When you run winver it calls the shell32.dll!ShellAbout function to display the following dialog box:

It turns out the ShellAbout function’s declaration makes it a potential target for calling it from rundll32.exe, even if its prototype doesn’t follow the rundll32 calling protocol.

The function accepts the following parameters:

INT ShellAboutA(
  [in, optional] HWND   hWnd,
  [in]           LPCSTR szApp,
  [in, optional] LPCSTR szOtherStuff,
  [in, optional] HICON  hIcon
);

and the rundll32 callback is declared as:

RunDll32EntryPoint(
HWND hwnd, 
HINSTANCE hinst, 
LPSTR lpszCmdLine, 
int nCmdShow
);

In other words, the mapping of the function arguments looks like this:

HWND   hWnd -> HWND hwnd
LPCSTR szApp -> HINSTANCE hinst
LPCSTR szOtherStuff -> lpszCmdLine
HICON  hIcon -> nCmdShow

So, by calling:

rundll32.exe shell32.dll, ShellAbout Visit http://extend-windows-license-by-10-years-for-free.com now!

we fill-in the following bit:

LPCSTR szOtherStuff -> lpszCmdLine

with a string provided via a command line.

And as the API documentation describes, this parameter is:

A pointer to a null-terminated string that contains text to be displayed in the dialog box after the version and copyright information. This parameter can be NULL.

Thanks to that coincidence, the result of our rundl32 invocation is the following dialog box:

If you paid attention, you probably noticed that the title of the dialog box got corrupted:

but that’s a side-effect of szApp parameter getting some random value from the stack/rdx register (if you follow the calling conventions of x86/x64).

Rest assured that this is not a security risk, but just yet another example of using Windows API in a slightly unorthodox way, similar to this example I posted about a few years back…