System32 File System Redirection in 64-bit Systems

Source: Internet
Author: User

Preface

By chance, we needed to access the contents of the "C:/Windows/system32" folder in the system directory. The test machine had 64-bit Windows pre-installed, and when the program ran, it reported that the file path did not exist! Information on the Internet shows that in a 64-bit system the System32 folder (and Program Files as well) is dynamically redirected. To demonstrate the problem directly, we write a small test program to verify it.

 

Instance verification

First, pick any file and copy it into the System32 folder in the system directory. This article uses the QQ startup program for verification (mainly because QQ's built-in penguin icon is easy to recognize, haha), as shown in Figure 1.

Figure 1 manually copy QQ to the System32 folder

Write the test program and run it directly (it calls the Windows API PathFileExists to determine whether the file exists):

/***********************************************************************
 * File:   verify that
 * Author: huagang li
 * Date:   01:22:55
 * Tips:   an EXE in System32 and Program Files cannot be found directly
 *         through the API on 64-bit machines: in a 64-bit system, a
 *         System32 folder redirection mechanism exists
 ***********************************************************************/
#include <windows.h>
#include <cstdlib>
#include <string>
#include <tchar.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib") // required to link PathFileExists

int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance,
                   _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
    std::wstring strFile = L"C:\\Windows\\System32\\QQProtect.exe";

    // Use the wide-character variant explicitly because strFile is a std::wstring
    if (::PathFileExistsW(strFile.c_str()))
    {
        ::MessageBox(NULL, _T("file exists"), _T("good"), MB_OK);
    }
    else
    {
        ::MessageBox(NULL, _T("file does not exist"), _T("OPPs"), MB_OK);
    }
    return EXIT_SUCCESS;
}

The result is shown in Figure 2:

Figure 2 The file does not exist??

The result above shows that when the Windows API is called to check whether the QQ file exists, the system gives an unbelievable answer: the file does not exist! Yet the file really was copied to this directory. To explain this strange behavior, we have to start with file system redirection. When Microsoft developed the 64-bit system, it had to re-implement, for the sake of forward compatibility, the files that a 32-bit system requires (the DLLs and EXEs in the System32 folder). These new versions are built for 64-bit systems, so storing them in a folder called System32 makes the name a misnomer. To preserve forward compatibility, however, the dependent files still have to be stored in this directory. To resolve this conflict, Microsoft adopted a file system redirection mechanism: in a 64-bit system, the files in the System32 folder are actually redirected to the Sysnative folder (note that this folder cannot be found directly). In this way, the 64-bit libraries and applications of a 64-bit system can be stored in the System32 folder (because it has been redirected to Sysnative), while 32-bit libraries and applications are stored in another folder named SysWOW64. The relationship is as follows:

The \Windows\SysWOW64 folder stores 32-bit libraries and applications (WOW64 = Windows on Windows 64-bit)

The \Windows\System32 folder stores 64-bit libraries and applications

To verify file system redirection, change the test path in the program above:

std::wstring strFile = L"C:\\Windows\\SysNative\\QQProtect.exe";

The test result is shown in Figure 3:

Figure 3 Result after changing the path to Sysnative

The result above shows that to access files in the System32 directory on a 64-bit system, you can change the access path to Sysnative. However, because the Sysnative folder cannot be opened in Windows Explorer (as shown in Figure 4), the renamed path is confusing to most people.

Figure 4 Windows Explorer cannot access the Sysnative folder
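The Sysnative alias exists only for a 32-bit process running on 64-bit Windows, so a hard-coded Sysnative path fails in a 64-bit build or on a 32-bit system. The following is an added example, not code from the original article: it rewrites a System32 path to Sysnative only when the process is under WOW64. The function names and the winDir parameter are assumptions made for illustration.

```cpp
// Added example, not from the original article; names are hypothetical.
#include <cwchar>
#include <cwctype>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// True for a 32-bit process running on 64-bit Windows (WOW64).
bool runningUnderWow64() {
#ifdef _WIN32
    BOOL wow64 = FALSE;
    return ::IsWow64Process(::GetCurrentProcess(), &wow64) && wow64;
#else
    return false;  // non-Windows build: nothing is redirected
#endif
}

// Case-insensitive check that `path` begins with `prefix`.
static bool startsWithNoCase(const std::wstring& path, const std::wstring& prefix) {
    if (path.size() < prefix.size()) return false;
    for (std::size_t i = 0; i < prefix.size(); ++i)
        if (std::towlower(path[i]) != std::towlower(prefix[i])) return false;
    return true;
}

// Rewrites <winDir>\System32\... to <winDir>\Sysnative\... only when the
// caller is redirected; every other path is returned unchanged.
std::wstring toNativeSystemPath(const std::wstring& path,
                                const std::wstring& winDir, bool underWow64) {
    const std::wstring sys32 = winDir + L"\\System32";
    if (!underWow64 || !startsWithNoCase(path, sys32)) return path;
    // Require a component boundary so "System32Backup" is left alone.
    if (path.size() > sys32.size() && path[sys32.size()] != L'\\') return path;
    return winDir + L"\\Sysnative" + path.substr(sys32.size());
}

int main() {
    // Same file as the article's test; C:\Windows is assumed as winDir.
    const std::wstring target = toNativeSystemPath(
        L"C:\\Windows\\System32\\QQProtect.exe", L"C:\\Windows", runningUnderWow64());
    std::wprintf(L"open: %ls\n", target.c_str());
    return 0;
}
```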

Since Microsoft built a file system redirection mechanism, there should be a way to control it. MSDN (http://msdn.microsoft.com/en-us/library/aa365743.aspx) documents an API for disabling file system redirection, so this article calls that API to verify it:

/***********************************************************************
 * File:   verify that
 * Author: huagang li
 * Date:   01:22:55
 * Tips:   an EXE in System32 and Program Files cannot be found directly
 *         through the API on 64-bit machines: in a 64-bit system, a
 *         System32 folder redirection mechanism exists
 ***********************************************************************/
#include <windows.h>
#include <cstdlib>
#include <string>
#include <tchar.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib") // required to link PathFileExists

int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance,
                   _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
    std::wstring strFile = L"C:\\Windows\\System32\\QQProtect.exe";

    // In a 64-bit system, the System32 file system is redirected:
    // disable redirection for the current thread and remember the old state
    PVOID oldValue = NULL;
    BOOL disabled = ::Wow64DisableWow64FsRedirection(&oldValue);

    if (::PathFileExistsW(strFile.c_str()))
    {
        ::MessageBox(NULL, _T("file exists"), _T("good"), MB_OK);
    }
    else
    {
        ::MessageBox(NULL, _T("file does not exist"), _T("OPPs"), MB_OK);
    }

    // Restore the previous state only if the disable call succeeded
    if (disabled)
    {
        ::Wow64RevertWow64FsRedirection(oldValue);
    }
    return EXIT_SUCCESS;
}

The result obtained after running is the same as that obtained with Sysnative, as shown in Figure 5:

Figure 5 Result of disabling file system redirection

Note: disabling file system redirection may cause other problems (for example, loading DLLs that originally depended on System32 fails). After disabling redirection and completing the required operation, you need to restore the original state (for example, Wow64RevertWow64FsRedirection(oldValue);). In this way, once PathFileExists has been called, the file system redirection mechanism is restored and subsequent operations are not affected.

In addition, the relationship between Program Files and Program Files (x86) in 64-bit systems is the same as that between System32 and S: it is also WOW64, and file system redirection applies there as well.

 

Conclusion

1. A 64-bit system has a File System Redirector.

2. The System32 folder is dynamically redirected to the Sysnative folder.

3. You can disable this redirection mechanism through the Windows API Wow64DisableWow64FsRedirection.

 

Reference

[1] http://msdn.microsoft.com/en-us/library/aa384187.aspx

[2] http://msdn.microsoft.com/en-us/library/aa365743.aspx

[3] http://blog.sina.com.cn/s/blog_792da39c01013bzh.html

 
