|WOW64 - A Comprehensive Reference|
|Written by Darwin Sanoy|
|Monday, November 18, 2013 3:34pm|
%systemdrive%\Program Files (x86)
Location where 32-bit software is *supposed* to be installed to. This is not a hard rule that requires all 32-bit binaries are installed here, so you may find 32-bit binaries in “%systemdrive%\Program Files”
Location where 32-bit Windows Operating System binaries reside.
Folder alias which exists only in a WOW64 32-bit process[defn]. Allows 32-bit processes to activate 64-bit OS EXEs. Sysnative is an in-process redirection done by the WOW64 layer - so there is no evidence of the existence of this phantom folder anywhere on disk.
System profile folder for 64-bit processes and registry files for BOTH process bitnesses.
System profile for 32-bit processes (registry files are always sourced from 64-bit systemprofile folder even for 32-bit registry).
Assemblies compiled to run as 32-bit only.
Assemblies compiled to run as 64-bit only.
Assemblies compiled to run in the highest bitness available on the platform. MSIL stands for Microsoft Intermediary Language. Similar to scripting languages, assemblies compiled this way will run with whatever bitness runtime engine is available. These types of assemblies can be forced to run as 32-bit by editing the binary (EXE or DLL) with an EXE Editor and changing the appropriate flag (Covered in Lab manual).
32-bit .NET Runtime Engine. Also 32-bit registration utilities like installutil.exe and regsrvcs.exe should be pathed to this folder when a MSIL .NET assembly needs to configured to run as a 32-bit service, MMC snap-in, etc.
64-bit .NET Runtime Engine. Also 64-bit registration utilities like installutil.exe and regsrvcs.exe should be pathed to this folder when a MSIL .NET assembly needs to configured to run as a 64-bit service or MMC snap-in.
UAC virtualization stores files here for 32-bit processes that attempt to write to secure system locations with standard user permissions. This folder may include files virtualized from SysWOW64 (“System32” folder for 32-bit), System32 (64-bit aware 32-bit EXEs can disable redirection and so may virtualize), Program Files (x86) (32-bit Program Files), Program Files (32-bit software may reside in and try to write to the 64-bit Program Files folder).
Present in 32 and 64-bit processes, indicates BITNESS SPECIFIC Program Files folder. Default value on 64-bit PROCESS: “C:\Program Files”, Default value on WOW64 32-bit PROCESS: “C:\Program Files (x86)”, Default value on 32-bit OS: “C:\Program Files”
Present in 32 and 64-bit processes, indicates 32-bit Program Files folder. Default value on 32-bit WOW64 and 64-bit PROCESSES: “C:\Program Files (x86)”, Default value on 32-bit OS: Does not exist.
%ProgramW6432% (Win7 / Server 2008 R2 and later)
Present in 32 and 64-bit processes, indicates 64-bit Program Files folder. Default value on 64-bit OS: “C:\Program Files”, Default value on 32-bit OS: Does not exist.
%CommonProgramW6432% (Win7 / Server 2008 R2 and later)
Present in 32 and 64-bit processes, indicates 32-bit Common Program Files folder. Default value on 64-bit OS: “C:\Program Files\Common Files”, Default value on 32-bit OS: Does not exist.
Present in 32 and 64-bit OSes and Processes. Indicates PROCESS bitness. Default value on 32-bit PROCESS (on both OS bitnesses) “x86”, Default on 64-bit process: “AMD64”
%PROCESSOR_ARCHITEW6432% (Win7 and later)
Present ONLY in WOW64 32-bit processes (on 64-bit OS), if present indicates a WOW 32-bit process (32-bit process on 64-bit Windows). Set to same values as %PROCESS_ARCHITECTURE% Checking for a value in %ProgramFiles(x86)% works for 64-bit XP, 64-bit Vista and Windows 7.
Machine based software configuration keys. Writes to this location with standard user rights can also be subject to UAC Data Redirection on 64-bit.
