When given just a file name, it's often difficult to know exactly where it came from or what it does. I'll look at a few approaches to identifying .exe and .dll files.
I found a file on my machine that I don't recognize called "________.exe," what is it? Can I delete it?
My computer keeps crashing with a problem in "________.dll," but I've never heard of this file and have no idea what it does. How do I find out?
This is actually an update to an article that I originally wrote in 2003, and it's just as relevant today as it was back then.
In the years since, I've received various forms of this question quite literally hundreds of times - the two above are simply examples where the "________" is the name of some file - often obscure - that someone has discovered for various reasons and doesn't recognize.
Most often, the question "what is this?" is really just a replacement for the real question, "Is this malware?"
Maybe. Maybe not.
Here are the steps I take, ranging from easy to obscure, to try and track down just what the DLL is going on. This approach actually works for EXEs and many other types of files, if you're trying to track one of those down.
One of the best clues for identifying at least the source of a file is its location on your hard disk.
By that, I mean the full path of the folder in which the file resides.
For example, if you've found a file, "scrubber.dll," in:
c:\Program Files (x86)\Toothbrush Magic\scrubber.dll
Then, there's a pretty reasonable chance that the file is somehow related to the program "Toothbrush Magic," and was probably placed on your computer when you installed that program.
Unfortunately, that doesn't always work for folders that are common, such as any of the Windows folders. For example, if you find that "scrubber.dll" is here:
...there's really not much you can say. While applications shouldn't install things into the Windows folders, many do. The result is that the file could be a part of Windows, it could be part of an application you've installed, or it could be malware.
Most DLLs and EXEs have embedded version information. The easiest way to see the version information is to do this: in Windows Explorer, right-click on the file, select Properties, and then select the Details or Version tab.
In the example above, I randomly chose the file "pnidui.dll" in C:\Windows\System32. The version information in the file gives at least a hint of what the file is for and who produced it.
There are problems with version information:
Not all DLLs or EXEs may have version information.
If version information is present, it might be obscure and/or vague.
Malware may include intentionally misleading version information.
While it might not always be an absolute source, version information can often be very useful, even if it's only as a clue to your investigation.
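As an added example (not part of the original article), the PowerShell function below gathers the clues discussed so far for a single file - its full path and embedded version fields - and goes one step further by checking the file's digital signature and computing its SHA-256 hash, since version text can be set to anything. The function name Get-FileIdentity and the output property names are made up for this example; the cmdlets it calls are standard ones.

```powershell
# Added example: summarize the identifying clues for one DLL or EXE.
# Get-FileIdentity and its output property names are hypothetical.
function Get-FileIdentity {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $ver  = $item.VersionInfo      # embedded version resource; any field may be empty
    $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256

    # Subject of the signing certificate, or $null if the file is unsigned.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Version fields are plain text that anyone can write, so treat them as a
    # claim. The claim counts as backed only when the signature is valid AND
    # the signer subject contains the claimed company name.
    $claimBacked = $false
    if ($sig.Status -eq 'Valid' -and $signer -and $ver.CompanyName) {
        $company = $ver.CompanyName.Trim()
        if ($company.Length -gt 0) {
            $claimBacked = $signer.IndexOf(
                $company, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }
    }

    [pscustomobject][ordered]@{
        FullPath           = $item.FullName          # location clue
        CompanyName        = $ver.CompanyName        # version clues
        FileDescription    = $ver.FileDescription
        ProductName        = $ver.ProductName
        OriginalFilename   = $ver.OriginalFilename
        FileVersion        = $ver.FileVersion
        SignatureStatus    = $sig.Status             # Valid, NotSigned, HashMismatch, ...
        Signer             = $signer
        VersionClaimBacked = $claimBacked
        SHA256             = $hash.Hash              # exact identifier for this file
    }
}

# The file used as the example in this article:
Get-FileIdentity -Path 'C:\Windows\System32\pnidui.dll' | Format-List
```

A False in VersionClaimBacked does not mean the file is malware - plenty of legitimate files are unsigned - it only means the version text is unverified and should be weighed as a clue, not a fact.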
If you can identify the manufacturer of a file, either by file location or version information, you might ask them.
Different companies offer widely varying levels of online functionality, so it's hard to know what to expect here, but searching the company's support site might well take you to very specific information about the file in question.
Microsoft Support has a huge collection of information.
Even if the DLL or EXE isn't actually from Microsoft, it's still worth searching the knowledgebase and forums, especially if the file is causing your system problems. Quite often, articles or posts will reference third-party files and describe issues and/or resolutions.
While Microsoft's support isn't always the most clearly written information, it's been improving over the years and can often add valuable information and clues to help your search. I still consider Microsoft's support site to be one of the internet's more under-utilized resources.
You probably already know how powerful Google can be. Search on the DLL or EXE file name and you will likely get a number of hits.
Unfortunately, Google results for random filename searches seem to be an area where serious caution is required.
Many, and for some files even most, of the search results provide only the minimum of information and instead attempt to sell you a product to help "protect" your system. The worst will classify just about anything as potential malware in an effort to scare you into purchasing software that is typically either sub-par, ineffective, or in some cases, completely bogus.
The rule's pretty simple: if you're just doing research, don't spend a dime. If the site holds information hostage until you buy something, move on to another source.
In amongst the noise, however, will often be interesting discussions or even Q&A - not unlike the articles here on Ask Leo! - that might well mention and provide more information on the DLL.
In one sense, using Google is a long shot and you'll need to spend some time separating the wheat from the chaff. A Google search might display 25 hits, only the last of which might be a reasonable/reliable source.
On the other hand, it can be quite educational to read through some of the interesting material that results.
When you're faced with an executable file - a DLL or EXE - that you don't recognize, it can sometimes be a bit of a research project to identify it. Sometimes, it'll be quick and obvious, other times not so much.
Particularly given the nature of malware attempting to disguise itself as something else, it's often difficult to know with certainty that what you have is what you think you have.
(This is an update to an article originally published September 5, 2003.)