KB43849 - Configuring lock down exception rules for applications running in the system32 directory for 64-bit Windows operating systems

Information

 
Last Modified Date: 8/3/2018 9:25 PM
Synopsis
This article explains how to configure lock down exception rules for applications running in the system32 directory on 64-bit Windows operating systems.
Problem or Goal
Some lock down exception rules may not work on a 64-bit operating system even though they work on a 32-bit operating system. In debuglog.log, the following error message may appear:
SYSTEM PulseSecureService.exe ConnectionManager p1552 t63C ConnectionManagerService.cpp:2300 - 
Error while applying Lockdown exception [XXXX]. Error: [FwpmGetAppIdFromFileName0 = 0x00000002]

WFP error code 2 means the filter condition does not exist.
Cause
Solution
Because the Pulse Secure Service is a 32-bit application, separate lock down exception rules are needed for any application located in the system32 directory if both 32-bit and 64-bit operating systems are supported in the environment.

In a 64-bit operating system, the system32 directory is intended for 64-bit binary files. If a 32-bit application attempts to read from the system32 directory, Windows automatically redirects the application to the SysWOW64 directory. If the application does not exist in the SysWOW64 directory, the error message above occurs because the path does not exist. If a 32-bit application needs to read from the 64-bit system32 directory, it must use SysNative instead of system32. SysNative is a virtual directory used to access the 64-bit system32 folder from a 32-bit application.

An example program path would be the following:
  • 32-bit: %windir%\system32\spoolsv.exe
  • 64-bit: %windir%\SysNative\spoolsv.exe
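
The redirection described above can be modelled to check exception rule paths before they are deployed. The following Python sketch is an added example, not Pulse Secure code; the file set, the WINDIR value and the function names are constructed for illustration, and the model ignores the system32 subdirectories that Windows exempts from redirection.

```python
import ntpath
import re

WINDIR = r"c:\windows"  # assumed value of %windir% on the sample host

# Constructed sample: files present on a hypothetical 64-bit Windows host.
FILES_ON_HOST = {
    r"c:\windows\system32\spoolsv.exe",   # 64-bit binary only
    r"c:\windows\system32\notepad.exe",   # 64-bit binary ...
    r"c:\windows\syswow64\notepad.exe",   # ... with a 32-bit copy
}

def resolve_as_32bit(rule_path):
    """Path a 32-bit process actually reaches on 64-bit Windows."""
    p = ntpath.normpath(rule_path.lower().replace("%windir%", WINDIR))
    sys32 = WINDIR + "\\system32\\"
    native = WINDIR + "\\sysnative\\"
    if p.startswith(sys32):        # redirected to the 32-bit directory
        return WINDIR + "\\syswow64\\" + p[len(sys32):]
    if p.startswith(native):       # virtual alias for the real system32
        return sys32 + p[len(native):]
    return p

def audit(rule_paths, files):
    """Return {rule: (resolved_path, exists, suggested_rule_or_None)}."""
    report = {}
    for rule in rule_paths:
        target = resolve_as_32bit(rule)
        exists = target in files
        suggestion = None
        if not exists:
            # Try the SysNative form the article recommends for 64-bit hosts.
            candidate = re.sub(r"(?i)\\system32\\", lambda m: "\\SysNative\\",
                               rule, count=1)
            if candidate != rule and resolve_as_32bit(candidate) in files:
                suggestion = candidate
        report[rule] = (target, exists, suggestion)
    return report

if __name__ == "__main__":
    rules = [r"%windir%\system32\spoolsv.exe",
             r"%windir%\SysNative\spoolsv.exe",
             r"%windir%\system32\notepad.exe"]
    for rule, (target, exists, fix) in audit(rules, FILES_ON_HOST).items():
        status = "ok" if exists else "not found (error 2)"
        print(f"{rule} -> {target}: {status}" + (f"; use {fix}" if fix else ""))
```

In this model the third rule resolves without error, but to the 32-bit copy in SysWOW64 rather than the 64-bit binary.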
Created By: K. Kitajima