
As the title implies, I want to know if I can load or unload a diskdrive filter driver without restarting the machine and have the change take effect immediately.

I'm doing this in a WinPE environment and need to remain in WinPE.


Historical

I've baked the Symantec Encryption Desktop (aka PGP) PGPWDE drivers into our MDT/SCCM boot media so that our techs can easily manage encrypted drives (add/remove users, password recovery, data recovery etc.).
However the PGPWDE drivers have some built-in feature that prevents one from wiping out the MBR/sector 0. This creates a problem when re-imaging an encrypted machine:

  • diskpart clean will not wipe the MBR
  • bootrec /fixmbr or /fixboot won't re-write the MBR
  • third party utilities like dskprobe and mbrwiz won't work either
  • All of the above execute successfully, meaning they say "completed successfully" or the equivalent; errorlevel/lastexitcode is 0

So my thinking is, if I can unload the driver, then that will remove this 'protection' so I can successfully wipe the MBR and proceed with imaging.

In WinPE,

  • I don't see any relevant (e.g.: no references to pgp, wde etc.) filter drivers loaded in fltmc
  • I don't see anything relevant (e.g.: no references to pgp, wde etc.) when running devcon status, driverfiles, dp_enum, resources, find, findall
  • There are several device setup classes that have both name and description of "?"
  • The System process loads only one file: pgpwded.sys (checked via procexp)

Here's what [little] I think I know about the driver/'device':

  • In Device Manager (on a Windows machine with the software installed), after showing hidden items, I can see it under Non-Plug and Play Drivers
    • Two services: PGPdisk and PGPsdkDriver
    • The Device class and Device Class GUID for both is LegacyDriver and {8ECC055D-047F-11D1-A537-0000F8753ED1} respectively
  • devcon stack * shows:
    • setup class is of course DiskDrive class (in GUID form)
    • upper class filters include partmgr and pgpwded
  • devcon driverfiles * shows the installed INF files and device driver files as being %WINDIR%\inf\disk.inf [disk_install] and %WINDIR%\system32\drivers\disk.sys respectively
  • when checking the DiskDrive GUID in the registry, the UpperFilters confirm PartMgr & pgpwded entries.
  • I found the service in HKLM\System\ControlSet001\Services\PGPwded
    • ErrorControl: 1
    • Group: Filter
    • Start: 0
    • Type: 1
  • Trying to stop the service ("PGPwded Storage Filter Service") fails with "the requested pause, continue or stop is not valid for this service"
  • although devcon classfilter diskdrive upper !pgpwded succeeds, it doesn't actively unload it from memory until it's rebooted (which we can't do)
  • Lastly, these are the files generally associated with the PGP:
    • %WINDIR%\System32\pgpcl.dll
    • %WINDIR%\System32\pgpiconv.dll
    • %WINDIR%\System32\pgpsdk.dll
    • %WINDIR%\System32\pgpsdknl.dll
    • %WINDIR%\System32\pgpsdkui.dll
    • %WINDIR%\System32\pgpwd.dll
    • %WINDIR%\System32\pgpwdesdk.dll
    • %WINDIR%\System32\drivers\pgpsdk.sys
    • %WINDIR%\System32\drivers\pgpwded.sys

Would changing the 'Start' type constant from 0 (which represents a part of the driver stack for the boot volume and must therefore be loaded by the Boot Loader) to either:

  • 2 = Loaded or started automatically for all startups, regardless of service type; OR
  • 3 = Available, regardless of type, but will not be started until manually started

I think I've taken this as far as I can on my own, and while I'm dreading the worst, reaching out to the community for suggestions.

music2myear
JuliusPIV

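The registry-level checks the question walks through (the DiskDrive class UpperFilters list, the PGPwded service key, and the fact that devcon classfilter only changes what is registered for the next boot) can be done in one pass from PowerShell inside WinPE. The script below is an added example; it is not part of the original question and not part of Symantec's tooling. It assumes a WinPE image built with the WinPE-PowerShell optional component (which depends on WinPE-WMI) and uses the well-known DiskDrive setup class GUID {4D36E967-E325-11CE-BFC1-08002BE10318}, which the post refers to only as "the DiskDrive GUID". The -FilterName and -Remove parameters are this example's own.

```powershell
# Added example, not from the original post. Reports how a disk class filter
# (default: pgpwded) is registered in the LIVE registry of the running WinPE
# image, whether its service is boot-start, and whether the kernel currently
# reports it as started. With -Remove it deregisters the filter for the NEXT
# boot; nothing here unloads a boot-start driver from the running kernel.
# Assumptions: WinPE with WinPE-PowerShell (+ WinPE-WMI); run as Administrator.
param(
    [string]$FilterName = 'pgpwded',
    [switch]$Remove
)

# Well-known DiskDrive setup class GUID (a Windows constant, not in the post).
$diskClassGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
$classKey      = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$diskClassGuid"
$serviceKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$FilterName"

# 1. Class filter stack. UpperFilters is a REG_MULTI_SZ; expect partmgr here.
$upper = @((Get-ItemProperty -Path $classKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters)
"UpperFilters on DiskDrive: $($upper -join ', ')"
$present = $upper -contains $FilterName
if (-not $present) { "$FilterName is not registered as an upper class filter on DiskDrive." }

# 2. Service configuration. Start=0 is boot-start: the loader maps the image
#    before the service control manager exists, which is also why fltmc
#    (file system filters only) and devcon's device-level queries do not list it.
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    "Service {0}: Type={1} Start={2} Group={3} ImagePath={4}" -f `
        $FilterName, $svc.Type, $svc.Start, $svc.Group, $svc.ImagePath
} else {
    "No service key at $serviceKey."
}

# 3. Is the driver running in the kernel right now? (WMI, hence WinPE-WMI.)
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$FilterName'" -ErrorAction SilentlyContinue
if ($drv) { "Kernel view: Started=$($drv.Started) State=$($drv.State) Path=$($drv.PathName)" }
else      { "Win32_SystemDriver has no entry for $FilterName." }

# 4. Optional: the same registry change 'devcon classfilter diskdrive upper
#    !<name>' makes, plus marking the service Disabled (Start=4). This only
#    affects the next load of the image; the driver stays resident until reboot.
if ($Remove -and $present) {
    $newUpper = @($upper | Where-Object { $_ -ne $FilterName })
    if ($newUpper.Count -gt 0) {
        Set-ItemProperty -Path $classKey -Name UpperFilters -Value $newUpper -Type MultiString
    } else {
        Remove-ItemProperty -Path $classKey -Name UpperFilters
    }
    if (Test-Path $serviceKey) {
        Set-ItemProperty -Path $serviceKey -Name Start -Value 4 -Type DWord
    }
    "Deregistered $FilterName (UpperFilters now: $($newUpper -join ', ')); Start=4. Effective at next boot only."
}
```

Run it without -Remove first to see the current state. Two caveats a practitioner will want: the live WinPE registry sits on the RAM disk, so anything -Remove changes is gone the next time the media boots, and taking the filter out for good means mounting boot.wim with DISM and editing it offline (or rebuilding the media without the PGPWDE drivers). And, as the post observes, a Start=0 driver in the Filter group that answers a stop request with "the requested pause, continue or stop is not valid for this service" is telling you it does not accept a stop control at all, so changing its Start value while it is resident does nothing to the running instance.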