• 0

Determine if file is critical system file, HOW


Question

I wanna code to know if file is critical system file (like CONFIG.SYS , NTDETECT.COM , autoexec.bat)

I tried to use code to get file attributes and see if the file has "System" attribute but i found files like autoexec.bat hasn't "system" attribute.

I try to use that C# code but it doesn't work too (Every Time it gives me "True" value)

 public static string isFileSystem(string FileName)
		{
			try
			{
			   Type oType = Type.GetTypeFromProgID("Shell.Application");
			   object objShell = Activator.CreateInstance(oType);
			   object objFolder = oType.InvokeMember("Namespace", System.Reflection.BindingFlags.InvokeMethod, null, objShell, new object[] { new FileInfo(FileName).DirectoryName });
			   object objFolderItem = oType.InvokeMember("ParseName", System.Reflection.BindingFlags.InvokeMethod, null, objFolder, new object[] { new FileInfo(FileName).Name });
			   return oType.InvokeMember("isFileSystem", System.Reflection.BindingFlags.GetProperty, null, objFolderItem , null).ToString();
			}
			catch { return ""; }
		}

The Same code in VB.NET (without Blinding Codes) is

 Public Shared Function isFileSystem(ByVal FileName As String) As String
		Try 
			 Set objShell = CreateObject("Shell.Application")
			 Set objFolder = objShell.Namespace(new FileInfo(FileName).DirectoryName)
			 Set objFolderItem = objFolder.ParseName(new FileInfo(FileName).Name)
			 Return objFolderItem.IsFileSystem.ToString
		Catch
			 Return ""
		End Try
	End Function

I don't know where is the error.

If you have any other code can do the same task without too long codes it'll be good.

12 answers to this question

Recommended Posts

  • 0

This should work in 1.1 or 2.0:

 
	internal class MyMainClass
	{
		public static void Main()
		{
			FileAttributes fas = File.GetAttributes(@"c:\pagefile.sys");
			FileAttributes fa = File.GetAttributes(@"c:\YServer.txt");
			// should be true
			Console.WriteLine("Is System? {0}", (fas & FileAttributes.System) > 0);
			// should be false
			Console.WriteLine("Is System? {0}", (fa & FileAttributes.System) > 0);
		}
	}

In VB

Imports System.IO
Module Module1

	Sub Main()
		Dim fas As FileAttribute
		Dim fa As FileAttribute

		fas = File.GetAttributes("c:\pagefile.sys")
		fa = File.GetAttributes("c:\YServer.txt")

		Console.WriteLine("Is System? {0}", (fas And FileAttribute.System) > 0)
		Console.WriteLine("Is System? {0}", (fa And FileAttribute.System) > 0)
	End Sub

End Module

Edited by azcodemonkey
  • 0
  N_Win_Member said:

Soryy but i think you didn't understand what i was saying.

There is some files like autoexec.bat has no system attributes althouugh it's critical system file.

HOW Can I solve that ?

That IsFileSystem property just determines if it's part of the Windows file system, which is why it returns true all the time.

There must be a way to determine it, but it looks as if it is undocumented. I'll dig around to see what I can find.

  • 0

hi ! Emm, I think i'm correct in saying this, but for Windows versions above 98(2000 and xp) Config.sys , Autoexec.bat are NOT critical system files and hence maybe not marked as system. But i don't think the file attribute 'System' is the way to go about it

take for example, the file (in WinXP) C:\Windows\System32\ntoskrnl.exe i guess we could call it System critical but it has no "System" attribute to it.

I think u should maintain a list of system files and compare from that !

  • 0

I think he means "system file" by the way files are hidden. config.sys and autoexec.bat are hidden in XP. If you uncheck Hide Protected Operating System Files, and select Show Hidden Files and Folders, they show up, and hide when vice versa. I'm kind of curious as to how that is done. So far, I cannot find anything that specifies which files are considered protected OS files.

  • 0

@azcodemonkey

but that would mean that the file i said "ntoskrnl.exe" is not a system file since it does not hide with the "hide protected operating system files"...in any case..i guess, to me maintaining a list of files that we think are system is the only option, i give up !!

  • 0

Well there's SfcIsFileProtected function:

  Quote
Determines whether the specified file is protected (by Windows File Protection). Applications should avoid replacing protected system files.

Sample code, C#:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices;

namespace WindowsApplication1
{
	public partial class Form1 : Form
	{

		[DllImport("sfc.dll")]
		static extern int SfcIsFileProtected(int handle, [MarshalAs(UnmanagedType.LPWStr)] string path);

		public Form1()
		{
			InitializeComponent();
		}

		private void button1_Click(object sender, EventArgs e)
		{
			if (SfcIsFileProtected(0, textBox1.Text.ToString()) == 0)
			{
				MessageBox.Show("The: " + textBox1.Text + "\r\nNot protected");
			}
			else
			{
				MessageBox.Show("The: " + textBox1.Text + "\r\nIs protected");
			}
		}
	}
}

  • 0

Ahhh... The consistency of the Win32 API is astounding. :pinch: I don't think it's doable via the API, N_Win.

