
setwow64.exe and loadwow64.exe?



#1 misty


Posted 07 February 2018 - 07:51 PM

Is anyone able to provide any information about setwow64.exe or loadwow64.exe? And what they do? And any alternatives?

I've been doing some tests manually adding SysWOW64 support to a WinPE. Using Windows 10.0.15063 (Build 1703) and Windows 10.0.16299 (Build 1709) source files, Windows 32-bit programs work without running either of these executables.

On older source files, including Windows 10.0.14393 and earlier versions, 32-bit programs will not start and an error message is displayed -

The application was unable to start correctly (0xc0000034). Click OK to
close the application.

EDIT - Running setwow64.exe in WinPE resolves this issue. As does adding a loadwow64.exe entry to the "ControlSet001\Control\Session Manager" key > with a REG_MULTI_SZ "BootExecute" value > containing data "loadwow64.exe"

Information about these files is a bit sparse.

Noel in his microWinpeBuilder project appears to have created an alternative using a PowerShell script. In the documentation he states -
 

The 'MonSetWow64.PS1' script

I replaced the "SetWow64.exe" program by a PS (rule 1) 'MonSetWow64.PS1' script. It includes two features:
• Launched without parameters, it allows to visualize objects in the system (like winobj) in a 64-bit system.
• With the 'create' parameter, it creates 2 necessary objects.



#2 noel


Posted 07 February 2018 - 10:02 PM

Hello misty,

A lot of information is missing from my PDF. In the script "monSetWow64.PS1", I translated the C++ code into C# and then put it in the PS. So the code is visible and easily readable.

The Chinese guys found two native objects missing:

  • create an object "\\KnownDlls32" with the NtCreateDirectoryObject API,
  • create a "SymbolicLink" with the NtCreateSymbolicLinkObject API.

Please see the code in the PS.

Very short C++ code, but huge consequences for build 10586.


I'm testing this in V1709: I commented out the lines in the script which launch "monsetWow64" in my WinPE.

And you are RIGHT! :) These two objects are created by the OS in this version!

My analysis: just as the hives now contain X: and not C: since build 10240 (from memory, but it's in my PDF), I suppose this change (objects created) was introduced by chance through modifications.

Remember: in WinPE, nothing is stable across versions. Perhaps it will come back in the future.

Bravo misty !!!

I forgot... the two programs do the same thing but were written by two different guys... if my translator on the Chinese forum was good.


Edited by noel, 07 February 2018 - 10:22 PM.

  • misty likes this
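
A read-only check for the first of the two objects named in the post above, as an added example (it is not MonSetWow64.PS1 and not code from this thread). It opens `\KnownDlls32` with `NtOpenDirectoryObject` and reports the NTSTATUS; 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND, the same code shown in the error dialog in the first post. The class name `ObjDirProbe` is hypothetical.

```powershell
# Added example; ObjDirProbe is a hypothetical helper name, not code from MonSetWow64.PS1.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ObjDirProbe {
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [DllImport("ntdll.dll")]
    static extern int NtOpenDirectoryObject(out IntPtr handle, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")]
    static extern int NtClose(IntPtr handle);
    const uint DIRECTORY_QUERY = 0x0001, OBJ_CASE_INSENSITIVE = 0x40;

    // Opens an object directory for query only and returns the raw NTSTATUS.
    public static int Probe(string path) {
        IntPtr buf = Marshal.StringToHGlobalUni(path);
        IntPtr name = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UNICODE_STRING)));
        try {
            UNICODE_STRING us = new UNICODE_STRING();
            us.Length = (ushort)(path.Length * 2);            // length in bytes, no terminator
            us.MaximumLength = (ushort)(path.Length * 2 + 2);
            us.Buffer = buf;
            Marshal.StructureToPtr(us, name, false);
            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
            oa.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES));
            oa.ObjectName = name;
            oa.Attributes = OBJ_CASE_INSENSITIVE;
            IntPtr h;
            int st = NtOpenDirectoryObject(out h, DIRECTORY_QUERY, ref oa);
            if (st >= 0) { NtClose(h); }                      // success: release the handle
            return st;
        } finally { Marshal.FreeHGlobal(name); Marshal.FreeHGlobal(buf); }
    }
}
'@

# PowerShell parses 0xC0000034 as a negative Int32, which matches the signed NTSTATUS returned.
$status = [ObjDirProbe]::Probe('\KnownDlls32')
switch ($status) {
    0          { 'Present: \KnownDlls32 exists in the object manager namespace.' }
    0xC0000034 { 'Missing: STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034) for \KnownDlls32.' }
    default    { 'Unexpected NTSTATUS 0x{0:X8}' -f $status }
}
```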

#3 Wonko the Sane


Posted 09 February 2018 - 11:20 AM

@Misty

 

goo.gl/AedDBm

 

https://github.com/g...k-testing-tools

 

:duff:

Wonko





