windows x64 file/registry redirection

December 7, 2009 - Programming

When first encountering a x64 based system running windows, one of the first questions posed is often, “what is C:\program files (x86)?” The simple response is that it is the equivalent of Program files on 32-bit systems; that is, 32-bit program files are installed there. This is true; but this is far from the only difference between the two systems and their file systems.

There is, however, further redirection within both other folders as well as The registry.

For example, the “real” %systemroot%\system32 folder actually stores the x64 system files; the 32-bit files are stored in %systemroot%\syswow64. However, when a 32-bit application access this system32, Windows automatically redirects all requests to the syswow64 folder, so accessing, say, “C:\windows\system32\file.txt” is actually accessing C:\windows\syswow64\file.txt. This includes any file operation at all. creation, editing, etc. there are a few folders exempt from this redirection- that is, they are not redirected. these folders include %windir%\system32\catroot,windir%\system32\catroot2,%windir%\system32\driversstore (this folder is redirected on all pre-windows 7 systems),%windir%\system32\drivers\etc,%windir%\system32\logfiles,%windir%\system32\spool. There are a few other features, for example, running “C:\windows\regedit.exe” from a 32-bit program will in fact run the program from C:\windows\syswow64\regedit.exe.

An additional feature is that a 32-bit program can access the 64-bit folder, Vista adds a “sysnative” alias folder in the windows folder, by accessing C:\windows\sysnative instead of C:\windows\system32, one gains access to the real C:\windows\system32 folder rather then being redirected to C:\windows\syswow64. The caveat of this feature is that most programs have validations before they accept a filename; since sysnative is not an actual folder but rather an alias used by the redirector, many validations (including the standard Open/Save dialog) can fail, meaning that one cannot “force” the access to a specific file. the main purpose is for use by the application for various reasons, not so users can access files within the folder from 32-bit applications.

The registry posesses redirection as well; the HKEY_LOCAL_MACHINE hive on x64 systems contains a key called “Wow6432node”, when a 32-bit program accesses, for example, “HKEY_LOCAL_MACHINE\Software\company\app”, they are in fact accessing “HKEY_LOCAL_MACHINE\Wow6432node\company\app”- basically, it separates 32-bit machine-specific data from 64-bit data. The only caveat is that, unlike the file system redirections, registry accesses are “mirrored” across the two; for example, COM classes are stored in HKEY_LOCAL_MACHINE\software\classes. when either HKEY_LOCAL_MACHINE\software\classes or HKEY_LOCAL_MACHINE\wow6432node\classes are have keys within changed, the change is reflected to the other location.

Additionally, certain 32-bit compiled applications can be given special treatment; if the image file (exe,dll, ocx) has the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set, wow64 (the windows 32 on windows 64 emulation layer) gives it a 4GB user-mode address space, whereas with a 32-bit system it would be given a 2GB user mode address space. the flag is required, rather then being the default behaviour, because such large addresses may not have been expected when the program was written; therefore, by adding the compiler flag, you are telling windows “yes, I understand and am able to deal with the larger address space in my program”. It doesn’t actually do anything to the program itself, just changes how windows deals it memory.

another special-case is with regard to program installers for some older 32-bit programs. Many such programs used a stub 16-bit windows 3.1 program to determine the windows version, and then, launch the 32-bit installer if possible. Since 64-bit windows cannot run 16-bit applications, Microsoft decided to hack about a little fix; the followint 16-bit installer technologies have 64-bit equivalents that will be launched instead:

  • Microsoft Setup for Windows 1.2
  • Microsoft Setup for Windows 2.6
  • Microsoft Setup for Windows 3.0
  • Microsoft Setup for Windows 3.01
  • InstallShield 5.x

the list of such redirections can be found in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NtVdm64, the 64-bit equivalents are found in Syswow64.

For the most part, these changes make using a 64-bit operating system nearly indistiguishable from using it’s 32-bit equivalent; windows itself bears the brunt of the change, and the application developers pick up a little of the tail-end of it.

Have something to say about this post? Comment!

One thought on “windows x64 file/registry redirection


Excellent info ! !

Thanx again.

Comments are closed.