Registry policy that sets up registry permissions under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node does not work

Symptoms

On a computer that is running one of the following 64-bit operating systems:
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
you attemp to directly configure any registry permissions under the location HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node through group policies. You find that the group policy settings do not work.

Note: You can configure the registry permission permission under one of the location:
  • Computer Configuration\Policies\Windows Settings\Security Settings\Registry
  • Computer Configuration\Preferences\Windows Settings\Registry



Cause

Registry permission policy application is handled by client side security policy extension. On 64-bit platforms, for each registry path defined in the security policy, the extension first uses the 64-bit routine. It directly searches for the target key under the default Software key. E.g., if you set up registry permissions for HKLM\Software\Contoso in the policy, the extension will first set the permissions on HKLM\Software\Contoso as expected. Then, the extension starts over again, but uses the 32-bit routine: It searches for “Contoso” under the virtualized 32-bit registry node (HKLM\Software\Wow6432), that is, HKLM\Software\Wow6432\Contoso. If the key exists, it sets the permissions.

Therefore, if you directly set permissions HKLM\SOFTWARE\Wow6432Node in security policy, the extension will try to find the HKLM\Software\Wow6432 registry which obviously does not exist. Then, permissions are not correctly set on the right key.


Resolution

Directly use the normal registry path in Computer Configuration\Windows Settings\Security Settings\Registry; the client extension will automatically handle the virtualized 32-bit key node under Wow6432Node on x64 platforms.
Properties

Article ID: 2565916 - Last Review: Oct 25, 2011 - Revision: 1

Feedback