2

While querying reparse points using fsutil, I found out that the substitute name for a mount point started with \??\. I know that an extended path starts with \\?\, and there is also \\.\ and the UNC format, but I've never encountered this prefix before.

I tried some tests to see how it behaves:

  • dir \??\C:\ doesn't work (it is interpreted as a relative path and fails with "file not found").
  • more < \??\C:\file.txt correctly displays the content of the file. Consistent with \\?\.
  • more < \\.\C:\Windows\..\file.txt doesn't find the file. Also consistent with \\?\.
  • more < \??\UNC\localhost\C$\file.txt also works consistently.

From my observations, it looks like \??\ is an alternative to \\?\, but some commands fail to recognize it, probably due to poor implementation.

Why does this syntax exist? Is it some relic from past versions of NTFS? Are there some other differences to \\?\?

IS4
  • 11,945
  • 2
  • 47
  • 86
  • however [this answer](https://stackoverflow.com/a/46019856/6401656) is most correct. if short - the \??\ is native path prefix (used by ntdll and kernel), when \\?\ is win32 layer form prefix wchich converted to \??\ in `ntdll.RtlDosPathNameToRelativeNtPathName_U` api. more info about [Win32 to NT Path Conversion](https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html). the `REPARSE_DATA_BUFFER` used in kernel and because this native path form is used here – RbMm Sep 03 '17 at 07:22
  • I wonder how you did it. I typed "\??\" in the search box here and it gave me nothing. – IS4 Sep 03 '17 at 09:23
  • Harry probably remembered his own answer. Stack Overflow doesn't make it easy to search for "\??". Try [SymbolHound](http://symbolhound.com) with the search narrowed to `stackoverflow.com`. – Eryk Sun Sep 09 '17 at 02:51
  • @eryksun That's really useful, thank you! – IS4 Sep 09 '17 at 17:28

0 Answers0