Booting XP(E) complete writeprotect

[Dietmar]

Hi all,

I build a new driver disk.sys from the winddk XPSP1 which makes ALL
harddrives writeprotect.
I simple add ONE line to the disk.c driver in the Sources of Winddk SP1:
In


case IOCTL_DISK_IS_WRITABLE: {


status = STATUS_MEDIA_WRITE_PROTECTED;

break;
}


This simple sets ALL devices to writeprotect and that works, because
disk.sys starts earlier than for example ntfs.sys.


So I tell you the results:

It is impossible to boot Windows XP(E) from a device, that is complete
writeprotect.

XP(E) starts booting, but then BSOD.

I tested this on a FAT32 and on a NTFS partition and also an USB device
with Fat32, always gives BSOD.

Hihi, but then I do the following: I enabled on a FAT32 partition on a USB
stick EWF.
Suddenly, with the modified disk.sys, it boots to desktop. If you disable
EWF, this is possible, but on next boot you got again BSOD.

The same works NOT with NTFS.

So it is only possible to boot from a complete
writeprotect media with Fat32.
With Fat32, you can set a mechanical write protect switch, this is similar
to my modified
disk.sys.

Nice to hear from you
Dietmar

PS: I build with the brandnew WinDDK for Vista
in the same way a new disk.sys for Vista.
The behavior of Vista is exact like that from XP.
Vista tries to build a shadow harddisk, but with
NTFS starting from a complete write protect device gives BSOD. And with
EWF on Vista, there
are always 20 Bits written to the bootsector, so you never can use a
writeprotect switch on the bootdevice of Vista with NTFS, only for Vista
on Fat32, which I tested and it works.

 

[Andy Allred [MS]]

Hi again Dietmar. Is there a question or just commenting on your
investigations?

Take care.

--
Andy

Check out the Embedded team blog: http://blogs.msdn.com/embedded/

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Dietmar]

Hi Andy,
I was asked in a newsgroup, why you cant set
a mechanical writeprotect switch, even when EWF (Ram Reg) was enabled. I
focused the problem to NTFS. 20 Bytes are written on the bootdevice, even
with EWF enabled. I test it with the normal ntldr and the EWFntldr, but
always the same result. I wonder, why EWF on NTFS shows that behavior,
because you cant protect so any bootdevice with a hardware switch. But it
is possible with Fat32, because using EWF, NOTHING was written on your EWF
protected bootdevice.
Do you have any idea, how to totally protect a bootdevice using NTFS?

Nice to hear from you
Dietmar

 

[Dietmar]

Hi all,

I have one more look what is about NTFS and writeprotected.

I build an image direct on a Buffalo USB stick, formattet with the HP
utility with NTFS, with the new Embedded USB2.0 boot component with
EWF(Ram reg)and winlogon.

They overcome here the problems with booting from a NTFS formattet stick.

And now comes that, what caligula describes. You cant boot from such a
device with the
mechanical writeprotect switch set. But the funniest thing is: Indeed
there seems to
be no modification on that stick after a successfull boot. So, the only
thing can happen is, that
NTFS reads and writes the same values at the same place in the bootsector.
So, this gives BSOD, when it is writeprotected.

The BSOD is

CONFIG_LIST_FAILED

0x00000073 (0x00000001, 0xC000017D, 0x00000001, 0xF7CD5BB8)

This BSOD belongs to, that a system HIVE cant be loaded.
The first 1 belongs to SAM, I think.

This would mean, that during the load of System Hives NTFS looks, whether
the device is writable.
And this gives the BSOD.

It also may be, that in the HIVE itself is an entry, which say, that it
stays on a writable device and NTFS tested this and fails.

Nice to hear from you
Dietmar

PS: There seems to be different versions of NTFS: On Vista, it shows those
20 different Bytes after booting from NTFS even with EWF enabled, but not
for NTFS from XP. But I think, that the NTFS from XP does
nearly exact the same, but only rewrites the readed entries with the same
values.

 

[Sean Liming \(eMVP\)]

I have seen and reported this issue with NTFS and EWF. For example, the
journal $LogFile of NTFS is not protected by EWF since it is not within the
"partition", thus XPe will write to the $LogFile and read/write access is
required. Of course, FAT doesn't have this problem. CD-ROM boot is created
with FAT.

Regards,

Sean Liming
www.sjjmicro.com / www.seanliming.com
XP Embedded Book Author - XP Embedded Advanced, XP Embedded Supplemental
Toolkit