Open-AudIT
http://www.open-audit.org/phpBB3/

Problem with RemCom in a 64-bit Windows environment
http://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=4438

Author:  smorloc [ Fri Feb 25, 2011 12:46 pm ]
Post subject:  Problem with RemCom in a 64-bit Windows environment

Because of an assumption built into the WinAPI for registering services, the RemCom service (RemComSvc) may not be able to run on a 64-bit machine, so audit.exe / audit.pl will not be able to audit the target 64-bit Windows machine.

The problem manifests itself with the following messages when audit.exe tries to audit a W64 machine:

Quote:
Couldn't start remote service
The system cannot find the file specified.

The issue is documented in several places on the net. Basically, when the service is registered, Windows adds a WOW64 flag to the service definition in the target machine's registry. This flag tells Windows to look for the service binary. Here is a discussion by another person that encountered this behavior:

http://social.msdn.microsoft.com/forums ... 948de8cf19

Possible solutions are:
  • Modify RemCom to delete the WOW64 key before starting the service. Unfortunately this approach would require the Remote Registry service to be running, which is not the case on most systems.
  • Create a 64-bit version of RemCom. Have the 32-bit version of RemCom check the architecture and have it invoke the 64-bit version when appropriate.
  • Create a 64-bit version of RemCom. Modify audit.pl/audit.exe to invoke the 32- or 64-bit RemCom when appropriate.

My approach was the last one. I didn't want to modify RemCom since it hasn't been changed since 2006. Building a 64-bit binary from the source was easy enough.

Modifying audit.pl & creating a new audit.exe was a bit of a pain since it required additional ActiveState tools that I didn't have immediate access to.

If anyone else has an alternative means of working around this issue, please pass it along!

Regards,
Steve
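
The failure described in the post above can be modelled offline; this is an added example, not part of the original post and not Open-AudIT or RemCom code. It assumes the WOW64 flag makes the service manager read `System32` in the service's ImagePath as `SysWOW64`, and that the binary was copied into the real `System32`; the service entries, file list and function names are constructed for illustration.

```python
import re

SYSTEM_ROOT = r"C:\Windows"  # assumption: default Windows install location

def binary_from_image_path(image_path, system_root=SYSTEM_ROOT):
    """Extract the executable from an ImagePath value and make it absolute."""
    p = image_path.strip()
    if p.startswith('"'):                      # quoted path, arguments may follow
        p = p[1:].split('"', 1)[0]
    else:                                      # unquoted: cut after ".exe"
        m = re.match(r"(?i)(.+?\.exe)(\s|$)", p)
        p = m.group(1) if m else p
    # Expand the two SystemRoot spellings commonly seen in ImagePath values.
    p = re.sub(r"(?i)^(%SystemRoot%|\\SystemRoot)(?=\\)", lambda _: system_root, p)
    if re.match(r"(?i)^system32\\", p):        # relative form used by some services
        p = system_root + "\\" + p
    return p

def scm_lookup_path(image_path, wow64, system_root=SYSTEM_ROOT):
    """Path assumed to be opened at service start: System32 becomes SysWOW64
    when the service definition carries the WOW64 flag."""
    p = binary_from_image_path(image_path, system_root)
    sys32 = (system_root + "\\System32\\").lower()
    if wow64 and p.lower().startswith(sys32):
        p = system_root + "\\SysWOW64\\" + p[len(sys32):]
    return p

def find_broken(services, files_on_disk):
    """Return (name, looked_up_path) for services whose binary is missing
    from the location the service manager is assumed to check."""
    present = {f.lower() for f in files_on_disk}
    return [(name, scm_lookup_path(img, wow64))
            for name, img, wow64 in services
            if scm_lookup_path(img, wow64).lower() not in present]

# Constructed sample data: (service name, ImagePath, WOW64 flag present?)
SERVICES = [
    ("RemComSvc", r"%SystemRoot%\System32\RemComSvc.exe", True),
    ("Spooler", r"%SystemRoot%\System32\spoolsv.exe", False),
    ("LegacyAgent", r'"C:\Windows\System32\agent32.exe" -svc', True),
]
# Constructed list of files that exist on the 64-bit target.
FILES = [r"C:\Windows\System32\RemComSvc.exe",
         r"C:\Windows\System32\spoolsv.exe",
         r"C:\Windows\SysWOW64\agent32.exe"]

if __name__ == "__main__":
    for name, path in find_broken(SERVICES, FILES):
        print(f"{name}: service start looks for {path}, which does not exist")
```

Only the flagged service whose binary sits in the real `System32` is reported, which matches the "cannot find the file specified" error quoted in the post.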

All times are UTC + 10 hours