My Road to Digital Forensics Excellence

Windows SteadyState

Posted by Paul Bobby on November 6, 2008

This awesome piece of software is designed to simplify managing shared computers. A shared computer, such as one in a library or a university lab, can end up in any number of states after a day of use. Why not keep it in the one state the IT department knows about? Hence Windows SteadyState.

I’m interested in SteadyState for two reasons – forensic evidence present in the SteadyState Cache file, and using SteadyState as a malware testing option.

A key feature of SteadyState is Windows Disk Protection. Rather than modifying the system volume in place, the operating system writes new changes to, and reads them back from, a large fixed-size file called cache.wdp. I have found no documentation on the structure of this cache file, and requests on the MSDN forums yielded no information. If you are logged in as an Administrator, you are given the option, on Shutdown/Restart, to either commit or discard the changes. During the next bootup the changes are either discarded or made permanent, and in both cases the cache.wdp file is then rewritten.

The key point for forensics is that even after a graceful shutdown in which the Admin chose “discard changes”, the changes are still present in the cache for as long as the computer is not booted up again. (In Windows Vista, the commit/discard processing and the cache.wdp operations take effect before the log on screen is presented.) The standard system monitoring tools don’t help here (or at least I haven’t found one that does): the cache.wdp file never appears to be written to, at least from the perspective of tools like filemon.exe and procmon.exe, so reverse engineering this is going to be a challenge.

I configured Process Monitor for Bootup Logging and clicked “Save changes” at shutdown so that the setting would survive the reboot. The boot log showed:

  • VCFCHK.exe creates c:\cache.wdp
  • VCFCHK.exe reads 512bytes, then another 512bytes, then another 512bytes
  • c:\cache.wdp is closed

VCFCHK.exe lives in \Program Files\Windows SteadyState and, if you try to launch it from a logged-on session, Windows reports that it “cannot be run in Win32 mode”. That is the message Windows gives for a native-subsystem executable (the same kind of image as autochk.exe), which smss.exe runs early in boot before the Win32 subsystem is up. This fits its appearance in the boot log and explains why it never shows up during a normal session.
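A quick way to confirm the “cannot be run in Win32 mode” diagnosis is to read the Subsystem field of the PE optional header: native-subsystem images carry the value 1 (IMAGE_SUBSYSTEM_NATIVE), while ordinary console and GUI programs carry 3 and 2. The following checker is an added example written for this post, not code from the original or from Microsoft; the header offsets follow the PE/COFF specification, and the sample image it builds is a constructed, non-runnable header standing in for VCFCHK.exe (point it at the real file with a path argument on a SteadyState machine).

```python
"""Report a PE file's Subsystem (added example; the sample image is constructed)."""
import struct
import sys

# Values from the PE/COFF specification's IMAGE_SUBSYSTEM_* list
SUBSYSTEMS = {
    0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
    9: "WINDOWS_CE_GUI", 10: "EFI_APPLICATION", 16: "WINDOWS_BOOT_APPLICATION",
}


def pe_subsystem(data: bytes) -> tuple:
    """Return (subsystem name, raw value) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                         # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unexpected optional header magic %#x" % magic)
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return SUBSYSTEMS.get(subsystem, "UNKNOWN(%d)" % subsystem), subsystem


def build_sample_pe(subsystem: int) -> bytes:
    """Construct a minimal PE32 header (not loadable) with the given Subsystem value."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)            # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)            # SizeOfOptionalHeader (PE32)
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<H", img, opt + 68, subsystem)
    return bytes(img)


if __name__ == "__main__":
    # Usage: python pe_subsystem.py "C:\Program Files\Windows SteadyState\VCFCHK.exe"
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_pe(1)   # constructed native-subsystem sample
    print("subsystem:", pe_subsystem(image))
```

A result of `("NATIVE", 1)` means the loader will refuse the image from a user session, exactly as observed; anything else means the error message has a different cause.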

Looks like the cache.wdp file is created during each bootup.
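Since the boot log shows VCFCHK.exe reading three 512-byte blocks from cache.wdp, a natural first experiment is to snapshot those sectors before and after a boot and see which bytes move. The script below is an added example written for this post, not code from the original or from SteadyState: it hashes each sector, lists the sectors and byte offsets that changed between two captures, and hexdumps them. The two byte strings it ships with are constructed test data, not real cache.wdp content; `snapshot()` is what you would run on a live machine against the `c:\cache.wdp` path named above.

```python
"""Sector-level diff of the head of cache.wdp across boots (added example;
the BOOT1/BOOT2 images below are constructed test data)."""
import hashlib

SECTOR = 512


def sector_hashes(data: bytes, count: int) -> list:
    """SHA-256 of each of the first `count` sectors (a short final sector is hashed as-is)."""
    return [hashlib.sha256(data[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(count)]


def changed_sectors(before: bytes, after: bytes, count: int = 3) -> list:
    """Indices of sectors whose content differs between two captures."""
    a, b = sector_hashes(before, count), sector_hashes(after, count)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def diff_offsets(before: bytes, after: bytes, sector: int) -> list:
    """Absolute file offsets within one sector whose bytes differ."""
    base = sector * SECTOR
    sa, sb = before[base:base + SECTOR], after[base:base + SECTOR]
    return [base + i for i, (x, y) in enumerate(zip(sa, sb)) if x != y]


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, offsets relative to `base`."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s %s" % (base + off, width * 3, hexpart, asc))
    return "\n".join(lines)


def snapshot(path: str, count: int = 3) -> bytes:
    """Read the first `count` sectors of a live file, e.g. the c:\\cache.wdp path from the post."""
    with open(path, "rb") as f:
        return f.read(count * SECTOR)


# Constructed samples: three sectors, identical except for a 4-byte
# little-endian counter at offset 16 of sector 1 (0x05 -> 0x06).
BOOT1 = (b"WDP\0" + b"\x01\x00\x00\x00" + bytes(SECTOR - 8)
         + bytes(16) + b"\x05\x00\x00\x00" + bytes(SECTOR - 20)
         + bytes(SECTOR))
_b2 = bytearray(BOOT1)
_b2[SECTOR + 16:SECTOR + 20] = b"\x06\x00\x00\x00"
BOOT2 = bytes(_b2)


if __name__ == "__main__":
    # On a SteadyState box: save snapshot(r"c:\cache.wdp") before and after a
    # reboot and pass the two captures here instead of BOOT1/BOOT2.
    for s in changed_sectors(BOOT1, BOOT2):
        offs = diff_offsets(BOOT1, BOOT2, s)
        print("sector %d changed at offsets %s" % (s, [hex(o) for o in offs]))
        print(hexdump(BOOT2[s * SECTOR:(s + 1) * SECTOR], base=s * SECTOR))
```

Capturing the sectors with the disk offline (or from a forensic image) sidesteps the problem noted above that Disk Protection hides its own writes from filter-level monitors: you are comparing what is actually on the platter across the boot, not what the running system reports.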

I will be conducting a series of tests and documenting them here on this blog.

