control.exe

control.exe is the Windows program that opens Control Panel and individual Control Panel items. Windows and users invoke it to reach settings. Attackers abuse it to execute malicious Control Panel files (.cpl), which are ordinary DLLs with a Control Panel entry point, so a signed Microsoft binary ends up loading and running their code.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • control.exe {PATH_ABSOLUTE}:evil.dll (ADS) · Can be used to evade defensive countermeasures or to hide as a persistence mechanism
  • control.exe {PATH_ABSOLUTE:.cpl} (Execute) · Use to execute code and bypass application whitelisting

Indicators

Hashes

Not observed.

Analysis

About this process

control.exe launches Control Panel and, given a .cpl file, the specific Control Panel applet it represents. A .cpl is a DLL that exports the CPlApplet entry point, so opening one loads and executes that DLL. control.exe is the front door for this: Explorer's cplfile handler invokes it with the file path, so double-clicking a .cpl routes through it. The genuine binary lives at C:\Windows\System32\control.exe. In practice control.exe usually delegates the load to a rundll32.exe child through shell32.dll's Control_RunDLL export, so the .cpl may show up as a module of rundll32.exe rather than of control.exe itself.

Legitimately, control.exe runs whenever someone opens a Control Panel item, so the process itself is ordinary. The .cpl it loads and where that file came from are what give an instance meaning.

Security notes

control.exe is a system-binary proxy execution vector via Control Panel items (ATT&CK T1218.002). Because a .cpl is a DLL, an attacker delivers one (often renamed to look like a document) and has control.exe load and run it under a trusted, signed Microsoft process, bypassing application-control rules that allow control.exe without inspecting what it loads. Malicious .cpl files have been a recurring malware delivery format for exactly this reason.

Since loading a legitimate applet is normal, the context is what matters: a .cpl from a temp or download folder, a parent such as an Office application, or control.exe spawning a shell marks the instance as abuse rather than someone opening a settings page. Because the applet is often loaded by a rundll32.exe child (shell32.dll,Control_RunDLL) rather than by control.exe itself, apply the same file-path checks to that child's command line.

Anomaly signals
  • A .cpl loaded from a user-writable path (Temp, AppData, Downloads) · high
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe · high
  • control.exe spawning a shell or making outbound network connections · high
  • A .cpl with a mismatched or double extension · med
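The signals above as runnable triage logic, added here as an example rather than taken from the original page or any vendor tooling. It scores Sysmon-style process-creation and network events (field names Image, CommandLine, ParentImage and EventType are assumed; the event records are constructed, not captured), covers the ADS and double-extension cases from the LOLBAS entries, and also checks the rundll32.exe Control_RunDLL child that control.exe typically uses to load the applet.

```python
"""Triage control.exe telemetry against the anomaly signals listed above.

Added example, not from the original page. Field names follow Sysmon
conventions (Image, CommandLine, ParentImage, EventType); the events at the
bottom are constructed for illustration.
"""
import re

# Directories an unprivileged user can write to; a .cpl here is far more
# likely attacker-supplied than a system applet under System32.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")
# Parents that have no business opening Control Panel items.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
                      "powershell.exe", "pwsh.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Document extensions placed in front of ".cpl" to make the file look harmless.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
SEVERITY = {"high": 2, "med": 1}


def basename(path):
    """Last path component, lower-cased; accepts either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes.
    Unquoted paths containing spaces are split, as the OS itself would."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def inspect_arguments(cmdline):
    """File-based signals for every argument that looks like a path."""
    findings = []
    for arg in tokens(cmdline)[1:]:
        low = arg.lower()
        is_path = "\\" in low or "/" in low
        # A second ':' after the drive letter is an alternate-data-stream target.
        is_ads = low.find(":", 2) != -1
        if is_ads:
            findings.append(("argument targets an alternate data stream: " + arg, "high"))
        if is_path and any(marker in low for marker in USER_WRITABLE):
            findings.append(("file loaded from user-writable path: " + arg, "high"))
        name = basename(arg)
        parts = name.split(".")
        if name.endswith(".cpl") and len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(("double extension: " + name, "med"))
        elif is_path and not is_ads and not name.endswith(".cpl"):
            findings.append(("mismatched extension on applet path: " + name, "med"))
    return findings


def triage(event):
    """Return (verdict, findings) for one process-creation or network event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    findings = []
    if image == "control.exe":
        if event.get("EventType") == "NetworkConnect":
            findings.append(("control.exe made an outbound network connection", "high"))
        else:
            findings += inspect_arguments(cmdline)
            if parent in SUSPICIOUS_PARENTS:
                findings.append(("suspicious parent: " + parent, "high"))
    elif parent == "control.exe":
        if image in SHELLS:
            findings.append(("control.exe spawned a shell: " + image, "high"))
        # control.exe normally hands the applet to rundll32 via Control_RunDLL;
        # the .cpl is loaded there, so the same file checks apply to that child.
        elif image == "rundll32.exe" and "control_rundll" in cmdline.lower():
            findings += inspect_arguments(cmdline)
    level = max((SEVERITY[s] for _, s in findings), default=0)
    return {0: "benign", 1: "suspicious", 2: "malicious"}[level], findings


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe", "CommandLine": "control.exe appwiz.cpl",
     "ParentImage": r"C:\Windows\explorer.exe", "EventType": "ProcessCreate"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Windows\System32\timedate.cpl",',
     "ParentImage": r"C:\Windows\explorer.exe", "EventType": "ProcessCreate"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\bob\Downloads\invoice.pdf.cpl",',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "EventType": "ProcessCreate"},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe C:\Users\bob\AppData\Local\Temp\notes.txt:evil.dll",
     "ParentImage": r"C:\Windows\explorer.exe", "EventType": "ProcessCreate"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\control.exe", "EventType": "ProcessCreate"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\Public\x.cpl"',
     "ParentImage": r"C:\Windows\System32\control.exe", "EventType": "ProcessCreate"},
    {"Image": r"C:\Windows\System32\control.exe", "CommandLine": "",
     "ParentImage": r"C:\Windows\explorer.exe", "EventType": "NetworkConnect"},
]

if __name__ == "__main__":
    for event in EVENTS:
        verdict, findings = triage(event)
        print(verdict, basename(event["Image"]), [f for f, _ in findings])
```

Expected results on the constructed events: the first two (appwiz.cpl and a System32 applet opened from Explorer) are benign; the Downloads-sourced invoice.pdf.cpl launched by Word trips three signals; the ADS target trips the ADS and user-writable signals; and the cmd.exe child, the rundll32 Control_RunDLL load from C:\Users\Public, and the network connection each trip one high signal.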

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
