Hello, I maintain a filesystem driver for Windows and I just noticed a behavior that I wasn’t aware of:
First, In the UNIX world we are used to the fact that if a user does not mount a partition then that filesystem will never be touch by the OS and can be considered “safe” from writing.
I have been under the impression that Windows behaves the same in the sense that if you don’t create a link, say f:, that points to some extra partition, that partition will be untouched by our driver.
However today I discovered that if I run a simple test application that enumerates all the disks in the system then ALL partitions will be “mounted” even though they are not visible to the user only because the app touched the device object for the partition!
Now I think this is a problem from a “forensic” perspective because mounting the fs will update the mount count/time and possible more status fields in the fs while the user is unaware of it. (Also a power cut could make the partition inconsistent even though you never intended using that partition!)
So I would like to ask if this just is something we need to accept is different in the Windows world or if it can be avoided.