The case of the SHGet­Folder­Path(CSIDL_COMMON_DOCUMENTS) that returned ERROR_PATH_NOT_FOUND

Raymond Chen


A customer was experiencing a problem with the SHGet­Folder­Path function. Specifically, they had a program that called the function like this:

                SHGFP_TYPE_CURRENT, pathBuffer);

but it failed with error 0x80070003 which is the HRESULT version of ERROR_PATH_NOT_FOUND. The error occurs only when run from a Jenkins pipeline. If they the run the program standalone, then the function succeeds and returns the expected result.

A procmon trace showed that the application tried to access the folder C:\Windows\SysWOW64\autobuild\Documents, which failed with NAME_NOT_FOUND. And that was the clue that broke things open.

The Common Documents folder defaults to %PUBLIC%\Documents. The PUBLIC environment variable’s normal value is C:\Users\Public, but when the program runs as part of a Jenkins pipeline, the environment variable is set to autobuild for some reason.

This means that when the program calls SHGet­Folder­Path and asks for CSIDL_COMMON_DOCUMENTS, the system looks for autobuild\Documents, which doesn’t exist, hence error 0x80070003: “The system cannot find the path specified.”

There are a number of environment variables that have special meaning, and you change them at your peril. You probably know about variables like windir, ProgramFiles, and TEMP, but there are quite a number of other special environment variables, and PUBLIC is one of them.

Armed with this information, the customer went back to see who was messing with the PUBLIC environment variable and try to get them to stop.


Comments are closed. Login to edit/delete your existing comments

    • Avatar
      Stefan Kanthak


      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
      "Common AppData"=expand:"%ProgramData%"
      "Common Desktop"=expand:"%PUBLIC%\\Desktop"
      "Common Documents"=expand:"%PUBLIC%\\Documents"
      "Common Programs"=expand:"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs"
      "Common Start Menu"=expand:"%ProgramData%\\Microsoft\\Windows\\Start Menu"
      "Common Startup"=expand:"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
      "Common Templates"=expand:"%ProgramData%\\Microsoft\\Windows\\Templates"

      Better read these entries beforehand:

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      "!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"
      [HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      "!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"
      [HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
      "!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"
  • Avatar
    Vadim Zeitlin

    How topical, I just wish I had read this yesterday, before spending more than an hour trying to find why CryptAcquireContext() failed with a mysterious NTE_PROVIDER_DLL_FAIL error when launching the program using remote debugger, only to find that it relies on SystemRoot being set in the environment, which wasn’t the case.

    I still wonder why do the API functions like this use the environment variables instead of using the registry, isn’t this what it is for? And is there a full list of required environment variables somewhere?

    • Raymond Chen
      Raymond ChenMicrosoft employee

      I suspect that the API is getting the provider from the registry. What’s happening is that the provider is listed in the registry with a REG_EXPAND_SZ %SystemRoot%. (There is no REG_INSERT_WINDOWS_DIRECTORY_SZ registry value type.)

      • Avatar
        Stefan Kanthak

        “(There is no REG_INSERT_WINDOWS_DIRECTORY_SZ registry value type)”

        OUCH: of course there is!
        *.MSI, processed by the Windows Installer, have symbolic names for that.
        *.INF, interpreted by the SetupAPI, provide the LDID %10% as well as the DIRID %16420% to resolve %SystemRoot% during installation!
        See and for not just these two LDIDs/DIRIDs
        For a demonstration, fetch the scripts and and “install” them. See for a rather short description.

        • Raymond Chen
          Raymond ChenMicrosoft employee

          You’re not contradicting me. There is no REG_INSERT_WINDOWS_DIRECTORY_SZ registry value type. What you provided was ways of substituting the Windows directory before the string even gets added to the registry. But those aren’t of any help for OS components, because OS components aren’t installed via MSI or INF files.

          • Avatar
            Stefan Kanthak

            I doubt that the installer for OS components misses an equivalent (and if it does, that’s yet another design bug): the majority of paths in the registry shipped with current versions of Windows are fix/constant, i.e. they start with C:\
            Since Windows XP Embedded, from which Vista’s Component Based Servicing was largely inspired, SETUP.EXE allows to assign an arbitrary drive letter for the “system drive”, and “fixes” all pathnames beginning with C:\ not just in the registry during deployment.
            Your company and your developers have the tools, but are obviously to lazy/sloppy/clueless/careless to use them properly, and put your customers/users at risk!
            To quote
            “Always specify the fully qualified path when the library location is constant.”
            A pathname containing an environment variable is NOT constant.
            See and among others for this well-known and well-documented weakness.

      • Avatar
        Stefan Kanthak

        “I suspect that the API is getting the provider from the registry.”

