On my Windows machine, I had a folder with a name of four dots that acted like some kind of rabbit hole - how did that happen?

196

66

The folder name was listed in File Explorer with just plain four dots .....

When I tried opening it, I came into some kind of endless rabbit hole loop where I opened the exact same folder again and again - I could do this endlessly. Showing the path like C:\ExamplePath\....\....\....\....\...., etc.

It was hanging my TypeScript compilation in one specific project. It took me more than a year before I found this folder and its related problems, because it was rooted deeply in nested folders. I never expected an issue like this, so I never looked for it.

I couldn't delete the folder the normal way because of the special name. In the end, I could remove it by using the command line and deleting the parent folder with rd /s /q path.

Afterward, I tried to create the folder again but was unable to do so with both File Explorer and the command line.

In my 20-plus years of using Windows I have never seen this bug before, so I can imagine that it would really be an annoying and confusing problem for amateur users.

Does anyone know how this could have happened and how to reproduce this issue?

Update

For people who are interested: this path was located deep within a TFS folder. So probably TFS uses the bypass method @grawity explained ("Various file managers, archivers, etc")

Did I stumble on a rare TFS bug?

Dirk Boer

Posted 2018-10-31T08:03:37.993

Reputation: 1 511

5The answers below detail what's happening, how to reproduce it intentionally, and how to fix it, but they don't mention why it happened. Since .. can be used in a path to indicate 'go up one folder', I would hazard a guess that somewhere along the line, some program or script concatenated two strings to create a path, one ended with .., and the next began with .., and since it used one of the techniques mentioned below, it succeeded in creating the path, even though it was missing the folder separator between them. – 3D1T0R – 2018-10-31T20:58:47.977

6strange things will also happen if you create a folder with only spaces in its name – phuclv – 2018-11-01T04:32:50.427

7Is this server on the internet? Just to warn you I regularly see hack attempts on internet facing web servers requesting: GET /....\\....\\....\\....\\....\\....\\....\\....\\....\\winnt\\win.ini. Clearly there is/was some vulnerability somewhere that this attempts to exploit. – Andy Brown – 2018-11-02T16:11:54.987

4@AndyBrown much more likely that's .., not ..... It's simply a way to traverse to \winnt regardless of the depth of the starting point (the web root), so long as the starting point is less than 9 levels deep. It relies on the fact that going .. from the root directory leaves you at the root directory. – hobbs – 2018-11-02T17:32:05.693

@hobbs Yeah but web servers often check for .. – user253751 – 2018-11-03T07:08:46.600

5@hobbs That's a copy and paste from the Apache access log on linux. Definitely 4 dots in there. There are other hack attempts logged that do use .. which was why I found this one rather odd. – Andy Brown – 2018-11-03T09:47:56.180

3

@AndyBrown: There was, nearly two decades ago. The last OS to install to C:\WINNT by default was Windows 2000. But even that would have used .., not any other number of dots.

– user1686 – 2018-11-05T06:29:29.303

3There's a highly relevant xkcd (#981), but given that the title is slightly NSFW, I'm not going to directly link it here... – tonysdg – 2018-11-06T17:30:29.680

Probably unrelated, but as I recall Windows 95 used ... to refer to the grandparent directory, and .... to refer to the great-grandparent directory. – john_e – 2019-06-04T14:58:28.943

Answers

302

Win32 doesn't let you create files or folders with names ending in . – all dots are stripped from the end. Trying to create test. makes test appear instead. (This is for compatibility with 8.3 names in old DOS/Win9x era software.)

As a result, whenever you try to access a folder named ...., its name gets reduced to the empty string, and you're back to the folder you were in before.

The NT kernel, however, does allow such names. There are various mechanisms which bypass filename limitations imposed by Win32 APIs – for example, WSL (Windows Subsystem for Linux) doesn't run on top of Win32 and is unaffected by it. There is also the \\?\ bypass method, a deliberate "backdoor" left in for programs which know what they're doing. Even though you cannot create C:\Example\....\, you can create \\?\C:\Example\....\ just fine.

Likewise you can delete such directories with rmdir \\?\C:\path\... from Cmd (I haven't tested with PowerShell yet).

Various file managers, archivers, etc. might use the \\?\ method in order to be able to use longer path names than usual – and by doing so, they're also unaffected by the compatibility code within Win32; they bypass dot stripping, as well as translation of magic filenames like CON or NUL.

