Deutsch | English

The WOW-Effect


A paper about how Microsoft's WOW64 technology unintentionally fools IT-Security analysts.

Download Paper

Download Slides

Publication Date

November, 30th 2011


Christian Wojner




You can download the full document in pdf format here.

Presentation Slides

You can download the latest presentation slides (Deepsec 2012) in pdf format here.

Presentation Video

As soon as the recordings of our presentation at Deepsec 2012 (Thanks to the Deepsec folks!) are available you will find an according link here.


The 64-bit version of Microsoft Windows includes file-system virtualization features to run 32-bit programs. File access is transparently redirected to other directories in certain cases.

This feature can easily fool an analyst looking at a running system and can have a massive impact on infection-driven forensics, malware analysis and comparable investigations.

In the worst case this can lead to an entirely wrong interpretation of a case/situation.

While this issue is not entirely new, it is necessary to raise the IT-Security community's awareness, as some of the common tools and procedures in use need to be adapted in the presence of the files system redirector.

Phone: +43 1 5056416 78
more ...
Sextortion Spam Scientifically Scrutinized
2019/08/06 | Sextortion ...
Topinambour & Windows event logs
2019/07/16 | TL;DR: ...
more ...
Last Change: 2013/7/17 - 17:00:10
Haftungsausschluss / Data Protection & Privacy Policy