Check for suspicious registry keys in WOW6432Node (#2595)

DataDog · Mar 25, 2022 · 69f7095 · 69f7095
1 parent afaea88
commit 69f7095
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 11 deletions.
diff --git a/tracer/src/Datadog.Trace.Tools.Runner/Checks/ProcessBasicCheck.cs b/tracer/src/Datadog.Trace.Tools.Runner/Checks/ProcessBasicCheck.cs
@@ -156,12 +156,17 @@ internal static bool CheckRegistry(IRegistryService? registry = null)
 
                 bool foundKey = false;
 
-                foreach (var name in registry.GetLocalMachineValueNames(@"SOFTWARE\Microsoft\.NETFramework"))
+                var parentKeys = new[] { @"SOFTWARE\Microsoft\.NETFramework", @"SOFTWARE\WOW6432Node\Microsoft\.NETFramework" };
+
+                foreach (var parentKey in parentKeys)
                 {
-                    if (suspiciousNames.Contains(name))
+                    foreach (var name in registry.GetLocalMachineValueNames(parentKey))
                     {
-                        Utils.WriteWarning(SuspiciousRegistryKey(name));
-                        foundKey = true;
+                        if (suspiciousNames.Contains(name))
+                        {
+                            Utils.WriteWarning(SuspiciousRegistryKey(parentKey, name));
+                            foundKey = true;
+                        }
                     }
                 }
 

diff --git a/tracer/src/Datadog.Trace.Tools.Runner/Checks/Resources.cs b/tracer/src/Datadog.Trace.Tools.Runner/Checks/Resources.cs
@@ -50,7 +50,7 @@ internal static class Resources
 
         public static string ErrorCheckingRegistry(string error) => $"Error trying to read the registry: {error}";
 
-        public static string SuspiciousRegistryKey(string key) => $@"The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\{key} is defined and could prevent the tracer from working properly. Please check that all external profilers have been uninstalled properly.";
+        public static string SuspiciousRegistryKey(string parentKey, string key) => $@"The registry key HKEY_LOCAL_MACHINE\{parentKey}\{key} is defined and could prevent the tracer from working properly. Please check that all external profilers have been uninstalled properly.";
 
         public static string MissingRegistryKey(string key) => $@"The registry key {key} is missing. Make sure the tracer has been properly installed with the MSI.";
 

diff --git a/tracer/test/Datadog.Trace.Tools.Runner.IntegrationTests/Checks/ProcessBasicChecksTests.cs b/tracer/test/Datadog.Trace.Tools.Runner.IntegrationTests/Checks/ProcessBasicChecksTests.cs
@@ -197,18 +197,22 @@ public void GoodRegistry()
             console.Output.Should().NotContain(MissingProfilerRegistry(ClsidKey, ProfilerPath));
         }
 
-        [SkippableFact]
-        public void BadRegistryKey()
+        [SkippableTheory]
+        [InlineData(true)]
+        [InlineData(false)]
+        public void BadRegistryKey(bool wow64)
         {
-            var registryService = MockRegistryService(new[] { "cor_profiler" }, ProfilerPath);
+            var registryService = MockRegistryService(new[] { "cor_profiler" }, ProfilerPath, wow64);
 
             using var console = ConsoleHelper.Redirect();
 
             var result = ProcessBasicCheck.CheckRegistry(registryService);
 
             result.Should().BeFalse();
 
-            console.Output.Should().Contain(SuspiciousRegistryKey("cor_profiler"));
+            var netFrameworkKey = wow64 ? @"SOFTWARE\WOW6432Node\Microsoft\.NETFramework" : @"SOFTWARE\Microsoft\.NETFramework";
+
+            console.Output.Should().Contain(SuspiciousRegistryKey(netFrameworkKey, "cor_profiler"));
         }
 
         [SkippableFact]
@@ -255,10 +259,13 @@ public void WrongProfilerRegistry()
             console.Output.Should().Contain(Resources.WrongProfilerRegistry(ClsidKey, "wrongProfiler.dll"));
         }
 
-        private static IRegistryService MockRegistryService(string[] frameworkKeyValues, string profilerKeyValue)
+        private static IRegistryService MockRegistryService(string[] frameworkKeyValues, string profilerKeyValue, bool wow64 = false)
         {
             var registryService = new Mock<IRegistryService>();
-            registryService.Setup(r => r.GetLocalMachineValueNames(It.Is(@"SOFTWARE\Microsoft\.NETFramework", StringComparer.Ordinal)))
+
+            var netFrameworkKey = wow64 ? @"SOFTWARE\WOW6432Node\Microsoft\.NETFramework" : @"SOFTWARE\Microsoft\.NETFramework";
+
+            registryService.Setup(r => r.GetLocalMachineValueNames(It.Is(netFrameworkKey, StringComparer.Ordinal)))
                 .Returns(frameworkKeyValues);
             registryService.Setup(r => r.GetLocalMachineValue(It.Is<string>(s => s == ClsidKey || s == Clsid32Key)))
                 .Returns(profilerKeyValue);