Using WOW64 Redirection

Updated 4/12/13, 4:15 PM by BenKus

Relevance

The following example shows how to use relevance to properly redirect the client inspectors to the equivalent 32-bit or 64-bit application directory in the file system during relevance evaluation. The example checks for the existence of a profile.ps1 file in the PowerShell application directory.

On 64-bit machines: the 64-bit application directory is located at C:\Windows\System32 and the 32-bit application directory is located at C:\Windows\SysWOW64.

If PowerShell is installed as a 32-bit application, the install and configuration files for PowerShell should reside in the C:\Windows\SysWOW64\WindowsPowerShell\v1.0 directory.

If it is installed as a 64-bit application, then the install and configuration files should reside in the C:\Windows\System32\WindowsPowerShell\v1.0 directory.

The following relevance expressions redirect a file or folder to its 32-bit or 64-bit equivalent:

x32 of <file>

x32 of <folder>

x64 of <file>

x64 of <folder>

The following cases show the expected relevance results for a variety of relevance statements when the profile.ps1 file lives in the 32 bit directory versus the 64 bit directory:



Case 1: The profile.ps1 file lives in the C:\Windows\System32\WindowsPowerShell\v1.0 directory (and not in C:\Windows\SysWOW64\WindowsPowerShell\v1.0). The relevance statements evaluate as follows:

Q: exists file "profile.ps1" of x32 folder "C:\Windows\System32\WindowsPowerShell\v1.0"
A: False

Q: exists x32 file "C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"
A: False

Q: exists file "profile.ps1" of x32 folder "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
A: False

Q: exists x32 file "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1"
A: False

Q: exists file "profile.ps1" of x64 folder "C:\Windows\System32\WindowsPowerShell\v1.0"
A: True

Q: exists x64 file "C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"
A: True

Q: exists file "profile.ps1" of x64 folder "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
A: False

Q: exists x64 file "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1"
A: False







Case 2: The profile.ps1 file lives in the C:\Windows\SysWOW64\WindowsPowerShell\v1.0 directory (and not in C:\Windows\System32\WindowsPowerShell\v1.0). The relevance statements evaluate as follows:

Q: exists file "profile.ps1" of x32 folder "C:\Windows\System32\WindowsPowerShell\v1.0"
A: True

Q: exists x32 file "C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"
A: True

Q: exists file "profile.ps1" of x32 folder "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
A: True

Q: exists x32 file "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1"
A: True

Q: exists file "profile.ps1" of x64 folder "C:\Windows\System32\WindowsPowerShell\v1.0"
A: False

Q: exists x64 file "C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1"
A: False

Q: exists file "profile.ps1" of x64 folder "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"
A: True

Q: exists x64 file "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1"
A: True
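As an added illustration (not part of the original page or of the BigFix client), here is a small Python model of the redirection rule the two cases above exercise: the x32 view maps C:\Windows\System32 onto C:\Windows\SysWOW64 and leaves SysWOW64 paths alone, while the x64 view examines paths literally. The directory constants and the two machine states are constructed for the model; running it reproduces both cases' truth tables, including the false negatives a 32-bit view returns for a file that only exists under System32.

```python
from __future__ import annotations
import ntpath

# The two system directories the page discusses (constructed constants for this model).
SYSTEM32 = r"C:\Windows\System32"
SYSWOW64 = r"C:\Windows\SysWOW64"


def redirect(path: str, view: str) -> str:
    r"""Return the path the inspector actually examines for a given view.

    "x32": the 32-bit view; WOW64 redirects C:\Windows\System32\... to
           C:\Windows\SysWOW64\... and leaves SysWOW64 paths alone.
    "x64": the native 64-bit view; nothing is redirected.
    Prefix matching is case-insensitive, as Windows path lookups are.
    """
    if view == "x64":
        return path
    if view != "x32":
        raise ValueError(f"unknown view {view!r}")
    prefix = SYSTEM32 + "\\"
    if path.lower().startswith(prefix.lower()):
        return SYSWOW64 + "\\" + path[len(prefix):]
    return path


def exists_file(path: str, view: str, present: set[str]) -> bool:
    """Model of `exists x32 file "<path>"` / `exists x64 file "<path>"`.
    `present` holds the full paths of the files that really exist on the machine."""
    target = redirect(path, view).lower()
    return any(target == p.lower() for p in present)


def exists_file_of_folder(name: str, folder: str, view: str, present: set[str]) -> bool:
    """Model of `exists file "<name>" of x32 folder "<folder>"` (or x64 folder)."""
    return exists_file(ntpath.join(folder, name), view, present)


# Constructed machine states matching the page's two cases.
PS_DIR_64 = SYSTEM32 + r"\WindowsPowerShell\v1.0"
PS_DIR_32 = SYSWOW64 + r"\WindowsPowerShell\v1.0"
CASE1 = {PS_DIR_64 + r"\profile.ps1"}  # profile.ps1 only in the 64-bit directory
CASE2 = {PS_DIR_32 + r"\profile.ps1"}  # profile.ps1 only in the 32-bit directory


def truth_table(present: set[str]) -> dict[tuple[str, str], bool]:
    """Evaluate the four `exists file "profile.ps1" of <view> folder "<dir>"` statements
    of one case (the `exists <view> file "<path>"` forms give the same results)."""
    return {(view, folder): exists_file_of_folder("profile.ps1", folder, view, present)
            for view in ("x32", "x64") for folder in (PS_DIR_64, PS_DIR_32)}
```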

 

Actions

 

The agent operates in a 32-bit context when running actions unless you specify otherwise. This means that the paths to your files are automatically translated by Windows into their 32-bit file path equivalents. This behavior is provided for backward compatibility with 32-bit systems.

If you want the agent to run actions without WOW64 redirection, use the command "action uses wow64 redirection false", which disables the redirection for the commands that follow it.



 

Syntax:

action uses wow64 redirection <true|false>

 

This command will change the behavior of the following action commands:

 

dos

run, wait (and their variants such as waithidden)

delete, copy, move, open

 

Simple Example:

// runs the 32-bit version of notepad.exe from the system path (the default, redirected view)
run notepad.exe

// on a 64-bit operating system, disables redirection and runs the 64-bit version of notepad.exe from the system path
action uses wow64 redirection {not x64 of operating system}
run notepad.exe