我如何知道要返回哪个实际的dll（x86 v x64）？

Question

Let's focus on one dll: C:\\Windows\\System32\\wbem\\wmiutils.dll. Why? Because it's the file in which I personally discovered Windows delivers a different dll depending on process architecture.

TLDR; Is there a way to programmatically determine the actual path of the dll that was returned by the file system redirector?

I understand that if launched as a x86 process, I get C:\\Windows\\SysWOW64\\wbem\\wmiutils.dll. And, if launched as a x64 process, I get C:\\Windows\\System32\\wbem\\wmiutils.dll.

I need to determine which wmiutils.dll I'm actually looking at. The redirector makes system32\\wbem\\wmiutils.dll look and feel identical but it's not. If I use parent path, I get C:\\Windows\\System32\\wbem even though I may/may not be looking at C:\\Windows\\SysWOW64\\wbem.

Any sweet python magic to make this happen? I can't seem to see anything from other languages I can port. Based on my use case, I've come up with a couple hacks but they're just that. Hoping somebody has found a solution as easy as parent path that actually works in this case.

Answer 1

import ctypes, hashlib

k32 = ctypes.windll.kernel32
oldValue = ctypes.c_long(0)
k32.Wow64DisableWow64FsRedirection(ctypes.byref(oldValue)) # Should open 32-bit
with open(r"C:\Windows\System32\wbem\wmiutil.dll", "rb") as f:
    checksum32 = hashlib.md5(f.read()).hexdigest() 

k32.Wow64RevertWow64FsRedirection(oldValue) # Should use what Windows thinks you need
with open(r"C:\Windows\System32\wbem\wmiutil.dll", "rb") as f:
    checksum64 = hashlib.md5(f.read()).hexdigest() 

if (checksum32 != checksum64):
    print("You're running 64bit wmiutil dll")

I don't have Windows Python to test this, but it should work according to https://msdn.microsoft.com/en-us/library/windows/desktop/aa365745%28v=vs.85%29.aspx .

I think an easier way would be to just do some test like creating a struct and seeing if it's 8 bytes or 4 bytes. Then you can assume that Windows is using the 64-bit version of DLLs if it's 8 bytes.