
When given just a file name, it's often difficult to know exactly where it came from or what it does. I'll look at a few approaches to identifying .exe and .dll files.

I found a file on my machine that I don't recognize called "________.exe," what is it? Can I delete it?

My computer keeps crashing with a problem in "________.dll," but I've never heard of this file and have no idea what it does. How do I find out?

This is actually an update to an article that I originally wrote in 2003, and it's just as relevant today as it was back then.

In the years since, I've received various forms of this question quite literally hundreds of times - the two above are simply examples where the "________" is the name of some file - often obscure - that someone has discovered for various reasons and doesn't recognize.

Most often, the question "what is this?" is really just a replacement for the real question, "Is this malware?"

Maybe. Maybe not.

Here are the steps I take, ranging from easy to obscure, to try and track down just what the DLL is going on. This approach actually works for EXEs and many other types of files, if you're trying to track one of those down.

Location, location, location

One of the best clues for identifying at least the source of a file is its location on your hard disk.

By that, I mean the full path of the folder in which the file resides.

For example, if you've found a file "scrubber.dll" in this folder:

c:\Program Files (x86)\Toothbrush Magic\scrubber.dll

Then, there's a pretty reasonable chance that the file is somehow related to the program "Toothbrush Magic," and was probably placed on your computer when you installed that program.

Unfortunately, that doesn't always work for folders that are common, such as any of the Windows folders. For example, if you find that "scrubber.dll" is here:

c:\windows\system32\scrubber.dll

...there's really not much you can say. While applications shouldn't install things into the Windows folders, many do. The result is that the file could be a part of Windows, it could be part of an application you've installed, or it could be malware.

Version information

Most DLLs and EXEs have embedded version information. The easiest way to see the version information is to do this: in Windows Explorer, right-click on the file, select Properties, and then select the Details or Version tab.

File Version Information

In the example above, I randomly chose the file "pnidui.dll" in C:\Windows\System32. The version information in the file gives at least a hint of what the file is for and who produced it.

There are problems with version information:

  • Not all DLLs or EXEs may have version information.

  • If version information is present, it might be obscure and/or vague.

  • Malware may include intentionally misleading version information.

While it might not always be an absolute source, version information can often be very useful, even if it's only as a clue to your investigation.
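The clues discussed so far (folder and embedded version information) can be collected in one pass from PowerShell. This is an added example, not part of the original article; it also reads the file's digital signature and SHA-256 hash, which go beyond the article's text, and the function name Get-FileIdentity and its output property names are hypothetical. The sample path is the pnidui.dll file mentioned above.

```powershell
# Added example: gather the identification clues for one file in a single pass.
function Get-FileIdentity {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $ver  = $file.VersionInfo            # System.Diagnostics.FileVersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Windows' own files often report "<name>.mui" as the original file name,
    # so strip that suffix before comparing against the name on disk.
    $original = $ver.OriginalFilename -replace '\.mui$', ''
    $renamed  = [bool]$original -and ($original -ne $file.Name)

    [pscustomobject]@{
        Folder           = $file.DirectoryName      # the "location" clue
        Name             = $file.Name
        Company          = $ver.CompanyName         # may be empty or misleading
        Description      = $ver.FileDescription
        Product          = $ver.ProductName
        FileVersion      = $ver.FileVersion
        OriginalFilename = $ver.OriginalFilename
        NameMismatch     = $renamed                 # file renamed since it was built?
        SignatureStatus  = $sig.Status              # e.g. Valid, NotSigned, HashMismatch
        Signer           = $sig.SignerCertificate.Subject
        SHA256           = $hash.Hash
    }
}

# Sample path taken from the article's example.
Get-FileIdentity -Path 'C:\Windows\System32\pnidui.dll' | Format-List
```

Version strings are plain text that anyone building a file can set, whereas a Valid signature status means the signer's certificate checked out and the file has not been altered since signing. Treat every field as a clue for the research described here, not a verdict.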

Consult the source

If you can identify the manufacturer of a file, either by file location or version information, you might ask them.

Different companies offer widely varying levels of online functionality, so it's hard to know what to expect here, but searching the company's support site might well take you to very specific information about the file in question.

Ask Microsoft

Microsoft Support has a huge collection of information.

Even if the DLL or EXE isn't actually from Microsoft, it's still worth searching the knowledgebase and forums, especially if the file is causing your system problems. Quite often, articles or posts will reference third-party files and describe issues and/or resolutions.

While Microsoft's support isn't always the most clearly written information, it's been improving over the years and can often add valuable information and clues to help your search. I still consider Microsoft's support site to be one of the internet's more under-utilized resources.

Ask Google

You probably already know how powerful Google can be. Search on the DLL or EXE file name and you will likely get a number of hits.

Unfortunately, Google results for random filename searches seem to be an area where serious caution is required.

Many, and for some files even most, of the search results provide only the minimum of information and instead attempt to sell you a product to help "protect" your system. The worst will classify just about anything as potential malware in an effort to scare you into purchasing software that is typically either sub-par, ineffective, or in some cases, completely bogus.

The rule's pretty simple: if you're just doing research, don't spend a dime. If the site holds information hostage until you buy something, move on to another source.

In amongst the noise, however, will often be interesting discussions or even Q&A - not unlike the articles here on Ask Leo! - that might well mention and provide more information on the DLL.

In one sense, using Google is a long shot and you'll need to spend some time separating the wheat from the chaff. A Google search might display 25 hits, only the last of which might be a reasonable/reliable source.

On the other hand, it can be quite educational to read through some of the interesting material that results.

It's a research project

When you're faced with an executable file - a DLL or EXE - that you don't recognize, it can sometimes be a bit of a research project to identify it. Sometimes, it'll be quick and obvious, other times not so much.

Particularly given the nature of malware attempting to disguise itself as something else, it's often difficult to know with certainty that what you have is what you think you have.

That's one of the (many) reasons why it's important to not only run appropriate security software, but also know how to stay safe on the internet in general.

(This is an update to an article originally published September 5, 2003.)

Article C1838 - October 1, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

49 Comments
Howard B. Evans, Jr.
October 2, 2012 1:29 PM

Thank you, Leo, for all the help you have provided over the years. I really enjoy reading your newsletter. However, reading the mostly ungrateful and demanding comments on this thread makes me sometimes wonder why you bother.

It was Good Advice to use Google to find information on suspicious file names. This will usually pop up a half-dozen or so forum sites to peruse for more information. A savvy user can filter through the garbage to find them.

To help identify unknown files, my personal favorite for the past few years has been Bill P's WinPatrol PLUS. There is a "freeware" version of WinPatrol as well as an upgrade to the PLUS paid version. Both come with no-cost periodic updates. I ran with the free version for many years before deciding to make a one-time purchase of the PLUS upgrade. No regrets, and I now have instant access to a Bill P webpage with information, if available, on the mystery file. Highly recommended.

I'm a fan of WinPatrol also, and probably should have included it above. WinPatrol - Get alerts to important changes to your computer
Leo
04-Oct-2012
richard Lovejoy
October 2, 2012 2:49 PM

I strongly recommend Win Patrol (paid ver) to get answers to many strange files and extensions

James Abuda
October 3, 2012 2:20 AM

I always read your article Leo, but how do you earn money from doing this?

Mark J
October 3, 2012 2:49 AM

@James Abuda
Ask Leo! is an advertising supported website.
This article explains how it works.

BAW30s
October 3, 2012 3:34 AM

A couple of little tips to supplement Leo's excellent advice:
● If you have IE toolbars you don't want, in addition to spyware removers and add/remove programs, try "Manage Add-ons" in the Tools menu
● If you have a suspicious file, subject it to an on-line scan such as Jotti http://virusscan.jotti.org or Virus Total http://www.virustotal.com .
These subject the file to multiple scans: observing the extent to which findings differ from one anti-virus scan to another demonstrates graphically how much malware detection is an art rather than a science!
