NtQueryAttributesFile - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTIOAPI_H

/**
 * The NtQueryAttributesFile function retrieves basic attributes for the specified file.
 *
 * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that supplies the attributes to be used for the file object.
 * @param FileInformation A pointer to a FILE_BASIC_INFORMATION structure to receive the returned file attribute information.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntqueryattributesfile
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryAttributesFile(
    _In_ PCOBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PFILE_BASIC_INFORMATION FileInformation
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryAttributesFile(
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PFILE_BASIC_INFORMATION FileInformation
    );

#endif

View code on GitHub

This function is documented in Windows SDK.

ObjectAttributes

Contains file name, in NT Objects Namespace format.

FileAttributes

Because only four bytes at offset 0x20 are used, this may be any buffer at least 0x24 bytes length. Time information fields from FILE_BASIC_INFORMATION are skipped.

Use of NtQueryAttributesFile is the easiest and the best way to check if file exist. NtOpenFile isn't good for this, because it modifies last access time for opened file. See NtQueryDirectoryFile for details.

Documented by

See also

Edit description on GitHub