there are 2 versions on a 64 bit windows 7/10 machine
c:\windows\system32\rundll32.exe <-- this is the 64 bit and should be used with 64 bit dlls
c:\windows\syswow64\rundll32.exe <-- this is the 32 bit and should be used with 32 bit dlls
so if i am analyzing a DLL with an export function such as "update.dll" with function "StartW"
if i open in PEstudio and see that it's a 32 bit DLL then my IDA Debugger -> process options would be
Application: c:\windows\syswow64\rundll32.exe
Input file: [my dll path]
Directory: [my dll folder]
Parameters: [my dll path], [my export function]
I noticed that initially i was trying
Application: c:\windows\system32\rundll32.exe
but rundll32 would just crash and IDA would never hit my breakpoint
but if i changed it to
Application: c:\windows\syswow64\rundll32.exe
then it would hit my breakpoint in IDA
nice!
