Jason_T. Member Posts: 65


I recall years back when Vista first came out having a number of clients panic because their user mode disk utilities could no longer write to the disk without having a kernel driver component which added the SL_FORCE_DIRECT_WRITE flag to a write IRP. I've pretty much just worked off the assumption for the last 10+ years that you couldn't write an MBR from user mode for security reasons. But to my surprise today I found that simple CreateFile/WriteFile on \\.\PhysicalDriveX allows updating sector 0 on both an MBR and GPT style disk (even while online and in use) as long as the process is run as admin. Was this relaxed at some point or did I just misunderstand it all these years? Seems awfully easy to modify the MBR, though you could make the argument that if a user has admin access they could just as well load their own driver to perform the IO that way... but with that line of thinking I'm not clear what the purpose of the IRP flag and the protection mechanism was ever meant to be in the first place. In other words, you can't open \\.\PhysicalDriveX unless you are admin anyway, so what is the point of an additional write restriction which goes away if you are admin?
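As an added example (not code from the original post or from OSR), here is the defender's counterpart to the raw \\.\PhysicalDriveX access discussed above: read sector 0 the same way (plain open of the device, which on Windows needs an elevated process exactly as the post says), decode the MBR partition table, tell an MBR disk from a GPT disk by its protective 0xEE entry, and keep a hash of the boot code and partition table so a later change to sector 0 can be flagged. Assumptions are labelled in the code: drive number 0 is hypothetical, and the 512-byte sample sector used offline is constructed, not captured from a real disk.

```python
r"""Parse and baseline sector 0 of a physical disk (MBR or GPT protective MBR).

Added example, not part of the original forum post. Reading \\.\PhysicalDriveN
requires an elevated process on Windows, as the post describes; off Windows the
script falls back to a constructed sample sector.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55           # bytes 510..511 read little-endian as 0x55 0xAA
PROTECTIVE_MBR_TYPE = 0xEE        # partition type a GPT disk places in its MBR
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16


def parse_partition_entry(raw):
    """Decode one 16-byte MBR partition entry (CHS fields are skipped)."""
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_sector0(sector):
    """Summarise sector 0: signature validity, disk style, used entries, hashes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    signature = struct.unpack_from("<H", sector, 510)[0]
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        if entry["type"] != 0:          # type 0 means the slot is unused
            entries.append(entry)
    if signature != BOOT_SIGNATURE:
        style = "invalid"
    elif any(e["type"] == PROTECTIVE_MBR_TYPE for e in entries):
        style = "gpt"
    else:
        style = "mbr"
    return {
        "signature_ok": signature == BOOT_SIGNATURE,
        "style": style,
        "partitions": entries,
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
    }


def detect_change(baseline, current):
    """Compare a stored sector-0 summary with a fresh one; return findings."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code (first 446 bytes) modified")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table modified")
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings


def build_sample_sector(ptype=PROTECTIVE_MBR_TYPE, lba_start=1, sectors=0xFFFFFFFF):
    """Constructed sample sector: by default the protective MBR a GPT disk carries."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"       # stand-in jump instruction as boot code
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", ptype,
                        b"\xFF\xFF\xFF", lba_start, sectors)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def read_sector0(drive_number=0):
    # Windows only: opens \\.\PhysicalDriveN unbuffered (raw device reads must be
    # sector aligned) and returns the first sector. Fails unless elevated.
    path = r"\\.\PhysicalDrive%d" % drive_number
    with open(path, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    if sys.platform == "win32":
        summary = parse_sector0(read_sector0(0))   # drive 0 is an assumption
    else:
        summary = parse_sector0(build_sample_sector())
    print(summary["style"], summary["sector_sha256"])
```

Run it once from an elevated prompt to record the baseline summary, then re-run and feed both summaries to detect_change(); a changed boot-code hash with an unchanged partition table is the pattern a sector-0 overwrite of the kind the post describes would leave.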


