Unexpected Results When Analyzing Files in a Windows Installation

This is an important article to read if you use HexLasso CLI for analyzing files in a Windows installation.

Symptoms

When you use HexLasso CLI to analyze files in a Windows installation, the analysis result for one or more files may be unexpected.

Cause

You may see unexpected results if you run HexLasso CLI on files that are subject to file system redirection.

File system redirection is a feature of the 64-bit version of Windows that redirects file access for backward compatibility reasons.

HexLasso CLI is not aware of this redirection. Therefore, for example, if you intend to analyze C:\Windows\System32\wermgr.exe, Windows redirects the file access to C:\Windows\SysWOW64\wermgr.exe, and the latter file is analyzed instead.

Workaround

  1. Copy the files of the Windows installation into a temporary folder using a copy utility. Most copy utilities can handle file system redirection.
  2. You can now run HexLasso CLI on the files of the temporary folder.
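
A check to run on the temporary folder after step 1, as an added example that is not part of the original article or of HexLasso: it reads the PE header of each copied file and lists 32-bit images found under a System32 folder, which suggests the copy itself was redirected. It assumes the copy keeps the original folder names and that System32 on 64-bit Windows holds native images, so a hit is a prompt for a closer look; the function names and the 4 KiB header read are choices made for this example.

```python
import os
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def pe_machine(data: bytes):
    """Return the architecture of a PE image, or None if data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, hex(machine))

def looks_redirected(path: str, data: bytes) -> bool:
    """True when a file located under System32 holds a 32-bit image."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "system32" in parts and pe_machine(data) == "x86"

def scan_copy(copy_root: str):
    """List copied files under a System32 folder that are 32-bit images."""
    hits = []
    for dirpath, _, names in os.walk(copy_root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # assumption: PE headers fit in 4 KiB
            if looks_redirected(os.path.relpath(path, copy_root), head):
                hits.append(path)
    return sorted(hits)

def fake_pe(machine: int) -> bytes:
    """Constructed sample: DOS header, PE signature and Machine field only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine)

if __name__ == "__main__":
    # Usage: python check_copy.py <temporary folder>
    for hit in scan_copy(sys.argv[1]):
        print("32-bit image under System32:", hit)
```
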

Remarks

Although Microsoft provides an API function to disable file system redirection for the application, using it would require calling a native function from the otherwise fully managed code. Looking ahead, keeping the code fully managed is preferred over addressing this platform-specific issue via a code change.