Persistent write on EWF w/o breaking limitations

//Last Update: Mar 28, 2012

Windows Embedded Standard 2009

This workaround is about writing to an EWF-protected partition without knowing any API and without having to keep the file size the same. I created this workaround some years ago and was never sure whether to publish it (anywhere) or not. I have never read about anything like this approach.

Background:

Skip this if you like.

Many developers want to protect their embedded systems with a write filter. EWF is usually preferred because of its stability, because the system stays fault-free after a loss of power, and so on.

In my case we had some critical 3rd party software that writes critical files to a static path on the %systemdrive% partition. Providing a very secure, EWF-protected system and still writing to a protected partition seems to be an unsolvable problem if you can’t keep the file size exactly the same. (If you can keep the size and know what you’re doing, then you might take a look at option 1.)

After some brainstorming, an fsutil.exe function came to mind. Hard-linking files on another, unprotected partition should work and do the job. Changes to hard-linked files are instantly available, and it wouldn’t matter whether changes come from %systemdrive% or another location, as long as the instance is written on an unprotected partition.

Unfortunately, hard-linking files across partitions doesn’t work, but linking does. 🙂
But there is also a limitation: linkd.exe only works with folders. So if you need to store individual files in, e.g., the Windows root folder, this workaround won’t be very practical.

Workaround:

I wrote a little script which does a little more (changing attributes, setting permissions, moving files, creating folders if they don’t exist, and so on), but broken down, the only command line you need is:

linkd.exe %protectedpartition% %unprotectedpartition%
Example: linkd.exe %systemdrive%\privatfiles D:\Hiddenfolder

The %systemdrive%\privatfiles folder is accessible, but the files are physically located on D:. You can also change permissions and attributes to secure your files even more. Of course you have to avoid clearing the partition in any way, otherwise your data will be lost. I haven’t tested it in a HORM environment, only in RAM (Reg) mode on a UFD, which works like a charm.

Requirements:


Windows Embedded Standard 7/8

I’m pretty sure this workaround will also work with the Win7 codebase, but I never tested it under real conditions. With Windows Vista, Microsoft implemented more commands in the native command line. Instead of using linkd.exe you can now use mklink in cmd.exe:

mklink /j %protectedpartition% %unprotectedpartition%
Example: mklink /j %systemdrive%\privatfiles D:\Hiddenfolder

(mklink takes the link path first and the target second, the same order as linkd.exe.)
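
The steps the post lists around the link command (creating the folder, moving files, setting permissions and attributes), as an added example for the mklink variant; it is not the author's script. It uses the post's example paths and assumes an elevated prompt and that robocopy, icacls and fsutil are present in the embedded image.

```batch
@echo off
rem Added example, not the author's script. Run from an elevated prompt.
rem LINK and TARGET are the example paths from the post.
setlocal
set "LINK=%SystemDrive%\privatfiles"
set "TARGET=D:\Hiddenfolder"

rem 1. The real storage lives on the unprotected volume.
if not exist "%TARGET%\" mkdir "%TARGET%" || goto :fail

rem 2. Already a junction/reparse point? Go straight to verification.
fsutil reparsepoint query "%LINK%" >nul 2>&1 && goto :verify

rem 3. An ordinary folder must be emptied and removed first, because
rem    mklink will not create a link over an existing directory.
if exist "%LINK%\" (
    robocopy "%LINK%" "%TARGET%" /E /MOVE /R:1 /W:1 >nul
    if errorlevel 8 goto :fail
    if exist "%LINK%\" rmdir "%LINK%" || goto :fail
)

rem 4. Syntax is: mklink /J <link> <target>
mklink /J "%LINK%" "%TARGET%" || goto :fail

:verify
fsutil reparsepoint query "%LINK%" >nul 2>&1 || goto :fail

rem 5. Tighten the target: drop inherited ACEs, grant SYSTEM (S-1-5-18)
rem    and Administrators (S-1-5-32-544) full control, then hide it.
rem    Add the account the third-party software runs under if it differs.
icacls "%TARGET%" /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F *S-1-5-32-544:(OI)(CI)F >nul || goto :fail
attrib +h +s "%TARGET%"

rem 6. The junction itself is stored on the EWF-protected volume. Commit
rem    the overlay (ewfmgr %SystemDrive% -commit, then restart) or create
rem    the junction while EWF is disabled, or it is gone after a reboot.
echo OK: %LINK% -^> %TARGET%
exit /b 0

:fail
echo FAILED: junction %LINK% is not in place 1>&2
exit /b 1
```

The ACL in step 5 is deliberately narrow; if the writing software runs under a different account, it needs its own grant on the target folder.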
