NimbUs said:
......
Like others said, this is cool. Raises immediate questions
however; maybe you or others can tell :
- does write access work the same or is that read only ?
- is data accessed in this way going thru the Windows cache or
is caching bypassed (even for read only access) ?
- do known applications, and/or Windows itself, routinely use
driveletter-less access for their own purpose ?
Reason I am asking you (you all!) is because I used to believe
that Windows will not access, even less cache, data from
partitions without a drive letter assigned "behind our back" so
to say. I relied on this belief while accessing parts of my main
hard disk(s) in "raw" mode from within virtual machines (I use
mostly VMware on Windows XP 3, could as well be Virtual Box or
similar). Now I'm worried !

A volume name like Volume{06588845-39a4-11e0-8027-806d6172696f}
is exactly the same thing as a drive letter like "C:". Both
are symbolic links which point to the volume's kernel object,
something like \Device\HarddiskVolume1.
The \\?\ prefix is for skipping the resolving of relative
paths. This is required because Volume{UUID} is a pretty valid
file name and without the prefix Windows would look for a
file with this name in the current directory. For drive letters
this is hard coded. Therefore you cannot access an NTFS stream
in a file named with a single letter. C:X would be a valid name
for a stream X in file C but C: makes it resolved as drive spec
plus X.
Back to your question... It's about a volume being mounted or
not. Windows does not mount volumes without a drive letter
because no one is accessing it in real life. But if indeed
someone comes and accesses e.g.
\\?\Volume{06588845-39a4-11e0-8027-806d6172696f}\boot.ini
then even a volume without a drive letter is auto-mounted.
But all the nasty Windows background stuff relies on
drive letters, therefore this does not happen in real life.
And VMWARE should just dismount the accessed volumes and
warn you if this fails.
You can try yourself:
http://www.uwe-sieber.de/files/createfiletest.zip
Determine your volume's volume name, and open a file like
\\?\Volume{06588845-39a4-11e0-8027-806d6172696f}\boot.ini
VMWARE should complain then when it tries to dismount the
volume.
Uwe
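
An added example, not part of the original posts: one way to check whether anything opens files through a volume name on a volume that has no drive letter. It assumes the volume list is in the layout printed by the Windows mountvol command and that opened paths come from a file-access trace; both samples and the function names are constructed for illustration.

```python
import re

# Constructed sample in mountvol's layout (only the first GUID is from the post).
MOUNTVOL_SAMPLE = r"""
    \\?\Volume{06588845-39a4-11e0-8027-806d6172696f}\
        C:\

    \\?\Volume{11111111-2222-3333-4444-555555555555}\
        *** NO MOUNT POINTS ***

    \\?\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\
        D:\
        C:\mnt\data\
"""

# Constructed list of opened paths, e.g. exported from a file-access trace.
TRACE_SAMPLE = [
    r"C:\boot.ini",
    r"\\?\Volume{11111111-2222-3333-4444-555555555555}\boot.ini",
    r"\\?\Volume{06588845-39A4-11E0-8027-806D6172696F}\boot.ini",
    # No \\?\ prefix: a relative file name, not a volume reference.
    r"Volume{11111111-2222-3333-4444-555555555555}\boot.ini",
]

VOLUME_RE = re.compile(r"^\\\\\?\\Volume\{([0-9A-Fa-f-]{36})\}\\")

def parse_mountvol(text):
    """Map lower-cased volume GUID -> list of mount points (empty if none)."""
    volumes, current = {}, None
    for line in text.splitlines():
        entry = line.strip()
        match = VOLUME_RE.match(entry)
        if match:
            current = volumes.setdefault(match.group(1).lower(), [])
        elif current is not None and re.match(r"^[A-Za-z]:\\", entry):
            current.append(entry)      # drive letter or folder mount point
        elif not entry:
            current = None             # blank line ends a volume's block
    return volumes

def letterless_accesses(paths, volumes):
    """Traced paths that open, by volume name, a volume with no mount point."""
    hits = [(p, VOLUME_RE.match(p)) for p in paths]
    return [p for p, m in hits if m and volumes.get(m.group(1).lower()) == []]

if __name__ == "__main__":
    for path in letterless_accesses(TRACE_SAMPLE, parse_mountvol(MOUNTVOL_SAMPLE)):
        print("opened by volume name, no drive letter:", path)
```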