Booted from ?

Is there a kernel DDI routine I can use to find where the system is
booted from in a multiple boot volume system ?

Alternatively, I can find it out on usrMode, and pass it down to
krnlmode, but ideally looking for krnlmode.

thanks
-prokash

If I do it from usermode then (for now and until I find a better
way), I would be inferring from some environment variable like %HomeDrive% or
%SystemRoot%. That is a bit scary for me, also I would like to have it
fairly early in the boot stage. How early? I don't know. But as early as
possible!! Was looking thru some of the Zw*(…) APIs, could not find any
yet…

thanks
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Sinha, Prokash
Sent: Friday, April 30, 2004 5:00 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Booted from ?

Is there a kernel DDI routine I can use to find where the system is booted
from in a multiple boot volume system ?

Alternatively, I can find it out on usrMode, and pass it down to krnlmode,
but ideally looking for krnlmode.

thanks
-prokash

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@garlic.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

You can read HKLM\System\CurrentControlSet\Control.SystemBootDevice to get
the ArcPath for the boot device. The ArcPath is a symbolic link to the
standard kernel boot device name. (See winobj.) Alternatively "\SystemRoot"
is helpful. Note that if you are looking for the boot device REALLY EARLY in
system initialization, IT DOESN'T EXIST.


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Saturday, May 01, 2004 12:33 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Booted from ?

If I do it from usermode then (for now and until I find a better way), I
would be inferring from some environment variable like %HomeDrive% or
%SystemRoot%. That is a bit scary for me, also I would like to have it
fairly early in the boot stage. How early? I don't know. But as early as
possible!! Was looking thru some of the Zw*(…) APIs, could not find any
yet…

thanks
-pro

Thanks Mark, this will do it. It would be in an FS filter driver.

Thanks again.
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Mark Roddy
Sent: Saturday, May 01, 2004 5:20 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Booted from ?

You can read HKLM\System\CurrentControlSet\Control.SystemBootDevice to get
the ArcPath for the boot device. The ArcPath is a symbolic link to the
standard kernel boot device name. (See winobj.) Alternatively "\SystemRoot"
is helpful. Note that if you are looking for the boot device REALLY EARLY in
system initialization, IT DOESN'T EXIST.


Is there any combination of DDIs for finding a symLink for a Name in
Object Name space? Probably not!, since there could be multiple
symLinks for a Name? Given a symLink, finding the target object using
DDI is fairly straightforward …

As per Mark Roddy’s advice, I could get the SystemBootDevice string
(something like multi(0)disk(0)rdisk(1)partition(3) ) and I was
wondering if there is a way to get to the symlink ( for example
\Device\Harddisk0\Partition3 ). If I get to this, then I can get back the
target of the sym link …

thanks again
-prokash

Look in the \ArcName object directory.

\arcname\multi(0)disk(0)rdisk(1)partition(3) should be a symlink to the
symlink.

-p


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sinha, Prokash
Sent: Monday, May 03, 2004 4:28 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Booted from ?

Is there any combination of DDIs for finding a symLink for a Name in
Object Name space? Probably not!, since there could be multiple
symLinks for a Name? Given a symLink, finding the target object using
DDI is fairly straightforward …

As per Mark Roddy’s advice, I could get the SystemBootDevice string
(something like multi(0)disk(0)rdisk(1)partition(3) ) and I was
wondering if there is a way to get to the symlink ( for example
\Device\Harddisk0\Partition3 ). If I get to this, then I can get back the
target of the sym link …

thanks again
-prokash

This begs the usual question – why would you want to do that?

[asking original poster, not Peter Wieland]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: Monday, May 03, 2004 8:27 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Booted from ?

Look in the \ArcName object directory.

\arcname\multi(0)disk(0)rdisk(1)partition(3) should be a symlink to the
symlink.

-p


First, many thanks to Peter. Arlie, in this case, we are using documented
stuff. As I mentioned, for sure there is a need for not trying to do any
of it at user space. Once I get it totally in krnl mode, I would be more
than happy to send you (not in this mailing list :), the answer for why I’m
looking to have a solution this way. Actually this is the part I need to do,
other part(s) of this I finished already.

The original question is to know where the system is booted from, and how
could we determine it in kernel mode w/o any usr component, w/o using nasty
hacks :).

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Arlie Davis
Sent: Monday, May 03, 2004 5:47 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Booted from ?

This begs the usual question – why would you want to do that?

[asking original poster, not Peter Wieland]

First sorry, because I could not link the emails, due to some spam
software installed by IT, and obviously not working right :-).

Now I tried different ways to find if I could get to the symLink of the
form (\Device\HarddiskX\PartitionY) from symLink of the form
multi(0)disk(x)rdisk(y)…

If I try to pass multi(0)… as is to ZwOpenSymbolicLinkObject(),
after creating and initing an Object Attribute, I get error code
STATUS_OBJECT_PATH_SYNTAX_BAD.

If I try to prefix the above string with \ArcName, still I get the bad
path syntax, I THINK SOMEHOW IT DOES NOT LIKE THOSE (x) ???.
BUT I USE THE SAME ROUTINE FOR GETTING \Device\Harddisk0\Partition3 (of
this form) and it is fine to open for later query.

By using ZwQueryDirectoryObject(…) I was getting all the entries for
the names of the form multi(x)disk(y)…, but the info I was getting
was of the form

struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjName;
    UNICODE_STRING ObjType; /// I see these are SYMBOLIC LINK
};

BUT I DON'T SEE THE MAPPING THAT GOES FROM multi(x)… TO
\Device\Harddisk(y) …

So essentially, I’m still missing something to get the map right.

Any suggestion !!!

thanks again,
prokash

Okay, let me clarify a bit!

Registry query would give me a string of the form multi(x)disk(y)… for the
SystemBootDevice.

If I look at the \ArcName object directory, I can see the names of the
objects of above form (i.e., multi(x)disk(y)), their types are Symbolic link,
and the symlinks are of the form of \Device\HarddiskX\PartitionY … If I
take this latter form (i.e. \Device\HarddiskX… ) and try to get the
target for it, I get what I need, and from there to get to the C:, D: or
whatever is fine and dandy.

If I open the \ArcName object directory, and query, I see exactly the same
number of entries as those of the forms multi(0)disk(n) … and their
respective types, in this case all of them are symbolic link(s). But I don't
see any apparent way to cast the buffer to get to the image of the map side,
i.e. \Device\Harddisk… Also the raw buffer does not have those forms.

Hoping that multi(n)… this form might take in a
ZwOpenSymbolicLinkObject(), I see the PATH_SYNTAX_ERROR. So pre-patching
with \ArcName to it, does not help either, and gives the same error.

-prokash
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Sinha, Prokash
Sent: Tuesday, May 04, 2004 6:31 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Booted from ?

First sorry, because I could not link the emails, due to some spam
software installed by IT, and obviously not working right :-).

Now I tried different ways to find if I could get to the symLink of the
form (\Device\HarddiskX\PartitionY) from symLink of the form
multi(0)disk(x)rdisk(y)…

If I try to pass multi(0)… as is to ZwOpenSymbolicLinkObject(),
after creating and initing an Object Attribute, I get error code
STATUS_OBJECT_PATH_SYNTAX_BAD.

If I try to prefix the above string with \ArcName, still I get the bad
path syntax, I THINK SOMEHOW IT DOES NOT LIKE THOSE (x) ???.
BUT I USE THE SAME ROUTINE FOR GETTING \Device\Harddisk0\Partition3 (of
this form) and it is fine to open for later query.

By using ZwQueryDirectoryObject(…) I was getting all the entries for the
names of the form multi(x)disk(y)…, but the info I was getting was of the
form

struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjName;
    UNICODE_STRING ObjType; /// I see these are SYMBOLIC LINK
};

BUT I DON'T SEE THE MAPPING THAT GOES FROM multi(x)… TO
\Device\Harddisk(y) …

So essentially, I’m still missing something to get the map right.

Any suggestion !!!

thanks again,
prokash

Finally I got it, opening the obj dir and passing the handle does the
job to get the \Device\Harddisk… symlink. But the problem is that one or
two of these Zw*() APIs are (semi)(un)documented … Hmm, need to look at
diskperf ( as per some old ntfsd doc’s ref.).

Thanks again to Peter and Mark!

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Prokash Sinha
Sent: Tuesday, May 04, 2004 8:04 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Booted from ?

Okay, let me clarify a bit!

Registry query would give me a string of the form multi(x)disk(y)… for
the SystemBootDevice.

If I look at the \ArcName object directory, I can see the names of the
objects of above form (i.e., multi(x)disk(y)), their types are Symbolic link,
and the symlinks are of the form of \Device\HarddiskX\PartitionY … If I
take this latter form (i.e. \Device\HarddiskX… ) and try to get the
target for it, I get what I need, and from there to get to the C:, D: or
whatever is fine and dandy.

If I open the \ArcName object directory, and query, I see exactly the same
number of entries as those of the forms multi(0)disk(n) … and their
respective types, in this case all of them are symbolic link(s). But I don't
see any apparent way to cast the buffer to get to the image of the map side,
i.e. \Device\Harddisk… Also the raw buffer does not have those forms.

Hoping that multi(n)… this form might take in a
ZwOpenSymbolicLinkObject(), I see the PATH_SYNTAX_ERROR. So pre-patching
with \ArcName to it, does not help either, and gives the same error.

-prokash
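
Added example, not code from anyone in this thread: the SystemBootDevice string comes from the registry, so a driver can check that it has the ARC shape before composing the \ArcName\ object name, and can tell up front whether a name needs a RootDirectory handle (an object name with no leading backslash is only accepted relative to a directory handle, which matches the STATUS_OBJECT_PATH_SYNTAX_BAD and the directory-handle fix reported above). The function names, the result codes and the accepted grammar (letters followed by a decimal number in parentheses, as in the thread's sample string) are assumptions of this example, and plain C strings stand in for UNICODE_STRING.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example only; they are not NTSTATUS values. */
enum arc_result { ARC_OK = 0, ARC_BAD_SYNTAX, ARC_TOO_LONG };

#define ARC_DIR "\\ArcName\\"

/* Assumed grammar: one or more keyword(number) components, for example
 * multi(0)disk(0)rdisk(1)partition(3). Backslashes, spaces and empty
 * components are rejected, so the value cannot name a nested object path. */
static int arc_path_is_well_formed(const char *s)
{
    size_t components = 0;

    if (s == NULL)
        return 0;
    while (*s != '\0') {
        size_t letters = 0, digits = 0;

        while (isalpha((unsigned char)*s)) { s++; letters++; }
        if (letters == 0 || *s++ != '(')
            return 0;
        while (isdigit((unsigned char)*s)) { s++; digits++; }
        if (digits == 0 || *s++ != ')')
            return 0;
        components++;
    }
    return components > 0;
}

/* Compose the absolute name \ArcName\<arc path> into out, with bounds check. */
enum arc_result arc_object_name(const char *arc_path, char *out, size_t out_len)
{
    size_t dir_len = strlen(ARC_DIR);
    size_t arc_len;

    if (!arc_path_is_well_formed(arc_path))
        return ARC_BAD_SYNTAX;
    arc_len = strlen(arc_path);
    if (out == NULL || dir_len + arc_len + 1 > out_len)
        return ARC_TOO_LONG;
    memcpy(out, ARC_DIR, dir_len);
    memcpy(out + dir_len, arc_path, arc_len + 1);   /* copies the terminator */
    return ARC_OK;
}

/* A name that does not start with a backslash is relative: it can only be
 * opened together with a RootDirectory handle in the object attributes. */
int needs_root_directory(const char *object_name)
{
    return object_name == NULL || object_name[0] != '\\';
}

int main(void)
{
    /* Constructed sample values; the first has the form quoted in the thread. */
    const char *samples[] = {
        "multi(0)disk(0)rdisk(1)partition(3)",
        "multi(0)\\Device\\Null",
        "",
    };
    char name[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum arc_result r = arc_object_name(samples[i], name, sizeof name);
        printf("\"%s\" -> %s (relative as-is: %d)\n", samples[i],
               r == ARC_OK ? name : "rejected",
               needs_root_directory(samples[i]));
    }
    return 0;
}
```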