HKLM\Software\Wow6432Node\Classes\CLSID, …\Interface, …\Typelib
32-bit redirection of Com Registrations. These may also be read by 32-bit software that skips CoCreateInstance and looks up this data directly.
UAC virtualization stores registry values here for 32-bit processes that attempt to write to secure system locations with standard user permissions. This folder may include values virtualized from wow6432node sub-keys (redirected registry) – especially HKLM\Software\wow6432node.
The following commands existing in both %windir%\System32 (64-bit) and %windir%\SysWOW64 (32-bit).
Default Execution by WINDOWS - by virtual of the default path and that Windows Explorer is 64-bit, the 64-bit version of each command is the default execution.
CAUTION: If anything OTHER THAN the Windows environment (Explorer, Group Policy, etc) is responsible for initiating an operating system command EXE, the bitness of the calling process will dictate the bitness of the called EXE. For example, if your software distribution system runs as a 32-bit service, unpathed calls to these EXEs results in 32-bit execution because the 32-bit service is automatically redirected to the 32-bit windows folder SysWOW64.
Forcing 32-bit Execution from 64-bit Processes - when the path to the 32-bit version in %windir%\SysWOW64 is fully specified, the 32-bit version is used and is subject to WOW64 redirections.
Bitness Auto Adaptive in the below list this label indicates that the 32 or 64-bit EXE may do something special in regard to bitness. For instance the 64-bit version of an EXE may forward your request to the 32-bit version or the 32-bit version may always push you to the 64-bit EXE – essentially disabling 32-bit execution of that particular command.
Single Instance Only in the below list this label indicates that only one instance of either the 32 or 64-bit EXE is allowed to be loaded interactively at one time. So if the 64-bit version is already in memory, an attempt to load the 32-bit version will simply present the existing 64-bit version. This *usually* does not affect command line use of the tool (e.g. regedit.exe).
Forcing 64-bit Execution from 32-bit Processes - If the 64-bit version of a command must be initiated from a 32-bit process, this can be done by fully pathing the command at %windir%\sysnative Sysnative is not a folder on the system but an inprocess re-direct. It is only active for WOW64 processes (32-bit processes running on 64-bit Windows).
cmd.exe consoles and script (.BAT & .CMD)
Forcing bitness execution for command prompts and shell scripting (.BAT/.CMD). For 32-bit forced execution, any command called in the shell prompt or shell script will also be 32-bit – ensuring that 32-bit redirections are done when they are preferred (e.g. importing 32-bit software registry keys, configuring 32-bit ODBC drivers). An easy way to ensure 32-bit versions of any other console commands are used is to start a 32-bit cmd.exe shell prompt. Any unpathed calls to System32 EXEs result in starting the 32-bit version.
Windows Script Host Engines (VBScript and Jscript)
32-bit execution of VBScript (.VBS) or Jscript (.JS). Any function calls (e.g. registry manipulation) or objects created in the script will also be 32-bit – ensuring that 32-bit redirections are done when they are preferred (e.g. importing 32-bit software registry keys). Any unpathed calls to System32 EXEs result in starting the 32-bit version.
32-bit execution of the powershell prompt and scripts (.PS1). Any function calls (e.g. registry manipulation) or objects created in the script will also be 32-bit – ensuring that 32-bit redirections are done when they are preferred (e.g. importing 32-bit software registry keys). Any unpathed calls to System32 EXEs result in starting the 32-bit version.
Registering DLLs with Regsvr32.exe (Bitness Auto Adaptive)
64-bit regsrv32.exe is smart enough to notice if you are trying to register a 32-bit DLL and will call 32-bit regsrv32.exe if you do so. However, 32-bit DLLs that are manually copied to the Windows folder and registered will generate an error that the DLL cannot be found even though it is plainly in the folder. This is because when 64-bit regsrv32.exe calls 32-bit regsrv32.exe – the 32-bit version is subject to WOW64 redirections and when it attempts to access the real “system32” folder it is redirected to %windir%\SysWOW64 where the DLL DOES NOT EXIST. If 32-bit DLLs are normally put in “System32” they must be put in “SysWOW64” on Windows 64-bit.
