none
Determine case sensitivity of a Windows volume in kernel mode RRS feed

  • Question

  • The Windows API supports a GetVolumeInformation function. This function provides information about a Windows volume.  Specifically, it returns a FILE_CASE_SENSITIVE_SEARCH switch. In the kernel there are FltQueryVolumeInformation and ZwQueryVolumeInformationFile, but I don't see any way to derive the case sensitivity information from the available information classes.

    Am I correct in understanding that the FILE_CASE_SENSITIVE_SEARCH switch only specifies that a case sensitive search is possible (not that it is done by default)?  Is it correct that you only know about case sensitivity based on the way the file is opened (i.e. you must call CreateFile with the FILE_FLAG_POSIX_SEMANTICS flag, otherwise Win32 case-insensitive behavior is used)?


    Static

    Tuesday, April 26, 2016 10:12 PM

Answers

  • ZwQueryVolumeInformationFile and FltQueryVolumeInformation both support this, look at the FILE_FS_ATTRIBUTE_INFORMATION structure.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, April 26, 2016 11:09 PM
  • Yes. FILE_CASE_SENSITIVE_SEARCH, specified for a volume, indicates that file case-sensitive searches (lookup in a directory) is supported by the volume's file system. On such a volume, if you really want to differentiate between two files solely on case, then you must specify FILE_FLAG_POSIX_SEMANTICS (which just clears the OBJ_CASE_INSENSITIVE bit in the object attributes passed to NtCreateFile). Files of the same name that only differ in case will give lots of apps problems, and some files may not be accessible. It is also possible to enable case sensitivity globally, using a registry setting.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, April 27, 2016 7:24 PM
    Moderator

All replies

  • ZwQueryVolumeInformationFile and FltQueryVolumeInformation both support this, look at the FILE_FS_ATTRIBUTE_INFORMATION structure.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, April 26, 2016 11:09 PM
  • Wow, thanks!, I don't know how I missed that.

    Is my understanding correct in that FILE_CASE_SENSITIVE_SEARCH only indicates that a case sensitive search is possible.  In order to differentiate two files that only have case differences in their names you still have to specify FILE_FLAG_POSIX_SEMANTICS to CreateFile?   So even if the FILE_CASE_SENSITIVE_SEARCH flag is set on a volume, the default is to treat files as non-case sensitive? 


    Static

    Wednesday, April 27, 2016 5:47 PM
  • Yes. FILE_CASE_SENSITIVE_SEARCH, specified for a volume, indicates that file case-sensitive searches (lookup in a directory) is supported by the volume's file system. On such a volume, if you really want to differentiate between two files solely on case, then you must specify FILE_FLAG_POSIX_SEMANTICS (which just clears the OBJ_CASE_INSENSITIVE bit in the object attributes passed to NtCreateFile). Files of the same name that only differ in case will give lots of apps problems, and some files may not be accessible. It is also possible to enable case sensitivity globally, using a registry setting.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, April 27, 2016 7:24 PM
    Moderator
  • Thanks!

    Static

    Wednesday, April 27, 2016 7:26 PM