What is the function of question marks in file system paths in Windows registry?

This is about the registry on a 64-bit Windows 7 Home Premium (my friend's computer). I was going to set the system to clear the pagefile at shutdown by setting the REG_DWORD value ClearPageFileAtShutdown in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to "1".

My question is however about the questions marks in the values ExistingPageFiles and PagingFiles in this registry location.

The question marks are shown in below image.

The questions I wanted to ask are:

Are the paths used in these values supposed to have questions marks in the beginning?
What function do these question marks serve?

x457812

Posted 2016-04-23T23:30:37.170

Reputation: 2 219

2forum post – TOOGAM – 2016-04-24T04:33:51.577

Answers

Double-question mark paths are NT Object Manager object names. The Object Manager is a system that organizes lots of different kinds of system resources (e.g. devices, memory sections, window stations, events) into one tree-like structure. You can explore that tree with the WinObj tool.

The \??\ pseudo-directory's contents can be seen in the GLOBAL?? section of WinObj. There are other subtrees, like Device. In fact, every single item in \??\ is a symbolic link - a shortcut or alias - to an object somewhere else. \??\C: is (on my system) a link to \Device\HarddiskVolume4, and the rest of the path shown in your screenshot is a path under the root of that volume. Each drive letter shows up there as a symbolic link to the volume it's on. You might find other kinds of devices that are familiar, like CON and NUL.

Note: You can't use these kinds of paths to access files or directories in most applications. Only certain low-level system components are designed to work with Object Manager paths.

That explains your screenshot's ExistingPageFiles, but not PagingFiles. PagingFiles contains your virtual memory settings with paths to paging files expressed as normal paths. If your system is set to manage all virtual memory settings by itself, that entry doesn't specify a drive letter (only a file name and path), so the ? is just a placeholder for whatever drive the page file does end up on.

In summary, yes, those question marks are supposed to be there.

Further reading: Inside NT's Object Manager, Object Manager (Windows)

Video: NT Object Manager at Microsoft's Channel 9

Ben N

Posted 2016-04-23T23:30:37.170

Reputation: 32 973

I seem to remember when using DOS cmd file queries, a question mark means single character wildcard. The double question mark I'm clueless to, unless it simply means a part of a path with 2 sequential wildcard characters. Hope this helps.

i.e. ?: could be C: or D: unlike \d*\ which means d char with any number and type of letters or numbers following e.g. \dr\ or \d2165thingy\

Trying to be helpful, since the ?: notation would refer to any drive recognised at the time the command was run in DOS 3 onward, in my experience.

Prestaeus

Posted 2016-04-23T23:30:37.170

Reputation: 9

3Sadly, I don't believe this information is the correct answer to the question. The interpretation of the ? will depend on which registry key is being used, and I don't think it is meant to refer to the common "command line" standard of a single character. e.g, DOS doesn't support "?:" to mean "any drive". – TOOGAM – 2016-04-24T04:33:28.733

In the PagingFiles entry, the ? does indicate that the paging file isn't bound to a specific drive (i.e. all virtual memory is automatically configured by the system). The \??\ path, however, is an NT Object Manager object name. – Ben N – 2016-07-04T16:29:59.607

I have seen the \?\C:\... path used a lot to get access to files/paths longer than 260 characters. At least when dealing with Win32 API calls. Although the structure in your screenshot varies slightly, I would feel safe assuming it is similar in behavior. Or, it could also be that the Win32 API (when reading values from this Registry key) will automatically replace those 'variables' with the appropriate values.

Naming Files, Paths, and Namespaces (on MSDN)

The Windows API has many functions that also have Unicode versions to permit an extended-length path for a maximum total path length of 32,767 characters. This type of path is composed of components separated by backslashes, each up to the value returned in the lpMaximumComponentLength parameter of the GetVolumeInformation function (this value is commonly 255 characters). To specify an extended-length path, use the "\\?\" prefix. For example, "\\?\D:\very long path".

Kody Brown

Posted 2016-04-23T23:30:37.170

Reputation: 249

1You're right in that \\?\ paths (with one question mark) are indeed extended-length literal paths. This \??\ path, however, has two question marks and is a different kind of path - an NT Object Manager object name, specifically. – Ben N – 2016-07-04T16:27:15.130