Physical Disks, Objects and the Boot sector

Objects in NT, 2k and XP

Native Windows NT objects are a key component of the Operating System. Different parts of the object space represent I/O devices, file systems, the Registry and much else. You can view the object tree with Program Files\Microsoft SDK\bin\winnt\winobj.exe from the Platform SDK or, better, with http://www.sysinternals.com/ntw2k/freeware/winobj.shtml by Mark Russinovich.

For the present discussion, the key part of the object hierarchy is below 

\??

This is the part that can be reached from WIN32 programs by opening suitably named files; it allows you to do in Windows what you would do with the /dev files under UNIX/Linux. To access these objects, you open a file with the name \\.\device or //./device. That is, you replace the \?? prefix with \\. (or //.).

All normal files can be accessed in this way, using strings such as \\.\c:\dir\dir\file.ext or (except at the CMD command prompt, where / is used for switches) //./c:/dir/dir/file.ext. The second form is particularly useful because it also works from within the Cygwin UNIX emulation, so the same file names can be used in both environments. It is also possible to access physical devices. Thus \\.\a: behaves just like /dev/fd0 would under Linux, and reading the first 512 bytes gives you the floppy boot sector. The short program below outputs the boot sector in hex to the console:

#include <stdlib.h>
#include <stdio.h>
#define DEVICE "\\\\.\\a:"
int main(void) {
  FILE *dev;
  int byte = 0;
  unsigned char buf[512];
  dev = fopen(DEVICE, "rb");          /* binary mode: no CR/LF or ^Z translation of sector data */
  if (dev == NULL) {
    perror("fopen");
    return EXIT_FAILURE;
  }
  if (fread(buf, 512, 1, dev) != 1) { /* expect exactly one full 512-byte sector */
    fprintf(stderr, "short read from %s\n", DEVICE);
    fclose(dev);
    return EXIT_FAILURE;
  }
  fclose(dev);
  while (byte < 512) {
    printf("%02x", buf[byte++]);      /* two zero-padded hex digits per byte */
    printf("%c", (byte % 16) ? ' ' : '\n');
  }
  return EXIT_SUCCESS;
}

Actually, 

#define DEVICE "//./a:"

would work too. Note that the same program would run under Linux if we used

#define DEVICE "/dev/fd0"

There are also devices for entire hard drives, so using

#define DEVICE "\\\\.\\PhysicalDrive0"

would output the Master Boot Record (holding partition information) for the first drive.
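The 512-byte MBR read from PhysicalDrive0 carries the partition table at offset 446 and the 0x55AA boot signature at offset 510. The following is an added example, not code from the original page, that decodes such a sector and rejects one without the signature; the sector it decodes is a constructed sample, not a capture from a real disk, and the struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded entry of the 4-entry MBR partition table (offset 446, 16 bytes each). */
struct mbr_part {
    uint8_t  bootable;   /* 0x80 = active, 0x00 = inactive */
    uint8_t  type;       /* partition type id, e.g. 0x07 NTFS, 0x83 Linux; 0 = unused */
    uint32_t lba_start;  /* first sector, stored little-endian in the MBR */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decodes the table; returns the number of used entries, or -1 when the 0x55AA
 * boot signature is absent (not an MBR, or a sector mangled by a text-mode read). */
int parse_mbr(const unsigned char sector[512], struct mbr_part out[4]) {
    int used = 0;
    if (sector[510] != 0x55 || sector[511] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {
        const unsigned char *e = sector + 446 + 16 * i;
        out[i].bootable  = e[0];
        out[i].type      = e[4];
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* Constructed sample sector (not from a real disk): one active NTFS partition,
 * start LBA 2048, 2048 sectors long, with a valid boot signature. */
static void build_sample(unsigned char sector[512]) {
    memset(sector, 0, 512);
    unsigned char *e = sector + 446;
    e[0] = 0x80; e[4] = 0x07;
    e[9] = 0x08;                 /* lba_start = 0x00000800 = 2048 */
    e[13] = 0x08;                /* sectors   = 0x00000800 = 2048 */
    sector[510] = 0x55; sector[511] = 0xAA;
}

/* Scalar helpers that parse the sample, so the results are easy to check. */
int sample_used_entries(void) { unsigned char s[512]; struct mbr_part p[4]; build_sample(s); return parse_mbr(s, p); }
uint32_t sample_first_lba(void) { unsigned char s[512]; struct mbr_part p[4]; build_sample(s); parse_mbr(s, p); return p[0].lba_start; }
int sample_without_signature(void) { unsigned char s[512]; struct mbr_part p[4]; build_sample(s); s[511] = 0; return parse_mbr(s, p); }

int main(void) { unsigned char s[512]; struct mbr_part p[4]; build_sample(s); int n = parse_mbr(s, p);
    printf("entries=%d first: boot=%02x type=%02x lba=%u len=%u\n", n, p[0].bootable, p[0].type, p[0].lba_start, p[0].sectors); return 0; }
```

To run it against a real drive, replace build_sample with a 512-byte fread from the device opened in "rb" mode, exactly as in the floppy program above.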

dan@ecs.soton.ac.uk