6

When using GetModuleFileNameEx to query the image path of a running process, some processes have an image path that starts with "\??\". For example, while most processes start "C:\WINDOWS", some processes start "\??\C:\WINDOWS".

What does the leading \??\ mean on a Windows path?

Daniel DiPaolo
kdt

2 Answers

8

It's a Unicode extended-length pathname - see Naming Files, Paths, and Namespaces in MSDN (the "Maximum Path Length Limitation" section).

(By the way, do you mean \\?\ rather than \??\?)

RichieHindle
  • Sort of, in practice, but that's not really explaining much. Fully-qualified Windows paths get converted to an NT path by prefixing them with "\??\" for drive letters and replacing the leading "\\" with "\??\UNC\" for UNC paths. For a Unicode "\\?\" path, it simply replaces the "\\?\" prefix with "\??\". This is the Object Manager's virtual "DosDevices" directory in the object namespace, for which it first searches the local logon-session devices defined in "\Sessions\0\DosDevices\\[Logon_AuthenticationId]" and then the global devices defined in "\Global??". – Eryk Sun Sep 08 '17 at 01:46
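
The prefix rules from the comment above, applied to normalize image paths before comparing them (for example against an allowlist of expected binaries). This is an added example, not code from the original thread; the function names are hypothetical, and it assumes only the prefix needs rewriting (no `.`/`..` handling, ASCII case folding only).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NT_PREFIX "\\??\\" /* the four characters: backslash ? ? backslash */

/* Rewrite a fully-qualified Win32 path to NT form using the prefix rules in
 * the comment above. Returns 0 on success, -1 if the form is not covered or
 * the result does not fit. Assumption: only the prefix is rewritten. */
int to_nt_path(const char *in, char *out, size_t n)
{
    const char *prefix = NT_PREFIX, *rest = in;
    if (strncmp(in, NT_PREFIX, 4) == 0)            /* already an NT path */
        prefix = "";
    else if (strncmp(in, "\\\\?\\", 4) == 0)       /* extended-length form */
        rest = in + 4;
    else if (strncmp(in, "\\\\.\\", 4) == 0)       /* device form: not covered */
        return -1;
    else if (strncmp(in, "\\\\", 2) == 0) {        /* UNC: two leading backslashes */
        prefix = NT_PREFIX "UNC\\";
        rest = in + 2;
    } else if (!(isalpha((unsigned char)in[0]) && in[1] == ':' && in[2] == '\\'))
        return -1;                                 /* relative or malformed */

    int len = snprintf(out, n, "%s%s", prefix, rest);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* 1 = same file path, 0 = different, -1 = an input could not be normalized.
 * ASCII case folding only. */
int same_image_path(const char *a, const char *b)
{
    char na[512], nb[512];
    size_t i = 0;
    if (to_nt_path(a, na, sizeof na) || to_nt_path(b, nb, sizeof nb))
        return -1;
    for (; na[i] && nb[i]; i++)
        if (tolower((unsigned char)na[i]) != tolower((unsigned char)nb[i]))
            return 0;
    return na[i] == nb[i];
}

int main(void)
{
    /* Constructed sample paths, not taken from the page. */
    printf("%d\n", same_image_path("\\??\\C:\\WINDOWS\\system32\\csrss.exe",
                                   "c:\\windows\\System32\\csrss.exe"));
    return 0;
}
```

A plain string comparison of the two sample paths would report a mismatch even though both name the same file, which is the case the question runs into.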
-1

2 question marks in front of drive letter, i.e. \??\c: means it is running in Kernel mode. (in the PICK or Multivalue OS, we would call this level "monitor mode" where an instruction can address memory directly or perform disk IO.) Kernel mode is better explained on this post: What do "\\.\", "\??\", "\\?\", "\\" mean? which was pointed to by symbolhound dot com

Another way of putting it; user mode runs out of workspace for a user/window while kernel mode uses memory space common to everyone meaning you might halt the machine instead of aborting just one Windows window/tab.

I leave it to you to search (engine) kernel mode

Community
  • Many native APIs exist in kernel and user mode (ntoskrnl.exe and ntdll.dll respectively). So your claim is wrong. – 0xC0000022L Jun 15 '16 at 07:11