Help about prevent disk from being formatted?

To add to what Michael says.

Also, format is not the only thing that can
destroy data. Format happens to destroy the data
and yet leave the disk in a usable condition.

It would take about 10 minutes to knock up a user
mode program that can do a block write of 512
zeros to any sector on a disk. How would you
stop this ? OK, as Henry suggested you use ACLs,
but it would only take another 10 mins to turn it
into a driver, you can’t stop that.

There have been several suggestions here on how
to stop specific cases, indeed, these may be
enough for your purposes. But for the general
case, the question you asked and how you asked it, there is no solution.

Mark

At 01:07 AM 7/29/2005, Michal Vodicka wrote:

IIRC, all user mode formatting tools finally
call a function from fmifs.dll. You can try to
hook exported Format() and FormatEx() function.
At XP there is also FormatEx2() exported so
you’d have to probably hook it, too. Read the
old Mark Russinovich’s article for more info:
http://www.sysinternals.com/sourcecode/fmifs.html.

Hooking user mode DLL should be enough for your
purposes as an attempt to stop malicious
software running under administrator account is
futile, as it was said many times here. It would
be hard or impossible to detect an attempt to
format in the kernel driver. From the article:
“Neither UNTFS.DLL nor UFAT.DLL call file system
drivers to take any part in a format or chkdsk
operation - they directly read and write raw
clusters on the drive.” If it still applies, the
only way which could work would be to deny
attempts to open volume for direct access
which’d have other negative consequences because
tools like chkdsk, disk defragmenters etc. use it, too.

BTW, I don’t quite agree with common list sense
expressed in past days. Although attempts to
stop admin from formatting disk are
theoretically useless because admin can always
bypass them, they may not be quite useless in
practice. If there is a virus, trojan or any
other malicious software which tries to use
format, it may help. I presume a situation when
admin reads mails or browses web (Should he? No!
Do they? Yes!) and the attack isn’t directed
specially against him. On the other hand, there
are many other ways how to destroy data. If you
presume user accidentally runs format.com
(actually PE file with correct parameters,
what if he accidentally runs “del /s *.*” in the root directory?

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
>
From:
xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
on behalf of shark mouse[SMTP:xxxxx@hotmail.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Friday, July 29, 2005 1:37 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Help about prevent disk from being formatted?
>
> thanks the reply from everybody.
> maybe someone is still misunderstanding my
question,my goal is to make a
> method to prevent the user destroy my data disk,this is only thought of
> user’s misoperation,not ill intentions.so i
do think of the boot cd or move
> the disk to another computer,etc,just want to do this.
> in detail,want to prevent two ways to format the disk:
> 1.prevent common usage of the shell’s “format” option
> 2.prevent common usage of specific format utilities (i.e format.com),
> just this.
>
> _________________________________________________________________
> ???ѽ??н???ʹ?? MSN Messenger: http://messenger.msn.com/cn
>
>
> —
> Questions? First check the Kernel Driver FAQ
at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@upek.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Do not give this user the admin rights. Period. No software development is
needed.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “shark mouse”
To: “Windows System Software Devs Interest List”
Sent: Friday, July 29, 2005 3:37 AM
Subject: RE:[ntdev] Help about prevent disk from being formatted?

> thanks the reply from everybody.
> maybe someone is still misunderstanding my question,my goal is to make a
> method to prevent the user destroy my data disk,this is only thought of
> user’s misoperation,not ill intentions.so i do think of the boot cd or move
> the disk to another computer,etc,just want to do this.
> in detail,want to prevent two ways to format the disk:
> 1.prevent common usage of the shell’s “format” option
> 2.prevent common usage of specific format utilities (i.e format.com),
> just this.
>
> _________________________________________________________________
> ÓëÁª»úµÄÅóÓѽøÐн»Á÷£¬ÇëʹÓà MSN Messenger: http://messenger.msn.com/cn
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

What is vertical recording?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “David J. Craig”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Friday, July 29, 2005 8:51 AM
Subject: Re:[ntdev] Help about prevent disk from being formatted?

> The drive must be unlocked with user input before any reads or writes of the
> media is permitted - as I understand it. Otherwise it would not be of any
> use. I want one of those 160GB drives with FDE and vertical recording. It
> should be a nice toy.
>
> “Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Gary G. Little[SMTP:glittle@mn.rr.com]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Thursday, July 28, 2005 5:40 PM
> > To: Windows System Software Devs Interest List
> > Subject: Re:[ntdev] Help about prevent disk from being formatted?
> >
> > Use a disc that does full disc encryption, FDE. The only way to format
> > that
> > disc, whether or not you have moved it to another computer, is to either
> > have the proper credentials. or disassemble the disc change out the
> > firmware
> > board. ANY software solution is fundamentally flawed in protecting against
> > such an attack, when you can boot to an OS that will allow you to do what
> > you want, by simply inserting a floppy or a CD. FDE forces authentication
> > and login BEFORE the disc can even be accessed.
> >
> Sorry Gary, I don’t see how FDE protects against data destroy. Once disk is
> mounted by OS, user and malicious software can do anything. If machine can
> be physically accessed, disk can be removed and destroyed by big hammer or
> simply stolen. The theorecical level of protection is the same as with
> software solutions i.e. zero
>
> FDE can prevent against data access, if properly implemented. This is what
> I’d still like to know – do Seagate drives use hardcoded encryption key,
> key stored somewhere or some safe approach?
>
> (sorry, caustic mood today
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