Setting up ODBC with odbcad32.exe (Bitness Aware, Single Instance Only)
In Windows 7 (Server 2008) and 8 (Server 2012): 32-bit ODBCAD32.exe must be explicitly executed in order to configure data sources. Unfortunately both 32 and 64-bit odbcad32.exe display all User DSNs (“User DSN” tab) regardless of their bitness. Many legacy drivers such as access, excel, paradox, dbase, oracle and text files (txt / csv) are only available as a 32-bit driver.
Up through Windows 7/Server 2012 odbcad32.exe does not have an indicator of which bitness the DSN is from. In Windows 7 odbcad32.exe only allows a single instance to run at a time – so make sure you exit any existing instances before attempting to start an instance of the other.
In Windows 8 / Server 2012 and later odbcad32.exe contains a bitness column which displays the bitness of the DSN. This is also helpful with dual-bitness DSNs. 32-bit DSNs can be seen in 64-bit odbcad32.exe, but they must be added, updated and deleted from the 32-bit utility. 32-bit odbcad32.exe can also display dual-bitness. In Windows 8 / Server 2012 and later the 32 and 64-bit editions of odbcad32.exe can run simultaneously – which makes comparing contents much easier.
Registry Access with reg.exe (Bitness Switch)
Enable read and write access of the registry from shell scripts. Both the 32 and 64-bt version of reg.exe support the “/REG:” switch to force which registry bitness is used for the operation. This bitness switch works for local and remote machines. “/REG:32” (no quotes) ensures 32-bit access and “/REG:32” (no quotes) ensures 64-bit access. However, the more consistent way to force registry bitness is to simply call the correct desired bitness edition – since this is what must be done for most other system utilities, it keeps things consistent.
View and Edit Text Files with Notepad.exe (Bitness Auto Adaptive)
Notepad.exe has typically resided in %windir%. The copy in %windir% is the 64-bit version. There is now also a 64-bit version in %windir%\System32 and a 32-bit version in %windir%\SysWOW64.
Registry access with regedit.exe (Single Instance Only)
Regedit.exe in %windir% is 64-bit. regedit.exe also has a 32-bit version in %windir%\sysWOW64. Regedit.exe only allows one instance to run – so make sure you exit any existing instances before attempting to start an instance of the other bitness.
explorer.exe (Windows Explorer) – explorer.exe in %windir% is the 64-bit version and a 32-bit version is present in %windir%\sysWOW64. explorer.exe running instances are managed so that only one instance is allowed – attempts to execute additional instances of explorer result in opening a new window in the already running instance. Explorer.exe execution is managed even further – even if the 64-bit version is terminated and the 32-bit edition is started, the 32-bit edition simply starts 64-bit explorer.exe and exits. The end result is even though 32-bit explorer.exe is present, it cannot be started on 64-bit Windows.
mmc.exe (Microsoft Management Console) – MMC.exe execution is managed to start the correct bitness edition by a rather elaborate algorithm (e.g. if all snap-ins are 64-bit, start in 64-bit, if at least one snap-in is 32-bit, start in 32-bit mode). If the 32-bit version of MMC is launched directly (%windir%\sysWOW64\mmc.exe) without a console file specified (.MSC) it will start 64-bit MMC and exit. If the internal algorithm in mmc.exe fails to correctly detect the proper bitness edition to startup, the bitness can be forced using the “/32” or “/64” switches.
mstsc.exe (RDP Client) – the RDP client always starts the 64-bit edition. If the 32-bit version is launched directly (%windir%\sysWOW64\mstsc.exe) it simply starts the 64-bit version and exits.
.NET utilities perform various installation and configuration tasks on NET assemblies. They differ in two key ways from the SysWOW64 and System32 folders. 1) The folder for these utilities is not on the system path, so there is no default execution from the command line, and 2) The legacy location stays 32-bit and a new location is used for 64-bit. The 32-bit utilities are in “%windir%\Microsoft.net\Framework\<dotnetversion>” and 64-bit utilities are in “%windir%\Microsoft.net\Framework64\<dotnetversion>”
Assemblies which are compiled as “MSIL” or Microsoft Intermediate Language, can run as either 32 or 64-bit. In cases where an MSIL assembly must be configured on the client (e.g. to run as a service), the bitness of the configuration utility will dictate the MSIL assembly bitness when it runs.
