Can a mini filter driver detect the "Volume Format" operation?

Hi,
I need a way to detect a format command (i.e. >format h:) on a volume and prevent it. Is there any way that a mini filter driver can detect a format operation and then deny it?

Thanks
Payman

Yes, if it is a floppy and a physical format is being done. Possibly if it
is a SCSI device where the format is done in the drive itself. Otherwise,
no. You must determine if you are asking about a logical or a physical
format. Logical formats are just writes of data to the drive and can be
done in any order. The FATs could be written before or after the root
directory which could be before or after the partition boot record(s). NTFS
is another problem in that how the system areas are formatted is not
documented. Some Linux systems have a NTFS write capability that can help
you understand the logical format, but you can’t be sure that all possible
variations have been discovered.


Hmm, perhaps David knows something I don't - perhaps it's another thing I
have wrong in my head here - but doesn't format unmount the file system, and
write at volume level, mount the file system? Then, in file system (mini)
filter, you'd see the unmount and mount, but not the stuff in the middle.


Lyndon,

That was what I thought. I wrote a disk filter years ago for a
customer who needed to modify format of things like USB keys. It was
interesting to see the operations, since the format IOCTL was not invoked
(at least at that level).


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


>> format unmount the file system, and write at volume level, mount the file
>> system
> That was what I thought
… and that’s what I saw analyzing sysinternals’ sample code
related to formatting.
I mean, when the source was available.
Gone are the days.


I would never consider trying to protect a storage device from a format at
the file system level. There are too many ways to get a volume unmounted
that a file system filter would not see with enough context to know for
certain. You can use some information at the FSFD to get a hint, but a
volume, partition, or storage device filter would be better. For floppy, a
filter above flpydisk.sys would be the best choice.

True SCSI devices can do a format internal to the device that will destroy
all the data on the drive, but not create the system areas after the
format. Some of my answer depends upon what the OP wants to do and why.
Most logical formats on USB keys, SATA and ATAPI hard drives are just
created by writing to the system areas. If security, a leap on my part but
a part of my mindset, is the issue, a format could be written to create/wipe
the system areas in a non-standard order to avoid detection. Just because
Microsoft's format will dismount the volume does not mean you have to do so
to wipe a volume.

Just because I am paranoid, it does not mean that the whole world is not out
to get me. Too many years with a security mindset.


Guys, thanks for your reply.
This device is NTFS, SATA external hard drive.
A format command will cause a Lock, a bunch of write/read operations to the system area and then Unmount/Mount volume.
So checking and denying the Unmount command is going to be too late.
Checking and denying the Lock command works, but you never know what other applications use the Lock command.

Dave, do you know what information in FSFD would hint a format command?
Thanks
Payman

1. format command requires admin access. Do you really want to deny this
   functionality to admin?
2. AFAIK the steps are
   open…lock(exclusive)…unmount…write…unlock…close
   a) if internally you have an additional reference (open) to the FS,
      the system will fail the lock. Side effect is other apps who want to lock
      will fail.
   b) a successful lock followed by unmount means that someone
      wants to change the blocks from underneath the FS, but a defragment app
      would do it as well.
   c) you could potentially monitor the writes into $mft's first
      record (and deny them) but this is a bad hack.

Harish


NTFSD is sponsored by OSR

For our schedule debugging and file system seminars (including our new
fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@netapp.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Harish,
I put a file-spy on the system and it seems to me that the sequence is
open…lock(exclusive)…write…unmount…unlock…close.
Unmount is coming after the writes.
Do you know why you are seeing differently?

Thanks
Payman

Having a shipping app that uses lock for something other than formatting: blanket denying it globally will indeed break programs out there.

S


My understanding was based on what I remembered from a previous life. I
would go by what file-spy says.
But still, the other parts of my previous email are still valid.

Harish


Payman,

There is no single format command that you can watch for going down the file system stack. You will typically see:

  1. A DASD (volume) open
  2. Lock (probably dismount if the lock fails)
  3. DASD reads and writes
  4. Unlock
  5. Close

This can change depending on the various options that format is invoked with.

As was correctly pointed out, failing volume lock can cause app compat issues and is highly discouraged.

The core of the question is what are you trying to achieve?

Regards,
Sarosh.
File System Filters Lead
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.
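As an added example (not code from the thread or from any of the posters), the following user-mode C models the hint that Harish's option (c) and Sarosh's request sequence point at: an exclusive lock on a DASD handle followed by writes into the volume's system areas, with the dismount's position deliberately ignored because the thread shows it varies. The event types, the $MFT offset and the two traces are constructed assumptions; a real minifilter would make the same decision in its pre-write callback from state kept in its volume context.

```c
/* Added example, not code from this thread: a user-mode model of the hint
 * Harish's option (c) and Sarosh's sequence describe. A lock alone is
 * ambiguous (defrag locks too), so only DASD writes into the system area
 * while the volume is held locked count. Offsets and traces are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
enum op { OP_OPEN_DASD, OP_LOCK_VOLUME, OP_DISMOUNT, OP_WRITE, OP_UNLOCK, OP_CLOSE };
struct event { enum op op; uint64_t offset; uint32_t length; bool success; };
struct volstate { bool dasd_open, locked; };   /* what a volume context would hold */

/* Assumed layout: boot sector at offset 0; $MFT start is a constructed value
 * (a real filter would read it from the boot sector at mount time). */
#define BOOT_SECTOR_LEN   512ull
#define ASSUMED_MFT_START (4ull << 20)
#define MFT_RECORD_LEN    1024ull
static bool hits_system_area(uint64_t off, uint32_t len) {
    return off < BOOT_SECTOR_LEN ||
           (off < ASSUMED_MFT_START + MFT_RECORD_LEN && off + len > ASSUMED_MFT_START);
}

/* Feed one request in arrival order; true marks the pre-write point where a
 * filter could still deny. Dismount order is ignored: the thread shows it varies. */
static bool observe(struct volstate *s, const struct event *e) {
    switch (e->op) {
    case OP_OPEN_DASD:   s->dasd_open = true;              break;
    case OP_LOCK_VOLUME: s->locked = e->success;           break;
    case OP_UNLOCK:      s->locked = false;                break;
    case OP_CLOSE:       s->dasd_open = s->locked = false; break;
    case OP_WRITE:
        return s->dasd_open && s->locked && hits_system_area(e->offset, e->length);
    default: break;   /* OP_DISMOUNT carries no signal on its own */
    }
    return false;
}
/* Index of the first flagged request in a trace, or -1 if none. */
int run_trace(const struct event *ev, size_t n) {
    struct volstate s = {0};
    for (size_t i = 0; i < n; i++)
        if (observe(&s, &ev[i])) return (int)i;
    return -1;
}

/* Constructed traces: format as described in the thread, and a defragmenter
 * that locks and dismounts but only rewrites ordinary data clusters. */
const struct event format_trace[] = {
    {OP_OPEN_DASD, 0, 0, true}, {OP_LOCK_VOLUME, 0, 0, true}, {OP_WRITE, 0, 512, true},
    {OP_WRITE, ASSUMED_MFT_START, 1024, true}, {OP_DISMOUNT, 0, 0, true},
    {OP_UNLOCK, 0, 0, true}, {OP_CLOSE, 0, 0, true} };
const struct event defrag_trace[] = {
    {OP_OPEN_DASD, 0, 0, true}, {OP_LOCK_VOLUME, 0, 0, true}, {OP_DISMOUNT, 0, 0, true},
    {OP_WRITE, 100ull << 20, 65536, true}, {OP_UNLOCK, 0, 0, true}, {OP_CLOSE, 0, 0, true} };
```

As David's replies warn, a writer that never takes the lock, or that touches the system areas in another order, passes this untouched; it is a hint, not a guarantee.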