System Restore Like Development

  • Question

  • I have to develop a kernel-level driver that stores user changes (new files, new software installations, etc.) in a cache (or a specified location on the disk). Upon restart of the machine, all changes are to be discarded and the original system is to be loaded. This is similar to software like Deep Freeze, Toolwiz Time Freeze, etc., whose details are given later.

    Please let me know how I can do this.

    Any help for this development will be appreciated. Thank you!

    Operation of Deep Freeze:

    Deep Freeze is a kernel-level driver that protects hard drive integrity by redirecting information being written to the hard drive or partition, leaving the original data intact. This redirected information is no longer referenced once the computer is restarted, thus restoring the system to its original state at the disk sector level. This allows users to make 'virtual' changes to the system, giving them the appearance that they can modify core files or even delete them, and even make the system unusable to themselves, but upon reboot the originally configured 'frozen' state of the operating system is restored.

    Operation of Toolwiz Time Freeze:

    The Toolwiz engine is made up of two Windows kernel drivers. One is the file system filter and another is a disk filter. The whole engine is designed to hold all the changes (both in the file system and raw disk level) and save the changes to one cache file.



    • Edited by Madhu KC Friday, December 12, 2014 7:18 AM
    Friday, December 12, 2014 7:11 AM

All replies

  • This is a very large and complex project.  I've done design quotes for clients on this sort of project and even that can be major.  You will need at a minimum a disk filter that caches all changes (probably on a scratch area of the disk).


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Doron Holan [MSFT] Friday, December 12, 2014 6:20 PM
    • Unmarked as answer by Madhu KC Monday, December 15, 2014 4:49 AM
    • Marked as answer by Madhu KC Monday, December 15, 2014 4:50 AM
    Friday, December 12, 2014 12:22 PM
  • This is one of those types of projects that fall into the class of "if you have to ask how, you don't have the skills to implement it". As Don mentioned, this is a very large and complex undertaking.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, December 12, 2014 6:12 PM
    Moderator
  • Thanks Pavel for your response.

    Can I get the source code of any such software for Windows? I didn't find any on the internet.

    Monday, December 15, 2014 4:49 AM
  • Thanks Don for your response.

    We have to develop such a project. Could I get any more inputs at any websites or blogs for this?

    Monday, December 15, 2014 4:51 AM
  • Thanks Brian for your response.

    It's very true as you said. I have to develop such a project.

    Monday, December 15, 2014 4:53 AM
  • I know of no websites that will help you on this.  As Brian stated, if you have to ask how, you are not at a level to do the work.  If your company is insisting on going forward, then use Sysinternals DiskMon to look at what is happening at the disk level to understand what you would need to capture/cache so that the disk is not actually modified.  Also study the Disk Class driver, this is the disk drive for Windows, you will need a filter (upper or lower depending on the design) that works with the disk class filter to cache the modified data on a scratch area of the disk or in memory.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Madhu KC Tuesday, December 16, 2014 8:57 AM
    • Unmarked as answer by Madhu KC Tuesday, December 16, 2014 8:57 AM
    Monday, December 15, 2014 12:15 PM
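
The redirection described in the reply above (cache the modified data on a scratch area or in memory so the disk is not actually modified), shown as an added example that is not part of the original thread. It is a simplified user-mode C model of the sector map only, not driver code and with no IRP handling; all names and sizes are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE   512
#define BASE_SECTORS  64    /* size of the protected ("frozen") volume */
#define SCRATCH_SLOTS 16    /* size of the scratch area */
#define UNMAPPED      (-1)

typedef struct {
    uint8_t base[BASE_SECTORS][SECTOR_SIZE];     /* original data, never written */
    uint8_t scratch[SCRATCH_SLOTS][SECTOR_SIZE]; /* redirected writes land here */
    int     map[BASE_SECTORS];                   /* LBA -> scratch slot, or UNMAPPED */
    int     next_free;                           /* next unused scratch slot */
} overlay_disk;

/* Models a restart: forget every redirection; base is left untouched. */
void overlay_reset(overlay_disk *d) {
    for (int i = 0; i < BASE_SECTORS; i++) d->map[i] = UNMAPPED;
    d->next_free = 0;
}

/* Write path: redirect to scratch. Returns 0, or -1 on bad LBA or full scratch. */
int overlay_write(overlay_disk *d, uint32_t lba, const uint8_t *buf) {
    if (lba >= BASE_SECTORS) return -1;
    if (d->map[lba] == UNMAPPED) {
        if (d->next_free >= SCRATCH_SLOTS) return -1; /* fail; never fall back to base */
        d->map[lba] = d->next_free++;
    }
    memcpy(d->scratch[d->map[lba]], buf, SECTOR_SIZE);
    return 0;
}

/* Read path: redirected sectors come from scratch, all others from base. */
int overlay_read(const overlay_disk *d, uint32_t lba, uint8_t *buf) {
    if (lba >= BASE_SECTORS) return -1;
    const uint8_t *src = (d->map[lba] == UNMAPPED) ? d->base[lba] : d->scratch[d->map[lba]];
    memcpy(buf, src, SECTOR_SIZE);
    return 0;
}

/* Constructed demo: 1 if a write is visible before reset and gone after it. */
int overlay_demo(void) {
    static overlay_disk d;
    uint8_t in[SECTOR_SIZE], out[SECTOR_SIZE];
    memset(d.base[5], 0xAA, SECTOR_SIZE); overlay_reset(&d);
    memset(in, 0x55, SECTOR_SIZE);
    if (overlay_write(&d, 5, in) != 0 || overlay_read(&d, 5, out) != 0) return 0;
    if (out[0] != 0x55 || d.base[5][0] != 0xAA) return 0;
    overlay_reset(&d); overlay_read(&d, 5, out);
    return out[0] == 0xAA;
}
int main(void) { return overlay_demo() ? 0 : 1; }
```

The scratch-full branch is the case to design for first: once the cache is exhausted the write has to fail or block, because letting it through to the base sectors breaks the restore guarantee.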
  • Also, take a look at how volume shadowing is implemented on Windows

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, December 15, 2014 12:49 PM
    Moderator
  • Thanks Don Burn, your inputs are very helpful!

    I'm looking for driver routines that process IRP to store data at the scratch area or memory you have mentioned.

    Any help on this is highly appreciated!

    Tuesday, December 16, 2014 9:16 AM