NtQueryDirectoryFile - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTIOAPI_H
/**
* The NtQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.
*
* \param[in] FileHandle A handle for the file object that represents the directory for which information is being requested.
* \param[in] Event An optional handle for a caller-created event. The event is set to the Signaled state the requested operation is completed.
* \param[in] ApcRoutine An address of an optional, caller-supplied APC routine to be called when the requested operation completes.
* \param[in] ApcContext An address of an optional, caller-supplied APC or I/O completion object associated with the file object.
* \param[out] IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final completion status, and the number of bytes written to the buffer pointed to by FileInformation.
* \param[out] FileInformation A pointer to a buffer that receives the desired information about the file.
* \param[in] Length The size, in bytes, of the buffer pointed to by FileInformation.
* \param[in] FileInformationClass The type of information to be returned about files in the directory.
* \param[in] ReturnSingleEntry Set to TRUE if only a single entry should be returned, FALSE otherwise.
* \param[in] FileName An optional pointer to a Unicode string search expression containing the name of a file (or multiple files, if wildcards are used) within the directory.
* \param[in] RestartScan Set to TRUE if the scan is to start at the first entry in the directory. Set to FALSE if resuming the scan from a previous call.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntquerydirectoryfile
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PCUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PCUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
View code on GitHub// ntifs.h
__kernel_entry NTSYSCALLAPI NTSTATUS NtQueryDirectoryFile(
[in] HANDLE FileHandle,
[in, optional] HANDLE Event,
[in, optional] PIO_APC_ROUTINE ApcRoutine,
[in, optional] PVOID ApcContext,
[out] PIO_STATUS_BLOCK IoStatusBlock,
[out] PVOID FileInformation,
[in] ULONG Length,
[in] FILE_INFORMATION_CLASS FileInformationClass,
[in] BOOLEAN ReturnSingleEntry,
[in, optional] PUNICODE_STRING FileName,
[in] BOOLEAN RestartScan
);
View the official Windows Driver Kit DDI reference// ntifs.h
NTSYSAPI NTSTATUS ZwQueryDirectoryFile(
[in] HANDLE FileHandle,
[in, optional] HANDLE Event,
[in, optional] PIO_APC_ROUTINE ApcRoutine,
[in, optional] PVOID ApcContext,
[out] PIO_STATUS_BLOCK IoStatusBlock,
[out] PVOID FileInformation,
[in] ULONG Length,
[in] FILE_INFORMATION_CLASS FileInformationClass,
[in] BOOLEAN ReturnSingleEntry,
[in, optional] PUNICODE_STRING FileName,
[in] BOOLEAN RestartScan
);
View the official Windows Driver Kit DDI referenceNo description available.
The NtQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.
FileHandle [in]A handle returned by NtCreateFile or NtOpenFile for the file object that represents the directory for which information is being requested. The file object must have been opened for asynchronous I/O if the caller specifies a non-NULL value for Event or ApcRoutine.
Event [in, optional]An optional handle for a caller-created event. If this parameter is supplied, the caller will be put into a wait state until the requested operation is completed and the given event is set to the Signaled state. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state.
ApcRoutine [in, optional]An address of an optional, caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. If there is an I/O completion object associated with the file object, this parameter must be NULL.
ApcContext [in, optional]An optional pointer to a caller-determined context area if the caller supplies an APC or if an I/O completion object is associated with the file object. When the operation completes, this context is passed to the APC, if one was specified, or is included as part of the completion message that the I/O Manager posts to the associated I/O completion object.
This parameter is optional and can be NULL. It must be NULL if ApcRoutine is NULL and there is no I/O completion object associated with the file object.
IoStatusBlock [out]A pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. For successful calls that return data, the number of bytes written to the FileInformation buffer is returned in the structure's Information member.
FileInformation [out]A pointer to a buffer that receives the desired information about the file. The structure of the information returned in the buffer is defined by the FileInformationClass parameter.
Length [in]The size, in bytes, of the buffer pointed to by FileInformation. The caller should set this parameter according to the given FileInformationClass.
FileInformationClass [in]The type of information to be returned about files in the directory. Type of information to be returned about files in the directory. See the FileInformationClass parameter of NtQueryDirectoryFileEx for the list of possible values.
ReturnSingleEntry [in]Set to TRUE if only a single entry should be returned, FALSE otherwise. If this parameter is TRUE, NtQueryDirectoryFile returns only the first entry that is found.
FileName [in, optional]An optional pointer to a caller-allocated Unicode string containing the name of a file (or multiple files, if wildcards are used) within the directory specified by FileHandle. This parameter is optional and can be NULL.
If FileName is not NULL, only files whose names match the FileName string are included in the directory scan. If FileName is NULL, all files are included.
The FileName is used as a search expression and is captured on the very first call to NtQueryDirectoryFile for a given handle. Subsequent calls to NtQueryDirectoryFile will use the search expression set in the first call. The FileName parameter passed to subsequent calls will be ignored.
RestartScan [in]Set to TRUE if the scan is to start at the first entry in the directory. Set to FALSE if resuming the scan from a previous call.
