I Don't See The Foothold That Was Reported?

We occasionally get questions about a reported foothold not being found on the host. In our experience, this is most often caused by the remote access tool "hiding" the file or registry value. The reason these tools cannot see the item is because the tool is 32-bit and the item is located in a 64-bit area of the file system/registry. In these cases you'll want to use the tools included with Windows to preform the remediation (and demand better support from your tool provider ;).

On Windows, 32-bit applications are isolated from 64-bit applications to prevent file and registry collisions. To illustrate this, in the image below we created a folder "c:\windows\system32\0000__system32_folder" and opened the 32-bit command prompt (c:\windows\syswow64\cmd.exe).

Note that the directory listing from the command prompt does not show the "0000__system32__folder", but rather the folder we created in c:\windows\syswow64. That is because Windows redirects c:\windows\system32 to c:\windows\syswow64 for 32-bit applications. To access the "actual" system32 directory from a 32-bit application you need use a special path, c:\windows\sysnative.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Need help? Click here to Contact Us Click here to Contact Us