Thursday, 23 May 2019

What is the function of question marks in file system paths in Windows registry?


This is about the registry on a 64-bit Windows 7 Home Premium (my friend's computer). I was going to set the system to clear the pagefile at shutdown by setting the REG_DWORD value ClearPageFileAtShutdown in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to "1".


My question is however about the questions marks in the values ExistingPageFiles and PagingFiles in this registry location.


The question marks are shown in below image.


question marks used in registry values


The questions I wanted to ask are:



  1. Are the paths used in these values supposed to have questions marks in the beginning?

  2. What function do these question marks serve?



Answer



Double-question mark paths are NT Object Manager object names. The Object Manager is a system that organizes lots of different kinds of system resources (e.g. devices, memory sections, window stations, events) into one tree-like structure. You can explore that tree with the WinObj tool.


The \??\ pseudo-directory's contents can be seen in the GLOBAL?? section of WinObj. There are other subtrees, like Device. In fact, every single item in \??\ is a symbolic link - a shortcut or alias - to an object somewhere else. \??\C: is (on my system) a link to \Device\HarddiskVolume4, and the rest of the path shown in your screenshot is a path under the root of that volume. Each drive letter shows up there as a symbolic link to the volume it's on. You might find other kinds of devices that are familiar, like CON and NUL.


Note: You can't use these kinds of paths to access files or directories in most applications. Only certain low-level system components are designed to work with Object Manager paths.


That explains your screenshot's ExistingPageFiles, but not PagingFiles. PagingFiles contains your virtual memory settings with paths to paging files expressed as normal paths. If your system is set to manage all virtual memory settings by itself, that entry doesn't specify a drive letter (only a file name and path), so the ? is just a placeholder for whatever drive the page file does end up on.


In summary, yes, those question marks are supposed to be there.


Further reading: Inside NT's Object Manager, Object Manager (Windows)


Video: NT Object Manager at Microsoft's Channel 9


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...