While teaching a Windows Internals class recently, I came across a situation which looked like a bug to me, but turned out to be something I didn't know about – dynamic symbolic links.

Symbolic links are Windows kernel objects that point to another object. The weird situation in question was when running WinObj from Sysinternals and navigating to the KernelObjects object manager directory. You'll notice some symbolic link objects that look weird: MemoryErrors, PhysicalMemoryChange, HighMemoryCondition, LowMemoryCondition and a few others.

The weird thing that is fairly obvious is that these symbolic link objects have empty targets. Double-clicking any one of them confirms no target, and also shows a curious zero handles, as well as quota change of zero:

[Image: Symbolic link properties]

To add to the confusion, searching for any of them with Process Explorer yields something like this:

It seems these objects are events, and not symbolic links!

My first instinct was that there is a bug in WinObj (I rewrote it recently for Sysinternals, so was certain I introduced a bug). I ran an old WinObj version, but the result was the same. I tried other tools with similar functionality, and still got the same results. Maybe a bug in Process Explorer? Let's see in the kernel debugger:

```
lkd> !object 0xFFFF988110EC0C20
ObjectHeader: ffff988110ec0bf0 (new version)
Directory Object: ffff828b10689530 Name: HighCommitCondition
```

Definitely an event and not a symbolic link. What's going on? I debugged it in WinObj, and indeed the reported object type is a symbolic link. Maybe it's a bug in NtQueryDirectoryObject, used to query a directory object for an object.

I asked Mark Russinovich, could there be a bug in Windows? Mark remembered that this is not a bug, but a feature of symbolic links, where objects can be created/resolved dynamically when accessing the symbolic link. Let's see if we can see something in the debugger:

```
lkd> !object \kernelobjects\highmemorycondition
ObjectHeader: ffff828b106594e0 (new version)
Directory Object: ffff828b10656ce0 Name: HighMemoryCondition
Target String is '*** target string unavailable ***'
```

Clearly, there is target, but notice the flags value 0x10. This is the flag indicating the symbolic link is a dynamic one. To get further information, we need to look at the object through “symbolic link lenses” by using the data structure the kernel uses to represent symbolic links:

```
lkd> dt nt!_OBJECT_SYMBOLIC_LINK ffff828b10659510
```