More accurately termed perpendicular recording. Today, disks use
longitudinal recording. That means that the poles of the magnet are in the
plane of the platter, and oriented tangentially (as opposed to radially,
like the spokes on a wheel) on the track, so the magnetic bits are
effectively a bunch of bar magnets lined up end to end. When you have a
polarity flip, you have the same poles together, which cause them to try to
flip each other. When they start flipping each other uncontrollably,
that’s called reaching the super-paramagnetic limit.

Perpendicular recording not only turns the bars sideways, like the radial
alignment I mentioned, it also stands them perpendicular to the platter, so
you don’t have the poles of the adjacent tracks causing the same effect in
the near future, since we already have enough trouble keeping the tracks
from encroaching on each other now. Eventually, even perpendicular
recording runs into the same issue, but not for a while, and there are
widely publicized strategies under development (HAMR, SOMA) for coping with
that in the future.

Phil

Philip D. Barila
Seagate Technology LLC
(720) 684-1842

“Maxim S.
Shatskih”
ft.com> “Windows System Software Devs
Sent by: Interest List”
bounce-215426-643
xxxxx@lists.osr.com cc
No Phone Info
Available Subject
Re: Re:[ntdev] Help about prevent
disk from being formatted?
07/29/2005 05:54
AM

Please respond to
“Windows System
Software Devs
Interest List”
com>

What is vertical recording?

It re-orients the physical bits on the media from parallel to perpendicular
to the substrate, effectively increasing the capacity.

Michal, you can always destroy data on a disc. Indeed a sledge hammer works
wonders in mangling media, substrate, firmware and just about everything
else. The point of FDE is that it takes extra-ordinary efforts to do what
today is really a no-brainier. FDE will deny you access regardless HOW you
boot, or no matter where you move the drive. Move it to a system where the
BIOS does not handshake with the disc to unlock the disc and you are denied
access. Stuff a CD or floppy in the system and boot and sorry, you can’t
because the drive firmware will deny any unauthorized user access. Short of
disassembling the drive or replacing the firmware you cannot access the
media where all the data you want to see resides. Move the substrate to
another chassis? The media uses perpendicular recording so there is LOTS of
special stuff you have to have there to even READ the media. So you only
replace the firmware and can handle the new recording format you can then
read the media, but the entire media is encrypted. None of this is
impossible to crack … but it certainly is no longer a no-brainier.

–
The personal opinion of
Gary G. Little

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
> What is vertical recording?
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “David J. Craig”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Friday, July 29, 2005 8:51 AM
> Subject: Re:[ntdev] Help about prevent disk from being formatted?
>
>
>> The drive must be unlocked with user input before any reads or writes of
>> the
>> media is permitted - as I understand it. Otherwise it would not be of
>> any
>> use. I want one of those 160GB drives with FDE and vertical recording.
>> It
>> should be a nice toy.
>>
>> “Michal Vodicka” wrote in message
>> news:xxxxx@ntdev…
>> > ----------
>> > From:
>> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>> > on behalf of Gary G. Little[SMTP:glittle@mn.rr.com]
>> > Reply To: Windows System Software Devs Interest List
>> > Sent: Thursday, July 28, 2005 5:40 PM
>> > To: Windows System Software Devs Interest List
>> > Subject: Re:[ntdev] Help about prevent disk from being formatted?
>> >
>> > Use a disc that does full disc encryption, FDE. The only way to format
>> > that
>> > disc, whether or not you have moved it to another computer, is to
>> > either
>> > have the proper credentials. or disassemble the disc change out the
>> > firmware
>> > board. ANY software solution is fundamentally flawed in protecting
>> > against
>> > such an attack, when you can boot to an OS that will allow you to do
>> > what
>> > you want, by simply inserting a floppy or a CD. FDE forces
>> > authentication
>> > and login BEFORE the disc can even be accessed.
>> >
>> Sorry Gary, I don’t see how FDE protects against data destroy. Once disk
>> is
>> mounted by OS, user and malicious software can do anything. If machine
>> can
>> be physically accessed, disk can be removed and destroyed by big hammer
>> or
>> simply stolen. The theorecical level of protection is the same as with
>> software solutions i.e. zero
>>
>> FDE can prevent against data access, if properly implemented. This is
>> what
>> I’d still like to know – do Seagate drives use hardcoded encryption key,
>> key stored somewhere or some safe approach?
>>
>> (sorry, caustic mood today
>>
>> Best regards,
>>
>> Michal Vodicka
>> UPEK, Inc.
>> [xxxxx@upek.com, http://www.upek.com]
>>
>>
>>
>>
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>