I'm currently writing some test code in C++ that messes around with PE files to understand their file format structure. My project is set to compile to 64 bit. In my code I open %SystemRoot%\system32\calc.exe and read the IMAGE_DOS_HEADER and IMAGE_NT_HEADERS structures. At the same time I have the same calc.exe opened in Notepad++ with the hex editor plugin. I compared the values my code reads with Notepad++ and noticed they were different. I copied calc.exe from System32 to C:\Temp\calc.exe, and now the values match.

Notepad++ seems to be a 32 bit application (haven't checked the PE file, but since it's installed to Program Files (x86) by default, it seems to be a safe assumption to make).

Is this WinSxS at work? Or what else is causing this? And which file is actually fed to 32-bit applications opening %SystemRoot%\system32\calc.exe?

Just curious. Thanks in advance for any light shed on this.

Jehjoa

3 Answers

5

Yes, this is the WOW redirector. You'll see that there is a calc.exe in C:\Windows\SysWOW64 as well. That's the file that is opened when you use the %SystemRoot%\System32\calc.exe path.

This can be temporarily disabled to access the 64-bit version of the file with Wow64DisableWow64FsRedirection.

More details can be found at File System Redirector.

Paul Alexander
  • +1 but surely you really mean "temporarily disabled to access the 64-bit version"; the version in SysWOW64 is the 32-bit version – David Heffernan Apr 28 '11 at 17:02
  • You know, I didn't think it was backwards like that. It was my understanding that the 32-bit versions still existed in System32 and redirected to their 64-bit versions in SysWOW64. After re-reading the docs I see you're absolutely right. – Paul Alexander Apr 28 '11 at 17:17
  • It's easy to remember: the 32 bit stuff goes in the place with 64 in the name, and the 64 bit stuff goes in the place with 32. How could that confuse anyone?!! ;-) – David Heffernan Apr 28 '11 at 17:21
  • Thank you, that's it. I know the whole point of wow64 is to seamlessly run 32 bit code on a 64 bit platform, but this just seems... evil. I wonder how many people run 32 bit virus scanners on their 64 bit systems and are convinced there are no viruses in their system32 directory... – Jehjoa Apr 28 '11 at 18:16
  • @Jehjoa I think a sum total of 0 people run 32 bit virus scanners on a 64 bit machine. The developers of virus scanners are not idiots. They won't install a 32 bit scanner onto a 64 bit machine. What's more, virus scanners typically integrate into the kernel and so in order to do so must be 64 bit on a 64 bit system. Yes, WOW64 can be a bit confusing at times but you soon get used to it once you learn the ropes. – David Heffernan Apr 28 '11 at 23:10
2

Disabling WowFs redirection is unnecessary and sometimes is not even an option (for instance, when you are attempting to get Notepad++ to open files in the system32 directory). You can use the virtual directory %windir%\Sysnative instead of %windir%\System32 (you will not see it in Explorer, but you can type it in the address bar).

WOW64 is implemented in three DLLs: wow64.dll, wow64cpu.dll, and wow64win.dll (and 32-bit NTDLL). Redirection (among other things) is implemented in wow64.dll, CPU emulation / helper routines in wow64cpu.dll, and wow64win.dll contains thunks to win32k.sys (the kernel mode driver responsible for the Windows GUI).

subwar
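To make the redirection described in the two answers above visible, here is an added example (not code from the question or either answer): it reads the same IMAGE_DOS_HEADER / IMAGE_NT_HEADERS fields the question's C++ code reads, then reports hash and Machine type for the System32, SysWOW64 and Sysnative paths of calc.exe. Run it once from 64-bit PowerShell and once from the 32-bit one; the assumed 32-bit host path is %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe.

```powershell
# Added example: shows WOW64 file system redirection from a defender's point of view.
# Assumes Windows with WOW64 installed; nothing here is from the original thread.

function Get-PeMachine {
    # Read IMAGE_DOS_HEADER.e_lfanew, then IMAGE_NT_HEADERS.Signature and
    # IMAGE_FILE_HEADER.Machine (offset 4 after the "PE\0\0" signature).
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or [BitConverter]::ToUInt16($bytes, 0) -ne 0x5A4D) {
        throw "$Path is not an MZ executable"
    }
    $lfanew = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($lfanew + 6 -gt $bytes.Length -or [BitConverter]::ToUInt32($bytes, $lfanew) -ne 0x4550) {
        throw "$Path has no PE signature at e_lfanew"
    }
    $machine = [BitConverter]::ToUInt16($bytes, $lfanew + 4)
    switch ($machine) {
        0x014C  { 'I386 (32-bit)' }
        0x8664  { 'AMD64 (64-bit)' }
        0xAA64  { 'ARM64' }
        default { ('0x{0:X4}' -f $machine) }
    }
}

$proc = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit (WOW64)' }
"This PowerShell process is $proc"

$candidates = @(
    "$env:windir\System32\calc.exe",   # redirected to SysWOW64 for 32-bit callers
    "$env:windir\SysWOW64\calc.exe",   # always the 32-bit copy
    "$env:windir\Sysnative\calc.exe"   # alias to the real System32; 32-bit callers only
)
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Sysnative does not exist for 64-bit processes, so this is the expected
        # result there; from a 32-bit process it is the only way to the real System32.
        "{0,-40} not visible from this process" -f $path
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.Substring(0, 16)
    "{0,-40} {1,-16} Machine={2}" -f $path, $hash, (Get-PeMachine $path)
}
```

From the 32-bit host the System32 and SysWOW64 rows show the same hash and Machine value, which is exactly the mismatch the question observed; any 32-bit tool that walks System32 (the scanner case raised in the comments) sees the SysWOW64 copies unless it uses Sysnative or disables redirection.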
1

If I remember well, when a 32-bit app tries to open the system32 directory, it's automatically redirected to the syswow64 dir.

Marco
  • Thanks, you remembered well. :) Up voted, but I tagged Paul's reply as the answer because it's more complete. – Jehjoa Apr 28 '11 at 18:18
  • @Jehjoa: thanks for voting up and you are right: the other is more complete!! :) – Marco Apr 28 '11 at 20:16