Ben, I think you have it right. If you look at tools like the Rootkit Revealer from Sysinternals (well, Microsoft now), it worked by using Win32 API to get a list of files, and then using kernel routines (NT native API) to get a listing of files, and comparing the two. Rootkits typically hid their files from user mode processes that used Win32, so this was a way of detecting those "hidden" files.
This page has some information on how a Win32 app communicates with a Win32 server to get things done (their example is creating a Window): http://www.microsoft.com/technet/archive/winntas/training/ntarchitectoview/ntarc_5.mspx?mfr=true The implementation details of the Win32 server will then affect what can/can't be done using that particular API. This is one reason why POSIX tools can be used to delete files that you can't delete through, say, Explorer (the famous COM1 files created when your FTP server gets cracked :-)), because certain filenames are reserved in Win32, but not necessarily in other subsystems.

Cheers
Ken

> -----Original Message-----
> From: Ben Scott [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 29 April 2008 1:49 PM
> To: NT System Admin Issues
> Subject: Re: rsync/Delta Copy help...
>
> On Mon, Apr 28, 2008 at 7:34 PM, Sam Cayze <[EMAIL PROTECTED]> wrote:
> >>> It is a limitation of the Win32 API.
> >
> > Doesn't that mean then that all copy utilities that are used on Win32
> > will crap out on these paths? I have tried many copy utility programs
> > on these files, and never had an issue.
>
> Well, to be honest, I'm not exactly sure. I'm at the edge of my
> understanding here. My understanding is that there is the "NT native
> API", which is the core of the OS, down at a very low level. It was
> created from scratch for the NT kernel, and doesn't necessarily
> resemble anything from Microsoft before then.
>
> Then there are various subsystems which layer on top of the NT
> kernel. There is a "Win32 subsystem", which provides an environment
> designed to be similar to and somewhat compatible with the Win16 API
> that came from Windows 3.x. There is also a "POSIX subsystem",
> intended to provide a Unix-like environment on top of the NT kernel.
> There used to be an OS/2 subsystem; I'm guessing that's gone by now.
>
> I suspect the issue is that "Win32 API" may be loosely defined -- it
> may mean different things to different people. As I understand it,
> "Win32 API" may technically refer to just the NT subsystem which
> provides Win32 system call support. But I also see it used to refer
> to "anything Microsoft packages with Windows, which is built on top of
> that Win32 API", including the shell libraries, etc.
>
> I do know that if you give Windows Explorer a deep path, it will
> fall apart, as will the roaming profile routines.
>
> It may also be that some nominally Windows utilities actually use
> the "native NT API" rather than the "Win32 API", but that's pure
> speculation on my part.
>
> Or I could be completely wrong about all of this. :-)
>
> -- Ben
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
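As an added illustration, not part of Ken's or Ben's mail: the `\\?\` "extended-length" prefix is a documented Win32 feature that makes calls such as CreateFileW/DeleteFileW skip the Win32 path parsing (the MAX_PATH limit and the reserved device names such as COM1) and hand the path to the NT native layer as-is, which is the same effect the POSIX tools mentioned above get by going through a different subsystem. The helper names (is_reserved_name, needs_extended_prefix, to_extended_path, delete_with_native_semantics) and the sample paths are my own; the path logic runs anywhere, the delete helper needs Windows.

```python
r"""
Added example (not from the thread): which paths the Win32 layer rejects
and how to get them past it with the \\?\ extended-length prefix.

Two facts about the Win32 subsystem that the thread touches on:
  * Win32 normalises paths and limits them to MAX_PATH (260) characters
    including the terminating NUL, so 259 is the longest usable string.
  * Win32 reserves device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9), and a
    name counts as reserved even with an extension ("COM1.txt") or with
    trailing spaces, which is why Explorer cannot delete such a file.
Prefixing a fully qualified path with \\?\ switches that parsing off, so
the file a POSIX tool can delete can also be deleted from a Win32 call.
"""
import ctypes
import re
import sys

MAX_PATH = 260  # Win32 limit, including the terminating NUL

# Reserved Win32 device names; the component before the first '.' is compared.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_name(name: str) -> bool:
    """True if a single path component would be parsed as a device by Win32."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in _RESERVED


def needs_extended_prefix(path: str) -> bool:
    """True if plain Win32 path parsing would reject or misinterpret this path."""
    if len(path) + 1 > MAX_PATH:          # +1 for the NUL terminator
        return True
    return any(is_reserved_name(part) for part in re.split(r"[\\/]", path) if part)


def to_extended_path(path: str) -> str:
    r"""Convert a fully qualified Win32 path to \\?\ extended-length form.

    Drive paths:  C:\dir\COM1     -> \\?\C:\dir\COM1
    UNC paths:    \\srv\share\x   -> \\?\UNC\srv\share\x
    Paths already in the \\?\ or \\.\ namespace are returned unchanged.
    Forward slashes are rewritten first, because the prefix also disables
    the slash conversion Win32 would normally do for us.
    """
    if path.startswith("\\\\?\\") or path.startswith("\\\\.\\"):
        return path
    p = path.replace("/", "\\")
    if re.match(r"^[A-Za-z]:\\", p):
        return "\\\\?\\" + p
    if p.startswith("\\\\"):
        return "\\\\?\\UNC\\" + p[2:]
    raise ValueError("extended-length form needs a fully qualified path: %r" % path)


def delete_with_native_semantics(path: str) -> None:
    """Delete a file Explorer/cmd refuse (reserved name or > MAX_PATH). Windows only."""
    if sys.platform != "win32":
        raise OSError("this helper needs the Win32 DeleteFileW entry point")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.DeleteFileW.argtypes = [ctypes.c_wchar_p]
    kernel32.DeleteFileW.restype = ctypes.c_int
    if not kernel32.DeleteFileW(to_extended_path(path)):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    # Constructed sample paths; nothing here touches the file system.
    deep = "C:\\" + "\\".join(["subdir"] * 40) + "\\file.txt"   # 291 characters
    for sample in ("C:\\inetpub\\ftproot\\COM1",
                   "C:\\inetpub\\ftproot\\com1.txt",
                   "C:\\ok\\report.txt",
                   deep):
        print(f"{sample[:36]:36} needs_prefix={needs_extended_prefix(sample)!s:5} "
              f"-> {to_extended_path(sample)[:48]}")
```

From cmd the same trick is `del \\?\C:\inetpub\ftproot\COM1`; the helper exists to show that the refusal comes from the Win32 path layer, not from NTFS, which stores the name happily.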
