June 13, 2005

GetModuleFileName may return "incorrect" results for win32-apps running under wow64

If you have a win32-app that is running under an x64/IA64 OS (like Windows 2003 Server x64 Edition), then your app is running under Wow64.

In Wow64, all file-access to “C:\windows\system32” is redirected to “C:\windows\SysWow64”. This is implemented using the File System Redirector.

Now if you enumerate the modules (DLLs) in your (or another win32) process and then call GetModuleFileName, you will sometimes see a DLL which uses the “C:\windows\system32” path. I don’t know the reason for this, but this is a fact.

But you do not need to worry about this problem. If you access this file, the correct file under the SysWow64 directory is accessed. But if you want to see the “correct” filename, you need to open the file and get the filename from the given handle.

I have made a simple example for retrieving the correct filename.

Here is the output for this example as GetModuleFileName returns it:

  e:\enummodules\debug\EnumModules.exe
  C:\WINDOWS\system32\ntdll.dll
  C:\WINDOWS\syswow64\kernel32.dll
  C:\WINDOWS\system32\MSVCR80D.dll
  C:\WINDOWS\syswow64\msvcrt.dll
  C:\WINDOWS\system32\PSAPI.DLL
  C:\WINDOWS\system32\tsappcmp.dll
  C:\WINDOWS\syswow64\ADVAPI32.dll
  C:\WINDOWS\syswow64\RPCRT4.dll

You see: sometimes it is “system32” and sometimes “SysWow64”.

Here is now the “corrected” version:

  E:\EnumModules\Debug\EnumModules.exe
  C:\WINDOWS\SysWOW64\ntdll.dll
  C:\WINDOWS\SysWOW64\kernel32.dll
  C:\WINDOWS\SysWOW64\MSVCR80D.dll
  C:\WINDOWS\SysWOW64\msvcrt.dll
  C:\WINDOWS\SysWOW64\psapi.dll
  C:\WINDOWS\SysWOW64\tsappcmp.dll
  C:\WINDOWS\SysWOW64\advapi32.dll
  C:\WINDOWS\SysWOW64\rpcrt4.dll

Now you have the “real” path to the file.
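When only the recorded module list is available (for example, a 64-bit tool that hashes or signature-checks the modules of a 32-bit process), the redirection can be modelled offline so the check hits the SysWOW64 file rather than the 64-bit one. This is an added example, not the code from this post and not the handle-based method it describes; it assumes the default redirector rules with the documented exempt subdirectories, and the names `wow64_real_path`, `EXEMPT` and `normalise` are hypothetical.

```python
import ntpath

# Subdirectories of system32 that the File System Redirector does not redirect
# (documented exemptions; driverstore is exempt on Vista and later only).
EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")


def wow64_real_path(path, windir=r"C:\WINDOWS"):
    """Return the on-disk path a 32-bit (WOW64) process gets for `path`.

    Assumption: redirection is in its default state for the process; a thread
    that has disabled redirection is not modelled here.
    """
    norm = ntpath.normpath(path)
    sys32 = ntpath.join(windir, "system32")
    low, root = norm.lower(), sys32.lower()  # Windows paths are case-insensitive
    if low != root and not low.startswith(root + "\\"):
        return norm                          # not under system32: untouched
    rest = norm[len(sys32):].lstrip("\\")
    for sub in EXEMPT:
        if rest.lower() == sub or rest.lower().startswith(sub + "\\"):
            return norm                      # exempt subtree: not redirected
    wow = ntpath.join(windir, "SysWOW64")
    return ntpath.join(wow, rest) if rest else wow


def normalise(paths):
    """Map every reported module path to the file that is really loaded."""
    return [wow64_real_path(p) for p in paths]


# Paths as GetModuleFileName reported them in the post, plus one constructed
# entry (the hosts file) to show an exempt directory.
REPORTED = [
    r"e:\enummodules\debug\EnumModules.exe",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\syswow64\kernel32.dll",
    r"C:\WINDOWS\system32\PSAPI.DLL",
    r"C:\WINDOWS\system32\drivers\etc\hosts",  # constructed sample
]

if __name__ == "__main__":
    for before, after in zip(REPORTED, normalise(REPORTED)):
        print(f"{before}  ->  {after}")
```

Unlike the handle-based lookup, this keeps the case of the file name as it was reported, so compare results case-insensitively.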


Posted 2 years, 7 months ago on June 13, 2005

Re: GetModuleFileName may return
Actually GetModuleFileName can return weird things even under pure Win32. I have seen it return things like \??\Windows\System32\... when called from some system processes like winlogon.exe. As I understand it, GetModuleFileName simply returns the verbatim path recorded at some point during the loading process. You can never trust it completely (or even assume that the file still exists - it is possible to delete a dll which is currently being used).
Posted 2 years, 6 months ago by Eugene Gershnik