So it could be that one of your programs:

  1. always uses \\?\ to access files,
  2. accidentally tried to create a folder named .... – but it's not really possible to know for sure after the fact.

user1686

Posted 2018-10-31T08:03:37.993

Reputation: 283 655

Another way to create files/folders with "BAD" names is from a Linux or Mac machine on a file-share hosted on the Windows machine. – Tonny – 2018-10-31T12:38:41.767

13another way to create such a folder is by using alternate data streams. On the cmd: echo "" > ....::$INDEX_ALLOCATION. This will create a folder named .... (still pointing to the current folder). – WorldSEnder – 2018-10-31T12:53:58.870

Interesting, now someone just have to set this up in a Windows 98 VM.. – pipe – 2018-10-31T12:55:49.640

2

@DirkBoer I found this: https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#skipping-normalization

– user31389 – 2018-10-31T13:17:52.520

124

Microsoft calls this the "Extended Path Prefix", and paths with that prefix are called "extended-length paths". (funny: when you search for \\?\" in the .NET reference source, it causes a runtime error on their server).

– dlatikay – 2018-10-31T13:29:17.183

2@grawity So . . . how should I go about deleting this folder now? – Shadow503 – 2018-10-31T13:56:44.730

1

@DirkBoer http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx

– user1686 – 2018-10-31T13:59:17.143

1@WorldSEnder: Well that's just evil. – user1686 – 2018-10-31T14:08:15.753

1Enjoy your directory named . (Yeah it's possible but not by \?\ alone.) – Joshua – 2018-10-31T17:31:10.590

21I had a curious 'computer repair' client case where anytime the client made an account on any windows machine, it would work just fine but once he logged/rebooted it wouldn't let him into his account, instead making a temp account for the session. The local pc-repair shop was stumped (charged him still). Turns out his actual name is Con & he always used his name for his windows account.....on that day I learned there was more than just com1 as a magic filename – RozzA – 2018-11-02T05:26:36.850

2

@RozzA - Interesting. Here's an SU question about that same problem: https://superuser.com/questions/915779/cannot-create-user-account-named-con-under-windows-7

– Pikamander2 – 2018-11-02T23:47:29.533

Windows 8 don't let me name my folder .... :( – Black Thunder – 2018-11-03T02:54:13.227

2

i imagine the NtCreateFile() function can create this folder without problems.

– hanshenrik – 2018-11-03T09:34:24.057

@dlatikay Looking at the traceback, it should be fixed in this commit.

– user202729 – 2018-11-03T11:39:01.350

@BlackThunder Did you read the answer? You're not supposed to be able to create it in normal ways. – wizzwizz4 – 2018-11-04T18:01:05.303

@wizzwizz4 Yes. – Black Thunder – 2018-11-04T18:50:40.553

1Weirdly enough, my Dad had to deal with a similar issue many years back. My brother installed DOOM (from 1993) on the home PC. This was probably around 1995 when this happened. The installer somehow introduced corruption. My Dad ended up finding that C:\ contained all the regular folders (C:\DOS, C:\WIN etc) along with hundreds of identical C:\DOOMDATA folders. Every subfolder then also had a "copy" of every other folder (so C:\WIN had a copy of C:\WIN, C:\DOS, and all the DOOMDATA folders). It's weird to think we had symlinks before symlinks were a thing. xD – zaTricky – 2018-11-05T12:00:31.507

21

In addition to @grawity's answer, a Win32 program can also do this by calling "native" API directly. If I'm not mistaken, in the present case, that would be NtCreateDirectoryObject. Those calls are fairly well documented nowadays, especially their kernel counterpart (which you cannot call from a Win32 program), in this case, ZwCreateDirectoryObject .

Regarding the "endless depth", an easy way to achieve this is to use links. Create a directory, then inside it, create a junction to it (you can use mklink /j for instance), and you will end up with a very deep structure. Last time I did this was on Windows 2000, there was an end to the recursion though (you couldn't "dig infinitely"). Possibly on newer OS the limit is bigger or removed, also you could create let's say 10 directories each being a child of the previous one, and in the 10th one, create a link back to the first one.

user1532080

Posted 2018-10-31T08:03:37.993

Reputation: 506

4That's very possibly evil genius material right there ... – Agi Hammerthief – 2018-11-01T14:35:24.983

1I have copied full directories similarly to this to artificially fill up the disc for testing being able to determine when it was close to a set limit. – UnconditionallyReinstateMonica – 2018-11-01T16:08:37.240

It's also possible to reproduce using cygwin's mkdir .... – lucidbrot – 2018-11-02T11:20:49.103

18

There is an easier way to create the directory. From the command prompt type:

MD ....\

and hit enter, it will create a directory with four dots. This directory is also viewable with explorer.

There is a flaw in MS-DOS that goes way back to version 1.0. MS has known about it for some time but could not or would not fix it. They have corrected the problem with PowerShell.

