Not sure if this has been raised in the past, but it seems the image path of the service inspector gets a bit mixed up if the path uses an environment variable that is subject to WOW64 redirection, e.g.
The actual service path is "C:\Program Files\Windows Defender\MsMpEng.exe", but it's being referenced in the registry as "%ProgramFiles%\Windows Defender\MsMpEng.exe", so I suspect that %ProgramFiles% is being subject to WOW64 redirection, giving the wrong path.
Q: values of variables “PROGRAMFILES” of environments
A: C:\Program Files (x86)
Q: values of x64 variables “PROGRAMFILES” of environments
A: C:\Program Files
This is seen on Win10 endpoints running the 9.5 patch 4 client. We don't run 9.5 patch 5 to test if it's still the case in patch 5.
This is an issue, but the code never was changed to handle the possible difference. The expansion can give an issue like you mention, but it's hard to know which path to use.
Have you tried the following:
pathnames of files of services "windefend"
Recent clients (I think 9.5 or greater) will try both WOW64 elements to find the file.
I haven’t tried that, but ideally something like this would work as well, but does not:
(x64 files of it; files of it) of services
There isn't an equivalent of a generic "disable WOW redirection" for an entire relevance statement like there is for ActionScript. The closest is commands that have specific 64-bit versions, like regset64 and x64 file and x64 folder, which seem to do the equivalent of disabling redirection, but only within the context of themselves.
This seems to be why image paths of services returns a string with the wrong expansion and why the files of services can’t find the file in cases where the wrong expansion is used.
I do like the idea of the inspector trying one way and then trying the other if it can’t find the file, but it seems like there should also be a way to be more explicit about it.
I thought to take it directly to the registry, but I'm getting odd results for 'expand x64 environment string', in that it doesn't seem to be expanding at all:
q: (values "ImagePath" of keys (("HKLM\System\CurrentControlSet\Services\" & it) of service names of services ("WinDefend")) of native registry as string)
A: "%25ProgramFiles%25\Windows Defender\MsMpEng.exe"%00
T: 0.222 ms
I: plural string
q: expand environment strings of (values "ImagePath" of keys (("HKLM\System\CurrentControlSet\Services\" & it) of service names of services ("WinDefend")) of native registry as string)
A: "C:\Program Files (x86)\Windows Defender\MsMpEng.exe"
T: 0.231 ms
I: plural string
q: expand x64 environment strings of (values "ImagePath" of keys (("HKLM\System\CurrentControlSet\Services\" & it) of service names of services ("WinDefend")) of native registry as string)
A: "%25ProgramFiles%25\Windows Defender\MsMpEng.exe"%00
T: 65.719 ms
I: plural string
edit: I get this result in the fixlet debugger in 9.5.1 and 9.5.3, but expand x64 environment string seems to work better (but still not completely correct) in 9.5.5.193: it expands the environment value, but still leaves the trailing NULL
q: expand x64 environment strings of (values "ImagePath" of keys (("HKLM\System\CurrentControlSet\Services\" & it) of service names of services ("WInDefend")) of native registry as string)
A: "C:\Program Files\Windows Defender\MsMpEng.exe"%00
T: 0.247 ms
I: plural string
q: expand environment strings of (values "ImagePath" of keys (("HKLM\System\CurrentControlSet\Services\" & it) of service names of services ("WInDefend")) of native registry as string)
A: "C:\Program Files (x86)\Windows Defender\MsMpEng.exe"
T: 65.347 ms
I: plural string
q: version of client
A: 9.5.5.193
T: 0.319 ms
I: singular version
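To make the two failure modes in this thread concrete (the wrong %ProgramFiles% expansion under WOW64 and the trailing NUL surviving as "%00"), here is an added Python example that is not part of the thread or of BigFix. It models a REG_EXPAND_SZ ImagePath value and expands it under a constructed native (x64) and a constructed WOW64 environment view, returning both candidate paths so a checker can try each, as the client reply above says recent clients do.

```python
# Added example (not from the thread): model how a REG_EXPAND_SZ service
# ImagePath expands differently for a 32-bit (WOW64) reader versus a native
# 64-bit reader, and strip the NUL terminator the debugger output shows as %00.
import re

# Constructed sample: raw REG_EXPAND_SZ bytes of a WinDefend-style ImagePath
# (UTF-16LE, NUL-terminated), as a registry read would return them.
RAW_IMAGEPATH = "%ProgramFiles%\\Windows Defender\\MsMpEng.exe\0".encode("utf-16-le")

# Constructed environment views; the values are assumptions that match the
# Q/A output quoted in the thread, not values read from a real machine.
ENV_WOW64 = {"ProgramFiles": r"C:\Program Files (x86)", "SystemRoot": r"C:\Windows"}
ENV_X64 = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\Windows"}


def decode_reg_expand_sz(raw: bytes) -> str:
    """Decode a REG_EXPAND_SZ buffer and drop the trailing NUL terminator(s)."""
    return raw.decode("utf-16-le").rstrip("\0")


def expand_env(value: str, env: dict) -> str:
    """Expand %VAR% tokens case-insensitively; unknown tokens are left as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def candidate_paths(raw: bytes) -> list:
    """Return the distinct expansions, native (x64) view first, so a path
    check can try both instead of trusting the WOW64-redirected result."""
    unexpanded = decode_reg_expand_sz(raw)
    candidates = []
    for env in (ENV_X64, ENV_WOW64):
        path = expand_env(unexpanded, env)
        if path not in candidates:
            candidates.append(path)
    return candidates


if __name__ == "__main__":
    print("raw (NUL stripped):", repr(decode_reg_expand_sz(RAW_IMAGEPATH)))
    for p in candidate_paths(RAW_IMAGEPATH):
        print("candidate:", p)
```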