Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What’s the Difference Between a DLL and an EXE, and Why Is It Important?

Question:

DLL or EXE? Now, I’m beginning to get confused. I heard from one site that
.dll and .exe files are two different things. But I’ve also heard about
explorer.dll.exe. I’ve read from a site discussing about dll exe that dlls
cannot be directly executed. So how’s that work?

The difference shouldn’t matter to most Windows users. In general, this is something that should be one of those hidden details that you never need to worry about.

Unfortunately, that’s not the case.

I’ll describe what DLLs and EXEs are and how they relate to each other.

And I’ll also tell you why the folks who write malware make it important to
know that there’s a difference.

]]>
<![CDATA[

Become a Patron of Ask Leo! and go ad-free!

EXE files

“.exe” files, or files that end in the four characters “.exe” are assumed by
Windows (and even MS-DOS before it) to be executable
programs.

Which is really just a fancy way of saying that they’re the programs you
run.

You’ll recognize many examples:

  • explorer.exe – Windows Explorer and the Windows primary user interface
  • iexplore.exe – Internet Explorer web browser
  • chrome.exe – the Google Chrome browser
  • thunderbird.exe – the Mozilla Thunderbird email program
  • winword.exe – Microsoft Word, word processor
  • … and so on

DLL files

DLL stands for Dynamic Link Library.

A library is a collection of software that is made available for programs to
use. That means a program you run, such as ‘winword.exe’ from the list above, might load additional DLLs that contain more software that make up the program. In Word’s case,
perhaps the software for the “Word Art” feature is placed in a separate DLL
that winword.exe loads either at startup or when you use that particular
feature.

Software is often broken up into or provided as an .EXE and a collection of
.DLLs for any of a number of reasons:

  • The DLL only needs to be loaded when it’s used, which reduces load time and memory needs when not. Loading only when needed is the “dynamic” part of Dynamic Link Library.
  • The DLL may be shared among multiple programs. For example, if Word and
    PowerPoint both have WordArt as a feature, then they can both use that same .DLL to provide the feature (if written properly, of course). This avoids multiple programs from all needing to duplicate the software required to perform a task.
  • The DLL may provide functionality to another program. For example, using DLLs
    is one way that one program might cause features to appear in another, such as new
    context menu items in Windows Explorer.

In fact, much of Windows itself is implemented as DLLs that applications load and use to access your system.

It is true – DLLs cannot be directly executed. They’re designed to be loaded
and run by other programs: EXE programs.

Why the difference matters

In short, malware. In fact, your example perfectly shows one way that malware tries to mislead you:

explorer.dll.exe

That’s an .exe file, and nothing else. Everything in front of the .exe is
the name of the file – even the part that says “.dll”. The file ends
in .exe and Windows will treat that as a program. It is not a DLL. The fact
that it has .dll in the middle of its name is completely meaningless
– other than, to confuse and mislead you.

It is also not Windows Explorer – that’s “explorer.exe” without the “.dll”
in the middle. The name may be similar, but this is a completely unrelated
file.

Why do this?

Because when displaying files by default, Windows will “hide extensions for
known file types”. That means that while the file’s actual name is:

explorer.dll.exe

what will be displayed is:

explorer.dll

Hiding the “.exe” because that’s a known file type.

It could fool you into thinking that’s a DLL and not an EXE. What they might
do from there is unclear.

One thing that I can tell you though: Don’t double-click on
it
.

Double-clicking means “open this file”, which for an .exe means “run this
program”. Even though it shows .dll, the real filename ends in .exe and
that’s exactly how Windows will treat it.

Misleading you in this manner is one technique to get you to install
malware.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

10 comments on “What’s the Difference Between a DLL and an EXE, and Why Is It Important?”

  1. Naah…. That is for the geeks.

    If the extensions are hidden, it is much neater to look at. That is the main purpose of the GUI in the first place. And under this setting, if you happen to see an extension – the file is a suspect. Easier to detect a suspicious file this way than looking for double extensions. In fact the system itself can flag such multiple-extension files.

    Besides there are so many extensions that displaying them would confuse most users. That must have been the purpose of the default setting, I suspect.

    Personally, I prefer if the icons for all executable files would in someway indicate that they are executable – a system superimposed “X” perhaps. MS-Word files have “W” on the icon.

    -Rahul.

    Reply
  2. So are you saying to never open an exe file?

    Not at all. Just be aware that a .exe file is a program and that by “opening” a .exe you’re running a program. Make sure that’s what you want to do.

    Leo
    17-Jan-2012
    Reply
  3. @Dan
    Every time you run a program you are running an .exe file. The danger is in running an unknown .exe file. If you download a program from a trusted website, then you would have to run an .exe or an .msi file to install it. (An .msi file is a Microsoft Installation file which is also an executable file.)

    Reply
  4. @Dan – specifically, I’d suggest Leo was referring to the the ‘explorer.dll.exe’ file given in the example.

    @Rahul – It’s exactly because there are so many filetypes that I think extensions should be visible by default. It can only benefit the users understanding of what’s going on – something I’d sacrifice a ‘clean’ GUI for any day.

    Reply
  5. Funny thing is, I’ve used a “.” in the middle sometimes when naming a file, yet wasn’t quite sure what I was looking at when coming across files with seemingly double extensions like the example above. In fact I’ve seen video files ending in .wmv.flv (as if you could use both formats). Anyone know why that would be done?

    Reply
  6. What I do not understand is why does window use the hide known extensions as default when all that is doing is “assisting” Malware to be unknowingly executed???? What is Microsoft “gaining” by not so computer literate users unknowingly running .exe files??????

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.