What is C:\$Directory?

procmon

Update: I researched this issue further (since I've noticed the same behavior on my own computer, and was worried that this is some kind of malware), and now I believe my original answer was in fact incorrect. Here's what I found now:

  1. Several different procesess read from this file, and from different offsets, but with the same length: 4K (exactly one memory page).
  2. There are ReadFile operations, but no opening of the file, which makes little sense.
  3. Looking at the stack trace, I see that all requests include a page fault in the trace, e.g. this file read is inside IoPageRead(), kernel function that reads pages from the paging file into memory.
  4. These reads happen on C:\$Directory and V:\$Directory on my system, the two drives that hold paging files on them, and nowhere else.

Based on this research, I strongly believe that this "file read" is some kind of Process Monitor artifact, and the real read happens in the paging file. I have no idea why ProcMon lists the path as C:\$Directory.

I don't think now that this C:\$Directory is a real NTFS metafile. I don't think now that this could be some illegitimate activity (virus or other malware).


$Directory and $MapAttributeValue are most probably code-names for system areas on the NTFS disk, and these references come from programs opening or creating files.

These names probably pertain to Metafiles, defined by wikipedia as :

NTFS contains several files that define and organize the file system. In all respects, most of these files are structured like any other user file ($Volume being the most peculiar), but are not of direct interest to file system clients. These metafiles define files, back up critical file system data, buffer file system changes, manage free space allocation, satisfy BIOS expectations, track bad allocation units, and store security and disk space usage information. All content is in an unnamed data stream, unless otherwise indicated.

$Directory is most probably the Master File Table (MFT) that is the directory for all files and folders, where are stored as metadata the file name, creation date, access permissions (by the use of access control lists) and size. Any program that opens or creates a file or folder accesses this area of the disk.

$MapAttributeValue is most probably the Attribute lists area, described as :

For each file (or directory) described in the MFT record, there's a linear repository of stream descriptors (also named attributes), packed together in one or more MFT records (containing the so called attributes list), with extra padding to fill the fixed 1 KB size of every MFT record, and that fully describes the effective streams associated with that file.

Related

How to use gpg and SSH together? [duplicate]
Increase granularity, range and curvature of the volume control slider
Does Psexec execute Remote Procedure Calls?
MySQL database across multiple servers
What is Allow multicast from Broadband Network?
View RSS feeds in Chrome instead of downloading it
I've lost access to my encrypted files
How to install .apk on Alpine Linux like .deb in Debian using dpkg
Make AppleScript wait for an Application to finish loading
Solid State Drive Occasionally Freezes For A Minute While OS Is "Beach Balling"
Sublime Text: Disable Find in Selection
accurate cutting of video (+ audio) with ffmpeg