Q: When is System32 not System32?
A: When the question comes from a 32-bit process on a 64-bit version of Windows.
In 32-bit Windows there is just one "System32" folder which contains many native binaries (or hard links), and there is no way to execute 64-bit code on 32-bit Windows.
With 64-bit Windows, however, we have "Windows On Windows 64" (WOW64) which allows 32-bit processes to run through a wrapper, and there are some things to take into account in this scenario:
1. Only 32-bit DLLs can be loaded into 32-bit processes, and only 64-bit DLLs can be loaded into 64-bit processes.
> This is why printer drivers must be native to the OS on which the Print Spooler is running.
2. 32-bit processes expect to work seamlessly on 64-bit Windows, so because of (1) we need to have both 32-bit and 64-bit versions of some binaries.
> This is one of the reasons why x64 Windows' disk footprint is significantly larger than x86 Windows'.
3. In order to facilitate (2) but not break native (x64) processes' behaviour, 32-bit processes get certain I/O redirected without their knowledge.
> This is the symptom which is the subject of this blog entry.
A bit more detail on (3):
- %systemroot%\System32 contains native binaries in all cases - so on x64 Windows these are 64-bit binaries
- %systemroot%\SysWOW64 contains WOW binaries - so on x64 Windows these are 32-bit binaries
- x64 Windows does not support 16-bit processes at all
For 32-bit processes running on x64 Windows:
- %systemroot%\System32 is redirected to %systemroot%\SysWOW64
- HKEY_LOCAL_MACHINE\SOFTWARE is redirected to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node (there are others too, but this is the most obvious one)
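When reading file telemetry from a 32-bit process, the path it asked for is not necessarily the file it got. The following added example (not part of the original post) maps a requested path to the one actually opened. It goes slightly beyond the post by also handling the `Sysnative` alias and the System32 subdirectories Windows exempts from redirection; `effective_path`, `resolve_events`, `tool32.exe` and the default `systemroot` are illustrative assumptions.

```python
import ntpath  # Windows path rules, usable on any analysis host

# System32 subdirectories Windows leaves unredirected (from Microsoft's
# File System Redirector documentation, not from the post above).
EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc", "logfiles", "spool")


def _under(path, directory):
    """Case-insensitive 'path is directory or lies below it'."""
    p, d = path.lower(), directory.lower()
    return p == d or p.startswith(d + "\\")


def effective_path(requested, wow64, systemroot=r"C:\Windows"):
    """Return the on-disk path Windows opens for `requested`.

    wow64: True for a 32-bit process on x64 Windows.
    systemroot: assumed value of %systemroot%; pass the host's real one.
    """
    path = ntpath.normpath(requested)
    if not wow64:
        return path  # native processes are never redirected
    root = ntpath.normpath(systemroot)
    sys32 = ntpath.join(root, "System32")
    sysnative = ntpath.join(root, "Sysnative")
    if _under(path, sysnative):
        # Sysnative: virtual alias giving WOW64 code the native System32
        return sys32 + path[len(sysnative):]
    if _under(path, sys32):
        rest = path[len(sys32):]
        if any(_under(rest.lstrip("\\"), e) for e in EXEMPT):
            return path
        return ntpath.join(root, "SysWOW64") + rest
    return path


# Constructed telemetry: (image name, is WOW64 process, file opened)
SAMPLE_EVENTS = [
    ("cmd.exe", False, r"C:\Windows\System32\notepad.exe"),
    ("cmd.exe", True, r"C:\Windows\system32\notepad.exe"),
    ("tool32.exe", True, r"C:\Windows\Sysnative\notepad.exe"),
    ("tool32.exe", True, r"C:\Windows\System32\drivers\etc\hosts"),
]


def resolve_events(events):
    return [effective_path(p, wow64) for _, wow64, p in events]
```

The model assumes redirection is enabled for the calling thread; a 32-bit process can turn it off with `Wow64DisableWow64FsRedirection`, in which case the requested path is the real one.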
When does this cause problems for a 32-bit process running on x64 Windows?
If it tries to load a DLL or start a process which does not exist in a 32-bit version.
If it tries to recurse through the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node, it can get stuck in an infinite loop.
32-bit processes running on x64 Windows are marked with an asterisk in Task Manager:
To demonstrate how the two different flavours of cmd.exe see System32, here are screenshots from the native version and the 32-bit version respectively, each executing the command "dir %systemroot%\system32" on the same computer. Note how the contents differ: even where there are common file names, the sizes are different, as they are not the same file.