Why does a batch file executed from a WinRAR SFX not work when accessing the hosts file?


This batch code works when running the batch file directly:

rem Assign the hosts file path to a variable, then clear its read-only attribute.
set "hosts=%windir%\system32\drivers\etc\hosts"
attrib -r "%hosts%"
pause

But it does not work as expected when packing this batch file into a WinRAR self-extracting archive and running it automatically during extraction.


There is 1 answer

Mofi

You are creating a 32-bit RAR self-extracting archive. Therefore the batch file is processed by 32-bit cmd.exe, which results in accessing %SystemRoot%\SysWOW64 instead of %SystemRoot%\System32 according to Microsoft's File System Redirector documentation. You should also take a look at WOW64 Implementation Details and Registry Keys Affected by WOW64.

The directory %SystemRoot%\SysWOW64 does not contain drivers\etc\hosts. On 64-bit Windows the hosts file exists only in a subdirectory of System32, the system directory for 64-bit applications.

The Sysnative redirector, which exists only for 32-bit applications running on 64-bit Windows, can be used to determine in which environment the batch file is running and to access the hosts file, which usually only malware modifies, not a friendly application installed with a RAR self-extracting archive.

@echo off
rem Default to the native System32; a 64-bit cmd.exe (or 32-bit Windows) stays here.
set "SystemPath=%SystemRoot%\System32"
rem Only a 32-bit process on 64-bit Windows can see a file through Sysnative.
if exist "%SystemRoot%\Sysnative\cmd.exe" set "SystemPath=%SystemRoot%\Sysnative"
set "HostsFile=%SystemPath%\drivers\etc\hosts"
rem Quoting keeps the command working if %SystemRoot% contains a space.
%SystemPath%\attrib.exe -r "%HostsFile%"
pause

Please note that %SystemRoot%\Sysnative is neither a directory nor a link in the file system. It is a redirector for 32-bit applications on 64-bit Windows. So for the 64-bit Windows Explorer started by default on 64-bit Windows, or any other 64-bit application, %SystemRoot%\Sysnative does not exist at all. And 32-bit applications can only check whether a particular file exists under %SystemRoot%\Sysnative; they cannot check whether a directory %SystemRoot%\Sysnative exists.
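The following batch file is an added example and is not code from the question or from Mofi's answer. It combines the Sysnative file check described above with the PROCESSOR_ARCHITEW6432 variable (defined by Windows only for a 32-bit process running under WOW64) as an independent cross-check, resolves the native hosts file path in either bitness, and then reads the file rather than changing its attributes: it prints the current attributes and the active, non-comment entries, which is what you want when checking whether something has tampered with the file. The findstr patterns assume entries are indented with spaces, not tabs; the variable names SystemPath and HostsFile follow the answer above.

```batch
@echo off
rem Added example, not code from the original question or answer.
setlocal EnableExtensions

rem PROCESSOR_ARCHITEW6432 exists only for a 32-bit process under WOW64 and
rem names the architecture of the 64-bit host (for example AMD64).
if defined PROCESSOR_ARCHITEW6432 (
    echo 32-bit process under WOW64 on a %PROCESSOR_ARCHITEW6432% host.
) else (
    echo Native %PROCESSOR_ARCHITECTURE% process.
)

rem Sysnative is a redirector, not a directory, so the existence test must
rem name a file inside it. A 64-bit process, or 32-bit Windows, stays on System32.
set "SystemPath=%SystemRoot%\System32"
if exist "%SystemRoot%\Sysnative\cmd.exe" set "SystemPath=%SystemRoot%\Sysnative"
set "HostsFile=%SystemPath%\drivers\etc\hosts"

if not exist "%HostsFile%" (
    echo Hosts file not found at "%HostsFile%"
    endlocal
    exit /B 1
)

echo Hosts file in use: "%HostsFile%"
rem attrib.exe without a +/- switch only prints the attributes (R = read-only).
"%SystemPath%\attrib.exe" "%HostsFile%"

echo Active entries, with comment and blank lines filtered out:
rem /V prints lines that do NOT match; /R makes the /C: strings regular
rem expressions. The two patterns cover "#..." comment lines and blank lines.
"%SystemPath%\findstr.exe" /V /R /C:"^[ ]*#" /C:"^[ ]*$" "%HostsFile%"
endlocal
```

Run it once from a 64-bit cmd.exe and once from a 32-bit cmd.exe (for example %SystemRoot%\SysWOW64\cmd.exe) on 64-bit Windows: the first line of output changes, but the hosts file path resolves to the same physical file both times, which is the point of the Sysnative check in the answer.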