IsWow64Process() returning incorrect information on elevated process

  • Question

  • I have a 32 bit process running in Admin mode. A second process running in non-admin mode then queries its WOW64 state. The data returned by IsWow64Process() indicate the Admin mode process is not a WOW64 process, implying it's a 64 bit process. This is highly disruptive. Is there a way round this problem other than to elevate the query'er process? Thanks.

    Pretend the following is c++ code ;)

    PHandle = Win32.OpenProcess ( Win32.PROCESS_QUERY_INFORMATION | Win32.PROCESS_VM_READ, false, Pid );
    
    Win32.IsWow64Process ( PHandle, out Is32Bit );

    On an un-elevated query'er, Is32Bit receives a FALSE.

    On an elevated query'er, Is32Bit receives a TRUE.



    • Edited by Dev10110110 Thursday, September 27, 2018 9:10 AM
    Thursday, September 27, 2018 9:06 AM

Answers

  • I don't see any error checking here. In my test using native C++, calling OpenProcess from an unelevated 32 bit process to obtain a handle from an elevated 32 bit process fails with an access denied error when requesting PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.

    When the OpenProcess call is changed to only request PROCESS_QUERY_LIMITED_INFORMATION, the call succeeds and passing the returned handle to the IsWow64Process function yields the correct result.

    • Marked as answer by Dev10110110 Thursday, September 27, 2018 11:55 AM
    Thursday, September 27, 2018 11:37 AM

All replies

  • Slap forehead. Many thanks RLW32. You are absolutely right. I do have error checking. Except I defaulted to my own value on error. Wasn't expecting the call to fail.
    Thursday, September 27, 2018 11:59 AM
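
Added example, not code from the thread: a C# P/Invoke version of the fix described in the answer, which tries both access masks against one PID and reports a failed query as "unknown" instead of defaulting to FALSE, the mistake described in the last reply. The class and method names are hypothetical; the constants are the documented Win32 access-right values.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class Wow64Query   // hypothetical name, not from the thread
{
    const uint PROCESS_VM_READ = 0x0010;
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr process, out bool wow64);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns true/false only when the query succeeded. null means "unknown",
    // with the Win32 error code in 'error'; a failure is never reported as FALSE.
    static bool? TryIsWow64(uint pid, uint access, out int error)
    {
        error = 0;
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) { error = Marshal.GetLastWin32Error(); return null; }
        try
        {
            if (IsWow64Process(h, out bool wow64)) return wow64;
            error = Marshal.GetLastWin32Error();
            return null;
        }
        finally { CloseHandle(h); }
    }

    static void Main(string[] args)
    {
        // Target PID from the command line; defaults to this process.
        uint pid = args.Length > 0 ? uint.Parse(args[0]) : (uint)Process.GetCurrentProcess().Id;
        var masks = new (string Name, uint Value)[] {
            ("QUERY_INFORMATION | VM_READ", PROCESS_QUERY_INFORMATION | PROCESS_VM_READ),
            ("QUERY_LIMITED_INFORMATION", PROCESS_QUERY_LIMITED_INFORMATION) };
        foreach (var m in masks)
        {
            bool? r = TryIsWow64(pid, m.Value, out int err);
            Console.WriteLine(r.HasValue ? $"{m.Name}: WOW64 = {r.Value}"
                                         : $"{m.Name}: unknown, Win32 error {err}");
        }
    }
}
```

Win32 error 5 is ERROR_ACCESS_DENIED, the failure the answer reports for the wider mask when an unelevated caller targets an elevated process.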