This must be easy, but I’m chasing around in circles:
I open the symbolic link to \SystemRoot (see (A) below)
and I get back something that looks like
“\Device\Harddisk0\Partition1\WINDOWS”
which I understand is another symbolic link (?).
and the harddisk is really named:
\Device\HarddiskVolume1\
When I query to get an Image Name with ZwQueryInformationProcess for the explorer, I get a string prefixed with \Device\HarddiskVolume1\.
So what do I need to do to discover they are referring to the same disk, volume …?
TIA
Larry
(A)
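/* Assumes Buffer is a byte array of at least sizeof(UNICODE_STRING) + 300 bytes. */
RtlInitUnicodeString(&SysRoot, L"\\SystemRoot");
/* Describe the object to open: absolute name, kernel-only handle. */
OA.Length = sizeof(OBJECT_ATTRIBUTES);
OA.RootDirectory = NULL;
OA.ObjectName = &SysRoot;
OA.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
OA.SecurityDescriptor = NULL;
OA.SecurityQualityOfService = NULL;
/* The UNICODE_STRING header sits at the start of Buffer, its characters right after it. */
Path = (UNICODE_STRING*)Buffer;
Path->Buffer = (WCHAR*)(Buffer + sizeof(UNICODE_STRING));
Path->MaximumLength = 300; /* in bytes, not characters */
Path->Length = 0;
Status = ZwOpenSymbolicLinkObject(&LinkHandle, GENERIC_READ, &OA);
if (NT_SUCCESS(Status)) {
    /* On success Path holds the link target and Path->Length its size in bytes. */
    Status = ZwQuerySymbolicLinkObject(LinkHandle, Path, &RetLen);
    ZwClose(LinkHandle); /* release the handle once the target has been read */
}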