I Don't See The Foothold That Was Reported?

We occasionally get questions about a reported foothold not being found on the host. Often when we check and it turns out the remote access tool used to manage the host is "hiding" the file or registry value. The reason these tools cannot see the item is because the tool is 32-bit and the item is located in a 64-bit area of the file system/registry. In these cases you'll want to use the tools included with Windows to preform the remediation.

On Windows, 32-bit applications are isolated from 64-bit applications to prevent file and registry collisions. To illustrate this, in the image below we created a folder "c:\windows\system32\0000__system32_folder" and opened a 32-bit command prompt (c:\windows\syswow64\cmd.exe).

Note that the directory listing from command prompt does not show the "0000__system32__folder", but rather the folder we created in c:\windows\syswow64. That is because Windows redirects c:\windows\system32 to c:\windows\syswow64 for 32-bit applications. To access the "actual" system32 directory from a 32-bit application you need use a special path, c:\windows\sysnative.

Still need help? Contact Us Contact Us