Windows Driver Kit: Installable File System Drivers
ZwQueryDirectoryFile
The ZwQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle.
NTSTATUS
ZwQueryDirectoryFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID FileInformation,
__in ULONG Length,
__in FILE_INFORMATION_CLASS FileInformationClass,
__in BOOLEAN ReturnSingleEntry,
__in_opt PUNICODE_STRING FileName,
__in BOOLEAN RestartScan
);
Parameters
- FileHandle
- A handle returned by ZwCreateFile or ZwOpenFile for the file object that represents the directory for which information is being requested. The file object must have been opened for asynchronous I/O if the caller specifies a non-NULL value for Event or ApcRoutine.
- Event
- An optional handle for a caller-created event. If this parameter is supplied, the caller will be put into a wait state until the requested operation is completed and the given event is set to the Signaled state. This parameter is optional and can be NULL. It must be NULL if the caller will wait for the FileHandle to be set to the Signaled state.
- ApcRoutine
- An address of an optional, caller-supplied APC routine to be called when the requested operation completes. This parameter is optional and can be NULL. If there is an I/O completion object associated with the file object, this parameter must be NULL.
- ApcContext
- An optional pointer to a caller-determined context area if the caller supplies an APC or if an I/O completion object is associated with the file object. When the operation completes, this context is passed to the APC, if one was specified, or is included as part of the completion message that the I/O Manager posts to the associated I/O completion object.
This parameter is optional and can be NULL. If ApcRoutine is NULL and there is no I/O completion object associated with the file object, this parameter must also be NULL.
- IoStatusBlock
- A pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the operation. For successful calls that return data, the number of bytes written to the OutputBuffer is returned in the structure's Information member.
- FileInformation
- A pointer to a buffer that receives the desired information about the file. The structure of the information returned in the buffer is defined by the FileInformationClass parameter.
- Length
- The size, in bytes, of the buffer pointed to by FileInformation. The caller should set this parameter according to the given FileInformationClass.
- FileInformationClass
- The type of information to be returned about files in the directory. One of the following.
| Value | Meaning |
|---|
| FileBothDirectoryInformation | Return a FILE_BOTH_DIR_INFORMATION structure for each file. |
| FileDirectoryInformation | Return a FILE_DIRECTORY_INFORMATION structure for each file. |
| FileFullDirectoryInformation | Return a FILE_FULL_DIR_INFORMATION structure for each file. |
| FileIdBothDirectoryInformation | Return a FILE_ID_BOTH_DIR_INFORMATION structure for each file. |
| FileIdFullDirectoryInformation | Return a FILE_ID_FULL_DIR_INFORMATION structure for each file. |
| FileNamesInformation | Return a FILE_NAMES_INFORMATION structure for each file. |
| FileObjectIdInformation | Return a FILE_OBJECTID_INFORMATION structure for each file. This information class is valid only for NTFS volumes on Microsoft Windows 2000 and later. |
| FileReparsePointInformation | Return a single FILE_REPARSE_POINT_INFORMATION structure for the directory. |
- ReturnSingleEntry
- Set to TRUE if only a single entry should be returned, FALSE otherwise. If this parameter is TRUE, ZwQueryDirectoryFile returns only the first entry that is found.
- FileName
- An optional pointer to a caller-allocated Unicode string containing the name of a file (or multiple files, if wildcards are used) within the directory specified by FileHandle. This parameter is optional and can be NULL.
If FileName is not NULL, only files whose names match the FileName string are included in the directory scan. If FileName is NULL, all files are included.
The FileName is used as a search expression and is captured on the very first call to ZwQueryDirectoryFile for a given handle. Subsequent calls to ZwQueryDirectoryFile will use the search expression set in the first call. The FileName parameter passed to subsequent calls will be ignored.
- RestartScan
- Set to TRUE if the scan is to start at the first entry in the directory. Set to FALSE if resuming the scan from a previous call. The caller must set this parameter to TRUE when calling ZwQueryDirectoryFile for the first time.
