Windows Compatibility Layer Cake

Trace a 2003 32-bit installer from double-click to syscall through WOW64, the shim engine, and the 64-bit NT kernel.

Layers:

- setup.exe (32-bit PE, 2003)
- Shim engine + AcGenral.dll
- kernel32.dll / user32.dll (32-bit)
- ntdll.dll (32-bit) + IAT thunks
- wow64.dll / wow64cpu.dll / wow64win.dll
- NT kernel (64-bit) + ntdll.dll (64-bit)
- x86_64 CPU (long mode: 32-bit compat + 64-bit)

Step 1 / 8: Double-click setup.exe

You double-click a 2003-era installer. The shell reads the PE header, sees a Windows GUI 32-bit executable, and asks the kernel to create a process for it.
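The header check in this step can be reproduced offline. The following is an added example, not code from the lab or from Windows: it reads the same PE fields (Machine, optional-header magic, Subsystem) that identify an image as a 32-bit Windows GUI executable. The function names and the header-only sample image are constructed for illustration.

```python
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}

def classify_pe(data: bytes) -> dict:
    """Return machine, optional-header format and subsystem of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need: signature (4) + COFF header (20) + optional header up to Subsystem (70)
    if e_lfanew + 4 + 20 + 70 > len(data):
        raise ValueError("truncated or malformed PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 70:
        raise ValueError("optional header too small to hold Subsystem")
    opt = e_lfanew + 24                      # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": MAGICS.get(magic, hex(magic)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_32bit_x86": machine == 0x014C and magic == 0x10B,
    }

def build_sample(machine: int, magic: int, subsystem: int) -> bytes:
    """Constructed header-only image (no sections); enough for classify_pe."""
    e_lfanew, opt_size = 0x80, 0xE0
    buf = bytearray(e_lfanew + 24 + opt_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, machine, 0, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    struct.pack_into("<H", buf, e_lfanew + 24 + 68, subsystem)
    return bytes(buf)

if __name__ == "__main__":
    print(classify_pe(build_sample(0x014C, 0x10B, 2)))
```

The bounds checks matter when this runs over untrusted files: `e_lfanew` is attacker-controlled and must be validated before any offset derived from it is read.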
