NtQueryDirectoryFile - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTIOAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_writes_bytes_(Length) PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
View code on GitHubThis function is documented in Windows Driver Kit here and here.
NtQueryDirectoryFile is used to enumerate entries (files or directories) placed into file container object (directory). Win32 API use it in FindFirstFile-FindNextFile routines.
HANDLE to File Object opened with FILE_DIRECTORY_FILE option and FILE_LIST_DIRECTORY access.
Optional HANDLE to Event Object signaled after query complete.
Optional pointer to user's APC routine queued after query complete.
Parameter for ApcRoutine.
Pointer to IO_STATUS_BLOCK structure. After enumeration complete, Information member of this structure contains number of bytes written into FileInformation buffer. Status member contains IO result of call, and can be one of:
STATUS_SUCCESS - Enumeration has results in FileInformation buffer.STATUS_NO_MORE_FILES - FileInformation buffer is empty, and next call isn't needed.STATUS_NO_SUCH_FILE - Returned when FileMask parameter specify exactly one file (don't contains '*' or '?' characters), and queried directory don't contains that file.User's allocated buffer for output data.
Length of FileInformation buffer, in bytes.
Information class. Can be one of:
FileDirectoryInformationFileFullDirectoryInformationFileBothDirectoryInformationFileNamesInformationFileOleDirectoryInformationIf set, only one entry is returned.
If specified, only information about files matches this wildchar mask will be returned.
WARNING: There's no rule specifying what to do when caller makes two calls to NtQueryDirectoryFile both with different masks. Typically FileMask specified in second call will be ignored, and results will match the first (for example: NTFS.SYS). The best solution is to close directory HANDLE after every call with FileMask parameter specified.
Used with ReturnSingleEntry parameter. If set, NtQueryDirectoryFile continue enumeration after last enumerated element in previous call. If no, returns the first entry in directory.
For detailed information about results, see FILE_INFORMATION_CLASS with information classes specified above.
NtCreateFileNtOpenFileNtQueryInformationFileNtQueryOleDirectoryFileNtQueryVolumeInformationFile