Important The RestartScan parameter is currently ignored (see Comments section).
Return Value
The ZwQueryDirectoryFile routine returns STATUS_SUCCESS or an appropriate error status. Note that the set of error status values that can be returned is file-system-specific. ZwQueryDirectoryFile also returns the number of bytes actually written to the given FileInformation buffer in the Information member of IoStatusBlock.
Comments
The ZwQueryDirectoryFile routine returns information about files that are contained in the directory represented by FileHandle.
The first call to ZwQueryDirectoryFile determines the set of entries to be included in the directory scan for all subsequent calls, based on the values of ReturnSingleEntry, FileName, and RestartScan. If there is at least one matching entry, ZwQueryDirectoryFile creates a FILE_XXX_INFORMATION structure for each entry in turn and stores the structure into the buffer.
Assuming that at least one matching directory entry is found, the number of entries for which information is returned is the smallest of the following:
- One entry, if ReturnSingleEntry is TRUE and FileName is NULL.
- The number of entries that match the FileName string, if FileName is not NULL. (Note that if the string contains no wildcards, there can be at most one matching entry.)
- The number of entries whose information fits into the specified buffer.
- The number of entries contained in the directory.
On the first call to ZwQueryDirectoryFile, if the structure created for the first entry found is too large to fit into the output buffer, only the fixed portion of the structure is returned. (The fixed portion consists of all fields of the structure except the final FileName string. On the first call, but not on subsequent ones, the I/O system ensures that the buffer is large enough to hold the fixed portion of the appropriate FILE_XXX_INFORMATION structure.) When this happens, ZwQueryDirectoryFile returns an appropriate status value such as STATUS_BUFFER_OVERFLOW.
On each call, ZwQueryDirectoryFile returns as many FILE_XXX_INFORMATION structures (one per directory entry) as can be contained entirely in the buffer pointed to by FileInformation. As long as the output buffer contains at least one complete structure, the status value returned is STATUS_SUCCESS. No information about any remaining entries is reported. Thus, except in the cases listed above where only one entry is returned, ZwQueryDirectoryFile must be called at least twice to enumerate the contents of an entire directory.
The final call to ZwQueryDirectoryFile returns an empty output buffer and reports an appropriate status value such as STATUS_NO_MORE_FILES.
Note that when ZwQueryDirectoryFile is called multiple times on the same directory, it is possible that the number of entries for which information is returned will be less than expected. This is because the set of entries to be included in the directory scan is fixed on the first call to ZwQueryDirectoryFile. In subsequent calls, ZwQueryDirectoryFile resumes the directory scan wherever it left off in this same enumeration. However, between calls to ZwQueryDirectoryFile, the actual directory entries can change so that they are no longer in sync with the original enumeration.
Important The RestartScan parameter is currently ignored. To start a new search, the directory handle must be closed and reopened with a new FileName pattern.
ZwQueryDirectoryFile returns zero in any member of a FILE_XXX_INFORMATION structure that is not supported by the file system.
Callers of ZwQueryDirectoryFile must be running at IRQL = PASSIVE_LEVEL and with APCs enabled.
For information about other file information query routines, see File Objects.
Requirements
Versions: This routine is available on Microsoft Windows XP and later versions of all Windows operating systems.
IRQL: PASSIVE_LEVEL (see Comments section)
Headers: Declared in Ntifs.h. Include Ntifs.h.
Library: Contained in Ntoskrnl.lib.
See Also
FILE_BOTH_DIR_INFORMATION, FILE_DIRECTORY_INFORMATION, FILE_FULL_DIR_INFORMATION, FILE_ID_BOTH_DIR_INFORMATION, FILE_ID_FULL_DIR_INFORMATION, FILE_NAMES_INFORMATION, FILE_OBJECTID_INFORMATION, FILE_REPARSE_POINT_INFORMATION, UNICODE_STRING, ZwCreateFile, ZwOpenFile