Registry policy that sets up registry permissions under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node does not work
On a computer that is running one of the following 64-bit operating systems:
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
Note: You can configure the registry permission permission under one of the location:
- Computer Configuration\Policies\Windows Settings\Security Settings\Registry
- Computer Configuration\Preferences\Windows Settings\Registry
Registry permission policy application is handled by client side security policy extension. On 64-bit platforms, for each registry path defined in the security policy, the extension first uses the 64-bit routine. It directly searches for the target key under the default Software key. E.g., if you set up registry permissions for HKLM\Software\Contoso in the policy, the extension will first set the permissions on HKLM\Software\Contoso as expected. Then, the extension starts over again, but uses the 32-bit routine: It searches for “Contoso” under the virtualized 32-bit registry node (HKLM\Software\Wow6432), that is, HKLM\Software\Wow6432\Contoso. If the key exists, it sets the permissions.
Therefore, if you directly set permissions HKLM\SOFTWARE\Wow6432Node in security policy, the extension will try to find the HKLM\Software\Wow6432 registry which obviously does not exist. Then, permissions are not correctly set on the right key.
Directly use the normal registry path in Computer Configuration\Windows Settings\Security Settings\Registry; the client extension will automatically handle the virtualized 32-bit key node under Wow6432Node on x64 platforms.
registry permission policy Wow6432Node
Article ID: 2565916 - Last Review: 10/25/2011 13:01:00 - Revision: 2.0
Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Microsoft Windows Server 2003 R2 Datacenter x64 Edition