50 comments

[ 2.9 ms ] story [ 79.3 ms ] thread
The cursedness of "€:\" is awesome. It's amazing how much more flexible the NT kernel is vs what's exposed to the user.
It's not flexible enough until we can have a joy face emoji as the drive letter.
I'm pretty sure the kernel would be ok with that, from it's point of view joy face emoji or korean jamo or japanese kenji are all the same

Explorer, not so much ...

> In other words, since RtlDosPathNameToNtPathName_U converts C:\foo to \??\C:\foo, then an object named C: will behave like a drive letter. To give an example of what I mean by that: in an alternate universe, RtlDosPathNameToNtPathName_U could convert the path FOO:\bar to \??\FOO:\bar and then FOO: could behave like a drive letter.

For some reason I remember that the original xbox 360 had "drive letters" which were entire strings. Unfortunately I no longer have access to the developer docs and now I wonder if my mind completely made this up. I think it was something like "Game:\foo" and "Hdd0:\foo".

This all sounds like a wonderful way to write some truly annoying malware. I expect to see hidden mounts on SQL-escape-type-maliciously-named drives soon...
This was a cool article. Learned something new today.
> Drives with a drive-letter other than A-Z do not appear in File Explorer, and cannot be navigated to in File Explorer.

Well there goes my plan to replace all my drive letters with emojis :(

Whenever I get onto a computer that someone left unlocked, the first thing I check is their eggplant- and peach-labelled drives.
Anybody who's had to look through files on multi-disc arrays knows exactly how weird the drive letters can get. Mount the ISOs of thirty six 8.5GB DVDs because someone thought it was a good idea to split zip a single archive into 7.99GB segments and things get very tricky in cmd. If you weren't in the habit of using several layers of quotation marks to separate everything you'll form it very quickly because the operators can be the same symbols as the drive letters, as shown in the article with the "+" example.
Windows drive letters are ridiculous. Use an external drive for e.g. video editing, its letter can be stolen by another drive, you can’t work anymore.
I remember when A and B were commonly used drive letters. C was a luxury. D was outright bourgeois.

But for some reason, drive letters starting with C feel completely natural, too. Maybe it's because C is also the first note in the most widely known musical scale. We can totally afford to waste two drive letters at the start, right?

> I remember when A and B were commonly used drive letters. C was a luxury. D was outright bourgeois.

Our first home computer (1989 or 1990?) was a 386SX with a 40MB hard disk (so maybe we were bourgeois). My dad had to partition it into a 32MB C drive and an 8MB D drive, because the DOS version (3.3?) had a 32MB maximum filesystem size. It had two separate 5.25 inch floppy drives, a 1.2MB and a 360KB - although the 1.2MB drives could read 360KB disks, they couldn’t write them in a form readable by 360KB drives, or something like that. And later (circa 1991) we got a 3.5 inch floppy drive too, which became drive A, the 1.2MB became drive B, and the 360KB was relegated to drive E. The FDC that came with the computer (back then they were ISA cards, hadn’t been integrated with the motherboard yet) only supported two drives, so he had to buy a new one that supported four.

'We have D at home' :)

c:\> subst d: c:

Hmm. This seems like it could be abused rather hilariously (or not, depending on your perspective) by malware...
Windows is not limited to accessing partitions through drive letters either, it's just the existing convention.

You can mount partitions under directories just like you can in Linux/Unix.

PowerShell has Add-PartitionAccessPath for this:

> mkdir C:\Disk

> Add-PartitionAccessPath -DiskNumber 1 -PartitionNumber 2 -AccessPath "C:\Disk"

> ls C:\Disk

It will persist through reboots too.

Many programs (Steam did, last time I checked) will look up the parent disk's free space when you do that and might refuse to install if that space is too small (even if target dir have enough)
Indeed, and if you only have a single drive letter, that drive is always the active one, and so you can just write paths starting with the backslash: \Windows\System32 etc.
From the article:

> Drives with a drive-letter other than A-Z do not appear in File Explorer, and cannot be navigated to in File Explorer.

Reminds me of the old-school ALT + 255 trick on Win9x machines where adding this "illegal trailing character" made the directory inaccessible from the regular file explorer.