BTW, if you try:

RD ....

It will fail to delete. You need to use this specific syntax to remove it.

RD ....\

I use this on certain servers that I admin. I often create a user folder on the root of the disk and I don't want another administrator to come along and remove it.

So I will go inside my folder and create a subfolder named CON, AUX, or LPT, etc...

If another Admin wants to remove my folder they need to know how to remove this subfolder first.

EDIT: I was thinking about this discussion this morning and I decided to take this one step further. I assume the mods will decide if this is relevant.

I am unable to CD in to the folder.

Consider, if I MD c:\test then CD C:\test and MD ....\ I end up with C:\test....

and all is well.

But CD .... fails and kicks me back to C:\test. (CD ....\ does the same.)

However I can DIR .... and get a dir listing. I can also

MD C:\test....\temp and it creates that sub-dir in ....

I can also CD C:\test....\temp and go into that sub-sub directory.

But while in C:\test....\temp , if I CD .. I am back in C:\test.

I cannot cd into that directory, but I can manipulate the folder by creating subfolders, and interesting enough something like

ECHO "Testing" >> C:\test....\test.txt

also works and creates a file in that folder. So I can create a folder with four dots, I can add files and folders to it, I can get dir listings of it, but I cannot CD into it. Could there be some kind of evil genius use for this? My apologies to the mods if I have strayed too far off course.

Larryc

Posted 2018-10-31T08:03:37.993

Reputation: 814

6That rather sounds like a Win32 API flaw, given that the command prompt hasn't been "MS-DOS" anymore for about twenty years now. – user1686 – 2018-11-02T05:39:24.713

2Interestingly, If I try to delete the directory in windows explorer, it crashes when I created it with your version. When I created it with cygwin, it simply fails and says so. – lucidbrot – 2018-11-02T11:26:12.367

I have a DOS 3.3 and a DOS 6.0 machines and the commands work on them. When they switched to 32 bit the issue was still there. it works in the CMD window from win95 all the way up to today, including all server versions. Now that we're switching to Powershell It no longer works. I realized after I wrote that that it does create the directory but it doesn't provide the effect that the OP was seeing. If I try to CD into the directory with four dots it just kicks me back out. – Larryc – 2018-11-02T21:33:33.013

On my Windows 7 machine MD ....\ only creates ....\.... tree - there is only one step of recursion. – Tomáš Zato - Reinstate Monica – 2018-11-07T16:07:15.480

Curiously FAR manager doesn't see this as special in any way, and creates / renames / deletes / lists the contents of directories named "lots of dots" with no issues at all.

– RomanSt – 2018-11-11T11:41:17.777

Do you get the same result with ..\.., i.e., a file with name prefix ..\. and empty suffix that DOS would render as "...."? – Eric Towers – 2018-11-11T16:02:49.093

-1

I had the same problem. In my case, it was a typo in command for .NET Core publish:

dotnet publish "Api.csproj" --output "....\output\"

It created the directory with name '....', which I couldn't remove or rename. This directory acted like reference to parent directory. If I go inside that folder, I still was in parent folder, but path was appended by '....\'.

I tried all of the commands mentioned in this topic, but none of them worked. In my understanding, it acted like that, because I had other files and directories in parent directory, so I had to use parameters that can recursively deletes all the content.

I found out, that this command:

rmdir /s /q ....\

can remove the '....' directory. It only deletes the reference to parent directory, which this '....' directory actually is, nothing more, nothing less. Despite the command arguments:

  • /s - removes all the content inside removed directory,
  • /q - removes without confirmation,

the parent directory remained untouched.

Mateusz

Posted 2018-10-31T08:03:37.993

Reputation: 11

Can you clarify why the second command worked for you? – Burgi – 2019-06-04T13:29:23.570

Voting down because you didn't give any explication why the command works or what it does, such as deletes the directory, subdirectories, and files. – Winter Faulk – 2019-06-04T14:31:07.850

This actually deletes the directory with a name of '....'. It only deletes the reference to parent directory, which this '....' directory actually is, nothing more, nothing less. I tried all of the commands mentioned in this topic, but none of them works. In my understanding, this command worked, because I had other files and directories in parent directory, so I had to use parameters that can recursively deletes all the content. Despite the command arguments, the parent directory remained untouched. – Mateusz – 2019-06-04T14:39:56.563

I got into this exact same situation somehow with Visual Studio and this command saved my bacon after hours of frustration trying to figure out what was going on. – NPNelson – 2019-06-15T11:49:05.497

Asked: 2018-10-31T08:03:37.993

Viewed: 35 892 times

Active: 2019-06-04T14:48:54.370