        And said “provider” is most likely located in the “system directory”, so every sane developer would have changed their implementation to use LoadLibraryEx(L”‹provider›.dll”, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) instead of fiddling with either %SystemRoot% or GetWindowsDirectory()/GetSystemDirectory()
        JFTR: LOAD_LIBRARY_SEARCH_SYSTEM32 is available since Windows 8 out-of-the-box, and with update KB2533623 also available for Windows Vista and 7

          • Avatar
            Stefan Kanthak

            OUCH¹: please ask your colleagues who implemented LoadLibraryEx() how it works when called with both a fully qualified path and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag.
            OUCH²: please ask your colleagues who implemented the consumer why they load DLLs from arbitrary user-controlled paths.
            OUCH³: please ask your colleagues who implemented the installer of the provider whether they intended to add another weakness to Windows!
            And don’t forget to ask your colleagues who published the documentation of CryptAcquireContext() (and any other consumer or provider) why they failed to specify their dependency from %SystemRoot% and its security implications!

  • Avatar
    Stefan Kanthak

    Thanks for posting about one of Windows many design bugs.
    This one was introduced with Vista.
    Before Vista, the “All Users” profile was used to store “Common Desktop”, “Common Documents” etc.
    The base path to this profile is provided by the function GetAllUsersProfileDirectory() (, from which the environment variable ALLUSERSPROFILE is set during user login.
    The Directory Shuffle performed for Vista introduced the “Public” profile and C:\ProgramData, accompanied by the new environment variables PUBLIC and ProgramData
    Some short-sighted developers but either forgot to implement a function GetPublicProfileDirectory() which retrieves the fully qualified path of this new profile from

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]

    and use it in SHGetFolderPath() etc., or to use GetProfilesDirectory() ( and append “\Public” to it.
    Instead they introduced yet another vulnerability and query a user-controlled environment variable to retrieve an administrator-controlled path.
    JFTR: since GetDefaultUserProfileDirectory() ( exists and retrieves the fully qualified path of the “Default” user profile from

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]

    GetPublicUserProfileDirectory() would be a logical extension to that scheme.

    In case you need proof that referencing user-controlled environment variables to resolve paths is braindead, see or run the following commands:

    SET CommonProgramFiles=%CD%
    MKDIR "System\OLE DB"
    COPY "%SystemRoot%\System32\SHUNIMPL.DLL" "System\OLE DB\OLEDB32.DLL"
    SET ProgramFiles=%CD%
    MKDIR "Windows Photo Viewer"
    COPY "%SystemRoot%\System32\SHUNIMPL.DLL" "Windows Photo Viewer\PhotoViewer.dll"
    FTYPE TIFImage.Document
    SET ProgramFiles=%SystemRoot%\System32\CALC.EXE^" ^"*
    FTYPE rtffile
    SET SystemRoot=%SystemRoot%\System32\CALC.EXE^" ^"*
    FTYPE Microsoft.System.Update.1
    FTYPE rlefile
    RMDIR /S /Q System
    RMDIR /S /Q "Windows Photo Viewer"
    • Avatar
      Danielix Klimax

      Looks like you are just exploiting yourself. What is gained by attacker that wouldn’t be available otherwise. Big talk and no evidence so far (applies to your previous “vulnerability” assertions too)

  • Avatar
    Matthew Jackson

    I recently came across something certainly related to this. I was surprised that scripts running under Jenkins jobs were accessing user profile information from C:\Windows\ instead of C:\Users\. I chalked it up to the fact that we were running Jenkins as a Windows Service.

    • Avatar
      Stefan Kanthak

      Normal behaviour if the profile used is C:\Windows\System32\Config\SystemProfile, C:\Windows\ServiceProfiles\LocalService or C:\Windows\ServiceProfiles\NetworkService
      The latter two are the profiles for the “NT AUTHORITY\LOCAL SERVICE” alias “LocalService” and the “NT AUTHORITY\NETWORK SERVICE” alias “NetworkService” accounts, both introduced with Windows XP, initially stored in the directories “C:\Documents and Settings\LocalService” and “C:\Documents and Settings\NetworkService”, relocated to their current locations with Vista.
      The first profile, introduced with Windows 2000, is for the “NT AUTHORITY\SYSTEM” alias “LocalSystem” account.
      Its location is yet another design bug, since it is subject to File System Redirection on 64-bit installations!
      Admire the result of the “lobotomy” or “schizophrenia” in C:\Windows\SysWoW64\Config\SystemProfile

      And while you are here take a look into the registry hive of the “LocalSystem” account:


      Then verify whether C:\Windows\System32\Config\SystemProfile\AppData\Local\Temp and eventually C:\Windows\SysWoW64\Config\SystemProfile\AppData\Local\Temp exist…
      Also don’t forget to inspect the environment variables TEMP and TMP of processes running under the “LocalSystem” account…
      Oh what a lovely mess!

  • skSdnW

    %ProgramData% relative special folders have the same issue.

    The strange thing is, this expansion issue only applies to the older special folders. Even if you use the newer Known Folder API, the old special folders have this issue (Common Templates etc.) while the KF-only folders (CommonRingtones etc.) do not.

  • Avatar
    Stefan Kanthak

    “Accidentally reconfiguring the system.”
    Its time to learn a new german word: Unfallverhütungsvorschrift!
    Also “Software Engineering” may come into your mind…
    A PROPERLY designed and implemented product does NOT allow such accidents!