Can a filter driver redirect this?

Hi all,
I am a software Engg. working with a product based company upon a file system/filter driver.
I am new in this area; I am referring to “Device driver by Art Baker” and the IFS toolkit.
I am facing a problem with this.
Please provide valuable help.

I’m aiming to create “Desktop security software for public access computers”. The core feature of the software, which is Reboot to Restore the Hard Disk Drive, should have the ability to discard any changes made by a user once the software is installed on a system. It should restore the hard drive to its original configuration with a simple reboot/shutdown/after x-times reboot operation. This is accomplished in competitive products by redirecting the complete user I/O to a temporary buffer space hidden in the hard drive / a private partition with a hidden file system type created by us. Any changes made by the user are written to the buffer space / private partition and are available to the user during the current session / next session. As soon as the computer is rebooted / after a specified number of reboots, the I/O reads are redirected back to the original file locations and all changes made in the previous session are discarded; that simply means all the files created/modified/deleted by the user in the last session are completely restored!

All changes made by the user after Reboot-To-Restore is installed on the system should be temporary! For example, the user may perform all the following malicious actions, but the system will be completely restored with a simple reboot / after a specified number of reboots. The user may: install new software, remove software, delete folders, files or everything, virus infections, power off or reset (no Scandisk), change desktop and background, download files from the Internet, registry changes, format the hard drive!, totally mess up the computer!

All the above changes to the system should be completely restored.

Can you suggest anything to me?
Please…

Regards,
Rakesh



I don’t know if a file system filter driver is the best way to do what you
want, or not. I do know that writing file system filter drivers is
ferociously difficult.

I’d be inclined to research the possibilities of using a simpler filter at a
lower level (for instance, just above the disk class driver) to reserve an
area of disk that cannot be written to under normal circumstances. However,
if the malicious user is able to boot the machine to run his own code, then
all bets are off: you’ve lost.

Another reason for rejecting a file system filter driver, apart from the
difficulty of writing one, is that I don’t think a file system filter driver
would protect you from lower level accesses such as formatting the disk.

Regards
Don


Yes, I absolutely agree and endorse what Don says, adding only that a file system filter is definitely a choice of last resort.

To restore the state of the disk after use, the simplest approach is to ensure that the file system reads and writes use a filtered view of the disk sectors (use free space to save the user’s changes, and never change the real file allocation tables). Upon reboot the free space will still be marked as free and the authorized data on disk will still be intact.

I think you are well advised to stay low in the stack, and investigate the possibilities of doing this at the filter level between the file system and the disk. If I remember rightly a lower filter below a file system, and an upper filter above a disk, are subtly different, even although they would normally end up in the same location in the device stack. Check that out.

If there are other factors that oblige you to choose a higher level, a file system filter driver is still not the best way to go, because it is so difficult for such a filter to handle the disk cache, and (a related issue) memory mapped files. Moreover, different file systems make use of the cache in different ways.

If you choose to go high in the stack, then a ‘pseudo file system’ would likely be the simplest way (but you won’t find much info if you search for this term). This is just a component that behaves like a file system, but replaces the chosen file system(s) at mount time. This results in all access to the original file system being redirected to the pseudo file system.

The swap file, and file-deletion via the trash bin are also tricky issues to handle, so you need to consider carefully if these affect you. Moreover the file system queries directory contents and traverses become things you need to actively manage at this level. So the workload expands a lot in comparison with faking a FAT or two.

Arranging for redirecting to the PFS when a native file system mounts is something I saw implemented in someone else’s code a few years ago. It’s really simple if you know the magic code (but unfortunately I can’t remember any of the details except that it was very clean).

The PFS must present at its upper edge the appearance of a full Windows file system (more than a filter needs to do), but it can use an existing file system for disk reads and writes. E.g. create an ordinary file on the native file system as a kind of temporary disk image.

This largely avoids the cache issues which plague filter drivers, and is merely fiendishly difficult to write, rather than being actively ferocious! But since you have the IFS kit you have access to sample code for pretty well everything you need.

And as Don says you’ll need good boot protection too.

Jack.
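
The sector-level redirection described in the reply above, as an added user-mode C simulation (not code from the thread or from any product): writes go to slots taken from the baseline's free space, reads follow the redirect map, and a reboot simply drops the map. The in-memory disk, the `first_free` boundary standing in for the file system's allocation data, and all names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SECTOR_SIZE = 512, NUM_SECTORS = 16 };
enum { NOT_MAPPED = -1, ERR_RANGE = -1, ERR_NOSPACE = -2 };

typedef struct {
    uint8_t phys[NUM_SECTORS][SECTOR_SIZE]; /* the real disk */
    uint8_t base_free[NUM_SECTORS]; /* 1 = free in the protected baseline */
    uint8_t slot_used[NUM_SECTORS]; /* 1 = free sector holds session data */
    int     map[NUM_SECTORS];       /* logical sector -> redirected sector */
} overlay_disk;

/* Reboot: forget every redirection. Baseline sectors were never written and
 * the sectors that held session data are still free in the baseline. */
void overlay_reset(overlay_disk *d) {
    for (int i = 0; i < NUM_SECTORS; i++) {
        d->map[i] = NOT_MAPPED;
        d->slot_used[i] = 0;
    }
}

/* Constructed baseline: sectors below first_free are allocated ('A', 'B', ...). */
void overlay_init(overlay_disk *d, int first_free) {
    for (int i = 0; i < NUM_SECTORS; i++) {
        d->base_free[i] = (uint8_t)(i >= first_free);
        memset(d->phys[i], i < first_free ? 'A' + i : 0, SECTOR_SIZE);
    }
    overlay_reset(d);
}

/* Every write, even one aimed at a baseline-free sector, lands in a slot taken
 * from baseline free space, so allocated sectors on disk never change. */
int overlay_write(overlay_disk *d, int lba, const uint8_t *buf) {
    if (lba < 0 || lba >= NUM_SECTORS) return ERR_RANGE;
    if (d->map[lba] == NOT_MAPPED) {
        int slot = 0;
        while (slot < NUM_SECTORS && !(d->base_free[slot] && !d->slot_used[slot]))
            slot++;
        if (slot == NUM_SECTORS) return ERR_NOSPACE; /* free space exhausted */
        d->slot_used[slot] = 1;
        d->map[lba] = slot;
    }
    memcpy(d->phys[d->map[lba]], buf, SECTOR_SIZE);
    return 0;
}

/* Redirected sectors read from their slot. Unwritten baseline-free sectors read
 * as zeros (a choice made here) so an earlier session's leftovers stay hidden. */
int overlay_read(const overlay_disk *d, int lba, uint8_t *buf) {
    if (lba < 0 || lba >= NUM_SECTORS) return ERR_RANGE;
    if (d->map[lba] != NOT_MAPPED) memcpy(buf, d->phys[d->map[lba]], SECTOR_SIZE);
    else if (d->base_free[lba])    memset(buf, 0, SECTOR_SIZE);
    else                           memcpy(buf, d->phys[lba], SECTOR_SIZE);
    return 0;
}

/* Overwrite sector 0 (stand-in for an allocation table), reboot, check. 1 = pass. */
int demo_restore(void) {
    static overlay_disk d;
    uint8_t buf[SECTOR_SIZE], junk[SECTOR_SIZE];
    overlay_init(&d, 4);
    memset(junk, 0xFF, SECTOR_SIZE);
    if (overlay_write(&d, 0, junk) != 0) return 0;
    overlay_read(&d, 0, buf);
    int seen = memcmp(buf, junk, SECTOR_SIZE) == 0; /* session sees its write */
    int intact = d.phys[0][0] == 'A';               /* real sector untouched */
    overlay_reset(&d);                              /* reboot */
    overlay_read(&d, 0, buf);
    int restored = buf[0] == 'A' && buf[SECTOR_SIZE - 1] == 'A';
    overlay_read(&d, 4, buf);                       /* slot that held the junk */
    return seen && intact && restored && buf[0] == 0;
}

/* How many distinct sectors a session can modify before free space runs out. */
int demo_capacity(void) {
    static overlay_disk d;
    uint8_t junk[SECTOR_SIZE] = {0};
    int ok = 0;
    overlay_init(&d, 4);
    for (int lba = 0; lba < NUM_SECTORS; lba++)
        if (overlay_write(&d, lba, junk) == 0) ok++;
    return ok;
}

int main(void) {
    printf("restore: %d, modifiable sectors: %d\n", demo_restore(), demo_capacity());
    return 0;
}
```

The capacity case is the failure mode to plan for: once the session has touched as many sectors as the baseline has free, further writes must fail, and the filter has to report that as a full disk rather than write in place.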

I believe a good solution would simply be to use a ghosting application.
Create an image of the hard drive, then load it back every time you boot.

To prevent users from formatting over the image itself, you could make sure
you place it in a separate hard drive, and then, make sure that second hard
drive is not accessible by Windows.

Mat



Your idea reminds me of VMWare: for example, for different users, just direct them to a different VMWare image, or every time the machine is booted, overwrite the VMWare image with the original one; when a user wants to log in, just hide the original desktop and forward them to the VMWare box automatically. This sounds like a solution. Of course, VMWare is not easy to implement and the performance might be a troublemaker.

AFei

I can only suggest to OEM our ShadowUser product :)

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

www.shadowstor.com



Someone is hijacking my email addresses and logging in to my old MSN
messenger account using my old StorageCraft credentials. I have sent a
message to Microsoft regarding this matter and I am now posting this message
to let people know something is going on. I may, once again, be changing my
email addresses.

Jamey



Hi Jack,
Thanks,
no doubt you provided good and useful information.
I studied both ideas given by you.
I want to go the first way, to make a disk filter driver
which will reside at a low level on the stack.

I am trying to get more information regarding this.
Would you like to provide more information regarding
this which can help me?

I would be thankful to you.
Regards,
Rakesh
