@craig_howard said:
The Wow64 dll redirection is one of those things that if it all works well then it’s magic, if it doesn’t, well, then you’re in a special world of hurt. Here’s some background on it [ https://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/nftechsupt.web+WinBatch/64-bit+File~Redirection.txt ], do some GoogleFu on “wow64 dll redirection” for lots more info on this …
Usually you don’t run into these problems because the app and dll’s are all linked to the same platform (x64 or x86) so it never comes up … you can, however, somehow manage to link in a library on an x86 application that is only x64 and then you’ve got trouble (so I would check my linker path and libraries)
The other interesting issue is that you’re calling the driver from an x86 client (note that the driver is labeled ‘hwinfo64.sys’) and the driver is likely an x64 driver. This could also be an issue with DLL sideloading, which is normally a malware technique but has some legitimate uses [ https://stackoverflow.com/questions/108971/using-side-by-side-assemblies-to-load-the-x64-or-x32-version-of-a-dll ] and you might be accidentally doing a sideload of your application system dll’s
Although x64 drivers can communicate with x86 clients, it sometimes causes problems (and I flat out disallow any x86 application IOCTL access with my drivers, create/close/read/write is as far as they can go) … if you haven’t already, do a pure x64 build of your client and run procmon; that will eliminate any x86 dll’s in the mix …
Thank you for your input, I do know however what WOW64 is… in fact I have been dealing with it for a long time because I make complex system calls through it. What I do not understand is why “some” drivers fail only due to this error, so I went to _C:\Windows\SysWOW64\drivers_ and I found only 4 drivers there; the ones always failing to open.
@Tim_Roberts said:
Well, if a 32-bit process tries to open “C:\Windows\System32\Drivers”, it will not find anything there. The path gets rewritten to SysWOW64, where there are no drivers. Is that what you were doing? You can turn that off with the bizarrely named Wow64DisableWow64FsRedirection, or you can read from “C:\Windows\SysNative\Drivers”.
I tend to disagree? From 250+ drivers loaded on my x64 system, I can open them all from user-mode just fine with ZwOpenFile directly. The ones failing are because the developers copied the drivers to C:\Windows\SysWOW64\drivers\ as well.
Why, it beats me. It’s an x64 system, having “wow64” drivers makes no sense.
Checking the HWiNFO64A.SYS loaded into the system I can see 2 of them loaded: https://prnt.sc/1rd4bjq
https://prnt.sc/1rd4fm3
https://prnt.sc/1rd4hd1
Nevertheless I was able to resolve this issue from the x86 app by disabling redirection (RtlWow64EnableFsRedirectionEx…).
However I still do not understand what is going on, I understand the situation about DLL’s but not drivers.
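Added example, not code from any poster in this thread: a C helper for the SysNative alternative mentioned above, which maps a System32 path to the Sysnative alias only when the caller is a WOW64 process, so a 32-bit tool inspects the real 64-bit drivers directory instead of SysWOW64. The name `to_sysnative` and its parameters are assumptions made for illustration; the Windows-only `main` relies on `IsWow64Process`, `GetWindowsDirectoryA` and `GetFileAttributesA`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of an n-byte prefix (Windows paths ignore case). */
static int prefix_ieq(const char *s, const char *prefix, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;   /* also stops at the end of a shorter s */
    return 1;
}

/* Hypothetical helper: copy path to out, replacing <windir>\System32 with
 * <windir>\Sysnative when the caller is a WOW64 (32-bit on x64) process.
 * Returns 1 if rewritten, 0 if copied unchanged, -1 if out is too small. */
int to_sysnative(const char *path, const char *windir, int is_wow64,
                 char *out, size_t outsz) {
    static const char sys32[] = "\\System32";
    size_t wl = strlen(windir), sl = sizeof sys32 - 1;
    int hit = is_wow64 && strlen(path) >= wl + sl &&
              prefix_ieq(path, windir, wl) && prefix_ieq(path + wl, sys32, sl) &&
              (path[wl + sl] == '\0' || path[wl + sl] == '\\'); /* whole component */
    int n = hit ? snprintf(out, outsz, "%s\\Sysnative%s", windir, path + wl + sl)
                : snprintf(out, outsz, "%s", path);
    return (n < 0 || (size_t)n >= outsz) ? -1 : hit;
}

#ifdef _WIN32
#include <windows.h>
int main(void) {
    BOOL wow64 = FALSE;
    char windir[MAX_PATH], in[MAX_PATH + 32], fixed[MAX_PATH + 32];
    IsWow64Process(GetCurrentProcess(), &wow64);
    GetWindowsDirectoryA(windir, MAX_PATH);
    snprintf(in, sizeof in, "%s\\System32\\drivers", windir);
    if (to_sysnative(in, windir, wow64, fixed, sizeof fixed) < 0) return 1;
    /* A 32-bit build asks for Sysnative; a 64-bit build keeps System32. */
    printf("%s -> %s (present: %s)\n", in, fixed,
           GetFileAttributesA(fixed) != INVALID_FILE_ATTRIBUTES ? "yes" : "no");
    return 0;
}
#endif
```

The Sysnative alias only resolves for 32-bit callers, which is why the helper leaves the path untouched for a native 64-bit process.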