Protect from partitioning !

NTFSD
1

Hello Everybody,

I wanna stop the user/administrator from partitioning/formatting the
drives(protected by my filter driver) via disk management or running
utilities like partition magic. I’m able to stop the format process from a
file system filter driver, which hooks with the requisite FSCTL’s and
cancels them from reaching the drive, but am not able to cater for
anti-partition.

My driver captures FSCTL’s like FSCTL_DISMOUNT_VOLUME,
FSCTL_IS_VOLUME_MOUNTED and cancels them as follows:

case IRP_MN_USER_FS_REQUEST:
{
switch (pIrpSp->Parameters.FileSystemControl.FsControlCode) {

case FSCTL_DISMOUNT_VOLUME:
{
status = STATUS_UNSUCCESSFUL;
DbgPrint(“FSCTL_DISMOUNT_VOLUME”);
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
break;
}
}
}

I’m only getting a warning message (mentioned below) when i try to delete
the protected partitions, the warning can be very easily overridden to
delete the partitions.

WARNING:
“The partition is in use. You can force the deletion of this partition by
choosing ‘yes’. Unexpected errors can come in the application using it.”

Please suggest.

Thanks in advance
Swati

2

Fail writes to absolute sector 0.

Max

----- Original Message -----
From: “swati”
To: “File Systems Developers”
Sent: Wednesday, June 11, 2003 8:13 PM
Subject: [ntfsd] Protect from partitioning !

> Hello Everybody,
>
> I wanna stop the user/administrator from partitioning/formatting the
> drives(protected by my filter driver) via disk management or running
> utilities like partition magic. I’m able to stop the format process
from a
> file system filter driver, which hooks with the requisite FSCTL’s
and
> cancels them from reaching the drive, but am not able to cater for
> anti-partition.
>
> My driver captures FSCTL’s like FSCTL_DISMOUNT_VOLUME,
> FSCTL_IS_VOLUME_MOUNTED and cancels them as follows:
>
> case IRP_MN_USER_FS_REQUEST:
> {
> switch (pIrpSp->Parameters.FileSystemControl.FsControlCode) {
>
> case FSCTL_DISMOUNT_VOLUME:
> {
> status = STATUS_UNSUCCESSFUL;
> DbgPrint(“FSCTL_DISMOUNT_VOLUME”);
> Irp->IoStatus.Status = status;
> Irp->IoStatus.Information = 0;
> IoCompleteRequest(Irp, IO_NO_INCREMENT);
> return status;
> break;
> }
> }
> }
>
> I’m only getting a warning message (mentioned below) when i try to
delete
> the protected partitions, the warning can be very easily overridden
to
> delete the partitions.
>
> WARNING:
> “The partition is in use. You can force the deletion of this
partition by
> choosing ‘yes’. Unexpected errors can come in the application using
it.”
>
> Please suggest.
>
> Thanks in advance
> Swati
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

3

You need to fail IOCTL_DISK_SET_DRIVE_LAYOUT/IOCTL_DISK_SET_DRIVE_LAYOUT_EX

Alexei.

“swati” wrote in message news:xxxxx@ntfsd…
>
> Hello Everybody,
>
> I wanna stop the user/administrator from partitioning/formatting the
> drives(protected by my filter driver) via disk management or running
> utilities like partition magic. I’m able to stop the format process from a
> file system filter driver, which hooks with the requisite FSCTL’s and
> cancels them from reaching the drive, but am not able to cater for
> anti-partition.
>
> My driver captures FSCTL’s like FSCTL_DISMOUNT_VOLUME,
> FSCTL_IS_VOLUME_MOUNTED and cancels them as follows:
>
> case IRP_MN_USER_FS_REQUEST:
> {
> switch (pIrpSp->Parameters.FileSystemControl.FsControlCode) {
>
> case FSCTL_DISMOUNT_VOLUME:
> {
> status = STATUS_UNSUCCESSFUL;
> DbgPrint(“FSCTL_DISMOUNT_VOLUME”);
> Irp->IoStatus.Status = status;
> Irp->IoStatus.Information = 0;
> IoCompleteRequest(Irp, IO_NO_INCREMENT);
> return status;
> break;
> }
> }
> }
>
> I’m only getting a warning message (mentioned below) when i try to delete
> the protected partitions, the warning can be very easily overridden to
> delete the partitions.
>
> WARNING:
> “The partition is in use. You can force the deletion of this partition by
> choosing ‘yes’. Unexpected errors can come in the application using it.”
>
> Please suggest.
>
> Thanks in advance
> Swati
>
>

4

Hello Alexei,

Thank u for replying back, i tried failing all the relevent IOCTL’s
but still am not able to protect my drive. I’m only getting various
warning messages, and i loose the protected drive ASA i cancel the
warning’s.

Is there any other alternative?

Below is the code i’m using…

case IRP_MJ_DEVICE_CONTROL:
{
DbgPrint(“Entered IoControlCode”);
switch(irpStack->Parameters.DeviceIoControl.IoControlCode){

case IOCTL_DISK_CREATE_DISK:
case IOCTL_DISK_FORMAT_TRACKS:
case IOCTL_DISK_GET_DRIVE_GEOMETRY:
case IOCTL_DISK_SET_DRIVE_LAYOUT:
case IOCTL_DISK_GET_DRIVE_LAYOUT_EX:
case IOCTL_DISK_GET_LENGTH_INFO:
case IOCTL_DISK_GET_PARTITION_INFO_EX:
case IOCTL_DISK_PERFORMANCE:
case IOCTL_DISK_REASSIGN_BLOCKS:
case IOCTL_DISK_SET_DRIVE_LAYOUT_EX:
case IOCTL_DISK_SET_PARTITION_INFO_EX:
case IOCTL_DISK_VERIFY:
case IOCTL_SERIAL_LSRMST_INSERT:
case IOCTL_STORAGE_CHECK_VERIFY:
case IOCTL_STORAGE_EJECT_MEDIA:
case IOCTL_STORAGE_GET_MEDIA_TYPES:
case IOCTL_STORAGE_LOAD_MEDIA:
case IOCTL_STORAGE_MEDIA_REMOVAL: case 5046280:
{
DbgPrint(“In Decimal Format”);
status = STATUS_SUCCESS;
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = 0;
DbgPrint(“Entered IOCTL default”);
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
break;
}
default:
DbgPrint(“The IOCTL is
%lu”,irpStack->Parameters.DeviceIoControl.IoControlCode);
}

5

Thanks Max…

How should i handle this from a file system filter driver ?

6

You can’t. You must have storage filter driver.

-htfv

----- Original Message -----
From: “swati”
To: “File Systems Developers”
Sent: Thursday, June 12, 2003 4:13 PM
Subject: [ntfsd] Re: Protect from partitioning !

> Thanks Max…
>
> How should i handle this from a file system filter driver ?
>
> —
> You are currently subscribed to ntfsd as: xxxxx@vba.com.by
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>