How does Windows locking down the drive for Fast Startup work?

windows-10 boot windows win10-fast-startup

Microsoft Windows has a feature where, when shutting down, it will actually go into a state of hibernation instead of fully shutting down, to boot faster in the future (though this can be disabled). This preserves the state of the kernel and system session while locking down the Windows partition to prevent editing and corruption of data. This information can be found here.

I personally have also come across this feature when dual-booting Windows and Ubuntu and trying to access my Windows files from Ubuntu.

How does this drive locking down work? For example, does it rely on the other operating system respecting the drive lockdown (like setting a lockdown bit) or does it completely prevent the other OS from modifying the data (like drive encryption, which it clearly isn't because the files can be read, but not written to). Can the drive be unlocked by another operating system?


Solution 1:

Windows uses a "dirty" bit on the drive to notify the system whether it has been cleanly shutdown.

From HAL9000 on the Raymond.cc blog: Manually Reset or Clear Dirty Bit in Windows without using CHKDSK

One mystery that has gone unsolved for the longest time now is the dirty bit on hard drive volumes. Basically a dirty bit is just a 1 hex value located somewhere hidden on the hard drive that Microsoft has never reveal until recently. Windows will check the dirty bit to determine if a volume can contain corrupted files due to hard resetting your Windows computer with files that are still opened or when you unplug a USB flash drive that is in the midst of copying a file.

It serves the same purpose under Fast Startup, as the system is hibernated it has not been fully shutdown and so is considered "dirty" as the hibernated system may have files open or data ready to write.

Linux, or at least some version of it, can respect the dirty flag and refuse to open the disk as read-write, reverting to read-only.

Failure to respect the flag will cause Windows to believe that the disk may have been corrupted as other contents of the disk may not agree with the operating system stored data.

Also, from FOG Wiki:Windows Dirty Bit

The Windows "dirty bit" is set ON when:

  • There are pending Windows updates
  • There is a pending restart
  • Fast Startup is enabled
  • Windows is hibernated
  • Windows is improperly shutdown
  • There is a chkdsk scheduled
  • Data corruption is detected

...

Windows 8.0, 8.1, and 10 (and most likely future Windows versions) have a feature called "Fast Startup". This feature basically sets windows so that a hibernation occurs whenever the system is shutting down. This enables Windows to startup much faster than in past Windows versions. Because this feature is on by default, the windows OS partition has a hibernation file which prevents mounting and imaging via FOG, and also marks the OS partition's "Dirty Bit" to ON. Even when hibernation and fast startup is disabled, the hibernation file remains and the "Dirty Bit" remains ON and these things causes problems. There are a few ways to fix/get around this.

Related

"Operation can't be completed because item with name already exists" error with Paragon NTFS
macOS Sierra GDB not codesigned
Terminal escape character for hexadecimal input
List apps with access to your Apple ID
Some PDF bills are printed out with empty squares replacing the text
Empty the contents of Trash for only a single volume
Windows 10 runs extremely slowly in Parallels 10
Why does Access report it can't receive a command to its program?
Sync Google Contact Groups with Apple iOS Contact Groups
Can I import sheet music to play on a PC?
How can I change Finder's "Name" column width in "List" view in El Capitan?
Simulink is to Matlab as _______ is to Mathematica?