a wandering head. I read: http://vlaurie.com/computers2/Articles/rundll32.htm. Then I started looking at different dll files, and found this: http://msdn.microsoft.com/en-us/library/bb776426%28v=VS.85%29.aspx. I started to look at the individual functions, and wondered if they could be used with rundll32.exe. I picked the ShellExecute function because I understand what it does (open a folder). I am mainly trying to learn how these things work (in MSDN). I don't even know if it is C, C++, C#, etc. – mike Jul 08 '10 at 20:09

1 Answer

33

Rundll32 only supports running DLL exports with the following signature:

void CALLBACK
  EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

It does not support running arbitrary entry points. Since ShellExecute does not have that signature, clearly bad things will happen.

INFO: Windows Rundll and Rundll32 Interface has more info on the rundll32 interface.

If you want to do the equivalent of ShellExecute from the command line, just use start:

C:\>start "" "C:\Documents and Settings\admin\Desktop\tmp"
Remy Lebeau
Michael
  • How do I know which DLL exports have the proper signature? – mike Jul 08 '10 at 19:58
  • 6
    You shouldn't be calling Rundll32 with random functions. Either it is documented that you can use Rundll32 (for install, InstallHinfSection) or you provide the export yourself. – Michael Jul 08 '10 at 20:20
  • 2
    If you're brave, you can call other functions - which will accept these 4 parameters (through cdecl calling convention). This is possible for some argumentless functions, or others that would just accept a meaningless handle or two as arguments. You can also easily write your own DLLs, with entry points (=dll exports) adhering to this signature, and call them with rundll32. And the functions in WinAPI are documented in MSDN. You'll see that really few can be used directly with rundll32... – Tomasz Gandor Jul 24 '12 at 00:25
  • 1
    It seems like it doesn't have to be `void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)`. I compiled my own DLL with `extern "C" void Example()` and it ran properly (`extern "C"` was there so I could get a clean function name, `void Example()` works as well as long as you use Dependency Walker to find the name of the function). So it seems like it just has to be void for it to work. However, I'm not necessarily encouraging you to use this. – FluorescentGreen5 Sep 30 '16 at 12:46
  • 3
    If you just have extern "C" void Example(), it's most probably __cdecl (the default calling convention in which the caller cleans up the stack). CALLBACK is __stdcall calling convention, where the callee cleans up the stack. Your function will ignore the 4 parameters, and that's fine, but it won't clean up the stack, which means the stack will be corrupted when it returns, potentially crashing rundll32 process. – Sergiy Migdalskiy Nov 26 '17 at 02:41
  • 1
    FYI `C:\> rundll32 user32.dll, MessageBeep -MB_ICONEXCLAMATION` will play a sound. – Mike Nakis Jan 28 '23 at 14:57
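
An added example, not code from the thread or from Microsoft: a DLL export that matches the entry-point signature quoted in the answer and forwards the path from rundll32's command-line tail to ShellExecuteA, which is the "provide the export yourself" route the comments mention. The names `OpenPath` and `parse_path` are hypothetical, and the parser handles the path whether or not it arrives quoted.

```c
/* Added example (hypothetical names). Build on Windows as a DLL, link shell32. */
#include <stddef.h>
#include <string.h>

/* Copy the path from rundll32's raw command-line tail into out, trimming
   surrounding whitespace and one pair of double quotes.
   Returns the path length, or -1 if it is empty, unterminated or too long. */
int parse_path(const char *cmdline, char *out, size_t outsz)
{
    const char *end;
    size_t len;

    if (cmdline == NULL || out == NULL || outsz == 0)
        return -1;
    while (*cmdline == ' ' || *cmdline == '\t')
        cmdline++;
    if (*cmdline == '"') {
        cmdline++;
        end = strchr(cmdline, '"');
        if (end == NULL)
            return -1;              /* opening quote never closed */
    } else {
        end = cmdline + strlen(cmdline);
        while (end > cmdline && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
    }
    len = (size_t)(end - cmdline);
    if (len == 0 || len >= outsz)   /* reject instead of truncating */
        return -1;
    memcpy(out, cmdline, len);
    out[len] = '\0';
    return (int)len;
}

#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>

/* The signature from the answer: CALLBACK (__stdcall), four parameters. */
__declspec(dllexport) void CALLBACK
OpenPath(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    char path[MAX_PATH];

    (void)hinst;                    /* unused here */
    if (parse_path(lpszCmdLine, path, sizeof path) > 0)
        ShellExecuteA(hwnd, "open", path, NULL, NULL, nCmdShow);
}
#endif
```

On a 32-bit build, `__stdcall` decorates the exported name (`_OpenPath@16`), so export the plain name through a .def file; the call then takes the form `rundll32 mydll.dll,OpenPath "C:\some\folder"`, where `mydll.dll` is a placeholder.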