Empty Directory Name

Hi Folks,

I have a computer running Windows 2008 R2; there is a sub folder whose name is empty. The weird thing is that when I enter the empty-name folder, it contains the same files as the empty-name folder's parent folder.

Here is the example:

F:\myFolder
|-- (empty name folder)
|   |-- folder1
|   |-- folder2
|   |-- file1
|   `-- file2
|-- folder1
|-- folder2
|-- file1
`-- file2

The Security tab of the files inside the empty folder is empty, and they can't be deleted.

Does anyone know why this happens and how to fix it?

Thanks
Tsang

I suspect the name isn’t really empty, but rather whatever characters are in its name are not displaying. Try looking at the short name version (“dir /x” from the command line). That should permit you to delete it assuming you can see that short name.

Tony
OSR

Thanks Tony,

I ran "dir /x" from the command line; it shows the empty folder as follows:

03/11/2014 12:33 PM 9519~1

When I go into that folder, it shows a folder there; I tried to delete the folder ("delete subfolder"), but it can't be deleted.

The weird thing is that Windows Explorer shows a different view: if I create a new file in f:\myFolder and then go into the empty folder from Windows Explorer, it shows that newly created file, but from the command line it won't show that file.

What do you mean that it cannot be deleted? Are you getting access denied?

Typically, this sort of pattern is seen with malware as cleaning up from these things can be difficult given the normal tools. Indeed, while NTFS without short names is substantially faster, without short names it becomes much more difficult to clean up from such programs. I could argue this is something wrong with the malware, but it’s also an issue of the limitations of the standard tools.

Look at the file attributes. That sounds like typical “system/hidden” attributes bits. I verified this on my Windows 8.1 machine just now:

C:\Testdir> mkdir foo
C:\Testdir> dir
Volume in drive C has no label.
Volume Serial Number is EA1B-4DCA

Directory of C:\Testdir

06/24/2014 03:26 PM .
06/24/2014 03:26 PM ..
06/24/2014 03:26 PM 0 foo.txt
1 File(s) 0 bytes
2 Dir(s) 1,709,581,225,984 bytes free

C:\Testdir> attrib +s foo
C:\Testdir> dir
Volume in drive C has no label.
Volume Serial Number is EA1B-4DCA

Directory of C:\Testdir

06/24/2014 03:26 PM .
06/24/2014 03:26 PM ..
0 File(s) 0 bytes
2 Dir(s) 1,709,573,906,432 bytes free

Explorer on the other hand will display that directory. (I typed "start ." and indeed it lists it).

Don't confuse the file system with the application interpreting the data provided by the application.

Oh, here's a completely different utility you can use to look at directories from the command line (done by a valuable but mostly silent member of this list): https://sdir.codeplex.com/

Tony
OSR

Does it not appear to be empty but actually contains a space?

It reminds me of an issue I came across years ago, whereby files created
in the kernel which end in a space (totally valid in NT) can't be deleted
using explorer as it's not valid in win32.

Ged.

On 24/06/2014 23:01, “xxxxx@hotmail.com” wrote:

>Thanks Tony,
>
>I run “dir /x” from command line, it shows the empty folder as following:
>
>03/11/2014 12:33 PM 9519~1
>
>when I go in that folder, it shows a folder there, I try to delete the
>folder “delete subfolder”, it can’t be deleted.
>
>The weird thing is that there are different view from windows explorer,
>if I create a new file in f:\myFolder, from windows explorer, go in the
>empty folder, it will shows that new created file, but from command line,
>it won’t show that file.
>—
>NTFSD is sponsored by OSR
>
>OSR is hiring!! Info at http://www.osr.com/careers
>
>For our schedule of debugging and file system seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=3DListServer

I don't understand why, when I create the new file "test.txt", it shows up in the empty-name folder in Windows Explorer, but does not show up in the "9519~1" folder from the command line.

All folders and files in myFolder show up in the empty-name folder.

F:\myFolder>sdir.exe -dsn -dfa
9519~1

----------
. . A--S------
.. .. A--S------
archive archive ----------
test.txt test.txt 0b ----------

F:\myFolder\9519~1>sdir.exe -dsn -dfa
. . ----------
.. .. ----------
archive archive ----------

If you type “attrib *” what do you see?

Tony
OSR

Here is the output:

F:\myFolder>attrib *
A F:\myFolder\desktop.ini
A F:\myFolder\test.txt

> It reminds me of an issue I came across years ago,
> whereby files created in the kernel which end in
> a space (totally valid in NT)

If that space is at the end, it gets removed
by RtlDosPathNameToNtPathName_U, which is called when translating
from CreateFileW to NtCreateFile, as well as from SetCurrentDirectoryW
to NtOpenFile.

Latest versions of the ZeroAccess rootkit created such a directory
on purpose; it had three spaces in its name.

When you start dealing with a file with such name, forget
about standard tools. You can use FileTest for playing with it -
If you run it with a directory name as parameter and do NtCreateFile
on it, you can query the directory and see what the name actually is.

Or, write your own little test program, based on native NT calls,
which will be able to handle non-Win32-valid names.

L.

Likely you have leading NULL character in the name. It is possible to create
files/dirs with NULL characters in kernel mode or in usermode by using the
native API because the interfaces use counted unicode strings that are not
NULL terminated.

//Daniel

Actually, neither NTFS nor FAT will permit you to embed NULL characters within the name.

The key to verifying this is the FsRtlLegalAnsiCharacterArray. I pulled this up from a random crash dump I have laying around:

0: kd> dp nt!FsRtlLegalAnsiCharacterArray l1
fffff801`aec2cc20  fffff801`aec1b820
0: kd> db fffff801aec1b820
fffff801`aec1b820  00 10 10 10 10 10 10 10-10 10 10 10 10 10 10 10  ................
fffff801`aec1b830  10 10 10 10 10 10 10 10-10 10 10 10 10 10 10 10  ................
fffff801`aec1b840  17 07 18 17 17 17 17 17-17 17 18 16 16 17 07 00  ................
fffff801`aec1b850  17 17 17 17 17 17 17 17-17 17 04 16 18 16 18 18  ................
fffff801`aec1b860  17 17 17 17 17 17 17 17-17 17 17 17 17 17 17 17  ................
fffff801`aec1b870  17 17 17 17 17 17 17 17-17 17 17 16 00 16 17 17  ................
fffff801`aec1b880  17 17 17 17 17 17 17 17-17 17 17 17 17 17 17 17  ................
fffff801`aec1b890  17 17 17 17 17 17 17 17-17 17 17 17 10 17 17 17  ................

In the FAT code you can see where it checks this on the final name component:

    if (!FatIsNameLongUnicodeValid( IrpContext, &FinalName, FALSE, FALSE, FALSE ))

and from fatprocs.h you can see the macro used to define this; it walks the string:

    for (i = 0; i < Name->Length / sizeof(WCHAR); i++) {

        if ((Name->Buffer[i] < 0x80) &&
            !(FsRtlIsAnsiCharacterLegalHpfs(Name->Buffer[i], CanContainWildcards))) {

            return FALSE;
        }
    }

And from ntifs.h, the macro for FsRtlIsAnsiCharacterLegalHpfs:

#define FSRTL_HPFS_LEGAL 0x02

So… the point is that it looks at entry 0 of this array to see if bit 1 is set. Since it is not set, L’\0’ is not a valid character and the name would be rejected.

In fact, none of the first 32 values would be legitimate characters in a file name.

I remember trying this out many years ago. I found you could embed NULL characters in the registry, but you could not do so in the file systems.

Tony
OSR
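Added example, not code from the thread, from OSR or from any Windows source: a user-mode classifier that applies the same FsRtlIsAnsiCharacterLegalHpfs test Tony walks through above, using the 0x80 table bytes from the kd dump, and then flags the case L. describes, a name NTFS accepts but whose trailing spaces the Win32 path conversion strips. It assumes names arrive as counted UTF-16 (as the native directory query returns them) and are at most 255 units; classify_bytes and the sample listing are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* FSRTL_HPFS_LEGAL is the ntifs.h bit quoted above; the table is the first 0x80
   entries of nt!FsRtlLegalAnsiCharacterArray transcribed from the kd dump above. */
#define FSRTL_HPFS_LEGAL 0x02
static const uint8_t legal_table[0x80] = {
    0x00,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,
    0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,
    0x17,0x07,0x18,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x18,0x16,0x16,0x17,0x07,0x00,
    0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x04,0x16,0x18,0x16,0x18,0x18,
    0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,
    0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x16,0x00,0x16,0x17,0x17,
    0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,
    0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x17,0x10,0x17,0x17,0x17,
};

/* The FAT macro's test with CanContainWildcards == FALSE; only c < 0x80 is looked up. */
int hpfs_legal(uint16_t c) { return c >= 0x80 || (legal_table[c] & FSRTL_HPFS_LEGAL) != 0; }

enum verdict { NAME_OK, NAME_EMPTY, NAME_ILLEGAL_CHAR, NAME_TRAILING_SPACE };

/* Name is counted UTF-16 without terminator, as the native directory query
   returns it, so an embedded NUL is visible rather than truncating the string. */
enum verdict classify_name(const uint16_t *name, size_t len) {
    if (len == 0) return NAME_EMPTY;
    for (size_t i = 0; i < len; i++)
        if (!hpfs_legal(name[i])) return NAME_ILLEGAL_CHAR;  /* NTFS/FAT refuse it */
    /* Legal on disk, but RtlDosPathNameToNtPathName_U strips trailing spaces, so
       CreateFileW, DEL/RD and Explorer can never address this exact name. */
    return name[len - 1] == 0x20 ? NAME_TRAILING_SPACE : NAME_OK;
}

/* Helper for 8-bit test input; explicit len so a NUL byte can be embedded.
   Clamps to the 255-unit NTFS name limit (assumption for this example). */
enum verdict classify_bytes(const char *s, size_t len) {
    uint16_t buf[255];
    if (len > 255) len = 255;
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)s[i];
    return classify_name(buf, len);
}

int main(void) {
    /* Constructed listing: normal entries, a three-space name (cf. ZeroAccess above), an embedded NUL. */
    const char *names[] = { "archive", "test.txt", "   ", "bad\0" "name" };
    const size_t lens[] = { 7, 8, 3, 8 };
    for (size_t i = 0; i < 4; i++)
        printf("entry %zu: verdict %d\n", i, (int)classify_bytes(names[i], lens[i]));
    return 0;
}
```

Run over a real listing, anything that comes back NAME_TRAILING_SPACE is the entry the Win32 tools in this thread cannot name, and NAME_ILLEGAL_CHAR never occurs on NTFS or FAT, which is Tony's point about NUL.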

I tried filetest.exe to query the directory "myFolder" with FileBothIdBothDirectoryInformation; it returned the short name "9519~1", and the file name is " ".

The weird thing is that when I create files or folders in "myFolder", they show up in this empty-name folder when I click the empty folder in Windows Explorer, but if I open the empty folder by file ID and query the directory information with filetest.exe, it doesn't return those files or folders that show up in Windows Explorer.

Hi,

Does anyone know how to delete this empty-name folder? There is a subfolder ("archive") inside this folder; it is an empty folder. I tried to delete this subfolder, but it can't be deleted:
no error message, and the folder is still there.

I got the folder's ("archive") file ID, then opened the folder ("archive") via file ID with "DELETE_ON_CLOSE" in filetest.exe; after open and close, the folder is still there.

F:\myFolder\9519~1>dir
Volume in drive F is DATA
Volume Serial Number is DE8B-2FE3

Directory of F:\myFolder\9519~1

03/11/2014 12:33 PM .
03/11/2014 12:33 PM ..
06/25/2014 04:42 PM archive
0 File(s) 0 bytes
3 Dir(s) 2,507,033,808,896 bytes free

F:\myFolder\9519~1>dir archive
Volume in drive F is DATA
Volume Serial Number is DE8B-2FE3

Directory of F:\myFolder\9519~1\archive

06/25/2014 04:42 PM .
06/25/2014 04:42 PM ..
0 File(s) 0 bytes
2 Dir(s) 2,507,033,808,896 bytes free

F:\myFolder\9519~1>del archive
F:\myFolder\9519~1\archive\*, Are you sure (Y/N)? y

F:\myFolder\9519~1>dir
Volume in drive F is DATA
Volume Serial Number is DE8B-2FE3

Directory of F:\myFolder\9519~1

03/11/2014 12:33 PM .
03/11/2014 12:33 PM ..
06/25/2014 04:42 PM archive
0 File(s) 0 bytes
3 Dir(s) 2,507,033,808,896 bytes free

DEL only removes files. You need RD/RMDIR (RD is an alias to RMDIR) to ReMove a DIRectory.

Phil

Not speaking for LogRhythm
Phil Barila | Senior Software Engineer

Since this is our customer's computer, is there a way to prove that this empty-name folder was generated by malware?

Thanks