When I run Process Monitor, I see ReadFile requests sent to C:\$Directory.

What exactly does this mean?


Update:

I also see $MapAttributeValue, which looks unfamiliar as well.

user541686

2 Answers

Update: I researched this issue further (since I've noticed the same behavior on my own computer, and was worried that this is some kind of malware), and now I believe my original answer was in fact incorrect. Here's what I found now:

  1. Several different processes read from this file, and from different offsets, but with the same length: 4K (exactly one memory page).
  2. There are ReadFile operations, but no opening of the file, which makes little sense.
  3. Looking at the stack trace, I see that all requests include a page fault in the trace, e.g. this file read is inside IoPageRead(), the kernel function that reads pages from the paging file into memory.
  4. These reads happen on C:\$Directory and V:\$Directory on my system, the two drives that hold paging files on them, and nowhere else.

Based on this research, I strongly believe that this "file read" is some kind of Process Monitor artifact, and the real read happens in the paging file. I have no idea why ProcMon lists the path as C:\$Directory.

I don't think now that this C:\$Directory is a real NTFS metafile. I don't think now that this could be some illegitimate activity (virus or other malware).

haimg
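A triage script for the pattern described in the answer above, added here as an example and not part of the original answer: it parses a Process Monitor CSV export (assuming the default exported columns Time of Day, Process Name, PID, Operation, Path, Result, Detail) and, for every ReadFile against a path ending in `$Directory`, collects the reading processes, offsets and lengths and checks whether every read is exactly one 4 KB page carrying ProcMon's "Paging I/O" flag. The sample rows are constructed, not a real capture.

```python
import csv
import io
import re
from collections import defaultdict

PAGE_SIZE = 4096
DETAIL_RE = re.compile(r"Offset:\s*([\d,]+),\s*Length:\s*([\d,]+)")

# Constructed sample in the layout of a ProcMon CSV export (default columns);
# not a real capture. Three page-sized reads of $Directory plus one ordinary read.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","svchost.exe","1234","ReadFile","C:\$Directory","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:01:02.2000000 AM","explorer.exe","2345","ReadFile","C:\$Directory","SUCCESS","Offset: 1,048,576, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:01:02.3000000 AM","chrome.exe","3456","ReadFile","V:\$Directory","SUCCESS","Offset: 8,192, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
"10:01:02.4000000 AM","notepad.exe","4567","ReadFile","C:\Users\me\notes.txt","SUCCESS","Offset: 0, Length: 1,024, I/O Flags: Non-cached, Priority: Normal"
"""

def parse_detail(detail):
    """Return (offset, length) parsed from a ReadFile Detail column, or None."""
    m = DETAIL_RE.search(detail)
    if m is None:
        return None
    return tuple(int(v.replace(",", "")) for v in m.groups())

def summarize_reads(csv_text, path_suffix=r"\$Directory"):
    """Group ReadFile events on paths ending in path_suffix (one group per path):
    which processes read, at which offsets, with which lengths, and whether
    every read carried the 'Paging I/O' flag."""
    groups = defaultdict(lambda: {"processes": set(), "offsets": set(),
                                  "lengths": set(), "paging_io": True})
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Operation"] != "ReadFile" or not row["Path"].endswith(path_suffix):
            continue
        parsed = parse_detail(row["Detail"])
        if parsed is None:
            continue
        offset, length = parsed
        g = groups[row["Path"]]
        g["processes"].add(row["Process Name"])
        g["offsets"].add(offset)
        g["lengths"].add(length)
        g["paging_io"] = g["paging_io"] and "Paging I/O" in row["Detail"]
    return dict(groups)

def looks_like_page_faults(summary):
    """True when every read in the summary is exactly one page and flagged as
    paging I/O: the pattern the answer above traces to IoPageRead()."""
    return bool(summary) and all(
        g["lengths"] == {PAGE_SIZE} and g["paging_io"] for g in summary.values())
```

Export a real capture with File > Save > CSV, filter it to Operation = ReadFile first to keep the file small, and pass its contents to `summarize_reads` in place of the sample.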

$Directory and $MapAttributeValue are most probably code-names for system areas on the NTFS disk, and these references come from programs opening or creating files.

These names probably pertain to metafiles, defined by Wikipedia as:

NTFS contains several files that define and organize the file system. In all respects, most of these files are structured like any other user file ($Volume being the most peculiar), but are not of direct interest to file system clients. These metafiles define files, back up critical file system data, buffer file system changes, manage free space allocation, satisfy BIOS expectations, track bad allocation units, and store security and disk space usage information. All content is in an unnamed data stream, unless otherwise indicated.

$Directory is most probably the Master File Table (MFT) that is the directory for all files and folders, where the file name, creation date, access permissions (by the use of access control lists) and size are stored as metadata. Any program that opens or creates a file or folder accesses this area of the disk.

$MapAttributeValue is most probably the attribute lists area, described as:

For each file (or directory) described in the MFT record, there's a linear repository of stream descriptors (also named attributes), packed together in one or more MFT records (containing the so-called attributes list), with extra padding to fill the fixed 1 KB size of every MFT record, and that fully describes the effective streams associated with that file.

harrymc
  • I don't get it, you're saying `$Directory` is the same as `$MFT`? Also, attribute lists belong to individual file records and are stored inside the individual records; they're not global files stored on the root of the disk... – user541686 Feb 07 '15 at 05:39
  • Okay I deleted mine too, although my first comment still stands (I still don't understand what you mean by phrases like "the MFT that is the directory for all files and folders"). – user541686 Feb 07 '15 at 14:47
  • @Mehrdad: I was trying to say that all files and folders are defined in it, so when a program opens or creates a file, that's where the operating system needs to access. – harrymc Feb 07 '15 at 16:28
  • I still can't make sense of your comment. The only file that has *all* files and folders defined in it is `\$MFT`. There is no metafile or other location on the disk named `\$Directory`. I don't understand what you're talking about. – user541686 Feb 08 '15 at 01:33
  • @Mehrdad: MFT = $MFT. The word "directory" in the text is part of the description of MFT, not the name of it. – harrymc Feb 08 '15 at 08:09
  • I've seen `C:\$MFT` listed there plenty of times too, though. Are you saying both refer to the same thing? I don't see why they would but ok... – user541686 Feb 08 '15 at 08:16
  • I don't see either that $MFT and $Directory are equivalent at all. $Directory is usually written even at offset 0. If they were the same, that means the system is usually overwriting the metadata of the same $MFT file. Well, that does not make too much sense. – Gonmator Jul 03 '19 at 08:41
  • The purpose of $Directory looks more related to memory file mapping. – Gonmator Jul 03 '19 at 10:55