#ifndef _NTIOAPI_H
/**
* The NtDeleteFile routine deletes the specified file.
*
* \param[in] ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that contains the file's attributes, including file name.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwdeletefile
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteFile(
_In_ PCOBJECT_ATTRIBUTES ObjectAttributes
);
#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwDeleteFile(
_In_ PCOBJECT_ATTRIBUTES ObjectAttributes
);
// ntifs.h
NTSYSAPI NTSTATUS ZwDeleteFile(
[in] POBJECT_ATTRIBUTES ObjectAttributes
);
The ZwDeleteFile routine deletes the specified file.
ObjectAttributes
[in] A pointer to an OBJECT_ATTRIBUTES structure that contains the attributes supplied by the caller to be used for the file object. These attributes would include the ObjectName and the SECURITY_DESCRIPTOR, for example. This parameter is initialized by calling the InitializeObjectAttributes macro.
ZwDeleteFile returns STATUS_SUCCESS or an appropriate error status representing the final completion status of the operation. Possible error status codes include the following:
Return code | Description |
---|---|
STATUS_INSUFFICIENT_RESOURCES | A temporary buffer required by this function could not be allocated. |
STATUS_INVALID_PARAMETER | The specified ObjectAttributes parameter was a NULL pointer, not a valid pointer to an OBJECT_ATTRIBUTES structure, or some of the specified ObjectAttributes structure members were invalid. |
STATUS_OBJECT_NAME_INVALID | The ObjectAttributes parameter contained an ObjectName in the OBJECT_ATTRIBUTES structure that was invalid because an empty string was found after the OBJECT_NAME_PATH_SEPARATOR character. |
STATUS_OBJECT_NAME_NOT_FOUND | The ObjectAttributes parameter contained an ObjectName member in the OBJECT_ATTRIBUTES structure that could not be found. |
STATUS_OBJECT_PATH_NOT_FOUND | The ObjectAttributes parameter contained an ObjectName member in the OBJECT_ATTRIBUTES structure with an object path that could not be found. |
STATUS_OBJECT_PATH_SYNTAX_BAD | The ObjectAttributes parameter did not contain a RootDirectory member, but the ObjectName member in the OBJECT_ATTRIBUTES structure was an empty string or did not contain an OBJECT_NAME_PATH_SEPARATOR character. This indicates incorrect syntax for the object path. |
ZwDeleteFile deletes the specified file object.
The ZwDeleteFile function is called after the InitializeObjectAttributes macro is used to set attributes in the OBJECT_ATTRIBUTES structure for the file object to be deleted.
There are two alternate ways to specify the name of the file to be deleted with ZwDeleteFile:
Callers of ZwDeleteFile must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled.
If the call to the ZwDeleteFile function occurs in user mode, you should use the name "NtDeleteFile" instead of "ZwDeleteFile".
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
This function is documented in Windows Driver Kit.
This is a very interesting NT system call. Normally, file deletion is performed with the FileDispositionInformation class in a call to NtSetInformationFile. When you use NtDeleteFile, the file is deleted immediately after the call (the system does not wait for the last HANDLE to the file to be closed).
You can manipulate the ObjectName and RootDirectory members.
Example:
If you have only the file name as a Unicode string, use it as ObjectName.
If you have only a HANDLE to the file, set it as RootDirectory and set ObjectName to an empty string.
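The two naming modes described above and the syntax-related status codes from the return table, as a portable sketch added here (not code from the WDK, phnt or the quoted documentation). USTR, OBJ_ATTR, make_ustr and precheck_delete are hypothetical stand-ins, the path is constructed, and the double-separator rule is this sketch's reading of the table; the real call performs its own checks in the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <uchar.h>

/* Simplified stand-ins for the WDK types (assumption: reduced to the members
   this page discusses) so the sketch builds without Windows headers. */
typedef int32_t NTSTATUS;
typedef struct { uint16_t Length; uint16_t MaximumLength; const char16_t *Buffer; } USTR;
typedef struct { void *RootDirectory; const USTR *ObjectName; } OBJ_ATTR;

#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_OBJECT_NAME_INVALID    ((NTSTATUS)0xC0000033)
#define STATUS_OBJECT_PATH_SYNTAX_BAD ((NTSTATUS)0xC000003B)

/* Build a counted string; Length is in bytes and excludes the terminator. */
USTR make_ustr(const char16_t *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    USTR u = { (uint16_t)(n * 2), (uint16_t)(n * 2 + 2), s };
    return u;
}

/* Hypothetical pre-flight check: the status the return table assigns to each malformed input. */
NTSTATUS precheck_delete(const OBJ_ATTR *oa) {
    if (oa == NULL) return STATUS_INVALID_PARAMETER;
    size_t n = oa->ObjectName ? oa->ObjectName->Length / sizeof(char16_t) : 0;
    const char16_t *p = n ? oa->ObjectName->Buffer : NULL;
    if (n != 0 && p == NULL) return STATUS_INVALID_PARAMETER; /* invalid member */
    int has_sep = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] != u'\\') continue;
        has_sep = 1;
        /* Empty component between two separators (this sketch's reading). */
        if (i + 1 < n && p[i + 1] == u'\\') return STATUS_OBJECT_NAME_INVALID;
    }
    /* No RootDirectory: name must be non-empty and contain a separator. */
    if (oa->RootDirectory == NULL && (n == 0 || !has_sep))
        return STATUS_OBJECT_PATH_SYNTAX_BAD;
    return STATUS_SUCCESS; /* a HANDLE in RootDirectory permits an empty name */
}

int main(void) {
    USTR full = make_ustr(u"\\??\\C:\\Temp\\stale.tmp"), none = make_ustr(u"");
    int fake_handle; /* constructed stand-in for an open file HANDLE */
    OBJ_ATTR by_name = { NULL, &full }, by_handle = { &fake_handle, &none };
    return precheck_delete(&by_name) || precheck_delete(&by_handle);
}
```

Passing this check says nothing about STATUS_OBJECT_NAME_NOT_FOUND or STATUS_OBJECT_PATH_NOT_FOUND, which depend on the actual namespace lookup.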
DeleteFile (although it does more than just forwarding the arguments and invoking this procedure).