To add to what Michael says.
Also, format is not the only thing that can
destroy data. Format happens to destroy the data
and yet leave the disk in a usable condition.
It would take about 10 minutes to knock up a user
mode program that can do a block write of 512
zeros to any sector on a disk. How would you
stop this? OK, as Henry suggested you use ACLs,
but it would only take another 10 mins to turn it
into a driver, you can’t stop that.
There have been several suggestions here on how
to stop specific cases, indeed, these may be
enough for your purposes. But for the general
case, the question you asked and how you asked it, there is no solution.
Mark
At 01:07 AM 7/29/2005, Michal Vodicka wrote:
IIRC, all user mode formatting tools finally
call a function from fmifs.dll. You can try to
hook exported Format() and FormatEx() function.
At XP there is also FormatEx2() exported so
you’d have to probably hook it, too. Read the
old Mark Russinovich’s article for more info:
http://www.sysinternals.com/sourcecode/fmifs.html.

Hooking user mode DLL should be enough for your
purposes as an attempt to stop malicious
software running under administrator account is
futile, as it was said many times here. It would
be hard or impossible to detect an attempt to
format in the kernel driver. From the article:
“Neither UNTFS.DLL nor UFAT.DLL call file system
drivers to take any part in a format or chkdsk
operation - they directly read and write raw
clusters on the drive.” If it still applies, the
only way which could work would be to deny
attempts to open volume for direct access
which’d have other negative consequences because
tools like chkdsk, disk defragmenters etc. use it, too.

BTW, I don’t quite agree with common list sense
expressed in past days. Although attempts to
stop admin from formatting disk are
theoretically useless because admin can always
bypass them, they may not be quite useless in
practice. If there is a virus, trojan or any
other malicious software which tries to use
format, it may help. I presume a situation when
admin reads mails or browses web (Should he? No!
Do they? Yes!) and the attack isn’t directed
specially against him. On the other hand, there
are many other ways how to destroy data. If you
presume user accidentally runs format.com
(actually PE file) with correct parameters,
what if he accidentally runs “del /s *.*” in the root directory?

Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of shark mouse[SMTP:xxxxx@hotmail.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Friday, July 29, 2005 1:37 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Help about prevent disk from being formatted?
>
> Thanks for the reply from everybody.
> Maybe someone is still misunderstanding my question, my goal is to make a
> method to prevent the user from destroying my data disk, this is only thought of
> user’s misoperation, not ill intentions. So I do think of the boot cd or move
> the disk to another computer, etc, just want to do this.
> In detail, want to prevent two ways to format the disk:
> 1. prevent common usage of the shell’s “format” option
> 2. prevent common usage of specific format utilities (i.e. format.com),
> just this.
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@upek.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>