RTL_DRIVE_LETTER_CURDIR

The RTL_DRIVE_LETTER_CURDIR structure (formally _RTL_DRIVE_LETTER_CURDIR) is a small structure that is presently thought to be defined in all Windows versions but not used in any.

From the name, the intended purpose is for keeping a current directory for each drive (letter). This is consistent with the two known references to this structure in definitions of other structures.

The better known, e.g., from public symbol files for the kernel, is that the RTL_USER_PROCESS_PARAMETERS has an RTL_DRIVE_LETTER_CURDIR array as a member named CurrentDirectores. Yes, this misspelling is Microsoft’s and there are 32 in the array, not 26. Nesting even one RTL_DRIVE_LETTER_CURDIR in the RTL_USER_PROCESS_PARAMETERS means that the former’s definition must be available for the latter’s—and the latter is in turn well known for being pointed to from the PEB. Public symbols for the kernel, starting with Windows 8, confirm that the RTL_DRIVE_LETTER_CURDIR is defined in a header named pebteb.h. But no code is (yet) known that uses this array—not in the kernel or NTDLL or even further afield, in any version.

Much less well known is that a structure named RTL_PERTHREAD_CURDIR has a member named CurrentDirectories which is defined as pointing to an RTL_DRIVE_LETTER_CURDIR (or, surely, to an array of them). All known versions of 32-bit Windows have code that prepares an RTL_PERTHREAD_CURDIR but no code is yet known that initialises the CurrentDirectories pointer to anything but NULL. All known versions of Windows, both 32-bit and 64-bit, have code that will read an RTL_PERTHREAD_CURDIR (from the SubSystemTib pointer in the NT_TIB at the start of a TEB), but no code is yet known that reads the CurrentDirectories.

Thus is the RTL_DRIVE_LETTER_CURDIR thought to be defined in all Windows versions but not used in any. That a structure is still defined without having ever been used is certainly not impossible, but the waste of it suggests that more research is required.

Layout

The RTL_DRIVE_LETTER_CURDIR is 0x10 and 0x18 bytes in 32-bit and 64-bit Windows, respectively, in all known versions. The structure’s name and the names and definitions of its members are known from public symbol files for the kernel, starting from Windows 2000 SP3. That the definitions apply also to earlier versions is a guess based on nothing more than the apparent reservation of the right amount of space in the RTL_USER_PROCESS_PARAMETERS all the way back to version 3.10.

Offset Definition Versions
0x00 
USHORT Flags;
 all
0x02 
USHORT Length;
 all
0x04 
ULONG TimeStamp;
 all
0x08 
STRING DosPath;
 all

What any of these members mean—or were ever meant to mean—is not known, no code having yet been found that accesses the structure whether in the CurrentDirectores array or through the CurrentDirectories pointer.

This page was created on 12th January 2023 and was last modified on 22nd February 2023.

Copyright © 2023. Geoff Chappell. All rights reserved. Conditions apply.