I'm currently writing some test code in C++ that messes around with PE files to understand its file format structure. My project is set to compile to 64 bit. In my code I open %SystemRoot%\system32\calc.exe and read the IMAGE_DOS_HEADER and IMAGE_NT_HEADERS structures. At the same time I have the same calc.exe opened in Notepad++ with the hex editor plugin. I compared the values my code reads with Notepad++ and noticed they were different. I copied calc.exe from System32 to C:\Temp\calc.exe, and now the values match.
Notepad++ seems to be a 32 bit application (haven't checked the PE file, but since it's installed to Program Files (x86) by default, it seems to be a safe assumption to make).
Is this WinSxS at work? Or what else is causing this? And which file is actually fed to 32-bit applications opening %SystemRoot%\system32\calc.exe?
Just curious. Thanks in advance for any light shed on this.
Yes, this is the WOW redirector. You'll see that there is a calc.exe in C:\Windows\SysWOW64 as well. That's the file that is opened when you use the %SystemRoot%\System32\calc.exe path.
This can be temporarily disabled to access the 64-bit version of the file with Wow64DisableWow64FsRedirection
More details can be found at File System Redirector