NanoToolkit Blog


Why 64-bit regsvr32 Works on a 32-bit DLL

If you have ever had the distinct pleasure of working with Windows COM objects, then you know that at some point you have to register your COM object(s) using the regsvr32.exe tool, which has shipped with Windows since the Windows NT days. The real question we will examine is why invoking a 32-bit regsvr32.exe process on a 64-bit DLL still works, and why running 64-bit regsvr32.exe on a 32-bit DLL works as well.

If you recall, Windows x64 computing has been around since Windows XP x64. Since then there has been a pretty simple rule: 32-bit processes can only load 32-bit DLLs, and 64-bit processes can only load 64-bit DLLs. It is therefore confusing to see the 64-bit regsvr32.exe located in the C:\Windows\system32 folder run against a 32-bit DLL and register it. Please refer to Figure 1 for how to run regsvr32.

Before coming to any conclusions, the first rule of thumb is to monitor regsvr32.exe with Sysinternals Process Monitor. As you can see in Figure 2, Process Monitor shows very clearly what actually happens. The 64-bit regsvr32 process opens (reads) the 32-bit DLL file and checks for some magic bytes. Having checked the magic bytes, the system figures out that the DLL is a 32-bit image. Once the system has determined that the 32-bit regsvr32.exe is needed, a new regsvr32.exe is launched; this time, however, regsvr32 is located under C:\Windows\SysWOW64, which means that this regsvr32.exe is a 32-bit executable. Note that no LoadImage operation on the target DLL occurs in the 64-bit regsvr32.exe; the LoadImage operation on the target DLL occurs only when it is invoked with the 32-bit regsvr32.exe.

The file magic bytes are sometimes more formally referred to as file headers. You can see this blog post explaining in much detail what the file headers consist of. Also see the Q&A on the easiest way to determine whether a DLL is 64-bit or 32-bit.
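The header check described above can be reproduced offline without loading the DLL. The following is an added example, not code from the original post and not regsvr32's own logic: it reads the Machine field and optional-header magic at the offsets defined by the PE/COFF format and reports which regsvr32.exe the article says ends up loading the file. The function names are illustrative, and `build_sample` produces constructed header-only bytes rather than a real DLL.

```python
import struct

# COFF Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
# Optional-header magic values: PE32 (32-bit) vs PE32+ (64-bit).
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_bitness(data: bytes) -> dict:
    """Classify a PE image from its headers only; nothing is loaded or executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE signature")
    # The COFF file header follows the signature; Machine is its first field.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    # The optional header starts after the 20-byte COFF header; Magic comes first.
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINES.get(machine, f"unknown (0x{machine:04x})"),
        "format": OPT_MAGIC.get(magic, f"unknown (0x{magic:04x})"),
        "is_32bit": machine == 0x014C,
    }


def regsvr32_for(data: bytes) -> str:
    """Path of the regsvr32.exe that, per the article, ends up loading the DLL."""
    folder = "SysWOW64" if pe_bitness(data)["is_32bit"] else "System32"
    return "C:\\Windows\\" + folder + "\\regsvr32.exe"


def build_sample(machine: int, magic: int) -> bytes:
    """Constructed sample: just enough header bytes to classify, not a loadable DLL."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    for name, sample in (("32-bit", build_sample(0x014C, 0x10B)),
                         ("64-bit", build_sample(0x8664, 0x20B))):
        print(name, pe_bitness(sample), regsvr32_for(sample))
```

To classify a real file, pass the first few kilobytes read in binary mode to `pe_bitness`.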

 

Figure 1: how to use 64-bit regsvr32.exe to register a 32-bit DLL.

Running a 64-bit regsvr32 against a 32-bit DLL.

Figure 2: Process Monitor log showing how 64-bit regsvr32 invokes the 32-bit regsvr32.

Sysinternals Process Monitor showing events associated with 64-bit regsvr32.exe

 

Figure 3: Flow Chart showing regsvr32.exe Binary Load Decision Tree.

Flowchart showing decision-tree of a 64-bit regsvr32.exe into a 32-bit regsvr32.exe