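Preface
Recently I ran into a strange registry problem: when using RegCreateKeyEx + KEY_WOW64_64KEY on Win7 to write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\123.exe, the result did not meet the expectation that the key would be absent under Wow6432Node.
Approach
1. Tested whether my use of RegCreateKeyEx + KEY_WOW64_64KEY was wrong: I used the function to write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\APP1\123.exe, and the result met the expectation: the key was absent under Wow6432Node.
2. Searched Baidu for what the App Paths registry key is for.
3. Asked my team lead and came away a bit confused, so I decided to start from the very basics, namely how Windows handles the registry. That then solved my problem.
Main text
1. Registry background
Reference article: https://www.onthink.com/2014/07/06/32bit-64bit-registry/

MSDN's explanations:
Redirection: https://docs.microsoft.com/zh-cn/windows/win32/winprog64/registry-redirector?redirectedfrom=MSDN
Reflection: https://docs.microsoft.com/zh-cn/windows/win32/winprog64/registry-reflection?redirectedfrom=MSDN
How each registry key is made available to 32-bit and 64-bit applications:
https://docs.microsoft.com/zh-cn/windows/win32/winprog64/shared-registry-keys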
| Key | Windows 7 and Windows Server 2008 R2 | Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP |
|---|---|---|
| HKEY_LOCAL_MACHINE | Shared | Shared |
| **SOFTWARE** | Redirected | Redirected |
| **Classes** | Shared | Redirected and reflected |
| **Appid** | Shared | Redirected and reflected with one exception: the DllSurrogate and DllSurrogateExecutable registry values are not reflected if their value is an empty string. |
| **CLSID** | Redirected | Redirected and reflected only for CLSIDs that do not specify InprocServer32 or InprocHandler32. |
| **DirectShow** | Redirected | Redirected and reflected |
| **HCP** | Shared | Shared |
| **Interface** | Redirected | Redirected and reflected |
| **Media Type** | Redirected | Redirected and reflected |
| **MediaFoundation** | Redirected | Redirected and reflected |
| **Clients** | Shared | Redirected |
| **Microsoft**\COM3 | Shared | Redirected and reflected |
| **Microsoft**\Cryptography\Calais\Current | Shared | Shared |
| **Microsoft**\Cryptography\Calais\Readers | Shared | Shared |
| **Microsoft**\Cryptography\Services | Shared | Shared |
| **Microsoft**\CTF\SystemShared | Shared | Shared |
| **Microsoft**\CTF\TIP | Shared | Shared |
| **Microsoft**\DFS | Shared | Shared |
| **Microsoft**\Driver Signing | Shared | Shared |
| **Microsoft**\EnterpriseCertificates | Shared | Shared |
| **Microsoft**\EventSystem | Shared | Redirected and reflected |
| **Microsoft**\MSMQ | Shared | Shared |
| **Microsoft**\Non-Driver Signing | Shared | Shared |
| **Microsoft**\Notepad\DefaultFonts | Shared | Redirected |
| **Microsoft**\OLE | Shared | Redirected and reflected |
| **Microsoft**\RAS | Shared | Shared |
| **Microsoft**\RPC | Shared | Redirected and reflected |
| **Microsoft**\SOFTWARE\Microsoft\Shared Tools\MSInfo | Shared | Shared |
| **Microsoft**\SystemCertificates | Shared | Shared |
| **Microsoft**\TermServLicensing | Shared | Shared |
| **Microsoft**\TransactionServer | Shared | Shared |
| **Microsoft**\Windows\CurrentVersion\App Paths | Shared | Redirected |
| **Microsoft**\Windows\CurrentVersion\Control Panel\Cursors\Schemes | Shared | Shared |
| **Microsoft**\Windows\CurrentVersion\Explorer\AutoplayHandlers | Shared | Redirected |
| **Microsoft**\Windows\CurrentVersion\Explorer\DriveIcons | Shared | Redirected |
| **Microsoft**\Windows\CurrentVersion\Explorer\KindMap | Shared | Redirected |
| **Microsoft**\Windows\CurrentVersion\Group Policy | Shared | Shared |
| **Microsoft**\Windows\CurrentVersion\Policies | Shared | Shared |
| **Microsoft**\Windows\CurrentVersion\PreviewHandlers | Shared | Redirected |
| **Microsoft**\Windows\CurrentVersion\Setup | Shared | Shared |
| **Microsoft**\Windows\CurrentVersion\Telephony\Locations | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Console | Shared | Redirected |
| **Microsoft**\Windows NT\CurrentVersion\FontDpi | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\FontLink | Shared | Redirected |
| **Microsoft**\Windows NT\CurrentVersion\FontMapper | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Fonts | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\FontSubstitutes | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Gre_Initialize | Shared | Redirected |
| **Microsoft**\Windows NT\CurrentVersion\Image File Execution Options | Shared | Redirected |
| **Microsoft**\Windows NT\CurrentVersion\Language Pack | Shared | Redirected |
| **Microsoft**\Windows NT\CurrentVersion\NetworkCards | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Perflib | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Ports | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Print | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\ProfileList | Shared | Shared |
| **Microsoft**\Windows NT\CurrentVersion\Time Zones | Shared | Shared |
| **Policies** | Shared | Shared |
| **RegisteredApplications** | Shared | Shared. Windows Server 2003 and Windows XP: This key was added in Windows Vista. |
| HKEY_CURRENT_USER | Shared | Shared |
| **SOFTWARE** | Shared | Shared |
| **Classes** | Shared | Redirected and reflected |
| **Appid** | Shared | Redirected and reflected with one exception: the DllSurrogate and DllSurrogateExecutable registry values are not reflected if their value is an empty string. |
| **CLSID** | Redirected | Redirected and reflected |
| **DirectShow** | Redirected | Redirected and reflected |
| **Interface** | Redirected | Redirected and reflected |
| **Media Type** | Redirected | Redirected and reflected |
| **MediaFoundation** | Redirected | Redirected and reflected |
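2. Cause of the problem
From the table above, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths is a shared registry key on Win7, so writing it with RegCreateKeyEx + KEY_WOW64_64KEY still cannot make the write land only in the non-Wow6432Node location.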
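The check from the troubleshooting steps can be automated. The following is an added example, not code from the original post: it uses Python's `winreg` module (a thin wrapper over RegCreateKeyEx / RegOpenKeyEx / RegDeleteKeyEx) to write a marker key through the 64-bit view and then look for it through the 32-bit view. The marker name `ViewProbe_example` and the function name are assumptions made for illustration.

```python
# Added example (not from the original post). winreg exists on Windows only.
try:
    import winreg
except ImportError:          # lets the module be imported on other systems
    winreg = None

# The two parent keys the post compares.
APP_PATHS = r"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
APP1 = r"SOFTWARE\Microsoft\Windows\CurrentVersion\APP1"


def probe_view_sharing(parent, marker="ViewProbe_example", reg=winreg):
    """Create parent\\marker through the 64-bit view, then try to open it
    through the 32-bit view.

    Returns "shared" if the 32-bit view sees the key that was written with
    KEY_WOW64_64KEY, "redirected" if it does not. The marker name is a
    constructed placeholder; the marker key is always deleted again.
    """
    hive = reg.HKEY_LOCAL_MACHINE
    path = parent + "\\" + marker
    handle = reg.CreateKeyEx(hive, path, 0, reg.KEY_WRITE | reg.KEY_WOW64_64KEY)
    reg.CloseKey(handle)
    try:
        try:
            handle = reg.OpenKey(hive, path, 0, reg.KEY_READ | reg.KEY_WOW64_32KEY)
        except FileNotFoundError:
            # The 32-bit view resolved to Wow6432Node, where nothing was written.
            return "redirected"
        reg.CloseKey(handle)
        return "shared"
    finally:
        # Remove the marker from the view it was created in.
        reg.DeleteKeyEx(hive, path, reg.KEY_WOW64_64KEY, 0)


if __name__ == "__main__" and winreg is not None:
    # Needs an elevated prompt on 64-bit Windows: it writes under HKLM.
    for parent in (APP_PATHS, APP1):
        print(parent, "->", probe_view_sharing(parent))
```

Going by the table and the test described above, Win7 should report App Paths as shared and APP1 as redirected. Probing a parent key that does not exist yet leaves the empty parent behind, since only the marker is deleted.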



