Question

I'm working on a program that collects some statistics about the processes running on the system.

I've got code that retrieves some routine information, such as the executable file version, publisher and so on.

The code works fine for me until I open lsass.exe. When I try to open the file for reading, CreateFile fails with the error ERROR_FILE_NOT_FOUND.

Here is the code:

auto FileHandle 
    = CreateFile(file_to_process.c_str(), // C:\Windows\System32\lsass.exe
                 GENERIC_READ, 
                 FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE, 
                 NULL, 
                 OPEN_EXISTING, 
                 FILE_ATTRIBUTE_NORMAL, 
                 NULL);

if ( INVALID_HANDLE_VALUE == FileHandle )
{
    int err_v = GetLastError(); // ERROR_FILE_NOT_FOUND
}

This code is part of a system service, which runs with 'SYSTEM' privileges.


Solution

You are probably running afoul of the File System Redirector. 32-bit processes that try to open files in c:\windows\system32 are redirected to c:\windows\syswow64. This is an appcompat feature that gives 32-bit programs a fighting chance to survive on a 64-bit operating system. Lsass.exe is indeed special: there is no 32-bit version of that EXE available on a 64-bit machine.

Possible workarounds are:

  • building your program to x64 so you'll run as a 64-bit process and don't get redirected
  • opening c:\windows\sysnative\lsass.exe instead
  • using Wow64DisableWow64FsRedirection() to disable the redirector. While an obvious solution, beware that it is dangerous, since your program might inadvertently load a 64-bit DLL and bomb, which is the reason the redirector is needed.
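
The Sysnative workaround from the answer above, as an added example that is not part of the original answer: a 32-bit (WOW64) caller rewrites a System32 path to the Sysnative alias before calling CreateFile, and a 64-bit caller, which cannot see Sysnative, keeps the path unchanged. The function names are hypothetical; the path rewrite is portable C++, and the part that calls the Windows API is compiled only under _WIN32.

```cpp
// Added example: hypothetical helper names, not code from the original post.
#include <algorithm>
#include <cctype>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Case-insensitive prefix test (Windows paths are case-insensitive).
static bool istarts_with(const std::string& s, const std::string& prefix) {
    return s.size() >= prefix.size() &&
           std::equal(prefix.begin(), prefix.end(), s.begin(), [](char a, char b) {
               return std::tolower((unsigned char)a) == std::tolower((unsigned char)b);
           });
}

// Rewrite <windir>\System32\... to <windir>\Sysnative\... for a WOW64 caller.
// Sysnative exists only for 32-bit processes on 64-bit Windows, so any other
// caller gets the path back unchanged.
std::string native_system_path(const std::string& path,
                               const std::string& windir, bool is_wow64) {
    if (!is_wow64) return path;
    const std::string sys32 = windir + "\\System32";
    if (!istarts_with(path, sys32)) return path;
    // Require a path-component boundary so "System32Backup" is left alone.
    if (path.size() > sys32.size() && path[sys32.size()] != '\\') return path;
    return path.substr(0, windir.size()) + "\\Sysnative" + path.substr(sys32.size());
}

#ifdef _WIN32
// True when this is a 32-bit process running on 64-bit Windows.
bool running_under_wow64() {
    BOOL wow64 = FALSE;
    return IsWow64Process(GetCurrentProcess(), &wow64) && wow64;
}

// Open a system file for reading with the same flags as the question's call.
HANDLE open_system_file_for_read(const std::string& path) {
    char windir[MAX_PATH];
    UINT n = GetWindowsDirectoryA(windir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return INVALID_HANDLE_VALUE;
    const std::string p = native_system_path(path, windir, running_under_wow64());
    return CreateFileA(p.c_str(), GENERIC_READ,
                       FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
}
#endif
```
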
Licensed under: CC-BY-SA with attribution