System32 Discovery #4 - The secret behind the System32 folder

⚠️ Warning!

Messing around with system32 files without knowing what you’re doing can damage your system! The author doesn’t take any responsibility for damaged systems and installations.


You may know the System32 folder as the folder where all the system files are located. But that’s not necessarily true. All these applications, dll files and other stuff are so called hard links.

You surely know shortcuts in Windows. These can also be called soft links. If you remove or rename a softlink file it will not have any affect on the other file. It’s just a pointer to where the file is located.


A hard link for comparsion is two times the same file, just at different location. If you rename the file on one end it will also get renamed on the other end.



So, why are these files all hardlinks?

Because you can execute all the commands from this folder directly. You don’t have to go first into the folder where they are really located and then execute explorer logonui, etc.

With all these files in one folder it’s easier to index them all.

Where are they really?

They are mostly in package folders in the %windir%/WinSxS folder.

The package name has the following pattern:

[target platform]_([platform])_[name]_[id]_[version]_[language]_[hash]

[target platform]

The targeted platform: x86, wow64, msil or amd64


Optional indicator of the platform. For example:

  • system
  • Microsoft-Windows
  • bth


The package name. If the name is too long ... will replace a part of the name.


  • basicrender.inf.resources
  • syncres.resources




The version of the system


The language of a package



Written on January 29, 2022