
The rules of "basic hygiene"


Protect your data using standard Windows tools


Tuesday, November 14, 2017

We’ve already discussed Windows’ shadow copy feature on more than one occasion. It’s used to roll back all system changes to the moment a snapshot was made. This option is often used in training courses and is recommended as a way of protecting against malware.

Important! Using shadow copies to protect data against malware only makes sense if users don't have administrator privileges and if at least a confirmation prompt is displayed whenever they try to access features requiring those privileges. Otherwise, malware can destroy shadow copies.

In addition to shadow copies, Windows 8 and 10 make use of UWF (Unified Write Filter). This feature can be used to make sure that changes to specified directories and files on hard drives are only committed to their copies in memory, while the actual files on the disks remain unchanged. After a system restart, the protected volume always returns to the state it was in before UWF was enabled; no changes are saved.

In effect, shadow copies provide users with data backups. If they are used, all changes made to files are saved on disks, and the shadow copies can be used to roll back the files to their original state. UWF technology is quite different: it can be used to prevent changes from being made to data on disks. All the changes are applied to their copies in the memory and are never saved to the disks. UWF can be used to protect data that is not supposed to be changed.

Important! Unfortunately, this technology is only available in Windows 10 Enterprise (including LTSB) and Windows 10 Education.

By default, UWF is disabled. To toggle it on, go to Control Panel → Programs and Features → Turn Windows Features On or Off → Device Lockdown → Unified Write Filter.


Once the component is enabled, you can control it using the utility uwfmgr.exe. To do that, open the command prompt with administrative permissions. To launch the console, enter Command Prompt in the search bar, right-click, and in the drop-down menu select “Run as administrator”.


Once UWF is installed, enable it by running the command uwfmgr.exe filter enable. After that a system restart is required.

Important! When UWF is first enabled, such features as SuperFetch, paging files, system restore, file indexing and defragmentation services are disabled.


To protect a volume from modifications, run the command uwfmgr.exe volume protect c: and restart your computer. In our example, "c" is the letter of the drive whose files and folders will be protected from modification.

Certain files, folders and registry branches can be added to the UWF exceptions list. Changes to these objects will be applied to the disk instead of being committed to the overlay. Certain files and directories can't be added to the exceptions list. They include:

  • Registry files in \Windows\System32\config\;
  • Volume root;
  • \Windows, \Windows\System32, \Windows\System32\Drivers.

To add a specific file or folder to the exceptions list, run the following command:

Uwfmgr.exe file add-exclusion c:\student

Exclude a registry key from being filtered by UWF:

Uwfmgr.exe registry add-exclusion "HKLM\Software\MyRegKey"

A system restart is required to apply the changes.
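
The steps above can be applied from one elevated PowerShell session. The script below is an added example, not part of the original article: the optional-feature name Client-UnifiedWriteFilter and the helper functions Test-UwfFileExclusion and Invoke-Uwfmgr are assumptions introduced here, and the volume, folder and registry key are the article's sample values. It checks each file exclusion against the non-excludable locations listed above before calling uwfmgr.exe.

```powershell
# Added example, not from the article. Assumed: the sample values below and the
# optional-feature name Client-UnifiedWriteFilter. Run from an elevated prompt.
$Volume         = 'C:'
$FileExclusions = @('C:\student')              # folder used in the article
$RegExclusions  = @('HKLM\Software\MyRegKey')  # key used in the article
$Feature        = 'Client-UnifiedWriteFilter'

function Test-UwfFileExclusion {
    # $false for paths the article lists as not excludable on the protected volume.
    param([string]$Path, [string]$Volume)
    $p = $Path.TrimEnd('\').ToLowerInvariant()
    $v = $Volume.TrimEnd('\').ToLowerInvariant()
    $blocked = @($v, "$v\windows", "$v\windows\system32", "$v\windows\system32\drivers")
    if ($blocked -contains $p) { return $false }
    # Registry hive files live here; reject the folder and everything under it.
    $hives = "$v\windows\system32\config"
    return -not ($p -eq $hives -or $p.StartsWith($hives + '\'))
}

function Invoke-Uwfmgr {
    # Run uwfmgr.exe with the given arguments and stop on a non-zero exit code.
    & uwfmgr.exe @args
    if ($LASTEXITCODE -ne 0) { throw "uwfmgr.exe $args failed ($LASTEXITCODE)" }
}

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'uwfmgr.exe needs an elevated session.'
}

if ((Get-WindowsOptionalFeature -Online -FeatureName $Feature).State -ne 'Enabled') {
    $r = Enable-WindowsOptionalFeature -Online -FeatureName $Feature -All -NoRestart
    if ($r.RestartNeeded) { Write-Warning 'Feature installed; restart and rerun.'; return }
}

Invoke-Uwfmgr 'filter' 'enable'
Invoke-Uwfmgr 'volume' 'protect' $Volume
foreach ($f in $FileExclusions) {
    if (Test-UwfFileExclusion -Path $f -Volume $Volume) {
        Invoke-Uwfmgr 'file' 'add-exclusion' $f
    } else {
        Write-Warning "Skipped ${f}: not excludable according to the article."
    }
}
foreach ($k in $RegExclusions) { Invoke-Uwfmgr 'registry' 'add-exclusion' $k }

Invoke-Uwfmgr 'get-config'   # review the settings that take effect next session
Write-Host 'Restart the computer to apply the changes.'
```

Every exclusion is a location where changes persist across restarts, so keep the lists as short as possible.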

To install updates on a system protected by UWF, switch it to servicing mode:

Uwfmgr.exe servicing enable

The system will boot up under the local account UWF-Servicing and you will be able to apply the necessary updates. After that the PC will be restarted automatically with UWF enabled.

You can find out more about UWF here.


The Anti-virus Times recommends

The Unified Write Filter is a handy way to protect data from unauthorized modification. However, it doesn't guarantee 100% security: criminals can steal your data, intercept passwords, etc.—after all, UWF prevents data from being written onto a disk but won't stop malicious scripts on webpages.
