I create disk partition to store some private data. I want it to be
protected from deletion unless the delete is enabled from a trusted
application (thru a private ioctl)
In order to achieve this, I created a disk filter driver (based on the
diskperf) in which I block and IRP_MJ_WRITE in the disk sectore 0-512.
I can see any writes issued in this region failing (I tested with ‘dd’ for
windows).
However, I could still delete the partition
using the disk manager
using the diskpart
What am I missing?
Am I to block some specific ioctls?
Any suggestions will be more than welcome. Its on Windows 7 (if that
matters)
The filter drive is between PartMgr and disk class driver.
Do you want to protect it against an user or an administrator?
Why you need a partition, what’s wrong with using a file? Do you need the data pre-boot?
I would like to protect it from any user (including) unless they have
enabled deletion using the custom app.
On Wed, Mar 23, 2011 at 8:10 PM, wrote:
> Do you want to protect it against an user or an administrator? > Why you need a partition, what’s wrong with using a file? Do you need the > data pre-boot? > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
On Wed, Mar 23, 2011 at 7:55 PM, Atul Kabra wrote:
> Hi, > > I create disk partition to store some private data. I want it to be > protected from deletion unless the delete is enabled from a trusted > application (thru a private ioctl) > > In order to achieve this, I created a disk filter driver (based on the > diskperf) in which I block and IRP_MJ_WRITE in the disk sectore 0-512. > > I can see any writes issued in this region failing (I tested with ‘dd’ for > windows). > > However, I could still delete the partition > 1) using the disk manager > 2) using the diskpart > > What am I missing? > > Am I to block some specific ioctls? > > Any suggestions will be more than welcome. Its on Windows 7 (if that > matters) > > The filter drive is between PartMgr and disk class driver. > > Thanks, > A > > — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and > other seminars visit: http://www.osr.com/seminars To unsubscribe, visit > the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer
I would like to protect it from any user (including) unless they have
enabled deletion using the custom app.
You can’t possibly hope to make that fly. All I have to do is move the
disk to another computer, and your protection is gone. The best you can
do is protect against innocent accidents.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Agreed Tim. The idea here is to prevent from genuine innocent accidents
only.
On Wed, Mar 23, 2011 at 9:41 PM, Tim Roberts wrote:
> Atul Kabra wrote: > > Yes, I need the data pre-boot. > > > > I would like to protect it from any user (including) unless they have > > enabled deletion using the custom app. > > You can’t possibly hope to make that fly. All I have to do is move the > disk to another computer, and your protection is gone. The best you can > do is protect against innocent accidents. > > – > Tim Roberts, xxxxx@probo.com > Providenza & Boekelheide, Inc. > > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
Checking for these ioctls makes sense. Although at some point these ioctls
must be getting converted into read/writes. So if I put a lower disk filter,
can I protect the MBR by just blocking writes on the first sector?
On Wed, Mar 23, 2011 at 9:31 PM, amitr0 wrote:
> > I block and IRP_MJ_WRITE in the disk sectore 0-512. > > is this a primary partition, because extended partition info is not present > in MBR region which you are protecting. > > in addition, check out the IOCTLS > IOCTL_DISK_CREATE_DISK > IOCTL_DISK_GET/SET_DRIVE_GEOMETRY > IOCTL_DISK_GET/SET_DRIVE_LAYOUT > http:and > friends. > > If this is Vista and above, you will also need to check out for partition > resize. > > Actually the whole bunch of ‘usual suspects’ are here: > http://msdn.microsoft.com/en-us/library/aa363979(v=VS.85).aspx > > > Hope this helps… > > AB > > On Wed, Mar 23, 2011 at 7:55 PM, Atul Kabra wrote: > >> Hi, >> >> I create disk partition to store some private data. I want it to be >> protected from deletion unless the delete is enabled from a trusted >> application (thru a private ioctl) >> >> In order to achieve this, I created a disk filter driver (based on the >> diskperf) in which I block and IRP_MJ_WRITE in the disk sectore 0-512. >> >> I can see any writes issued in this region failing (I tested with ‘dd’ for >> windows). >> >> However, I could still delete the partition >> 1) using the disk manager >> 2) using the diskpart >> >> What am I missing? >> >> Am I to block some specific ioctls? >> >> Any suggestions will be more than welcome. Its on Windows 7 (if that >> matters) >> >> The filter drive is between PartMgr and disk class driver. >> >> Thanks, >> A >> >> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and >> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit >> the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer > > > > > – > > - amitr0 > — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and > other seminars visit: http://www.osr.com/seminars To unsubscribe, visit > the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer</http:>
To “prevent from genuine innocent accidents only” the users should not have admin rights.