When the NtQueryDirectoryFile routine is called for a particular handle, the RestartScan parameter is treated as if it were set to TRUE, regardless of its value. On subsequent NtQueryDirectoryFile calls, the value of the RestartScan parameter is honored.
The NtQueryDirectoryFileroutine returns STATUS_SUCCESS or an appropriate error status. The set of error status values that can be returned is file-system-specific. NtQueryDirectoryFilealso returns the number of bytes actually written to the given FileInformation buffer in the Information member of IoStatusblock. See NtQueryDirectoryFileEx for a list of some possible error codes.
The NtQueryDirectoryFile routine returns information about files that are contained in the directory represented by FileHandle.
If provided, the value of the FileName parameter determines the entries that are included in the directory scan for all subsequent calls to NtQueryDirectoryFile for a given FileHandle.
If there is at least one matching entry, NtQueryDirectoryFile creates a FILE_XXX_INFORMATION structure for each entry and stores them in the buffer.
Assuming that at least one matching directory entry is found, the number of entries for which information is returned is the *smallest of the following:
On the first call to NtQueryDirectoryFile, if the structure created for the first entry found is too large to fit into the output buffer, the routine writes the fixed portion of the structure to the output buffer. The routine then writes to the output buffer as much of the FileName string as will fit. (The fixed portion of the structure consists of all fields except the final FileName string. On the first call, but not on subsequent calls, the I/O system ensures that the buffer is large enough to hold the fixed portion of the appropriate FILE_XXX_INFORMATION structure.) When this happens, NtQueryDirectoryFile returns an appropriate status value such as STATUS_BUFFER_OVERFLOW.
On each call, NtQueryDirectoryFile returns as many FILE_XXX_INFORMATION structures (one per directory entry) as can be contained entirely in the buffer pointed to by FileInformation. On the first call, NtQueryDirectoryFile returns STATUS_SUCCESS only if the output buffer contains at least one complete structure. On subsequent calls, if the output buffer contains no structures, NtQueryDirectoryFile returns STATUS_SUCCESS but sets IoStatusblock->Information = 0 to notify the caller of this condition. In this case, the caller should allocate a larger buffer and call NtQueryDirectoryFile again. No information about any remaining entries is reported. Thus, except in the cases listed above where only one entry is returned, NtQueryDirectoryFile must be called at least twice to enumerate the contents of an entire directory.
When calling NtQueryDirectoryFile, you may see changes made to the directory that occur in parallel with NtQueryDirectoryFile calls. This behavior is dependent on the implementation of the underlying file system.
The final call to NtQueryDirectoryFile returns an empty output buffer and reports an appropriate status value such as STATUS_NO_MORE_FILES.
If NtQueryDirectoryFile is called multiple times on the same directory and some other operation changes the contents of that directory, any changes may or may not be seen, depending on the timing of the operations.
NtQueryDirectoryFilereturns zero in any member of a FILE_XXX_INFORMATION structure that is not supported by the file system.
Callers of NtQueryDirectoryFile must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled.
For information about other file information query routines, see File Objects.
[!NOTE] If the call to the NtQueryDirectoryFile function occurs in user mode, you should use the name "NtQueryDirectoryFile" instead of "ZwQueryDirectoryFile".
For calls from kernel-mode drivers, the Nt*XXX* and Zw*XXX* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*XXX* and Zw*XXX* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
FILE_REPARSE_POINT_INFORMATION
The ZwQueryDirectoryFile routine returns various information about files in the directory specified by a given file handle.
FileHandle [in]A handle returned by ZwCreateFile or ZwOpenFile for the file object that represents the directory for which information is being requested. The file object must have been opened for asynchronous I/O if the caller specifies a non-NULL value for Event or ApcRoutine.
Event [in, optional]An optional handle for a caller-created event. If this parameter is supplied, the caller will be put into a wait state until the requested operation is completed and the given event is set to the Signaled state. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state.
ApcRoutine [in, optional]An address of an optional, caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. If there is an I/O completion object associated with the file object, this parameter must be NULL.
ApcContext [in, optional]An optional pointer to a caller-determined context area if the caller supplies an APC or if an I/O completion object is associated with the file object. When the operation completes, this context is passed to the APC, if one was specified, or is included as part of the completion message that the I/O Manager posts to the associated I/O completion object.
This parameter is optional and can be NULL. It must be NULL if ApcRoutine is NULL and there is no I/O completion object associated with the file object.
IoStatusBlock [out]A pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. For successful calls that return data, the number of bytes written to the FileInformation buffer is returned in the structure's Information member.
FileInformation [out]A pointer to an output buffer that receives the desired information about the file. The structure of the information returned in the buffer is defined by the FileInformationClass parameter.
Length [in]The size, in bytes, of the buffer pointed to by FileInformation. The caller should set this parameter according to the given FileInformationClass.
FileInformationClass [in]The type of information to be returned about files in the directory. See the FileInformationClass parameter of NtQueryDirectoryFileEx for the list of possible values.
