A Simple Way to Create and Hide a Junction Link on Windows 10

In the Windows Operating system, there are three types of links:

  • Hard links
  • Junction links
  • Symbolic links

A hard link creates a second directory entry to a file such that it can reference a file using more than one reference path.

A symbolic link creates a new file altogether that references an already existing file.

A junction link, also referred to as a soft link, is used in linking directories which are located on different volumes or drives, but not between network drives. It’s created only between two folders and not files.

In this article, you will learn how you can create and hide junction links.

How to create a junction link on Windows 10

To create a junction, you first need to define the location of the junction link as well as the folder you’d want to link it to. Take note that the target folder should exist before creating the junction link.

In this tutorial, we will create a junction link at:

C:\Users\james\OneDrive\Music with the target defined at E:\MTBL

To begin with, you need to run the Command Prompt tool as an Administrator.

You can achieve this by clicking on the Start button, typing cmd in the text field, right clicking on the Command Prompt option, and selecting ‘Run as Administrator’.

Next, let’s apply the mklink command as shown in the syntax below:

mklink /J “path to junction link” “path to target folder”

In our case, the command will be as follows:

mklink /J “C:\Users\james\OneDrive\Music\MTBL” “E:\MTBL”

You can verify the existence of the junction link using the dir command as shown below:

How to hide a junction link on Windows 10

Additionally, you can create a directory junction with the ::$INDEX_ALLOCATION attribute, which will create a directory with dots like this […].

Here is an example:

In this case, the target folder, E:\MTBL, is not displayed as highlighted. This shows that we have tactfully managed to “hide” it.

To navigate into the directory, you can use the syntax below:

cd …/…/

To ensure that it contains the same files as the target folder, you can use the dir command:

Here is a simple tutorial for creating and hiding junction links on the Windows 10 operating systems.

As you can see above, we have successfully managed to hide the path to the target directory using the […] notation.


Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Windows Filesystem: How to Hide the Destination of a Directory Junction

Directory junctions are critical NTFS features on Windows that hide security vulnerabilities from would-be attackers. Junctions can help in creating symbolic links using normal privileges.

The best vulnerability that can exploit directory junctions is the AVGater, which works by abusing the ability of users to restore dangerous files that antivirus products have quarantined.

For example, the vulnerability can take place when a file is placed inside a folder X, and the antivirus solution marks the file as a virus, and moves it to the quarantine folder.

Thereafter, if the previously quarantined file is restored, the attacker can trick it into an arbitrary directory, which is not its original location.

The attacker can transfer the quarantined file to a hidden location on the host system, leading to abuse of the SYSTEM permissions and causing extensive damages.

Directory junctions can be misused if the target has time-of-check to time-of-use (TOCTOU) vulnerabilities.

You can also create a directory junction using the mklink utility, alongside the /J argument. It will now be possible to combine this with the ::$INDEX_ALLOCATION trick to create a directory junction with the name “…”

As you can see on the example above, the first directory was created using the normal name, which explains why destination is correctly shown in the dir output.

In the second junction, the target is absent and shown as […]. You can have your first junction to point to the second one, which also points to the third junction—until the last one points to the actual destination.

The paths are obviously confused; you can enter the junction using cd …\…\ that must be inside the System 32 folder. Remember the directory will point to C:\Test\

With the dir command, you can output files found on the System32 folder. The first command above created the Hello.bat file in C:\Test\

From the screenshot above, the Hello.bat command is shown to come from the current directory (.\). It will execute to its content, not what is contained in the C:\Windows\System32\hello.bat.

Since you can set up folders in any way, this can be applied to bypass application whitelisting programs using white scripted files.

This way, hiding the destination of a directory junction becomes possible.

Do you want to prevent unauthorized deletion of directory objects or something similar to this problem?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!