2

Windows Internals makes it clear that winlogon.exe, after authenticating with lsass.exe, launches the contents of the UserInit key, which by default is c:\windows\system32\userinit.exe, to set up the environment and then launches whatever is specified in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which by default is explorer.exe. But why is there a WOW64 version of userinit (i.e. c:\windows\syswow64\userinit.exe)? Specifically, the question revolves around the fact that the native binaries for startup, lsass, winlogon and the like are already 64-bit and will use a 64-bit version, so what is the need for a 32-bit version of userinit?

Dan

2 Answers

4

For the same reason there's a SysWOW64 version of almost every other Microsoft binary: compatibility with 32bit applications. Maybe no one will ever use it, but as soon as Microsoft stops distributing the 32bit version of the binary, be it calc.exe or ping.exe or Bubbles.scr, someone, somewhere, using some crappy old 32bit app, will complain.

Ryan Ries
  • I know of 1 example where I've seen this first hand. TrendMicro Antivirus (one of the 10.0 versions) threw a fit if you removed the 32-bit version of either userinit.exe or winlogon.exe. TM thought a rootkit tried to take over the machine. I had a user with a full C: drive that tried to delete the entire folder to make room. That's how we discovered this. – Tonny Apr 26 '13 at 21:49

3

That would be the 32-bit version. Believe it or not, SysWOW64 is where the 32-bit binaries are. WOW64 stands for Windows-on-Windows64, i.e. the 32-bit stuff that can run on top of the real 64-bit system.

C:\windows\system32 is where the 64-bit binaries are, just because that's the age-old path that was always included in everyone's path. I figured this out by trying to force powershell to launch from SysWOW64 instead of System32 and then discovered my 64-bit stuff wouldn't work...

So, in summary:

System32 = 64-bit versions
SysWOW64 = 32-bit versions

Thank Microsoft!

static
  • I'm aware of WOW64, how it's implemented (it's pretty f'n cool at that) and the purpose of the path. My question, which I failed to make sufficiently clear, is that since the startup process should be 100% native/64-bit on logon, what need is there for a 32-bit version of userinit? – Dan Apr 26 '13 at 20:59
  • Cool implementation maybe, but the naming convention is not. Just posting for anyone landing on this question who may not know. – static Apr 30 '13 at 16:59
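
The System32/SysWOW64 mapping given in the second answer can be checked directly by reading the Machine field in each copy's PE header. This is an added example, not part of the original question or answers; the function names and the constructed header bytes are assumptions made for illustration.

```python
import struct
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64 (64-bit)"}


def pe_machine(data: bytes) -> str:
    """Return the architecture named in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")


def constructed_pe(machine: int) -> bytes:
    """Build a minimal constructed header (sample data, not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    return dos.ljust(0x80, b"\0") + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


def check_dirs(name="userinit.exe", root=r"C:\Windows"):
    """Map each system directory that holds `name` to the binary's bitness."""
    results = {}
    for sub in ("System32", "SysWOW64"):
        path = Path(root) / sub / name
        if path.is_file():
            with path.open("rb") as fh:
                results[sub] = pe_machine(fh.read(4096))
    return results


if __name__ == "__main__":
    # On 64-bit Windows, run this from a 64-bit Python: a 32-bit process asking
    # for System32 is redirected to SysWOW64 and would see the 32-bit copy twice.
    found = check_dirs()
    if not found:  # not on Windows: fall back to the constructed samples
        found = {"constructed x64": pe_machine(constructed_pe(0x8664)),
                 "constructed x86": pe_machine(constructed_pe(0x014C))}
    for where, arch in found.items():
        print(f"{where:16} {arch}")
```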