@Wilhelmus, I think that's for files that are stored in windows/system32/dllcache as part of the Windows File Protection scheme. But, good find, nonetheless.

@Andareed, I'm pretty sure that GetAttributesOf is the equivalent of using FileAttributes. If you only select Show hidden files and folders, config.sys/autoexec.bat/boot.ini, et al, don't show. They only show if you uncheck Hide protected operating system files(Recommended) as well. To boot, config.sys, autoexec.bat, etc, are only tagged as Archive, not Hidden nor System.

I think you're full on correct, ~InstaShock~. A list was actually my initial thought, and I figured it would be in the registry, but I cannot find a thing that declares config.sys as a critical file, which I agree with you on about it not being so.

N_Win, you may want to head over to SysInternals' forum and ask there. Those guys know everything. LOL

  • 0

If you check the description for IShellFolder::GetAttributesOf, for SFGAO_HIDDEN, it says the following:

  Quote
The item is hidden and should not be displayed unless the Show hidden files and folders option is enabled in Folder Settings.

You could try contacting a shell MVP to see if they can shed more light on how shell knows what files to hide.

  • 0

Sorry For my wait replay and Thanks for all these replies and tries. But We are still having the problem here.

First for Wilhelmus Replay that was taking about SfcIsFileProtected sub it doesn't work for all system files it only works with protected files.

About Andareed idea which i was trying to use from the beginning ( Using Shell Method ) but with less complicate way. i was tring to use isfilesystem property that i have found in the following Microsoft link http://msdn2.microsoft.com/en-us/ms723191.aspx It was giving true in each time.

Another way by using shell i found and is working properly but with too long codes can be found in the project http://www.codeproject.com/vb/net/ExpCombo.asp. There is an item called Cshitem in previous explorer project which you can give a path then it will give you a lot of this file or folder properties. By using property called 'IsFileSystem' (one Cshitem properties) you can determine if this file is critical system file and if windows will hide or not. But as I said That is too long and complicated way.

If anyone can fix the first code or have another small code, it will be so good.

Thanks

Edited by N_Win_Member
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • And we think AI can take over lower level programmers jobs? Just search for the SHA hash for the "rogue" sound file and delete it.
    • Meta will use AI to summarize your WhatsApp messages by David Uzondu Recently, Meta announced that ads are coming to WhatsApp, appearing in Status and Channels. Now, another update is on its way, this time in the form of a new feature called "Message Summaries", that leverages Meta's AI to summarize your chats for you. For those moments when you are drowning in unread messages, you can choose to have the AI generate a quick summary to get the gist of a conversation. To address the immediate privacy alarms this sets off, Meta says that its "Private Processing technology" will be used. This supposedly ensures that neither Meta nor WhatsApp can see your original messages or the private summaries the AI generates. To prove its sincerity, Meta published a deep technical white paper that explains how this privacy is supposed to be maintained. In the technical documentation, Meta explains the way it works is built on "Trusted Execution Environments (TEEs)". These TEEs are essentially secure, isolated black boxes running on a server, powered by hardware like NVIDIA H100 GPUs. Your phone establishes a direct, encrypted connection to one of these TEEs, sends the message data for processing, and receives the summary. Meta's own administrators and other systems supposedly cannot peek inside this box. And when the job is done, no message is retained. The security of the entire system hinges on being able to trust that this TEE is what it claims to be. Meta's system uses a process called remote attestation. Before your phone sends any data, it demands proof from the server. This proof is a cryptographic report, signed by the hardware itself, verifying that the TEE is running the exact, unmodified software that Meta has publicly logged with a third party like Cloudflare. Only if that proof checks out does the connection proceed. Users will have control over this process. The feature is off by default, and a setting under "Advanced Chat Privacy" will let you specify which chats can be shared for AI features. Message Summaries is currently rolling out in English for users in the US, with Meta planning for a global expansion sometime next year.
    • It's never a good sign when the developer is gaslighting its customers.
    • Unpopular (or maybe popular?) opinion: I prefer Windows Vista's startup chime than W11.
    • Well I tried New Outlook a bit in the past, But was concerned on the privacy aspect with Gmail Imap and Comcast.net email going to Microsoft Servers. I've been using Outlook Classic since 1997 on my Personal systems, so for now think will stick with that, but i could get used to New Outlook i think fairly quickly if i forced to in the future. Anyhow who knows maybe it will be as good as Outlook Classic in the future, never know
  • Recent Achievements

    • First Post
      solidox earned a badge
      First Post
    • First Post
      BA the Curmudgeon earned a badge
      First Post
    • One Year In
      blissa jayden earned a badge
      One Year In
    • One Month Later
      blissa jayden earned a badge
      One Month Later
    • Week One Done
      blissa jayden earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      578
    2. 2
      ATLien_0
      216
    3. 3
      +FloatingFatMan
      170
    4. 4
      Michael Scrip
      155
    5. 5
      Som
      151
  • Tell a friend

    Love Neowin? Tell a friend!