If an unqualified user has administrator rights, the system can be screwed up in many different ways, and your partition is not the worst thing to lose.
To “prevent from genuine innocent accidents only” the users should not
have
admin rights.
If an unqualified user has administrator rights, the system can be
screwed up
in many different ways, and your partition is not the worst thing to
lose.
So very true. One of our clients got a laptop back yesterday from a
remote user, and it was completely back to factory defaults. The only
way to do this is to hit the F11 recovery option on boot and ignore all
the very noisy warning messages telling you what will happen if you
proceed. The user swears that they didn’t do anything like that though,
yet here we are…
On Thu, Mar 24, 2011 at 7:59 AM, Atul Kabra wrote:
> Thanks Amit. Its a primary partition. > > Checking for these ioctls makes sense. Although at some point these ioctls > must be getting converted into read/writes. So if I put a lower disk filter, > can I protect the MBR by just blocking writes on the first sector? > > > On Wed, Mar 23, 2011 at 9:31 PM, amitr0 wrote: > >> > I block and IRP_MJ_WRITE in the disk sectore 0-512. >> >> is this a primary partition, because extended partition info is not >> present in MBR region which you are protecting. >> >> in addition, check out the IOCTLS >> IOCTL_DISK_CREATE_DISK >> IOCTL_DISK_GET/SET_DRIVE_GEOMETRY >> IOCTL_DISK_GET/SET_DRIVE_LAYOUT >> http:and >> friends. >> >> If this is Vista and above, you will also need to check out for partition >> resize. >> >> Actually the whole bunch of ‘usual suspects’ are here: >> http://msdn.microsoft.com/en-us/library/aa363979(v=VS.85).aspx >> >> >> Hope this helps… >> >> AB >> >> On Wed, Mar 23, 2011 at 7:55 PM, Atul Kabra wrote: >> >>> Hi, >>> >>> I create disk partition to store some private data. I want it to be >>> protected from deletion unless the delete is enabled from a trusted >>> application (thru a private ioctl) >>> >>> In order to achieve this, I created a disk filter driver (based on the >>> diskperf) in which I block and IRP_MJ_WRITE in the disk sectore 0-512. >>> >>> I can see any writes issued in this region failing (I tested with ‘dd’ >>> for windows). >>> >>> However, I could still delete the partition >>> 1) using the disk manager >>> 2) using the diskpart >>> >>> What am I missing? >>> >>> Am I to block some specific ioctls? >>> >>> Any suggestions will be more than welcome. Its on Windows 7 (if that >>> matters) >>> >>> The filter drive is between PartMgr and disk class driver. >>> >>> Thanks, >>> A >>> >>> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and >>> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit >>> the List Server section of OSR Online at >>> http://www.osronline.com/page.cfm?name=ListServer >> >> >> >> >> – >> >> - amitr0 >> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and >> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit >> the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer > > > — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and > other seminars visit: http://www.osr.com/seminars To unsubscribe, visit > the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
So very true. One of our clients got a laptop back yesterday from a
remote user, and it was completely back to factory defaults. The only
way to do this is to hit the F11 recovery option on boot and ignore all
the very noisy warning messages telling you what will happen if you
proceed. The user swears that they didn’t do anything like that though,
yet here we are…
The “other group” in my company does outsourced IT consulting for about
120 small businesses in our area. Oh, the stories I could tell you.
Client: Bill can’t get to the network. Everyone else can get their
email, what’s the matter with Bill’s computer? You need to get someone
over here right now.
Me: OK, before I send a ticket to a tech, let’s check some things. Are
you quite sure both ends of the network cable are plugged in?
Client: Bill is a very knowledgeable network guy; I’m sure that’s
already been checked. Hang on…
(30 seconds of silence)
Client: Thank you very much.
– Tim Roberts, xxxxx@probo.com Providenza & Boekelheide, Inc.