Now somebody will uses this to hide their malware, somehow...
The NT paths are how the object manager refers to things. For example the registry hive HKEY_LOCAL_MACHINE is an alias for \Registry\Machine

https://learn.microsoft.com/en-us/windows-hardware/drivers/k...

In this way, NT is similar to Unix in that many things are just files part of one global VFS layout (the object manager name space).

Paths that start with drive letters are called a "DOSPath" because they only exist for DOS compatibility. But unfortunately, even in kernel mode, different sub systems might still refer to a DOSPath.

Powershell also exposes various things as "drives", pretty sure you could create your own custom drive as well for your custom app. For example, by default there is the 'hklm:\' drive path:

https://learn.microsoft.com/en-us/powershell/scripting/sampl...

Get-PSDrive/New-PSDrive

You can't access certificates in linux/bash as a file path for example, but you can in powershell/windows.

I highly recommend getting the NtObjectManager powershell module and exploring about:

https://github.com/googleprojectzero/sandbox-attacksurface-a...

ls NtObject:\",

> You can't access certificates in linux/bash as a file path for example, but you can in powershell/windows.

sure you can, /usr/share/ca-certificates tho you do need to run 'update-ca-certificates' (in debian derivatives) to update some files, like hashed symlinks in /etc/ssl/certs

there is also of course /sys|/proc for system stuff, but yes, nowhere near as integrated as windows registry

> You can't access certificates in linux/bash as a file path for example

Fuse and p9 exist... If anyone wants certs by id in the filesystem, it will exist.

This topic would make a good post on The Old New Thing.
(comment deleted)
This is an interesting reference about how drive letters are stored in the Windows Registry: http://www.goodells.net/multiboot/partsigs.shtml

I never tried, but I wonder if you could use direct registry editing to create some really strange drive letters.

I hope this article gets archived in a computer history, so people in the future can read how today's default operating system persisted in requiring its vict..., umm, users, to honor an archaic practice long past any imaginable justification, while free alternative operating systems don't have this handicap.

I regularly have this conversation with my end-user neighbor -- I explain that he has once again written his backup archive onto his original because he plugged in his Windows USB drives in the wrong sequence. His reply is, more or less, "Are computers still that backward?" "No," I reply, "Windows is still that backward."

The good news is that Linux is more sophisticated. The bad news is that Linux users must be more sophisticated as well. But this won't always be true.

Perhaps instead you could teach your neighbor how to assign drive letters to drives so that the same thing always ends up on the same letter. Because it can do that.

OTOH on Linux out of the box they'd get /media/usb0, /media/usb1 etc. Which has the same exact problem. And the same exact solution - if you need stable names, mount them as such (except on Windows you can do it with a few clicks with a mouse).

Similar corner cases are the bedrock of security flaws.

If anyone adds this behaviour as a bet on a market about a future CVE or severity, can they add a link to the bet here?

Seems like a great way to hide a bunch of files from users for a malware payload
In my first DOS, the drive letter after Z was AA. I created a series of small RAM drives to find out.

That may have been DOS 3.3, not later. IDK when it changed.

I remember Netware had some kind of drive letter mapping that went way past z:
I never knew Λ was the upper case version of λ.
> drive letters are essentially just a convention borne out of the conversion of a Win32 path into a NT path

CMD also has the concept of a current drive, and of a per-drive current directory. (While “X:\” references the root directory of drive X, “X:” references whatever the current directory of drive X is. And the current directory, i.e. “.”, is the current directory of the current drive.) I wonder how those mesh with non-standard drive letters.

For anyone curious there is a somewhat similar thing in Linux called Abstract Domain Sockets. These are Unix domain sockets where the first character is NUL ('\0')

I am working on a game where every player has system resources on a Linux computer. The basic idea is that some resources need to be shared or protected in some ways, such as files, but the core communication of the game client itself needs to be preserved without getting in the way of the real system environment.

I am using these abstract data sockets because they sidestep most other permissions in Linux. If you have the magic numbers to find the socket, you get access.

> If you have the magic numbers

or find it in /proc/net/unix

> Non-ASCII drive letters are even case-insensitive like A-Z are

I wonder, does `subst I: .` create i: or ı: under the Turkish locale?