FindFirstVolume does not return EFI system partition

By : Naveen
Date : November 21 2020, 11:01 PM
will be helpful for those in need volume GUID path (i.e. \??\Volume{..}) not exist if not returned by FindFirstVolume/FindNextVolume but we can enumerate all volumes in system by different ways. we say can use Virtual Disk Service com api . DISKPART> list volume use exactly this. another way(more 'low' and fast) - use CM_Get_Device_ID_ListW with pszFilter = "{71a27cdd-812a-11d0-bec7-08002be2092f}" (look GUID_DEVCLASS_VOLUME in devguid.h) than obtain a device instance handle by CM_Locate_DevNodeW and query for DEVPKEY_Device_PDOName with CM_Get_DevNode_PropertyW - we got string (like \Device\HarddiskVolume ) which we can use in ZwOpenFile and then use some ioctls (IOCTL_DISK_GET_PARTITION_INFO_EX and other) for get volume properties. code example:
code :
#include <initguid.h>
#include <cfgmgr32.h>
#include <devguid.h>
#include <devpkey.h>
#include <diskguid.h>

void DumpVolume(HANDLE hFile);

void VolEnum()
    STATIC_WSTRING(DEVCLASS_VOLUME, "{71a27cdd-812a-11d0-bec7-08002be2092f}");


    ULONG len;
    ULONG cb = 0, rcb = 64;

    HANDLE hFile;
    UNICODE_STRING ObjectName;
    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE };

    if (!CM_Get_Device_ID_List_SizeW(&len, DEVCLASS_VOLUME, flags))
        PWSTR buf = (PWSTR)alloca(len << 1);
        if (!CM_Get_Device_ID_ListW(DEVCLASS_VOLUME, buf, len, flags))
            PVOID stack = buf;
            while (*buf)
                DbgPrint("%S\n", buf);
                DEVINST dnDevInst;
                if (!CM_Locate_DevNodeW(&dnDevInst, buf, CM_LOCATE_DEVNODE_NORMAL))
                    DEVPROPTYPE PropertyType;
                    int err;

                    union {
                        PVOID pv;
                        PWSTR sz;
                        PBYTE pb;

                        if (cb < rcb)
                            rcb = cb = RtlPointerToOffset(pv = alloca(rcb - cb), stack);

                        if (!(err = CM_Get_DevNode_PropertyW(dnDevInst, &DEVPKEY_Device_PDOName, &PropertyType, pb, &rcb, 0)))
                            if (PropertyType == DEVPROP_TYPE_STRING)
                                DbgPrint("%S\n", sz);

                                RtlInitUnicodeString(&ObjectName, sz);
                                if (0 <= ZwOpenFile(&hFile, FILE_GENERIC_READ, &oa, &iosb, FILE_SHARE_VALID_FLAGS, 0))

                    } while (err == CR_BUFFER_SMALL);

                buf += 1 + wcslen(buf);

void DumpVolume(HANDLE hFile)
    NTSTATUS status;

    if (0 <= (status = ZwDeviceIoControlFile(hFile, 0, 0, 0, &iosb, IOCTL_DISK_GET_PARTITION_INFO_EX, 0, 0, &pi, sizeof(pi))))
        CHAR PartitionName[40], *szPartitionName;

        PCSTR szps = "??";
        switch (pi.PartitionStyle)
        case PARTITION_STYLE_MBR: szps = "MBR";
        case PARTITION_STYLE_GPT: szps = "GPT";

        DbgPrint("%u %s %I64u(%I64x) %I64u ", 
            pi.StartingOffset.QuadPart, pi.StartingOffset.QuadPart, 

        switch (pi.PartitionStyle)

        case PARTITION_STYLE_MBR: 
            DbgPrint("type=%x boot=%x", pi.Mbr.PartitionType, pi.Mbr.BootIndicator);


            if (IsEqualGUID(pi.Gpt.PartitionType, PARTITION_ENTRY_UNUSED_GUID))
                szPartitionName = "UNUSED";
            else if (IsEqualGUID(pi.Gpt.PartitionType, PARTITION_SYSTEM_GUID))
                szPartitionName = "SYSTEM";
            else if (IsEqualGUID(pi.Gpt.PartitionType, PARTITION_MSFT_RESERVED_GUID))
                szPartitionName = "RESERVED";
            else if (IsEqualGUID(pi.Gpt.PartitionType, PARTITION_BASIC_DATA_GUID))
                szPartitionName = "DATA";
            else if (IsEqualGUID(pi.Gpt.PartitionType, PARTITION_MSFT_RECOVERY_GUID))
                szPartitionName = "RECOVERY";
            else if (IsEqualGUID(pi.Gpt.PartitionType, PARTITION_MSFT_SNAPSHOT_GUID))
                szPartitionName = "SNAPSHOT";
                sprintf(szPartitionName = PartitionName, "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}", 
            DbgPrint("[%s] %I64x \"%S\"", 


        switch (ZwQueryVolumeInformationFile(hFile, &iosb, pffai, cb, FileFsAttributeInformation))
        case STATUS_SUCCESS:
            DbgPrint(" \"%.*S\"", pffai->FileSystemNameLength >> 1 , pffai->FileSystemName);

        DbgPrint("status=%x\n", status);
2 GPT 315621376(12d00000) 104857600 [SYSTEM] 8000000000000000 "EFI system partition" "FAT32"
1 GPT 1048576(100000) 314572800 [RECOVERY] 8000000000000001 "Basic data partition" "NTFS"
4 GPT 554696704(21100000) 255506513920 [DATA] 0 "Basic data partition" "NTFS"
3 GPT 420478976(19100000) 134217728 [RESERVED] 8000000000000000 "Microsoft reserved partition" "RAW"
1 MBR 32256(7e00) 32017013248 type=7 boot=1 "NTFS"

