PsSetLoadImageNotifyRoutine and relative paths

Hello all

I’ve registered a callback with PsSetLoadImageNotifyRoutine but sometimes a
relative pathname rather than a full path is returned as with the following
two examples…

\Windows\System32.…
\SystemRoot\System32..

Could anybody suggest a method for resolving these to the full pathname ???

Regards

Mark

Mark,

IIRC the image path is resolvable by the Object Manager. For instance, the
\SystemRoot\System32.. path fragment below is *not* a relative path, it is
an absolute path starting from the Object Manager root, next passing through
the well known ‘Link’ SystemRoot, etc.

The ‘full path’ you seek is probably something more like C:\WINNT\System32
or some-such. Take a look at ZwOpenSymbolicLinkObject() and
ZwQuerySymbolicLinkObject() in the DDK docs and see if that suits your
needs. If not, perhaps another list member will provide some guidance on
directly using the Object Manager (ObXxxx) routines to crack the image path.

Keep in mind that drive letters are just symbolic links from the object
manager \DosDevices object directory. You may need to reconsider just what
you think the absolute pathname syntax is that you are looking for. One
problem that jumps to mind is going backwards from a perfectly reasonable
object manager path (\SystemRoot\foo.bar) to one that looks like a DOS path
(C:\WINDOWS\foo.bar).

As an example, on my system the translation steps the Object Manager would
go through to figure out the path \SystemRoot\foo.bar are:

  1. \SystemRoot\foo.bar
  2. \Device\Harddisk0\Partition1\WINDOWS\foo.bar
  3. \Device\HarddiskVolume1\WINDOWS\foo.bar

Now similarly for C:\WINDOWS\foo.bar

  1. C:\WINDOWS\foo.bar
  2. \DosDevices\C:\WINDOWS\foo.bar
  3. \??\C:\WINDOWS\foo.bar
  4. \GLOBAL??\C:\WINDOWS\foo.bar
  5. \Device\HarddiskVolume1\WINDOWS\foo.bar

So depending on your purpose for needing a path in some canonical form, it
may be a significant bit of processing to calculate your particular
canonical form.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Cook
Sent: Saturday, September 03, 2005 7:09 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] PsSetLoadImageNotifyRoutine and relative paths

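The translation steps listed in the reply above can be modelled in a few lines of portable C. This is an added example, not code from the thread and not kernel code: the link table is constructed from the steps quoted above, and in a driver each lookup would instead go through the ZwOpenSymbolicLinkObject() / ZwQuerySymbolicLinkObject() routines named in the reply.

```c
#include <stdio.h>
#include <string.h>

/* Constructed link table modelled on the steps quoted in the thread; real
   targets differ per system. Treating \?? as a plain link is a simplification. */
static const struct { const char *name, *target; } links[] = {
    { "\\SystemRoot",                    "\\Device\\Harddisk0\\Partition1\\WINDOWS" },
    { "\\Device\\Harddisk0\\Partition1", "\\Device\\HarddiskVolume1" },
    { "\\DosDevices",                    "\\??" },
    { "\\??",                            "\\GLOBAL??" },
    { "\\GLOBAL??\\C:",                  "\\Device\\HarddiskVolume1" },
};
#define NLINKS (sizeof links / sizeof links[0])
#define MAX_HOPS 16   /* give up on link cycles */

/* Rewrites path in place until no link prefix matches. Returns the number
   of substitutions made, or -1 on overflow or a suspected cycle. */
int resolve(char *path, size_t cap)
{
    for (int hops = 0; hops <= MAX_HOPS; hops++) {
        size_t i;
        for (i = 0; i < NLINKS; i++) {
            size_t n = strlen(links[i].name);
            /* match whole components only: "\SystemRootX" must not match */
            if (strncmp(path, links[i].name, n) == 0 &&
                (path[n] == '\\' || path[n] == '\0'))
                break;
        }
        if (i == NLINKS)
            return hops;               /* nothing left to expand */
        char tmp[512];
        int len = snprintf(tmp, sizeof tmp, "%s%s", links[i].target,
                           path + strlen(links[i].name));
        if (len < 0 || (size_t)len >= sizeof tmp || (size_t)len >= cap)
            return -1;
        memcpy(path, tmp, (size_t)len + 1);
    }
    return -1;
}

int main(void)
{
    char a[512] = "\\SystemRoot\\foo.bar";
    char b[512] = "\\DosDevices\\C:\\WINDOWS\\foo.bar";
    if (resolve(a, sizeof a) < 0 || resolve(b, sizeof b) < 0)
        return 1;
    printf("%s\n%s\nsame file: %s\n", a, b, strcmp(a, b) == 0 ? "yes" : "no");
    return 0;
}
```

Comparing image paths only after both sides have been expanded this way avoids treating \SystemRoot\foo.bar and C:\WINDOWS\foo.bar as different files in an allow list or a detection rule.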

…Thanks Oliver - you’re correct of course but perhaps this wasn’t the
best example to include. Another example is \Program Files\Microsoft
Office.… (that is, a reference to the program files folder on the
system volume but with no volume prefix) which typically appears in the
fully qualified version of \Device\HardDiskVolume1\Program files\Microsoft
Office.… and only occasionally appears without the volume name.

“Oliver Schneider” wrote in message
news:xxxxx@ntdev…
>> \SystemRoot\System32..
> This one is a full name, it is based in the object manager’s namespace.
> For example on my system SystemRoot is a SymbolicLink to
> \Device\Harddisk3\Partition1\WINNT
>
> The other one looks strange, though.
>
> Oliver
>
> –
> ---------------------------------------------------
> May the source be with you, stranger :wink:
>
> ICQ: #281645
> URL: http://assarbad.net
>