Registry policy that sets up registry permissions under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node does not work

On a computer that is running one of the following 64-bit operating systems:
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
you attemp to directly configure any registry permissions under the location HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node through group policies. You find that the group policy settings do not work.

Note: You can configure the registry permission permission under one of the location:
  • Computer Configuration\Policies\Windows Settings\Security Settings\Registry
  • Computer Configuration\Preferences\Windows Settings\Registry

Registry permission policy application is handled by client side security policy extension. On 64-bit platforms, for each registry path defined in the security policy, the extension first uses the 64-bit routine. It directly searches for the target key under the default Software key. E.g., if you set up registry permissions for HKLM\Software\Contoso in the policy, the extension will first set the permissions on HKLM\Software\Contoso as expected. Then, the extension starts over again, but uses the 32-bit routine: It searches for “Contoso” under the virtualized 32-bit registry node (HKLM\Software\Wow6432), that is, HKLM\Software\Wow6432\Contoso. If the key exists, it sets the permissions.

Therefore, if you directly set permissions HKLM\SOFTWARE\Wow6432Node in security policy, the extension will try to find the HKLM\Software\Wow6432 registry which obviously does not exist. Then, permissions are not correctly set on the right key.

Directly use the normal registry path in Computer Configuration\Windows Settings\Security Settings\Registry; the client extension will automatically handle the virtualized 32-bit key node under Wow6432Node on x64 platforms.
registry permission policy Wow6432Node
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2565916 - Last Review: 10/25/2011 13:01:00 - Revision: 2.0

Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Microsoft Windows Server 2003 R2 Datacenter x64 Edition

  • KB2565916