
3/21/2017 WOW64ImplementationDetails(Windows)

WOW64 Implementation Details

The WOW64 emulator runs in user mode. It provides an interface between the 32-bit version of Ntdll.dll and the kernel
of the processor, and it intercepts kernel calls. The WOW64 emulator consists of the following DLLs:

Wow64.dll provides the core emulation infrastructure and the thunks for the Ntoskrnl.exe entry-point functions.
Wow64Win.dll provides thunks for the Win32k.sys entry-point functions.
Wow64Cpu.dll is an interface library that abstracts characteristics of the host processor.
Intel Itanium only: IA32Exec.bin contains the x86 software emulator.
Intel Itanium only: Wowia32x.dll provides the interface between IA32Exec.bin and WOW64.

These DLLs, along with the 64-bit version of Ntdll.dll, are the only 64-bit binaries that can be loaded into a 32-bit

At startup, Wow64.dll loads the x86 version of Ntdll.dll and runs its initialization code, which loads all necessary 32-bit
DLLs. Almost all 32-bit DLLs are unmodified copies of 32-bit Windows binaries. However, some of these DLLs are
written to behave differently on WOW64 than they do on 32-bit Windows, usually because they share memory with
64-bit system components. All user-mode address space above the 32-bit limit is reserved by the system. For more
information, see Performance and Memory Consumption under WOW64.

Instead of using the x86 system-service call sequence, 32-bit binaries that make system calls are rebuilt to use a custom
calling sequence. This calling sequence is inexpensive for WOW64 to intercept because it remains entirely in user mode.
When the custom calling sequence is detected, the WOW64 CPU transitions back to native 64-bit mode and calls into
Wow64.dll. Thunking is done in user mode to reduce the impact on the 64-bit kernel and to reduce the risk of a bug in
the thunk that might cause a kernel-mode crash, data corruption, or a security hole. The thunks extract arguments from
the 32-bit stack, extend them to 64 bits, then make the native system call.

Environment Variables
When a 32-bit process is created by a 64-bit process, or when a 64-bit process is created by a 32-bit process, WOW64
sets the environment variables for the created process as shown in the following table.

Process Environment variables





CommonProgramW6432=%CommonProgramFiles%

Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: The
ProgramW6432 and CommonProgramW6432 environment variables were added starting with
Windows 7 and Windows Server 2008 R2.
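
The following is an added example, not part of the original page: Python that an inventory or triage script could use to decide from its environment block whether it is running under WOW64 and which Program Files directory is the native one. The function names are hypothetical and the sample environment blocks are constructed; PROCESSOR_ARCHITECTURE and ProgramFiles(x86) are standard Windows variables that this page's surviving text does not list.

```python
import os

def _ci(env):
    # Windows environment variable names are case-insensitive.
    return {k.upper(): v for k, v in env.items()}

def describe_process(env=None):
    """Classify the process that owns this environment block."""
    e = _ci(os.environ if env is None else env)
    proc_arch = e.get("PROCESSOR_ARCHITECTURE")
    # PROCESSOR_ARCHITEW6432 is defined only for a 32-bit process under WOW64,
    # where it carries the architecture of the native operating system.
    native = e.get("PROCESSOR_ARCHITEW6432")
    wow64 = native is not None
    return {"process_arch": proc_arch,
            "native_arch": native if wow64 else proc_arch,
            "wow64": wow64}

def native_program_files(env=None):
    """Return the native Program Files directory, or None if it cannot be named."""
    e = _ci(os.environ if env is None else env)
    if "PROGRAMW6432" in e:            # Windows 7 / Server 2008 R2 and later
        return e["PROGRAMW6432"]
    if "PROCESSOR_ARCHITEW6432" in e:  # WOW64 on an older release:
        return None                    # ProgramFiles is the x86 directory here
    return e.get("PROGRAMFILES")       # native process: ProgramFiles is correct

# Constructed sample environment blocks (not captured from a real system).
WOW64_WIN7 = {"PROCESSOR_ARCHITECTURE": "x86",
              "PROCESSOR_ARCHITEW6432": "AMD64",
              "ProgramFiles": r"C:\Program Files (x86)",
              "ProgramFiles(x86)": r"C:\Program Files (x86)",
              "ProgramW6432": r"C:\Program Files"}
NATIVE64 = {"PROCESSOR_ARCHITECTURE": "AMD64",
            "ProgramFiles": r"C:\Program Files",
            "ProgramFiles(x86)": r"C:\Program Files (x86)",
            "ProgramW6432": r"C:\Program Files"}
WOW64_VISTA = {"PROCESSOR_ARCHITECTURE": "x86",
               "PROCESSOR_ARCHITEW6432": "AMD64",
               "ProgramFiles": r"C:\Program Files (x86)"}
NATIVE32 = {"PROCESSOR_ARCHITECTURE": "x86",
            "ProgramFiles": r"C:\Program Files"}

if __name__ == "__main__":
    for name, env in [("WOW64_WIN7", WOW64_WIN7), ("NATIVE64", NATIVE64),
                      ("WOW64_VISTA", WOW64_VISTA), ("NATIVE32", NATIVE32)]:
        print(name, describe_process(env), native_program_files(env))
```

Environment variables are inherited from the parent process and can be overridden, so treat the result as a hint; the IsWow64Process API reports the state from the operating system itself.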






Global Hooks
The SetWindowsHookEx function can be used to inject a DLL into another process if the following conditions are met:

A 32-bit DLL can be injected only into a 32-bit process, and a 64-bit DLL can be injected only into a 64-bit process. It is not possible to inject a 32-bit DLL into a 64-bit process or vice versa.
The 32-bit and 64-bit DLLs must have different names.

For more information, see SetWindowsHookEx.

Be aware that the WH_MOUSE, WH_KEYBOARD, WH_JOURNAL*, WH_SHELL, and low-level hooks can be called on
the thread that installed the hook rather than the thread processing the hook. For these hooks, it is possible that both
the 32-bit and 64-bit hooks will be called if a 32-bit hook is ahead of a 64-bit hook in the hook chain. For more
information, see Using Hooks.

Community Additions

In the 32 bits process paragraph, it is said that:



So, in that case, %PROCESSOR_ARCHITEW6432% = x86 ?

In many other sources, PROCESSOR_ARCHITEW6432 should just be "NOT DEFINED" under native 32 bits or native 64 bits or, in other
words, not under WoW.

Who can shed a better light on this?

Yves B_




ProgramFilesW6432 & CommonProgramFilesW6432 not available under Windows XP/2003/Vista/2008

See MSKB article 976039!

Alfred E. Neumann

© 2017 Microsoft