Endpoint Protection

SEP is a NATIVE 32 bit application, but on a 64 bit hardware on top of a emulation of 32 bit OS called WOW64. That is the reason  SEP client puts its files into C:\Program Files (x86) and not the C:\Program Files.

When we run a 32-bit program on a 64-bit version , the program runs in a 32-bit emulation mode, using software to simulate a 32-bit version of OS. This allows 32-bit programs to run smoothly on the 64-bit operating system.

This artcile would answer all your doubts.

Under Windows 64-bit, 32-bit applications run on top of an emulation of a 32-bit operating system that is called Windows 32-bit on Windows 64-bit, or WOW64 for short. WOW64 intercepts all operating system calls made by a 32-bit application.

For each operating system call made, WOW64 generates native 64-bit system calls, converting 32-bit data structures into 64-bit aligned structures. The appropriate native 64-bit system call is passed to the operating system kernel, and any output data from the 64-bit system call is converted into a format appropriate for the calling application before being passed back.

Like 32-bit applications, WOW64 runs in user mode so any errors that occur in translating an operating system call will only occur at that level. The 64-bit operating system kernel cannot be affected.

Since WOW64 runs in user mode, all 32-bit application code must also run in user mode. This explains why 32-bit kernel mode device drivers and applications that rely on them, will not work under Windows 64-bit.

The WOW64 emulator consists of the following DLLs, the only 64-bit DLLS that can be loaded into a 32-bit process:

Wow64.dll – the core emulation infrastructure and the links to the Ntoskrnl.exe entry-point functions.
Wow64Win.dll – the links to the Win32k.sys entry-point functions.
Wow64Cpu.dll – switches the processor from 32-bit to 64-bit mode.
Ntdll.dll – 64-bit version.

Wow64.dll loads the 32-bit version (x86) of Ntdll.dll and all necessary 32-bit DLLs which are mostly unmodified 32-bit binaries..However, some of these DLLs have been modified to behave differently on WOW64 than they do on 32-bit Windows. This is usually because they share memory with 64-bit system components.

WOW64 manages file and registry settings

In addition to handling operating system calls, the WOW64 interface needs to ensure that files and registry settings for 32-bit applications are kept apart from those for 64-bit applications. To achieve this two mechanisms are used, File and Registry Redirection and Key Reflection. Redirection maintains logical views of the data as if it were in 32-bit Windows and maps it to the correct physical location. Reflection ensures that 32-bit and 64-bit settings will be consistent where that is required.

File Redirection

File redirection ensures that there are separate folders for program and operating system files for 32- and 64-bit applications.

32-bit applications files are installed into

C:\Program Files(x86)

32-bit system files are installed into

C:\WINDOWS\SysWOW64

For 64-bit applications, files are installed to:

C:\Program Files
C:\WINDOWS\SYSTEM32

The WOW64 file redirector ensures that requests from 32-bit applications to open files in C:\Program Files or C:\WINDOWS\SYSTEM32 are redirected to the appropriate 32-bit directories.

There is one issue with file redirection that users and developers should be aware of.

Many 64 bit applications still use 32 bit installation routines. To ensure that an application is installed correctly, i.e. to C:\Program Files, the installation routine should make an operating system call to temporarily suspend the WOW64 file redirector. After installation another operating system call needs to be made to re-enable the redirector. If this approach isn't followed then the application will be installed to C:\Program Files (x86). A classic example of this is the 64 bit development version of Firefox 3.5, codenamed Shiretoko, which is installed to C:\Program Files(x86)\Shiretoko. Firefox still functions correctly, the only thing you can't do is change the icon for the application.

Registry Redirection

Registry keys specific to 32-bit applications are redirected from:

HKEY_LOCAL_MACHINE\Software

to:

HKEY_LOCAL_MACHINE\Software\WOW6432Node

You may also occasionally see Registry entries elsewhere although this is unusual

HKEY_CURRENT_USER\Software\WOW6432Node

This approach allows both the 32-bit and 64-bit versions of an application to be installed side-by-side without overwriting each other’s settings.

Registry reflection

Some redirected keys and/or values are also reflected. This means that if a 32-bit application makes a change to the redirected section of the registry, that change is also made to the 64 bit part of the registry, and vice-versa. Key reflection uses a policy of last writer wins. For example, if I install three applications with the same file extension then the last one to be installed will be associated with that extension.

1. Install a 32-bit application that associates itself with the file extension XYZ.

2. Install the 64-bit version of this application that associates itself with the file extension XYZ.

3. Install another 3- bit application that associates itself with the file extension XYZ.

Double-clicking on a file with the extension XYZ in Explorer would load the application installed in step 3, as it was the last one to associate itself with this extension.

All of this is done transparently for 32-bit applications by WOW64, which, in intercepting calls to the operating system, detects references to file paths and registry keys and maps them accordingly.

WOW64 has several limitations

Some but not all 64-bit features are available to 32-bit applications

WOW64 provides 32-bit applications with access to some features of 62-bit systems. For example, applications can have more memory up to 4GB with the correct setting.. Other features are more limited due to overheads and restrictions. For example, 64-bit Windows will support logical 64 processors but 32-bit applications are restricted to the usual 32 logical processors.

Code Injection cannot mix between 32-bit and 64-bit

Under 64-bit Windows it is not possible to inject 32-bit code into a 64-bit process, nor is it possible to inject 64-bit code into a 32-bit process. Applications that rely on code injection to add functionality to existing applications will usually not work.

This explains why most 32-bit shell extensions do not work under Windows 64-bit. The majority of shell extensions rely on code injection to add themselves to Windows Explorer.

WOW64 does not support 16-bit installers

WOW64 provides support for Microsoft's 16-bit installer - by substituting a compatible 32-bit installer - but does not extend this support to third-party products.