dissect.target

System users profile path only checks system32 not syswow64

Open lhaagsma opened this issue 10 months ago • 2 comments

For system users (i.e. systemprofile), their files are stored not in /users/ but in: sysvol\Windows\*system32*\config\systemprofile.

However, these system users also seem to exist in: /sysvol/Windows/*SysWOW64*/config/systemprofile/.

I have encountered that some files would not be collected by, for example, acquire or target-query, as the system users are only collected for the system32 and not the syswow64 path.

For example the following file is not acquired as a result of this: /sysvol/Windows/SysWOW64/config/systemprofile/AppData/Roaming/AnyDesk/ad.trace

The home path variable from target-query -f users for the systemprofile user was in this case: home='%systemroot%\system32\config\systemprofile'>

And this might be where the issue lies: both system32 and syswow64 need to be checked for files for these kinds of users.

lhaagsma, Feb 27 '25 09:02

I vaguely remember ARM Windows installations to have something similar, but named slightly differently. We should check for that too.

Schamper, Mar 18 '25 10:03

Documentation suggests no such folder for ARM: https://learn.microsoft.com/en-us/windows/arm/arm64x-pe

lhaagsma, Mar 19 '25 07:03
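
One way to implement the check proposed in the issue, as an added example in standalone Python (not dissect.target code): expand a reported system-profile home into both its system32 and SysWOW64 locations and collect files from whichever exist. The function names, the `Windows` default for `%systemroot%` and the constructed directory tree are assumptions made for illustration.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

SYSTEM_DIRS = ("system32", "syswow64")  # assumption: the two locations named in the issue


def candidate_homes(home: str, systemroot: str = "Windows") -> list[list[str]]:
    """Expand a reported home into lowercase path parts for system32 and SysWOW64."""
    parts = home.lower().replace("%systemroot%", systemroot.lower()).split("\\")
    for idx, part in enumerate(parts):
        if part in SYSTEM_DIRS:
            return [parts[:idx] + [alt] + parts[idx + 1:] for alt in SYSTEM_DIRS]
    return [parts]  # ordinary user profile: nothing to expand


def resolve_ci(root: Path, parts: list[str]) -> Path | None:
    """Walk lowercase parts under root, matching directory names case-insensitively."""
    cur = root
    for part in parts:
        children = cur.iterdir() if cur.is_dir() else ()
        cur = next((c for c in children if c.name.lower() == part), None)
        if cur is None:
            return None
    return cur


def profile_files(sysvol: Path, homes: list[list[str]]) -> list[str]:
    """List files below every home that exists, relative to sysvol."""
    found = []
    for parts in homes:
        home = resolve_ci(sysvol, parts)
        if home is not None:
            found += [f.relative_to(sysvol).as_posix() for f in home.rglob("*") if f.is_file()]
    return sorted(found)


def demo() -> tuple[list[str], list[str]]:
    """Constructed tree: collect from the reported home only, then from both candidates."""
    reported = "%systemroot%\\system32\\config\\systemprofile"
    with tempfile.TemporaryDirectory() as tmp:
        sysvol = Path(tmp)
        (sysvol / "Windows/System32/config/systemprofile").mkdir(parents=True)
        trace = sysvol / "Windows/SysWOW64/config/systemprofile/AppData/Roaming/AnyDesk/ad.trace"
        trace.parent.mkdir(parents=True)
        trace.write_text("constructed sample\n")
        both = candidate_homes(reported)
        return profile_files(sysvol, both[:1]), profile_files(sysvol, both)
```

`demo()` returns the files found from the reported home alone and from both candidate homes, so the gap described in the issue is visible as the difference between the two lists.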