The Mystery of Run -> "firefox"

The why is a long story, but this morning I became obsessed with finding out how Windows's Run command knew to launch Firefox when I typed in firefox.  In other words, how was the mapping done from the string firefox to the executable file C:\Program Files (x86)\Mozilla Firefox\firefox.exe (if you're wondering about the (x86) part there, it's because I'm running 64-bit Vista).


The obvious place to look was my PATH variable. No dice.

I figured the next most likely place would be a registry setting, but I had no idea where to look.  So I googled around for a while, and finally came across this forum thread, which contained some interesting information.

According to this information, there are five magic places Run will look for things:

  • The current working directory
  • The Windows directory (usually C:\Windows)
  • The Windows\System32 directory (usually C:\Windows\System32)
  • Directories listed in the PATH environment variable
  • The App Paths registry key (visible in regedit at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths)

Thinking I had solved the mystery, I eagerly launched regedit and navigated to the aforementioned registry key.  Much to my chagrin, nothing related to Firefox was present.

I tweeted a little bit about this deepening mystery I was trying to solve, and one of my friends replied mentioning RegMon, a Windows tool that allows one to monitor registry activity and has recently been rolled into Process Monitor.

I downloaded Process Monitor, and after familiarizing myself with what it could do, I configured it to show me only registry activity.  I then went through the motions of starting Firefox via Run (Windows+R -> firefox -> Enter).  I then stopped Process Monitor from logging anything further and used its search feature to find mentions of firefox in the activity log.  This immediately led me to the following two lines that told me everything I needed to know:

Eureka!  You can see in the screenshot that a process tried to read a registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe, which resulted in NAME NOT FOUND.  It then tried to read the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe and was successful.  After pulling up regedit and navigating to that key, I could see that the value was set to C:\Program Files (x86)\Mozilla Firefox\firefox.exe.  Mystery solved!  That's how the mapping is done.  If you look at this screenshot, you'll also see some other interesting things, like excel.exe (which explains how Run knows to launch Excel's executable when you type excel):

But what's up with the weird registry key location with Wow6432Node in there?  After a little more googling around, I found this buried in a blog post:

It turns out that 64-bit Windows performs 'registry redirection' where it presents 32-bit programs another view of the registry to make them co-exist with 64-bit applications. This is done by redirecting 32-bit applications to the HKEY_LOCAL_MACHINE\Software\WOW6432node sub key when they request HKEY_LOCAL_MACHINE\Software.

That's why the registry key I was looking for was not in the expected place.  Since I run a 64-bit version of Windows, we've got this redirection thing going on, hence the disappearing act of the magical registry key I was looking for but couldn't find earlier.
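The same two lookups can be repeated without Process Monitor. The PowerShell below is an added example, not part of the original post: it opens the App Paths key for a given name in both the 64-bit and the 32-bit (Wow6432Node) registry view and reports where the entry lives and whether the executable it points to exists. The function name Get-AppPathEntry is made up for this example, and it assumes PowerShell 3.0 or later (.NET 4), which is what provides the RegistryView API.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0+ / .NET 4.
function Get-AppPathEntry {
    param([Parameter(Mandatory = $true)][string]$Name)   # 'firefox' or 'firefox.exe'

    # The trace in the post shows the lookup key carries the .exe suffix.
    if ($Name -notmatch '\.exe$') { $Name = "$Name.exe" }
    $subKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$Name"
    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $views  = @([Microsoft.Win32.RegistryView]::Registry64,
                [Microsoft.Win32.RegistryView]::Registry32)

    foreach ($view in $views) {
        # Registry32 is the view a 32-bit process gets, i.e. Wow6432Node.
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
        try {
            $key    = $base.OpenSubKey($subKey)   # $null when the key does not exist
            $target = $null
            $exists = $null
            if ($null -ne $key) {
                try {
                    # '' selects the key's (Default) value, which holds the full path.
                    $raw = $key.GetValue('')
                    if ($raw) {
                        $target = ([string]$raw).Trim('"')   # some entries are quoted
                        $exists = Test-Path -LiteralPath $target -PathType Leaf
                    }
                } finally { $key.Close() }
            }
            # One row per view, so a miss in one view and a hit in the other is visible.
            [pscustomobject]@{
                View         = $view
                Found        = ($null -ne $key)
                Target       = $target
                TargetExists = $exists
            }
        } finally { $base.Close() }
    }
}

Get-AppPathEntry -Name firefox | Format-Table -AutoSize
```

A row with Found set to True and TargetExists set to False is an entry whose executable is no longer at the registered path.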

It took some digging (more than I expected) to solve this mystery, but I'm glad I saw it through, and I learned some interesting and unexpected things in the process.


thebook said...

I'm not really into the technical stuff but I appreciate the Sherlock Holmes outfit.