Why does renaming reg.exe on Windows Server 2008 x64 causes it to fail to run?

Question

Hi StackOverflow, I've got a neat question here.

There's a utility called reg.exe thats been shipped with Windows for quite some time. Its very handy to import .reg files from scripts, modify values from scripts, etc, etc. So when making a copy of it for a script scenario ("Why not use the copy in system32?" -> Software Restriction Policies, personal pref, etc) I noticed that renaming it makes it fail silently:

Windows Server 2008 x64:

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>reg.exe
ERROR: Invalid syntax.
Type "REG /?" for usage.

C:\Windows\system32>copy reg.exe reg2.exe
        1 file(s) copied.

C:\Windows\system32>reg2.exe

C:\Windows\system32>reg2.exe /?


C:\Windows\system32>reg.exe /?

REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT  | FLAGS ]

Return Code: (Except for REG COMPARE)

  0 - Successful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?
  REG FLAGS /?

C:\Windows\system32>

But with Windows XP x86:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\chris>cd \WINDOWS\system32

C:\WINDOWS\system32>reg.exe

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved


REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

  0 - Succussful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?

C:\WINDOWS\system32>copy reg.exe reg2.exe
        1 file(s) copied.

C:\WINDOWS\system32>reg2.exe

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved


REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

  0 - Succussful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?

C:\WINDOWS\system32>

WinDbg seems to tell me that the CRT is killing it:

Child-SP          RetAddr           Call Site
00000000`0016f798 00000000`779d2f8b ntdll!ZwTerminateProcess+0xa
00000000`0016f7a0 000007fe`fe97d832 ntdll!RtlExitUserProcess+0x8b
00000000`0016f7d0 00000000`ffe7f710 msvcrt!cinit+0x13b
00000000`0016f810 00000000`778a495d reg!DynArrayGetItemType2+0x1fc
00000000`0016f850 00000000`779d8791 kernel32!BaseThreadInitThunk+0xd
00000000`0016f880 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

But as i'm not too experienced with WinDbg (and this one is 64bit, so, say, Ollydbg fails) i'm sort of at a loss here. Thanks for any information you guys have.

Edit

Thanks to CyberShadow's help and a bit of googling, I found the solution: it looks for .mui (it's translation) in a subfolder of the current language installed.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd en-US

C:\Windows\System32\en-US>copy reg.exe.mui reg2.exe.mui
        1 file(s) copied.

C:\Windows\System32\en-US>cd ..

C:\Windows\System32>reg2
ERROR: Invalid syntax.
Type "REG /?" for usage.

C:\Windows\System32>del en-US\reg2.exe.mui

C:\Windows\System32>reg2

C:\Windows\System32>

Answer 1

Wild guess here, but some apps use the name of the application to determine what it should do - this is an old UNIX trick; for example, /bin/false and /bin/true are identical binaries, but the name determines which result to return.

You do this when you end up writing 2+ programs that are 99.9% identical, and you don't want to maintain separate codebases for each.

Answer 2

By playing around a bit with a debugger, I found that LoadString (which is used to get the usage and error messages) returns ERROR_MUI_FILE_NOT_LOADED. I think that somewhat explains it :)

Notes:

• That stack trace seems to be misleading (or at least we're seeing different problems with the same effect). The application exits normally without printing anything when copied/renamed.
• Other than not being able to display messages, the utility continues to work just fine.
• This also affects the 32-bit version (which you can find in SysWOW64).