Detecting System Restore in progress?

Is there any method of determining that Windows System Restore is in progress from kernel mode? Thank you.

I noticed that on Windows 7, System Restore can be done on the live system just before shutdown. Looking at the stack, it appears that no file system is involved, only volsnap. Is System Restore block based? If so, what happens if the files have been moved around due to defragmentation?

Since the user may restore back to a point where my software was not installed, I need to erase some sensitive data off the disk. Is there a way I can check in my drivers whether System Restore is in progress or has just completed before shutdown? Thank you.

xxxxx@gmail.com wrote:

> Since the user may restore back to a point where my software was not installed, I need to erase some sensitive data off the disk. Is there a way I can check in my drivers whether System Restore is in progress or has just completed before shutdown?

That is not a solvable problem in the general case. What if I just decide to pull the plug on the computer and move the disk to another machine? If you have unencrypted sensitive data on the disk, that data is vulnerable.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim. The system I have been working on does not allow the disk to be removed from the system, and booting off another device to access this disk is not allowed either, so all those kinds of problems have been taken care of. System Restore is the only one left which I need to detect.

> so all those kinds of problems have been taken care of.

Not really. What you mean is that you've "worked around" these problems, not truly solved them.

So long as you're looking for possible avenues of attack and simply building workarounds, your system isn't secure; it only gives the impression of security. You'd be better off designing a secure system from the ground up, or using pre-existing solutions and modifying them to suit your needs.

What if tomorrow you release it and it turns out there's some other feature of Windows that gives the attacker a way around your "security" measures? What do you do then? Patch it and hope another such flaw doesn't come up again?

Thank you for your comments.

> "Not really. What you mean is that you've "worked around" these problems, not truly solved them."

No, this is not a workaround. It is a specially designed machine which has the disk integrated with the system, and it can't be physically removed. I'm not the decision maker :)

> "You'd be better off designing a secure system from the ground up, or using pre-existing solutions and modifying them to suit your needs."

Do you have any suggestions on how I can solve this System Restore issue? Thanks.

xxxxx@gmail.com wrote:

> Do you have any suggestions on how I can solve this System Restore issue? Thanks.

You could turn off System Restore points.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.