1

I've seen somewhere that the registry structure is different in 32-bit and 64-bit Windows, so you need to use the flag windows_view="32_bit" in the registry object's behaviors tag. But I forgot about it and tested my files with OVALdi on 32-bit Windows and then on 64-bit Windows. In both cases I used a 32-bit app, so on 64-bit systems I checked WOW6432Node instead of just Software. And OVALdi did the scanning just fine. So now I cannot understand this attribute.

DenisNovac

1 Answer

0

I've managed to understand what was wrong in my vision of this tag. OVALdi uses the system architecture by default to read the registry. So it is expected behavior that my configs worked well and I saw no difference between x32 and x64 Windows. You will understand why in a moment.

In 64-bit Windows there are two registries. One for 64-bit keys (regedit.exe) and one for 32-bit keys (%systemroot%\syswow64\regedit.exe or C:\Windows\SysWOW64\regedit.exe for me). WOW6432Node is a mirror of the x32 registry in the x64 registry. So if you add a key in SOFTWARE through the x32 registry, you will see it in the x64 registry in SOFTWARE\WOW6432Node (you may actually add a key in WOW6432Node in the x64 registry and see it in SOFTWARE of the x32 registry afterwards, which is pretty useful, but I do not know if it can actually break your registry somehow).

But what about OVAL and OVALdi?

If you use the behavior windows_view="64_bit" you can read all keys in SOFTWARE (which is 64-bit on Windows x64) and all keys in WOW6432Node, so it is pretty much a universal thing.

If you use the behavior windows_view="32_bit" you can read all 32-bit keys in SOFTWARE (this is pretty much the content of WOW6432Node if you read it in 64-bit regedit). But you CANNOT read x64 keys in this mode. The folder WOW6432Node in the 32-bit registry contains the same 32-bit keys, not 64-bit keys.

And I have a big example of usage here. There are four objects:

<objects>
    <registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="x32 key" id="oval:d.u.ru-registry:obj:2019011" version="1">
        <behaviors windows_view="32_bit"/>
        <hive>HKEY_LOCAL_MACHINE</hive>
        <key>SOFTWARE\X32Application</key>
        <name>DisplayName</name>
    </registry_object>

    <registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="x64 key" id="oval:d.u.ru-registry:obj:2019012" version="1">
        <behaviors windows_view="64_bit"/>
        <hive>HKEY_LOCAL_MACHINE</hive>
        <key>SOFTWARE\X64Application</key>
        <name>DisplayName</name>
    </registry_object>

    <registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="x32 key through x64 view" id="oval:d.u.ru-registry:obj:2019013" version="1">
        <behaviors windows_view="64_bit"/>
        <hive>HKEY_LOCAL_MACHINE</hive>
        <key>SOFTWARE\Wow6432Node\X32Application</key>
        <name>DisplayName</name>
    </registry_object>

    <registry_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="x64 key through x32 view (will not work)" id="oval:d.u.ru-registry:obj:2019014" version="1">
        <behaviors windows_view="32_bit"/>
        <hive>HKEY_LOCAL_MACHINE</hive>
        <key>SOFTWARE\Wow6432Node\X64Application</key>
        <name>DisplayName</name>
    </registry_object>
</objects>

And here is the output of OVALdi:

          <registry_item xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" id="1">
            <hive>HKEY_LOCAL_MACHINE</hive>
            <key>SOFTWARE\X32Application</key>
            <name>DisplayName</name>
            <last_write_time datatype="int">132125660223754243</last_write_time>
            <type>reg_sz</type>
            <value>Application with x32 arch</value>
            <windows_view>32_bit</windows_view>
          </registry_item>

          <registry_item xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" id="2">
            <hive>HKEY_LOCAL_MACHINE</hive>
            <key>SOFTWARE\X64Application</key>
            <name>DisplayName</name>
            <last_write_time datatype="int">132125651956984961</last_write_time>
            <type>reg_sz</type>
            <value>Application with x64 arch</value>
            <windows_view>64_bit</windows_view>
          </registry_item>

          <registry_item xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" id="3">
            <hive>HKEY_LOCAL_MACHINE</hive>
            <key>SOFTWARE\Wow6432Node\X32Application</key>
            <name>DisplayName</name>
            <last_write_time datatype="int">132125660223754243</last_write_time>
            <type>reg_sz</type>
            <value>Application with x32 arch</value>
            <windows_view>64_bit</windows_view>
          </registry_item>

          <registry_item xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows" id="4" status="does not exist">
            <hive>HKEY_LOCAL_MACHINE</hive>
            <key status="does not exist"></key>
            <windows_view>32_bit</windows_view>
          </registry_item>

And for the last. What if I do not use the behaviors tag? There is no need to give additional outputs here. I will only collect the two results with the <windows_view>64_bit</windows_view> tag.

DenisNovac
  • Is windows_view valid for files as well? If yes, are there only 2 cases for windows view: `Program Files (x86)` vs `Program Files` and `%systemroot%\Syswow64` vs `%systemroot%\System32`? Let's say there is one file c:\\someapp.exe, how can one say it's in the 32-bit view or the 64-bit view? – Mayur Nov 12 '20 at 13:29
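
The view resolution described in the answer above, modeled as an added example (not part of the original post and not OVALdi's code). It assumes a constructed 64-bit machine holding only the two application keys from the answer's output, and treats every HKLM\SOFTWARE subkey as redirected, which is a simplification; `physical_key`, `collect` and `PHYSICAL_KEYS` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"}

# Constructed model of the answer's 64-bit machine: keys as stored in the
# 64-bit view, where 32-bit software sits under WOW6432Node.
PHYSICAL_KEYS = {r"software\x64application", r"software\wow6432node\x32application"}

# The answer's four objects, reduced to the fields this model needs.
OBJECTS_XML = r"""<objects xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
<registry_object id="oval:d.u.ru-registry:obj:2019011"><behaviors windows_view="32_bit"/>
  <key>SOFTWARE\X32Application</key></registry_object>
<registry_object id="oval:d.u.ru-registry:obj:2019012"><behaviors windows_view="64_bit"/>
  <key>SOFTWARE\X64Application</key></registry_object>
<registry_object id="oval:d.u.ru-registry:obj:2019013"><behaviors windows_view="64_bit"/>
  <key>SOFTWARE\Wow6432Node\X32Application</key></registry_object>
<registry_object id="oval:d.u.ru-registry:obj:2019014"><behaviors windows_view="32_bit"/>
  <key>SOFTWARE\Wow6432Node\X64Application</key></registry_object>
</objects>"""


def physical_key(key, view):
    """Return the 64-bit-view path that `key` resolves to under `view`."""
    parts = key.lower().split("\\")
    redirected = view == "32_bit" and parts[0] == "software"
    # Assumption: every HKLM SOFTWARE subkey is redirected; real Windows also
    # has shared keys that both views see unchanged.
    if redirected and parts[1:2] != ["wow6432node"]:
        parts.insert(1, "wow6432node")
    return "\\".join(parts)


def collect(xml_text, default_view="64_bit"):
    """Map object id -> (view used, status). default_view models the answer's
    statement that OVALdi falls back to the system architecture."""
    results = {}
    for obj in ET.fromstring(xml_text).findall("w:registry_object", NS):
        behaviors = obj.find("w:behaviors", NS)
        view = default_view if behaviors is None else behaviors.get("windows_view", default_view)
        key = obj.findtext("w:key", namespaces=NS)
        found = physical_key(key, view) in PHYSICAL_KEYS
        results[obj.get("id")] = (view, "exists" if found else "does not exist")
    return results


if __name__ == "__main__":
    for oid, (view, status) in collect(OBJECTS_XML).items():
        print(f"{oid}  view={view}  {status}")
```

Removing the `behaviors` elements from `OBJECTS_XML` and calling `collect` again leaves two objects that resolve, matching the answer's last paragraph.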