Summary#

The following writeup explores the fsutil.exe binary, its functionality, and how some of its features are implemented.

devdrv#

query#

fsutil devdrv query

The query functionality is handled internally by DevdrvQuery function which calls the DevdrvGetEnableRegValue function. From the name we can guess that it should query the registry value to obtain the state of the "Dev Drive". But in reality it just calls GetDeveloperDriveEnablementState which is implemented in kernelBase.dll (redirected from the API set api-ms-win-core-sysinfo-l1-2-6.dll).

The GetDeveloperDriveEnablementState function is the one performing the query to the registry and checks the following locations.

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\FsEnableDevDrive
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\FsEnableDevDrive

FsEnableDevDrive is of type DWORD where 1 indicates that it's enabled, and 0 means it's disabled.

enable#

fsutil devdrv enable
fsutil devdrv enable /allowAv
fsutil devdrv enable /disallowAv

Enabling the "Dev Drive" will update the registry values talked about in the query section. Internally this is handled by the DevdrvEnable function. Which will call DevdrvSetEnableRegKey

Related Articles

Other threads in the archive worth reading next.

Process Anatomy

Windows Process Internals - Fondue.EXE

An in-depth look at Fondue.EXE, CLI options, the "rude app" checks, the handoff to APPWIZ.CPL and a bit of DLL side-loading.

Process Anatomy

Windows Process Internals - Dllhost Explained

A deep dive look at dllhost.exe and how it works.

Process Anatomy

Windows Process Internals - At.EXE

An in-depth look at the At.EXE utility, its functionality, and an exploration of its internal workings.