1 Reply Latest reply on Aug 24, 2015 1:59 PM by jbmartin6

    FASL read registry outside WOW6432Node?

    jbmartin6

      How do I get a FASL check to read outside Wow6432Node?  For instance, if I want to check for "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{e1c810aa-f7cc-4aaf-ada1-181863075f9b}" the following FASL still looks in Wow6432Node and returns VULNERABLE:

       

      var rmtReg = new RemoteRegistry();
      rmtReg.connect();
      var EMETKey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{e1c810aa-f7cc-4aaf-ada1-181863075f9b}";

       

       

      Easy to confirm: just manually add the same key to WOW6432Node and FASL returns NOTVULNERABLE. I understand that the scanner is a 32-bit process, but I don't see why that would return the WOW6432 value when using Remote Registry.
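An independent cross-check outside FASL, as an added example that is not part of the original post or of the scanner's own code: this PowerShell function opens the remote HKLM hive once with the 64-bit view and once with the 32-bit view and reports whether the key from the post exists in each, so the result can be compared with what the FASL check returns. It assumes .NET 4 or later (PowerShell 3+), a running Remote Registry service and admin rights on the target; `Test-RegistryKeyInViews` and `TARGET-HOST` are hypothetical names.

```powershell
# Added example, not from the original post. The function name and host name
# are hypothetical; the key path is the one quoted in the post.
function Test-RegistryKeyInViews {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $SubKey
    )
    $hive  = [Microsoft.Win32.RegistryHive]::LocalMachine
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32

    foreach ($view in $views) {
        $base = $null
        $key  = $null
        $row  = [ordered]@{ Computer = $ComputerName; View = $view; Present = $null; Error = $null }
        try {
            # The explicit view overrides the default a 32-bit caller would get.
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName, $view)
            $key  = $base.OpenSubKey($SubKey)      # $null when the key is absent in this view
            $row.Present = ($null -ne $key)
        } catch {
            # Connection or permission failure: report it instead of a false "absent".
            $row.Error = $_.Exception.Message
        } finally {
            if ($key)  { $key.Dispose() }
            if ($base) { $base.Dispose() }
        }
        [pscustomobject]$row
    }
}

$emetKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{e1c810aa-f7cc-4aaf-ada1-181863075f9b}'
Test-RegistryKeyInViews -ComputerName 'TARGET-HOST' -SubKey $emetKey | Format-Table -AutoSize
```

A row with `Present` true for Registry64 and false for Registry32 matches the behaviour described in the post: the key exists in the native view while a 32-bit reader is looking under Wow6432Node.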