ReturnSingleEntry [in]Set to TRUE if only a single entry should be returned, FALSE otherwise. If this parameter is TRUE, ZwQueryDirectoryFile returns only the first entry that is found.
FileName [in, optional]An optional pointer to a caller-allocated Unicode string containing the name of a file (or multiple files, if wildcards are used) within the directory specified by FileHandle. This parameter is optional:
The FileName is used as a search expression and is captured on the very first call to ZwQueryDirectoryFile for a given handle. Subsequent calls to ZwQueryDirectoryFile will use the search expression set in the first call. The FileName parameter passed to subsequent calls will be ignored.
RestartScan [in]Set to TRUE if the scan is to start at the first entry in the directory. Set to FALSE if resuming the scan from a previous call.
When the ZwQueryDirectoryFile routine is called for a particular handle, the RestartScan parameter is treated as if it were set to TRUE, regardless of its value. On subsequent ZwQueryDirectoryFile calls, the value of the RestartScan parameter is honored.
The ZwQueryDirectoryFile routine returns STATUS_SUCCESS or an appropriate error status. The set of error status values that can be returned is file system-specific. ZwQueryDirectoryFile also returns the number of bytes actually written to the given FileInformation buffer in the Information member of IoStatusBlock. See NtQueryDirectoryFileEx for a list of some possible error codes.
The ZwQueryDirectoryFile routine returns information about files that are contained in the directory represented by FileHandle.
If provided, FileName determines the entries that are included in the directory scan for all subsequent calls to ZwQueryDirectoryFile for a given FileHandle.
If there is at least one matching entry, ZwQueryDirectoryFile creates a FILE_XXX_INFORMATION structure for each entry and stores them in the buffer.
Assuming that at least one matching directory entry is found, the number of entries for which information is returned is the smallest of the following:
On the first call to ZwQueryDirectoryFile, if the structure it creates for the first entry found is too large to fit into the output buffer, this routine does the following:
On each call, ZwQueryDirectoryFile returns as many FILE_XXX_INFORMATION structures (one per directory entry) as can be contained entirely in the buffer pointed to by FileInformation:
When calling ZwQueryDirectoryFile, you might see changes made to the directory that occur in parallel with ZwQueryDirectoryFile calls. This behavior is dependent on the implementation of the underlying file system.
The final call to ZwQueryDirectoryFile returns an empty output buffer and reports an appropriate status value such as STATUS_NO_MORE_FILES.
If ZwQueryDirectoryFile is called multiple times on the same directory and some other operation changes the contents of that directory, any changes might or might not be seen, depending on the timing of the operations.
ZwQueryDirectoryFile returns zero in any member of a FILE_XXX_INFORMATION structure that is not supported by the file system.
Callers of ZwQueryDirectoryFile must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled.
For information about other file information query routines, see File Objects.
[!NOTE] If the call to the ZwQueryDirectoryFile function occurs in user mode, you should use the name "NtQueryDirectoryFile" instead of "ZwQueryDirectoryFile".
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
FILE_REPARSE_POINT_INFORMATION
Using Nt and Zw Versions of the Native System Services Routines
This function is documented in Windows Driver Kit here and here.
NtQueryDirectoryFile is used to enumerate entries (files or directories) placed into file container object (directory). Win32 API use it in FindFirstFile-FindNextFile routines.
HANDLE to File Object opened with FILE_DIRECTORY_FILE option and FILE_LIST_DIRECTORY access.
Optional HANDLE to Event Object signaled after query complete.
Optional pointer to user's APC routine queued after query complete.
Parameter for ApcRoutine.
Pointer to IO_STATUS_BLOCK structure. After enumeration complete, Information member of this structure contains number of bytes written into FileInformation buffer. Status member contains IO result of call, and can be one of:
STATUS_SUCCESS - Enumeration has results in FileInformation buffer.STATUS_NO_MORE_FILES - FileInformation buffer is empty, and next call isn't needed.STATUS_NO_SUCH_FILE - Returned when FileMask parameter specify exactly one file (don't contains '*' or '?' characters), and queried directory don't contains that file.User's allocated buffer for output data.
Length of FileInformation buffer, in bytes.
Information class. Can be one of:
FileDirectoryInformationFileFullDirectoryInformationFileBothDirectoryInformationFileNamesInformationFileOleDirectoryInformationIf set, only one entry is returned.
If specified, only information about files matches this wildchar mask will be returned.
WARNING: There's no rule specifying what to do when caller makes two calls to NtQueryDirectoryFile both with different masks. Typically FileMask specified in second call will be ignored, and results will match the first (for example: NTFS.SYS). The best solution is to close directory HANDLE after every call with FileMask parameter specified.
Used with ReturnSingleEntry parameter. If set, NtQueryDirectoryFile continue enumeration after last enumerated element in previous call. If no, returns the first entry in directory.
For detailed information about results, see FILE_INFORMATION_CLASS with information classes specified above.
NtCreateFileNtOpenFileNtQueryInformationFileNtQueryOleDirectoryFileNtQueryVolumeInformationFile