XPe and local storage devices

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello

I need to set an XPe target that will be bootable off IDE CD-ROM drives.
Of course, the instances of XPe built from that target will not be writable.

I know how to build these targets, no problem.

However, I want that, when these XPe run, they will not see any locally
attached IDE/SATA disk drive, but at the same time, they will let the user
connect a USB drive and read/write data off that USB drive.

So far I was not able to do so:
if I disable the "disk" driver in my XPe instance, the USB drive cannot be
mounted.
If I enable the "disk" driver, then the locally attached IDE drives are
mounted when the user boots the computer off the XPe CD-ROM.
I played with CriticalDevicesDatabase\gendisk entry, but it is not enough :
sometimes, when this key is present, I get a message stating that Windows
must be rebooted in order for the device to be accessible, but in fact, even
without a reboot, the device IS sometimes accessible.

Obviously, I cannot disable "atapi" driver, otherwise I cannot boot off IDE
CD-ROM drives.

And what's worse, I need to be able to "disable" locally attached IDE drives
that I do not know in advance.

I thought about "tuning" some .inf files, but it may be quite long and
painful, so I wondered if someone had a simpler method.

Thank you in advance

- P. Tarhn
 
Tarhn,

I wouldn't mess with disk driver just to disable local IDE drives.

In case you are using Explorer shell, there is a Group Policy exists that allows you to hide particular drives in the system for
specified user accounts. Take a look at the NoDrives registry entry under Policies\Explorer subkey.
Here is where you can get more info about the policy setup: http://www.pctools.com/guides/registry/detail/148.

If you happened to implement and use a custom shell, then it is even easier. You have the control on what drives and how to expose
to end users through GUI.
 
KM said:
Actually, preventing access to the contents of selected drives may work even better for you: NoViewOnDrive.
http://www.pctools.com/guides/registry/detail/1157.
Click to expand...
Thanks KM

I did not mention that I already made some tests with the Nodrive registry
key:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusability/w2kapsp4.mspx
==========
Policy Setting
Hide these specified drives in My Computer
Description
When enabled, this policy removes the icons representing the selected disk
drives from My Computer, Windows Explorer, and My Network Places and from
Common Dialogs.
Application
Action
Your application must hide any drives that are hidden by the system when
this policy is enabled. This includes any buttons, menu options, icons, or
any other visual representation of drives in your application. This does not
preclude the user from accessing drives by manually entering drive letters in
dialogs.
Registry Information
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: NoDrives
=========

But this was not enough. User could get access to the drives using dos
prompt for instance, or dialogs.

I'll try the NoViewOnDrive ASAP but I guess it will not do the trick either:
I have no clues about which drive letter to hide and which ones to allow.

The system (which is a recovery/emergency-work/think-client-like system) is
supposed to run on various PCs and some of them will have only one local
partition when some other will have more than 4, and I just cannot know the
number of local partitions in a PC that will run my XPe.

And even more, I need to set the system so that USB-drives drive letters be
not hidden, for the users need to be able to access their own USB-Drive
anytime, and I can't know in advance on which drive letter this USB drive
will be mounted.

I think I really need to be able to enable a class of storage device and
disable another.

Any help appreciated

- P. Tarhn
 
Tarhn,

Well, I think you got yourself in a tough position. You do want to use Explorer shell (full blown Desktop PC like shell) and the
same time you want to have an embedded device with lots of lockdown policies applied. Moreover, your embedded image is going to be
running on devices with different hardware configuration. Just too many variables, while the lock down feature in general typically
works the best on one type of devices.

What I mean is that if you are thinking about how end user can bypass the policies you've set in the image, please also think about
scenario where end user can easily install disk drivers (just copy or use those drivers from a USB mass storage device) and get
access to the local drives regardless of if you removed the right driver or not. (Note: if you install a disk level driver you don't
have to reboot to be able to start it).

Anyway, I still want to give out a few hints that might appear to be useful to you while you are on the lock-down adventure:
- Apply both "Hide drives" and "Prevent access to drives" policies. They work together much better then each of them separately.
Basically those will lock the explorer window from being able to browse to specified drives.

- Set another policy to prevent end user from being able to open and use CMD window. The appropriate registry settings is as
follows:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp],"Disabled"=dword:1
(and the same under HKCU reg.branch)

- If you use NTFS in that system, you can always set NTFS permissions on system files and folders and drives to prevent the
access (browsing, writing, etc.). This setup may require some manual steps but in general can be automated with utilities like
xcacls.exe. E.g., during FBA or at cloning you assume there are only local hard disks on the target device - you create new NTFS
permission settings on those drives to prevent non-admin users access.

- You may also want to disable access to regedit on the image. Otherwise, end user can easy reset the policy settings:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System],"DisableRegistryTools"=dword:1

- You can always create a disk filter driver that will climb through PnP tree of the disk device it is attached to and it allow
browse access to the disk if it is USB based device (e.g., USBHUB driver is in the sequence or etc.). Or, even simpler, just allow
browsing only for removable media.

There is also a bunch of 3rd party applications that can help you to lock down OS to whatever state you may need. Not freeware
usually, though.
 
Back
Top