Installing Assemblies with InstallUtil.exe
Runs the install routines for an assembly. If an assembly’s install routines will configure it as service, installutil.exe will set it up as such. The bitness of installutil.exe will determine whether the bitness of an MSIL EXE runs as a 32 or 64-bit service.
Registering Assemblies as Services with Regsvcs.exe
Setup an assembly as a service, regardless of install routines.
Registering Assemblies as COM Interops with Regasm.exe
Used to register an assembly as a COM Interop Object[defn].
Registering Assemblies as COM Interops with Caspol.exe
Configure .NET Code Security.
Registering Assemblies as COM Interops with AddinUtil.exe
Used to configure an assembly as an MS Office Add-in. Bitness of the utility called must match the bitness edition of office. If the assembly is not MSIL, it will also need to match the bitness of office.
Windows Installer Properties and Constants
"Template Summary" property in summary information stream
set to "x64" indicates that 64-bit installation operations should be enabled. Each desired operation must ALSO be opted into using the below properties and bit flags. Setting "x64" blocks the package from running on 32-bit Windows. Setting the Template Summary property to x64 indicates that the Application Software in the MSI package requires 64-bit installation operations. It is NOT necessary and should not be used to indicate that the package is "allowed to run on 64-bit" when it only contains 32-bit software. MSI packages installing pure 32-bit software (even if designed to also run on 64-bit) should keep this setting on the 32-bit value "Intel". 32-bit MSI packages still have all the below properties set - so they can still detect 64-bit Windows support custom installation logic when installed on 64-bit Windows.
is pointed to “C:\Program Files (x86)” (32-bit Program Files folder) for both 32 and 64-bit MSIs.
is pointed to “C:\Program Files” (64-bit Program Files folder) for both 32 and 64-bit MSIs.
is pointed to “%windir%\SysWOW64” (32-bit System32 folder) for both 32 and 64-bit MSIs.
is pointed to “%windir%\System32" for both 32 and 64-bit MSIs.
is pointed to “C:\Program Files (x86)\Common Files” (32-bit Common Files) for both 32 and 64-bit MSIs.
is pointed to “C:\Program Files\Common Files” (64-bit Common Files) for both 32 and 64-bit MSIs.
msidbComponentAttributes64bit constant (value=256)
added to the Attributes column of the Component table for a component causes the component to be treated as 64-bit. All registry operations (Registry, Class, Typelib linked tables) are done to the 64-bit registry. Components without this attribute are redirected to 32-bit locations.
msidbLocatorType64bit constant (value=16)
added to the Attributes column in the RegLocator table for a row will do the lookup in the 64-bit registry. Without this value the locator table row will be subject to 32-bit registry redirection.
added to the Type column of the Custom Action table for the custom action for scripted custom action will execute the custom action with the 64-bit scripting engine. Without this value the custom action will run as 32-bit (due to being subject to 32-bit SysWOW64 redirection.
if this property exists with any value then the MSI is running on 64-bit Windows. Set to the full kernel version without build number. For example “601” indicates Windows 7 and “600” indicates Vista. The legacy property for the Windows version on 32-bit ([VersionNT]) still exists on 64-bit for backward compatibility.
if this property exists with any value then the MSI is running on 64-bit Windows. It is set to the same value as %PROCESSOR_LEVEL%. It is another generic way to check for ANY type of 64-bit Windows running on any processor type. [MsiAMD64] will also be set to %PROCESSOR_LEVEL% on 64-bit Windows running on Intel or AMD 64-bit processors. [Intel64] will be set to %PROCESSOR_LEVEL% on 64-bit Windows running on Itanium processors.
disables file system redirection for the calling thread.
restores file system redirection for the calling thread.