"Special Windows folders" filesystem inspectors

mwolff · September 24, 2015, 6:44pm

I’m trying to look for the folder “C:\Windows\System32\oobe\info\backgrounds” and I’m running into a strange behaviour where the relevance debugger doesn’t see the \info folder and below.

Even though there is both an \en-US and a \info folder on the machine I’m using to write the relevance, the debugger returns the following, in both local and client debug modes:
Q: folders of folders "C:\Windows\System32\oobe"
A: C:\Windows\System32\oobe\en-US
T: 0.198 ms
I: plural folder

Looking at the Filesystem Objects inspectors reference page (https://support.bigfix.com/inspectors/Filesystem%20Objects_Any.html) I notice that there is mention of “special Windows folders” and that more information can be found in the Resources section. However, I seem to be unable to locate this section.

Does anyone have any tips on how to use BigFix relevance to check for the above folder, and/or links to the Resources section discussing “special Windows folders”?

Cheers,
Martin

jgstew · September 24, 2015, 6:51pm

The folders inspector doesn’t give you all of the descendant folders of a particular folder. It only gives you all of the direct subfolders of the folder you specify.

This doesn’t seem to be the issue you are having at the moment now that I take another look.

You may need to specify x64 folder

x64 folders of x64 folders "oobe" of system x64 folder

Seems like that doesn’t work quite right.

folders of folders "oobe" of (system x64 folders;system folders)

jgstew · September 24, 2015, 7:00pm

What Operating System are you looking for this folder on?

I don’t actually see a C:\Windows\System32\oobe\info\backgrounds folder on Windows 10 at all.

strawgate · September 24, 2015, 7:47pm

This folder doesn’t typically exist by default.

You often have to create the folder to get the functionality this folder provides (setting the lock screen background).

jgstew · September 24, 2015, 7:57pm

Oh, that sounds familiar now.

JasonWalker · September 25, 2015, 1:35am

Although it doesn’t really sound like the “special Windows folders” inspector is actually your issue, for completeness:
https://support.bigfix.com/inspectors/World%20Objects_Any.html#csidl folder

Declaration Description Platforms (?)
csidl folder Returns the csidl folder corresponding to the specified integer. The windows SHGetSpecialFolderLocation API is used to look up paths to special folders, which are identified by passing the specified integer as the second argument of the API call. These values and their meaning are described in the windows ShlObj.h include file found in the development sdk.Note that some of these folders do not exist in the Local System context.

Example: pathname of csidl folder 26 - Returns the path corresponding to CSIDL folder 26 (the application shared data folder, CSIDL_APPDATA).
Win, WM

Microsoft’s (rather lacking) explanation (it doesn’t enumerate the actual integer values):
https://msdn.microsoft.com/en-us/library/windows/desktop/bb762494(v=vs.85).aspx

And a third-party site that spells out the numbers:
http://www.installmate.com/support/im9/using/symbols/functions/csidls.htm

And, as usual, the best references are found by trying it out. Note that many of these CSIDL folders are user-specific and may not exist for the LocalSystem account in which BigFix is executing, but here’s a start listing the first 50:

q: pathname of csidl folder 20
A: C:\Windows\Fonts


q: (it, pathnames of csidl folders (it)) of integers in (0, 50)
A: 0, C:\Users\Jason\Desktop
A: 2, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
A: 5, C:\Users\Jason\Documents
A: 6, C:\Users\Jason\Favorites
A: 7, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
A: 8, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Recent
A: 9, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\SendTo
A: 11, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu
A: 13, C:\Users\Jason\Music
A: 14, C:\Users\Jason\Videos
A: 16, C:\Users\Jason\Desktop
A: 19, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Network Shortcuts
A: 20, C:\Windows\Fonts
A: 21, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Templates
A: 22, C:\ProgramData\Microsoft\Windows\Start Menu
A: 23, C:\ProgramData\Microsoft\Windows\Start Menu\Programs
A: 24, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
A: 25, C:\Users\Public\Desktop
A: 26, C:\Users\Jason\AppData\Roaming
A: 27, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
A: 28, C:\Users\Jason\AppData\Local
A: 29, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
A: 30, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
A: 31, C:\Users\Jason\Favorites
A: 32, C:\Users\Jason\AppData\Local\Microsoft\Windows\INetCache
A: 33, C:\Users\Jason\AppData\Local\Microsoft\Windows\INetCookies
A: 34, C:\Users\Jason\AppData\Local\Microsoft\Windows\History
A: 35, C:\ProgramData
A: 36, C:\Windows
A: 37, C:\Windows\System32
A: 38, C:\Program Files (x86)
A: 39, C:\Users\Jason\Pictures
A: 40, C:\Users\Jason
A: 41, C:\Windows\SysWOW64
A: 42, C:\Program Files (x86)
A: 43, C:\Program Files (x86)\Common Files
A: 44, C:\Program Files (x86)\Common Files
A: 45, C:\ProgramData\Microsoft\Windows\Templates
A: 46, C:\Users\Public\Documents
A: 47, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
A: 48, C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools

mwolff · September 28, 2015, 10:48am

@jgstew Much appreciated; using folders of “system x64 folders” as the target seems to work, despite being a 64-bit operating system with the target folder residing in system32 and not syswow64.

For full reference in this particular case:
Q: exists folders “oobe\info\backgrounds” of system x64 folders
A: True
T: 0.156 ms
I: singular boolean

Q: folders of folders of folders “oobe” of (system x64 folders)
A: C:\WINDOWS\system32\oobe\info\backgrounds
T: 11.514 ms
I: plural folder

Directory listing of system32\oobe folder:
\en-us
\info

Directory listing of syswo64\oobe folder:
\en-us

@strawgate Right on the money; our company uses this folder (along with the necessary registry key) to change the lock screen on Windows 7.

@JasonWalker Much appreciated; the “special windows folder” inspector was a shot in the dark as far as I’m concerned, as I figured this might be used for system32. Thank you for the reference.

Thanks for the assistance everyone!

Cheers,
Martin

strawgate · September 28, 2015, 11:04am

One thing to remember is the following:

On 32-bit windows the system32 folder is the x86 system folder.

On 64-bit windows the system32 folder is the x64 system folder and syswow64 is the x86 system folder.

You can remember that Syswow64 stands for system, Windows on windows 64 (I.e. Windows x86 on x64).

Because besclient and QnA are native 32-bit applications windows redirects file reads to system32 (the 64-bit folder) to syswow64 automatically. Using x64 folders in relevance essentially tells the client to ignore the redirection.

mwolff · September 28, 2015, 11:15am

@strawgate Ah, that makes a lot more sense, then. Learn something new every day

Cheers!

jgstew · September 28, 2015, 2:14pm

I was going to add what @strawgate already has about Windows on Windows redirection. The names are definitely confusing. The same goes for the 32bit registry on a 64bit system, but yet ProgramFiles is a bit different.