diff --git a/src/wufuc/hlpmisc.c b/src/wufuc/hlpmisc.c
index 74f7c88..cb97785 100644
--- a/src/wufuc/hlpmisc.c
+++ b/src/wufuc/hlpmisc.c
@@ -93,7 +93,7 @@ LPBYTE RegQueryValueExAlloc(
     if ( RegQueryValueExW(hSubKey, pValueName, NULL, pType, result, &cbData) != ERROR_SUCCESS )
         return result;
 
-    length = cbData + sizeof(WCHAR); // make sure it is null-terminated
+    length = cbData + (sizeof UNICODE_NULL * 2);
     result = malloc(length);
     if ( !result )
         return result;
@@ -132,9 +132,9 @@ PVOID NtQueryKeyAlloc(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClas
     return result;
 }
 
-LPWSTR ExpandEnvironmentStringsAlloc(LPCWSTR src)
+LPWSTR ExpandEnvironmentStringsAlloc(LPCWSTR src, LPDWORD pcchLength)
 {
-    wchar_t *result;
+    LPWSTR result;
     DWORD buffersize;
     DWORD size;
 
@@ -144,6 +144,8 @@ LPWSTR ExpandEnvironmentStringsAlloc(LPCWSTR src)
     if ( !size || size > buffersize ) {
         free(result);
         result = NULL;
+    } else if ( pcchLength ) {
+        *pcchLength = buffersize;
     }
     return result;
 }
diff --git a/src/wufuc/hlpmisc.h b/src/wufuc/hlpmisc.h
index 0061d89..ee2888f 100644
--- a/src/wufuc/hlpmisc.h
+++ b/src/wufuc/hlpmisc.h
@@ -21,4 +21,4 @@ LPBYTE RegQueryValueExAlloc(
     LPDWORD pType,
     LPDWORD pcbData);
 PVOID NtQueryKeyAlloc(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PULONG pResultLength);
-LPWSTR ExpandEnvironmentStringsAlloc(LPCWSTR src);
+LPWSTR ExpandEnvironmentStringsAlloc(LPCWSTR src, LPDWORD pcchLength);
diff --git a/src/wufuc/hooks.c b/src/wufuc/hooks.c
index 8b6aa36..37d0f29 100644
--- a/src/wufuc/hooks.c
+++ b/src/wufuc/hooks.c
@@ -22,6 +22,7 @@ LSTATUS WINAPI RegQueryValueExW_hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpR
     LPWSTR fname;
     const WCHAR realpath[] = L"%systemroot%\\system32\\wuaueng.dll";
     wchar_t *expandedpath;
+    DWORD cchLength;
 
     // save original buffer size
     if ( lpData && lpcbData )
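Review bot: The new `length = cbData + (sizeof UNICODE_NULL * 2);` drops the comment that explained the padding, and a doubled terminator is not self-explanatory; keep the intent on the line, e.g. `// pad with two NULs so the value is terminated even if the stored data is not (presumably to cover REG_MULTI_SZ's double NUL — confirm)`. The padding only guarantees termination if those bytes are zeroed: `malloc` leaves them indeterminate, and whether the second read or a `memset` clears the tail happens outside this hunk — if nothing does, `result = calloc(1, length);` is the simplest fix. RegQueryValueExAlloc starts and continues outside the hunk.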
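Review bot: In the `@@ -144` hunk `*pcchLength` is written only on the success branch, so when expansion fails and NULL is returned the caller's variable keeps whatever it held before; hooks.c passes an uninitialized `DWORD cchLength` and multiplies it without checking the return value, so the failure path hands an indeterminate size to the registry caller. Assign on both paths by dropping the `else if` and placing one line after the block: `if ( pcchLength ) *pcchLength = result ? buffersize : 0;`. The out-parameter contract also needs documenting on the prototype in hlpmisc.h — the count is in WCHARs and, since `buffersize` is filled by the sizing call outside this hunk, presumably includes the terminating NUL; a one-line comment such as `/* pcchLength: optional; receives the result length in WCHARs including the terminator, 0 on failure */` would do.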
@@ -57,12 +58,11 @@ LSTATUS WINAPI RegQueryValueExW_hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpR
         || !_wcsicmp(fname, L"WuaCpuFix64.dll") // WuaCpuFix
         || !_wcsicmp(fname, L"WuaCpuFix.dll")) ) {
 
-        expandedpath = ExpandEnvironmentStringsAlloc(realpath);
+        expandedpath = ExpandEnvironmentStringsAlloc(realpath, &cchLength);
         trace(L"Fixed path to wuauserv ServiceDll: %ls -> %ls", fname, PathFindFileNameW(expandedpath));
 
-        if ( SUCCEEDED(StringCbCopyW(pBuffer, MaximumLength, expandedpath)) )
-            *lpcbData = sizeof realpath;
+        *lpcbData = cchLength * (sizeof *expandedpath);
         free(expandedpath);
     }
 }
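Review bot: `*lpcbData = cchLength * (sizeof *expandedpath);` reports a byte count for a string this hunk no longer writes into the caller's buffer: the removed `StringCbCopyW(pBuffer, MaximumLength, expandedpath)` was the only copy visible here and also the only check that the expanded path fits in `MaximumLength`, so unless the copy was moved outside the hunk the caller receives the old data with a new size, and a reported size that is not bounded by the buffer the caller passed in. Neither `expandedpath` nor `cchLength` is validated before use: a NULL return from `ExpandEnvironmentStringsAlloc` reaches `PathFindFileNameW(expandedpath)` in the trace call and leaves `cchLength` (declared without an initializer in the earlier hooks.c hunk) indeterminate. Guard on the allocation result and keep the bounded copy, setting the size only when it succeeded; the size then matches the data, provided `cchLength` is the exact count including the terminator. RegQueryValueExW_hook starts outside the hunk.
```c
        expandedpath = ExpandEnvironmentStringsAlloc(realpath, &cchLength);
        if ( expandedpath ) {
            trace(L"Fixed path to wuauserv ServiceDll: %ls -> %ls", fname, PathFindFileNameW(expandedpath));

            // copy only if it fits; the caller's buffer must hold the data the size describes
            if ( SUCCEEDED(StringCbCopyW(pBuffer, MaximumLength, expandedpath)) )
                *lpcbData = cchLength * (sizeof *expandedpath);
            free(expandedpath);
        }
```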