Is mounting a filesystem inevitable in Windows?

Hello, I maintain a filesystem driver for Windows and I just noticed a behavior that I wasn’t aware of:

First, in the UNIX world we are used to the fact that if a user does not mount a partition then that filesystem will never be touched by the OS and can be considered “safe” from writing.

I have been under the impression that Windows behaves the same in the sense that if you don’t create a link, say f:, that points to some extra partition, that partition will be untouched by our driver.

However, today I discovered that if I run a simple test application that enumerates all the disks in the system then ALL partitions will be “mounted” even though they are not visible to the user, only because the app touched the device object for the partition!

Now I think this is a problem from a “forensic” perspective because mounting the fs will update the mount count/time and possibly more status fields in the fs while the user is unaware of it. (Also a power cut could make the partition inconsistent even though you never intended to use that partition!)

So I would like to ask if this is just something we need to accept as different in the Windows world, or if it can be avoided.

The I/O Manager kicks off the file system recognition/mount process on first open. Even if the media device doesn’t have a drive letter mount point you can still enumerate and find them through SetupDi, so yes, this is expected.

If your file system can become entirely corrupted if you crash during mount then that sounds like a design flaw.

In forensic analysis cases, you should always use settings that control auto offline/online of disks that are attached to the system. If a disk is not automatically brought online by Windows, no partitions are enumerated, no volume device objects are created and no file systems are mounted. You can then choose to online a disk in read-only mode, which will mount file systems, but read-only.

All of this does not help in all cases anyway, such as Storage Spaces, which needs to be disabled in other ways to stay completely out of partition recognition.

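The offline/online and read-only handling described in the reply above, as an added example that is not part of the original thread. It assumes the Windows Storage PowerShell module (Get-StorageSetting / Set-StorageSetting / Get-Disk / Set-Disk), an elevated prompt, and disk number 2 as a placeholder for the disk under examination.

```powershell
# Added example (not from the thread). Assumes the Storage module and an elevated shell.
# Disk number 2 is a placeholder for the evidence disk being attached.

# 1. Make sure newly attached disks are NOT brought online automatically
#    (the "SAN policy"). With OfflineAll, no partitions are enumerated, no
#    volume device objects are created and no file systems are mounted.
#    The diskpart equivalent is: "san policy=offlineall".
$setting = Get-StorageSetting
Write-Output "Current NewDiskPolicy: $($setting.NewDiskPolicy)"
if ($setting.NewDiskPolicy -ne 'OfflineAll') {
    Set-StorageSetting -NewDiskPolicy OfflineAll
}

# 2. Attach the disk now, then confirm it really stayed offline. Abort if it
#    came online, since file systems may already have been mounted read/write.
$diskNumber = 2   # placeholder
$disk = Get-Disk -Number $diskNumber
if (-not $disk.IsOffline) {
    throw "Disk $diskNumber came online automatically; check the SAN policy before continuing."
}

# 3. Mark the disk read-only BEFORE bringing it online, so that recognition
#    and mount happen read-only and mount counts/timestamps are not updated.
Set-Disk -Number $diskNumber -IsReadOnly $true
Set-Disk -Number $diskNumber -IsOffline $false

# 4. Verify the resulting state before touching any volume on it.
Get-Disk -Number $diskNumber |
    Select-Object Number, FriendlyName, IsOffline, IsReadOnly, PartitionStyle
```

As the reply notes, this covers ordinary disks only; Storage Spaces must be handled separately.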