-1

OS: Windows 10 LTSB (64bit)

Currently I'm working on whitelist program.

here is my question.

  • I have notepad.exe in c:\Windows\System32\notepad.exe

  • its hash value would be [9cd1c3d00ae15068...74a]

  • I have another notepad in c:\Windows\WinSxS\amd64...

  • its hash value would be [da0acee8f60a460...10a]

so basically they are different programs in point of my whitelist. But anyway, I added both of them into my whitelist.

I tried to edit a batch file, which triggered notepad.exe to be executed. But my whitelist program blocks notepad.exe to be executed because the notepad.exe was from c:\windows\system32\notepad.exe but had hash value of [da0acee8f60a460...10a].

But if I check the hash value of notepad.exe in System32 again, it's same as before, which is [9cd1c3d00ae15068...74a].

it seems like that notepad.exe from winSxS had been copied to system32 when it's triggered. Is this how it works for system programs?

by the way, it did not happen for windows7 in 32bit

Pandol
  • 39
  • 1
  • 1
  • 4

1 Answers1

0

I found out that it's not the WinSxS files which make this confusion. It was sysWow64.

basically, windows10 provide sysWow64 directory to emulate 64bit programs as 32bit. windows10 automatically redirect the access to system32 to sysWow64.

So when I was calculating the hash value for notepad.exe in System32, OS automatically redirect me to notepad.exe in sysWow64. Therefore, The hash value in my list records [9cd1c3d00ae15068...74a] but the real hash value of this was [da0acee8f60a460...10a]

Hope this might help for anyone who face similar trouble.

Pandol
  • 39
  • 1
  • 1
  • 4