Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Endpoint Management Community Blog

Managed Software Delivery Detection Rules and Registry Redirection

Created: 23 Nov 2010 • Updated: 23 Nov 2010
MikeWoodd's picture
+2 2 Votes
Login to vote

This blog relates to deployment of software via Altiris Notification Server 7, using Managed Software Delivery policies, to any Windows 64-bit editions. It applies when the package is a piece of 64-bit software, and you are trying to use a Registry detection rule (e.g. the software installer is not Windows Installer software and you need to use some other detection rule type). 

If you try to use a Registry detection rule to detect a registry key under "HKEY_LOCAL_MACHINE\SOFTWARE", the compliance check/software detection may fail and the software may be unnecessarily reinstalled by the Symantec Management Agent. 

The reason for this could be that the Symantec Management Agent (which does the actual detection) is 32-bit software running under Wow64 (32-bit emulation mode) on the Windows 64-bit host. 

The Symantec Management Agent will be seeing the "HKEY_LOCAL_MACHINE\SOFTWARE" registry entries that are actually located under "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node" - this latter location is presented to 32-bit processes as the former location by 64-bit Windows. In effect, Registry Redirection is blocking the 32-bit Symantec Management Agent from seeing a big chunk of the 64-bit registry.

You can try to work around this by looking for a key that is located in a "Shared" registry location. The shared registry locations are documented on MSDN under "Registry Keys Affected by WOW64" at http://msdn.microsoft.com/en-us/library/aa384253(v=VS.85).aspx. Granted, you could also use a File type detection check.

An example of all this is the 64-bit version of the CutePDF Writer. 

The installation of CutePDF Writer on a 64-bit host creates an Uninstall registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CutePDF Writer Installation"

But the 32-bit Symantec Management Agent cannot see that registry key - it is only able to see, in effect,  "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" which does not have the CutePDF Writer Installation sub-key.

A workaround is to use "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\CutePDF Writer", which is visible to both the 32-bit Symantec Management Agent and the 64-bit CutePDF Writer printer. This is because "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print" is a "Shared" registry location for 32-bit and 64-bit processes.