Geoff Chappell - Software Analyst
CURRENT WORK ITEM - PREVIEW ONLY
The CURDIR structure (formally _CURDIR) is a small structure that is known only within the RTL_USER_PROCESS_PARAMETERS. There it models the process’s notion of a current directory.
The CURDIR is 0x0C and 0x18 bytes in 32-bit and 64-bit Windows, respectively.
Offset (x86) | Offset (x64) | Definition | Versions |
---|---|---|---|
0x00 | 0x00 | UNICODE_STRING DosPath; | all |
0x08 | 0x10 | HANDLE Handle; | all |
The Handle member records that Windows ordinarily keeps an open file handle to a process’s current directory. This is a useful optimisation for programs that are aware of having a current directory and may use relative pathnames when working with files. It can be problematic for programs that have no such awareness or do not provide easy means of changing the current directory. For instance, open a Command Prompt, create a directory, make it the current directory, run a simple program such as Notepad, change the Command Prompt to some other current directory and then try to remove the created directory:
```
md path\test
cd path\test
notepad
cd ..
rd test
```
You can expect to be told something like
The process cannot access the file because it is being used by another process.
In this case, Notepad has the created directory open as Notepad’s current directory. In real-world use of Windows it can be far from obvious which process this “another process” is.
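For tools that inspect a process from outside (memory forensics, triage of which process holds a directory open), the layout tabulated above can be decoded from raw bytes. The following is an added example, not code from the original page: the type names `USTR32`, `USTR64`, `CURDIR32`, `CURDIR64` and `CURDIR_INFO`, the function `parse_curdir` and the sample bytes are constructed for illustration, and a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-width mirrors of the two layouts in the table, so both compile on
   any host. Type names are hypothetical; member names follow the table. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } USTR32;
typedef struct { uint16_t Length, MaximumLength; _Alignas(8) uint64_t Buffer; } USTR64;
typedef struct { USTR32 DosPath; uint32_t Handle; } CURDIR32;
typedef struct { USTR64 DosPath; _Alignas(8) uint64_t Handle; } CURDIR64;

/* The sizes and offsets the page gives, checked at compile time. */
_Static_assert(sizeof(CURDIR32) == 0x0C && offsetof(CURDIR32, Handle) == 0x08, "x86");
_Static_assert(sizeof(CURDIR64) == 0x18 && offsetof(CURDIR64, Handle) == 0x10, "x64");

/* Width-independent result. Buffer is an address in the inspected process,
   not a pointer this code may dereference. */
typedef struct { uint16_t Length, MaximumLength; uint64_t Buffer, Handle; } CURDIR_INFO;

/* Decode a CURDIR copied out of a process image.
   Returns 0 on success, -1 if the bytes are too short or DosPath is malformed. */
int parse_curdir(const uint8_t *raw, size_t len, int is64, CURDIR_INFO *out)
{
    if (is64) {
        CURDIR64 c;
        if (len < sizeof c) return -1;
        memcpy(&c, raw, sizeof c);
        *out = (CURDIR_INFO){ c.DosPath.Length, c.DosPath.MaximumLength,
                              c.DosPath.Buffer, c.Handle };
    } else {
        CURDIR32 c;
        if (len < sizeof c) return -1;
        memcpy(&c, raw, sizeof c);
        *out = (CURDIR_INFO){ c.DosPath.Length, c.DosPath.MaximumLength,
                              c.DosPath.Buffer, c.Handle };
    }
    /* UNICODE_STRING lengths count bytes of UTF-16: even, and within capacity. */
    if ((out->Length & 1) || out->Length > out->MaximumLength) return -1;
    return 0;
}

/* Constructed sample bytes (not captured from a real process). */
static const uint8_t sample_x86[0x0C] = {
    0x1A,0x00, 0x08,0x02, 0x80,0x02,0x32,0x00, 0x44,0x00,0x00,0x00 };
static const uint8_t sample_x64[0x18] = {
    0x1A,0x00, 0x08,0x02, 0,0,0,0, 0x80,0x02,0xB4,0xA3,0xF2,0x01,0x00,0x00,
    0x44,0,0,0,0,0,0,0 };
```

The x64 sample shows the four bytes of padding between MaximumLength and Buffer that account for Handle moving from offset 0x08 to 0x10.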