Situation
How does the "Use 64 bit registry view on 64 bit Windows" setting affect my detection rule?
Description
LANDESK allows configuring custom Patch and Compliance rules to check on patch information for applications LANDESK doesn’t provide definitions for.
We will not cover this in great detail here. For more Information How to configure Patch and Compliance rules please vistit https://help.landesk.com/docs/help/en_US/LDMS/9.6/default.htm#cshid=Patch_Property.
We will discuss the effects that come from ticking the box within the Registry settings. This box changes the view the LANDESK client has on the registry of 64bit Windows machine drastically.
Because The LANDESK client is a native 32-bit application. Under 64-bit Windows all 32-bit applications are kept inside the Windows 32-bit on Windows 64-bit sandbox system.
This is called the WoW64 subsystem. The WoW64 subsystem also handles registry aspects owned by 32-bit applications. The registry entries of 32-bit applications are kept within the the following registry path:
HKEY_LOCAL_MACHINE\Software\Wow6432Node
This path is unknown to 32-bit applications. For 32-bit applications this path is presented as the following:
HKEY_LOCAL_MACHINE\Software\
That way 32-bit clients only see the 32-bit part of the registry, while the 64-bit part of the registry is hidden from 32-bit application. So the 32-bit LANDESK client would normally not being able to access, or check, any 64-bit part of the registry.
Solution
The LANDESK client uses a loophole with the WoW64 subsystem to access the 64-bit part of the registry. This has to be configured for every single rule, where this is necessary. To do so just check the box "Use 64-bit registry view on 64-bit windows within the rule settings and the LANDESK client will get access to the whole registry of the 64-bit Windows. This implies that if the 64-bit registry view has been enabled, registry keys of 32-bit application will now be accessible only via the HKEY_LOCAL_MACHINE\Software\Wow6432Node path. The HKEY_LOCAL_MACHINE\Software path now holds only the registry setting of 64bit applications.
Usage Example:
- If writing a rule for 32-bit applications that targets only 32-bit clients, you do not need to activate the 64-bit view.
- If writing a rule for 32-bit applications that targets 32-bit and 64-bit Windows, you also do not need to activate the 64bit view.
- If writing a rule for 64-bit applications which targets 64-bit Windows, you need to activate the 64-bit view to be able to see the 64-bit portion of the registry.
- If writing a rule for 32bit application which targets 64-bit Windows and the 64-bit view is enabled, it is crucial to add WoW6432Node to the Registry path to access the 32-bit portion of the registry.