How does Windows locking down the drive for Fast Startup work?
Microsoft Windows has a feature where, when shutting down, it will actually go into a state of hibernation instead of fully shutting down, to boot faster in the future (though this can be disabled). This preserves the state of the kernel and system session while locking down the Windows partition to prevent editing and corruption of data. This information can be found here.
I personally have also come across this feature when dual-booting Windows and Ubuntu and trying to access my Windows files from Ubuntu.
How does this drive locking down work? For example, does it rely on the other operating system respecting the drive lockdown (like setting a lockdown bit) or does it completely prevent the other OS from modifying the data (like drive encryption, which it clearly isn't because the files can be read, but not written to)? Can the drive be unlocked by another operating system?
Solution 1:
Windows uses a "dirty" bit on the drive to notify the system whether it has been cleanly shut down.
From HAL9000 on the Raymond.cc blog: Manually Reset or Clear Dirty Bit in Windows without using CHKDSK
One mystery that has gone unsolved for the longest time now is the dirty bit on hard drive volumes. Basically a dirty bit is just a 1 hex value located somewhere hidden on the hard drive that Microsoft has never revealed until recently. Windows will check the dirty bit to determine if a volume can contain corrupted files due to hard resetting your Windows computer with files that are still opened or when you unplug a USB flash drive that is in the midst of copying a file.
It serves the same purpose under Fast Startup: as the system is hibernated, it has not been fully shut down and so is considered "dirty", as the hibernated system may have files open or data ready to write.
Linux, or at least some version of it, can respect the dirty flag and refuse to open the disk as read-write, reverting to read-only.
Failure to respect the flag will cause Windows to believe that the disk may have been corrupted as other contents of the disk may not agree with the operating system stored data.
Also, from FOG Wiki:Windows Dirty Bit
The Windows "dirty bit" is set ON when:
- There are pending Windows updates
- There is a pending restart
- Fast Startup is enabled
- Windows is hibernated
- Windows is improperly shut down
- There is a chkdsk scheduled
- Data corruption is detected
...
Windows 8.0, 8.1, and 10 (and most likely future Windows versions) have a feature called "Fast Startup". This feature basically sets Windows so that a hibernation occurs whenever the system is shutting down. This enables Windows to start up much faster than in past Windows versions. Because this feature is on by default, the Windows OS partition has a hibernation file which prevents mounting and imaging via FOG, and also marks the OS partition's "Dirty Bit" to ON. Even when hibernation and fast startup are disabled, the hibernation file remains and the "Dirty Bit" remains ON and these things cause problems. There are a few ways to fix/get around this.
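As an added illustration (not part of the answer or the sources it quotes): on NTFS the dirty flag is bit 0 of the flags word in the $VOLUME_INFORMATION attribute of the $Volume file (MFT record 3), so any OS that can read the volume can read it, and honoring it is left to that OS's driver. The Python below reads the flag from a raw volume image without writing to it; the function names and the sample image are constructed for this example.

```python
import struct

VOLUME_INFORMATION = 0x70  # attribute type that stores the volume flags
VOLUME_IS_DIRTY = 0x0001   # bit 0 of the 16-bit flags word

def mft_record(img, index):  # hypothetical helper: fetch one MFT record
    if img[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", img, 0x0B)    # bytes/sector, sectors/cluster
    mft_lcn, n = struct.unpack_from("<Q8xb", img, 0x30)
    size = 1 << -n if n < 0 else n * bps * spc         # negative n means 2**|n| bytes
    start = mft_lcn * bps * spc + index * size
    rec = bytearray(img[start:start + size])
    if rec[:4] != b"FILE":
        raise ValueError("bad MFT record signature")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    # Undo the update-sequence fixups stamped at the end of each 512-byte block.
    for i in range(1, usa_cnt):
        end = i * 512
        if rec[end - 2:end] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch, record is torn")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def ntfs_is_dirty(img):  # $Volume is MFT record 3
    rec = mft_record(img, 3)
    off, = struct.unpack_from("<H", rec, 0x14)         # offset of first attribute
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == VOLUME_INFORMATION:
            c_off, = struct.unpack_from("<H", rec, off + 0x14)
            flags, = struct.unpack_from("<H", rec, off + c_off + 10)
            return bool(flags & VOLUME_IS_DIRTY)
        off += alen
    raise ValueError("$VOLUME_INFORMATION not found")

def make_sample(flags):
    # Constructed image: boot sector in cluster 0, 1 KiB MFT records from cluster 1.
    boot, rec = bytearray(1024), bytearray(1024)
    struct.pack_into("<8sHB", boot, 3, b"NTFS    ", 512, 2)
    struct.pack_into("<Q8xb", boot, 0x30, 1, -10)        # MFT LCN 1, 2**10-byte records
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)  # update sequence array at 0x30
    struct.pack_into("<H", rec, 0x14, 0x38)              # first attribute offset
    struct.pack_into("<IIB7xIH", rec, 0x38, 0x70, 0x28, 0, 12, 0x18)  # resident header
    struct.pack_into("<BBH4xI", rec, 0x58, 3, 1, flags, 0xFFFFFFFF)   # version, flags, end
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"      # USN 1 stamped
    return bytes(boot) + bytes(3 * 1024) + bytes(rec)
```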