mikeytown2

wow6432node in x64 box, RegWrite

14 posts in this topic

I'm using Win XP 64-bit Edition and I can't write to the wow6432node key.

This explains why...

http://support.microsoft.com/default.aspx?...kb;en-us;896459

In short, windoze intercepts the RegWrite command...

So my question is: how would I write to a registry key in

HKEY_LOCAL_MACHINE\Software\WOW6432node

using the RegWrite command?


#2 ·  Posted (edited)

I'm using Win XP 64-bit Edition and I can't write to the wow6432node key.

This explains why...

http://support.microsoft.com/default.aspx?...kb;en-us;896459

In short, windoze intercepts the RegWrite command...

So my question is: how would I write to a registry key in

HKEY_LOCAL_MACHINE\Software\WOW6432node

using the RegWrite command?

<{POST_SNAPBACK}>

The solution is in the article!

When you install a new program or when you run a program on a Windows x64 Edition computer, registry calls made by 64-bit programs access the HKEY_LOCAL_MACHINE\Software registry sub key without redirection. WOW64 intercepts registry calls to HKEY_LOCAL_MACHINE\Software that are made by 32-bit programs, and then redirects them to the HKEY_LOCAL_MACHINE\Software\WOW6432node sub key. By redirecting only the 32-bit program calls, WOW64 makes sure that programs always write to the appropriate registry sub key. Registry redirection does not require program code modification, and this process is transparent to the user.

So, you can't write to HKEY_LOCAL_MACHINE\Software\WOW6432node directly from a 32 Bit application (which AutoIT is). However, you don't have to write to that key directly. If a 32 Bit application writes to HKEY_LOCAL_MACHINE\Software, WOW64 intercepts that call and redirects it to HKEY_LOCAL_MACHINE\Software\WOW6432node. So, just write to HKEY_LOCAL_MACHINE\Software\ and your program will work just fine. Reading is the same!

EDIT: Unfortunately, this also means that you cannot write to the real key HKEY_LOCAL_MACHINE\Software\ with AutoIT unless someone compiles a 64 Bit version for you.

Cheers

Kurt

Edited by /dev/null

__________________________________________________________
(l)user: Hey admin slave, how can I recover my deleted files?
admin: No problem, there is a nice tool. It's called rm, like recovery method. Make sure to call it with the "recover fast" option like this: rm -rf *


So, you can't write to HKEY_LOCAL_MACHINE\Software\WOW6432node from a 32 Bit application (which AutoIT is). However, you don't have to write to that key directly. If a 32 Bit application writes to HKEY_LOCAL_MACHINE\Software, WOW64 intercepts that call and redirects it to HKEY_LOCAL_MACHINE\Software\WOW6432node. So, just write to HKEY_LOCAL_MACHINE\Software\ and your program will work just fine. Reading is the same!

Cheers

Kurt

<{POST_SNAPBACK}>

Sadly this doesn't work.

This is what I have to detect if the program is running on an x64 box. I didn't have this code before and it still wrote the code to HKEY_LOCAL_MACHINE\SOFTWARE\. Now that I have the code, it still writes the code to HKEY_LOCAL_MACHINE\SOFTWARE\ even though I tell it to write to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node

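; Probe for the Wow6432Node key: an empty result is treated as "not x64"
$var = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node", 1)
If $var = "" Then ; not x64
    $regvalue = "HKEY_LOCAL_MACHINE\SOFTWARE\"
Else ; is x64
    $regvalue = "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\"
EndIf
; Key suffix, value name, type and data are left blank in the post
RegWrite($regvalue & "", "", "", "")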

The detect x64 code works. I've run it on the box with the MsgBox displaying $regvalue. It shows it as HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ on 64 bit and HKEY_LOCAL_MACHINE\SOFTWARE\ on 32 bit.

It's a bug with windoze... so for now I have this in my code and it works

; Workaround: unpack a .reg file, import it silently with regedit, then clean up
FileInstall("64.reg", "64.reg")
RunWait(@ComSpec & " /C " & "regedit.exe " & "/s " & "64.reg", "", @SW_HIDE)
FileDelete("64.reg")

Inside the reg file it points to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\


The solution is in the article!

When you install a new program or when you run a program on a Windows x64 Edition computer, registry calls made by 64-bit programs access the HKEY_LOCAL_MACHINE\Software registry sub key without redirection. WOW64 intercepts registry calls to HKEY_LOCAL_MACHINE\Software that are made by 32-bit programs, and then redirects them to the HKEY_LOCAL_MACHINE\Software\WOW6432node sub key. By redirecting only the 32-bit program calls, WOW64 makes sure that programs always write to the appropriate registry sub key. Registry redirection does not require program code modification, and this process is transparent to the user.

So, you can't write to HKEY_LOCAL_MACHINE\Software\WOW6432node directly from a 32 Bit application (which AutoIT is). However, you don't have to write to that key directly. If a 32 Bit application writes to HKEY_LOCAL_MACHINE\Software, WOW64 intercepts that call and redirects it to HKEY_LOCAL_MACHINE\Software\WOW6432node. So, just write to HKEY_LOCAL_MACHINE\Software\ and your program will work just fine. Reading is the same!

EDIT: Unfortunately, this also means that you cannot write to the real key HKEY_LOCAL_MACHINE\Software\ with AutoIT unless someone compiles a 64 Bit version for you.

Cheers

Kurt

<{POST_SNAPBACK}>

On the bright side though, this should give... arg I forget the name, but there was someone that wanted a way to find out if the XP their program was running on was 64bit... seems like that registry node would be a good thing to check for to tell....

1100111 00001011101111 00011101101111 00010111100100 00001111110100 00110111110010 00101101111001 0011100
i didn't make up this form of encryption, but i like it. credit to the lvl 6 challenge on arcanum.co.nz


On the bright side though, this should give... arg I forget the name, but there was someone that wanted a way to find out if the XP their program was running on was 64bit... seems like that registry node would be a good thing to check for to tell....

<{POST_SNAPBACK}>

There is a new macro in the latest beta: @ProcessorArch = "X86" | "IA64" | "X64"

Cheers

Kurt



There is a new macro in the latest beta: @ProcessorArch = "X86" | "IA64" | "X64"

Cheers

Kurt

<{POST_SNAPBACK}>

Oh yeah, forgot about that, it was brought about (at least in part) by the other thread I was talking about...


The solution is in the article!

When you install a new program or when you run a program on a Windows x64 Edition computer, registry calls made by 64-bit programs access the HKEY_LOCAL_MACHINE\Software registry sub key without redirection. WOW64 intercepts registry calls to HKEY_LOCAL_MACHINE\Software that are made by 32-bit programs, and then redirects them to the HKEY_LOCAL_MACHINE\Software\WOW6432node sub key. By redirecting only the 32-bit program calls, WOW64 makes sure that programs always write to the appropriate registry sub key. Registry redirection does not require program code modification, and this process is transparent to the user.

So, you can't write to HKEY_LOCAL_MACHINE\Software\WOW6432node directly from a 32 Bit application (which AutoIT is). However, you don't have to write to that key directly. If a 32 Bit application writes to HKEY_LOCAL_MACHINE\Software, WOW64 intercepts that call and redirects it to HKEY_LOCAL_MACHINE\Software\WOW6432node. So, just write to HKEY_LOCAL_MACHINE\Software\ and your program will work just fine. Reading is the same!

EDIT: Unfortunately, this also means that you cannot write to the real key HKEY_LOCAL_MACHINE\Software\ with AutoIT unless someone compiles a 64 Bit version for you.

Cheers

Kurt

<{POST_SNAPBACK}>

This doesn't appear to be the case with RegRead. When trying to read a 64 bit registry using RegRead I can only access information in HKLM\Software.

Trying to read the registry specifying HKLM\Software will give me what's in HKLM\Software.

Specifying HKLM\Software\wow6432node will return nothing.

Anyone know of a way around this? I really need to be able to read values in the wow6432node key...

Thanks!


Trying to read the registry specifying HKLM\Software will give me what's in HKLM\Software.

<{POST_SNAPBACK}>

Does that return what is expected? Seems to me this is normal for 32bit programs to operate under a 64bit OS?


Does that return what is expected? Seems to me this is normal for 32bit programs to operate under a 64bit OS?

<{POST_SNAPBACK}>

According to what's been stated above, performing both queries should return the same results, since the two registry keys are essentially a mirror of each other.

I may have my signals crossed on how the wow6432node key works, but a 32 bit program should be able to read 32 bit registry entries in the HKLM\software\wow6432node key. Not just the 64 bit entries in the HKLM\software key.


This doesn't appear to be the case with RegRead.  When trying to read a 64 bit registry using RegRead I can only access information in HKLM\Software.

Trying to read the registry specifying HKLM\Software will give me what's in HKLM\Software.

Specifying HKLM\Software\wow6432node will return nothing.

Anyone know of a way around this?  I really need to be able to read values in the wow6432node key...

Thanks!

<{POST_SNAPBACK}>

Idea... what if you export the registry, and then read it in with AutoIt, are the values you need exported and read? Seems like they should be.... Then you could just read it back in with your program and read that data instead of reading direct from the registry.


Registry redirection does not require program code modification, and this process is transparent to the user.

<{POST_SNAPBACK}>

Read and write normally. Is this not the case?

i.e. Forget about wow6432node


Idea... what if you export the registry, and then read it in with AutoIt, are the values you need exported and read? Seems like they should be.... Then you could just read it back in with your program and read that data instead of reading direct from the registry.

<{POST_SNAPBACK}>

That is a good idea, and would probably work if I was working with local systems only, however, I need to be able to verify the registry entries on remote machines as well as local.

Do you know of any way to export remote registry entries? It appears that the reg command only handles local registries. If I can get remote registry entries exported, then this would probably solve my problem...


That is a good idea, and would probably work if I was working with local systems only, however, I need to be able to verify the registry entries on remote machines as well as local.

Do you know of any way to export remote registry entries? It appears that the reg command only handles local registries. If I can get remote registry entries exported, then this would probably solve my problem...

<{POST_SNAPBACK}>

I'm not able to write code for this right now, but I've seen posts on here about running scripts on remote systems, and posts on exporting the registry (one of those is mine). It seems to me that if you can combine the two ideas to make a script that runs on a remote machine and export the registry... When you're exporting the registry, you could have it named with the computer name, and saved to a network share. Then your script could go through all of the exports with a simple FileFindFirstFile -> FileFindNextFile loop. Look on the forums about running scripts on remote computers and exporting the registry (may want to look up the concepts separately) and I'm sure you'll be able to solve your problem. If I get a better block of free time at work today I'll try to write up a quick example, but that's not looking likely right now.


#14 ·  Posted

Is there any way to read or write 64 bit registries from a 32 bit exe?

As my exe should be able to run on both 32 and 64, I have compiled it to 32 bit and it is not accessing the 64 bit hive.
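
For the question in the last post, an added example (not part of the thread and not AutoIt's own sample code): a script that reads the same value from both registry views, which matters for inventory or audit scripts compiled as 32-bit, since they otherwise only see the redirected view. It assumes an AutoIt version whose registry functions accept the HKLM64 hive name and which provides the @OSArch and @AutoItX64 macros; the key and value names are hypothetical placeholders.

```autoit
; Added example: read one value from both registry views in a single run.
; Assumptions: an AutoIt version with HKLM64, @OSArch and @AutoItX64;
; the key and value names below are hypothetical placeholders.
Global Const $g_sSubKey = "ExampleVendor\ExampleApp"
Global Const $g_sValue = "InstallPath"

; Build the full key name that reaches the requested view of HKLM\Software.
Func _SoftwareKey($bWant64, $sSubKey)
    ; 32-bit Windows has a single view and no redirection.
    If @OSArch = "X86" Then Return "HKLM\Software\" & $sSubKey
    ; HKLM64 asks for the 64-bit view, so WOW64 does not redirect the call.
    If $bWant64 Then Return "HKLM64\Software\" & $sSubKey
    ; 32-bit view: a 32-bit process is redirected to it automatically,
    ; a 64-bit process has to name Wow6432Node itself.
    If @AutoItX64 Then Return "HKLM\Software\Wow6432Node\" & $sSubKey
    Return "HKLM\Software\" & $sSubKey
EndFunc   ;==>_SoftwareKey

; Read the value from one view; returns a printable result either way.
Func _ReadView($bWant64, $sSubKey, $sValue)
    Local $sKey = _SoftwareKey($bWant64, $sSubKey)
    Local $vData = RegRead($sKey, $sValue)
    Local $iErr = @error ; capture before any other call resets it
    If $iErr Then Return $sKey & " -> not readable (@error=" & $iErr & ")"
    Return $sKey & " -> " & $vData
EndFunc   ;==>_ReadView

ConsoleWrite("OS arch: " & @OSArch & ", 64-bit AutoIt: " & @AutoItX64 & @CRLF)
ConsoleWrite("64-bit view: " & _ReadView(True, $g_sSubKey, $g_sValue) & @CRLF)
ConsoleWrite("32-bit view: " & _ReadView(False, $g_sSubKey, $g_sValue) & @CRLF)
```

A value that shows up in only one of the two lines exists in only one view, which is the situation the RegRead posts above describe.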