What is MROOT?

Hi everyone,

I am currently intercepting NtCreateFile and NtOpenFile calls to understand their impact, and I was testing EDIT.com in the CMD window.
Then I saw that at times I am getting a path that starts with 'MROOT=C:\Windows'.
So I searched for the word ‘MROOT’ on Google and here, but I could not find any relevant information, so I would like to ask if anyone knows what MROOT means and why I am getting such a path instead of the path without ‘MROOT’.

I thank you for any answer in advance. Have a good one!

Ilho <><

It is obvious that ‘MROOT’ is ‘SYSTEMROOT’ , which, for this or that reason, got stripped of its first 5 letters…

Anton Bassov

Hi Anton,

Thank you for your answer. Let me quickly ask you just one more and I hope you don’t mind. :wink:
Do you know why then Windows passes the path like that?
If the path is \SYSTEMROOT\somedirectory, it makes sense to me, but I can’t really understand why Windows passes a path such as this: ‘SYSTEMROOT=\Windows\somedirectory’
Thank you.

Ilho <><

I am afraid you have to address all your questions to designers of monitoring tool that you use for “intercepting” calls - it seems to be purely the question of presentation…

Anton Bassov

FYI, I do not use any monitoring tools. I intercept several system calls and process the path according to the needs that I have.
Yet, some of the path names that I get have interesting prefixes, i.e. MROOT=C:
I’ve never seen those pathnames until I experimented with edit.com, so I was hoping that someone may have an insight into these path names.

Perhaps I am coming from a Linux kernel background so I am not familiar with these path names. Anyway, Windows is quite an interesting OS. :wink:

Best,

Ilho <><

Out of curiosity, does the NtCreateFile (or whatever it was you intercepted)
succeed when this call is made with the path you are reporting?

It looks like a string from the environment (chopped up like Anton said).
Who knows why this might show up when running EDIT.COM (which, as I recall,
is an MSDOS program running in NTVDM, right?)

What would be interesting is if the path was actually accepted by the OS as
‘valid’.

-dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@trigence.com
Sent: Tuesday, August 07, 2007 2:11 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] What is MROOT?

FYI, I do not use any monitoring tools. I intercept several system calls and
process the path according to the needs that I have.
Yet, some of the path names that I get have interesting prefixes, i.e.
MROOT=C:
I’ve never seen those pathnames until I experimented with edit.com, so I was
hoping that someone may have an insight into these path names.

Perhaps I am coming from a Linux kernel background so I am not familiar with
these path names. Anyway, Windows is quite an interesting OS. :wink:

Best,

Ilho <><



Yes, the OS accepts that path, so this is quite interesting.
It seems to me that the OS gets rid of the ‘MROOT=’ part in front of the path and processes it.

The only problem I have is that I need to process the path. For example, I put some predefined path in front of the given path at times and because of this path, I may have to add more lines but before I do that I wanted to know what MROOT means which Anton answered and why I am getting this kind of path in the first place.

I guess I can move on even if I don’t have the answer but I will be happy to know the reason. Thank you.

Ilho <><

Well, depending on which of the various hooking samples you took to start
your effort, you will see crap like this. Microsoft is not doing it, the
code you are running is messing up. Of course, since a lot of us dislike
“hookers”, do not expect help.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntdev…
> Yes, the OS accepts that path, so this is quite interesting.
> It seems to me that the OS gets rid of the ‘MROOT=’ part in front of the path and
> processes it.
>
> The only problem I have is that I need to process the path. For example,
> I put some predefined path in front of the given path at times and
> because of this path, I may have to add more lines but before I do that I
> wanted to know what MROOT means which Anton answered and why I am getting
> this kind of path in the first place.
>
> I guess I can move on even if I don’t have the answer but I will be happy
> to know the reason. Thank you.
>
> Ilho <><
>