Shell32.dll, #44 lolbin
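The shell32.dll library exports the function Control_RunDLLNoFallback (ordinal 44), which can be used to run CPL files. The function is called through rundll32.exe to launch a CPL file. This technique has been used by malware such as RaspberryRobin. 2025-5-18 00:51:30 Author: www.hexacorn.com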

There is a well-known shell32.dll lolbas that relies on a function called Control_RunDLL. BUT, there is one more. The shell32.dll library exports a function called Control_RunDLLNoFallback under ordinal #44.

We can use it to launch CPL files using the syntax below:

"C:\windows\SysWOW64\rundll32.exe" "C:\windows\SysWOW64\shell32.dll",#44 "<localpath>.cpl"

I didn’t discover this technique – it was observed being used by various malware families including RaspberryRobin.
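
One way to flag the command line above in process-creation logs, added here as an example and not code from the original post. The function names and sample lines are constructed, and matching the export by name as well as by ordinal is an assumption about how it may appear in logs.

```python
import re

# rundll32 host, then shell32 (with or without path, extension or quotes),
# then the entry point. A comma and/or whitespace is tolerated as separator.
# Assumption: the export may be referenced by name as well as by ordinal #44.
_LOLBIN = re.compile(
    r'rundll32(?:\.exe)?"?\s+'
    r'"?(?:[^",]*[\\/])?shell32(?:\.dll)?"?'
    r'\s*[,\s]\s*'
    r'(?P<entry>#44\b|Control_RunDLLNoFallback\b)'
    r'\s*(?P<rest>.*)$',
    re.IGNORECASE,
)


def match_shell32_ordinal44(command_line):
    """Return details when a command line uses shell32.dll,#44, else None."""
    m = _LOLBIN.search(command_line.strip())
    if not m:
        return None
    target = m.group("rest").strip().strip('"')
    return {
        "entry": m.group("entry"),
        "target": target,
        "is_cpl": target.lower().endswith(".cpl"),
    }


# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r'"C:\windows\SysWOW64\rundll32.exe" "C:\windows\SysWOW64\shell32.dll",#44 "C:\Users\Public\example.cpl"',
    r'rundll32 SHELL32.DLL,#44 C:\Temp\example.CPL',
    r'rundll32.exe shell32.dll,Control_RunDLLNoFallback "C:\Temp\example.cpl"',
    r'rundll32.exe shell32.dll,Control_RunDLL timedate.cpl',  # well-known variant, not #44
    r'rundll32.exe shell32.dll,#445 x.cpl',                   # different ordinal
]


def scan(lines):
    """Return (line, details) pairs for the lines that match."""
    pairs = ((line, match_shell32_ordinal44(line)) for line in lines)
    return [(line, d) for line, d in pairs if d]


if __name__ == "__main__":
    for line, d in scan(SAMPLES):
        print(d["entry"], "->", d["target"], "(cpl)" if d["is_cpl"] else "")
```

The same match can be expressed as a command-line condition in an EDR or SIEM query; the `is_cpl` field helps separate CPL launches from other arguments passed to the same entry point.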


Source: https://www.hexacorn.com/blog/2025/05/18/shell32-dll-44-lolbin/