
WDE Hot fix verification tool for 10.1.2 SP1 HF1

Created: 13 Apr 2011 • Updated: 15 Apr 2013 | 5 comments
Glen Dayton

 

Introduction to Walnut and EnableReadProtection

What is Walnut?

Walnut is a Windows executable tool that allows a PGP WDE user to easily get the start sector of the PGPWDE01 file, or any file on the boot disk, and compare it with the MBR sector pointer. Walnut can also be used to validate that the MBR sector pointer matches the start sector of PGPWDE01 in the MFT (Master File Table). Walnut will be used to validate the level of protection that the WDE software is providing.

How to Use Walnut

To view the start sector of PGPWDE01, copy the walnut executable to the root of the C: drive, open a command prompt and type the following command:

C:\>walnut c:\pgpwde01

Doing this should return output similar to this:

File Start Sector: 2115584

MBR Sector Pointer: 2115584

To change the MFT sector pointer for PGPWDE01 you can use xcopy:

C:\>xcopy /Y /V /H /R c:\<invalid file> c:\pgpwde01

If you run walnut again after xcopy you should see that PGPWDE01 and the MBR sector pointer now return different values. For example:

File Start Sector: 3168

MBR Sector Pointer: 2115584

The MBR still points to a valid section of disk containing PGPWDE01, but there is no longer a File Record in the MFT for those clusters; the MFT is no longer in sync with the MBR pointer.

To remedy this you can run the following:

C:\>"Program Files\PGP Corporation\PGP Desktop\pgpwde" --sync-bgfs

On a system that has a more current version of the PGP WDE driver, you should not be able to change the MFT sector pointer due to our security enhancements.

What is EnableReadProtection?

EnableReadProtection is a registry key available in PGP Desktop 10.1.2 SP1 HF1 that, when present in the registry, prevents any application from reading the PGP Bootguard File System (BGFS), including the PGPWDE01 file.

To enable read protection of the BGFS, create the following key in the Windows Registry and reboot the system:

HKLM\SYSTEM\CurrentControlSet\services\PGPwded\EnableReadProtection

To demonstrate that read protection of BGFS is in fact enabled, you can use the Windows Support Tool “dskprobe” to try to read the start sector for the PGPWDE01 file returned by Walnut. If the EnableReadProtection key is in the registry, dskprobe should not allow reading any part of PGPWDE01 and will close unexpectedly.

To disable read protection of BGFS, simply remove the EnableReadProtection key from the registry and reboot.

Dskprobe.exe can be downloaded from Microsoft at the following location: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38

To install dskprobe.exe, run this installer in Windows XP SP3 compatibility mode, and select “Custom Install” and then “Optional Tools”.

Run dskprobe.exe, select “Physical Drive” from the “Drives” menu, then double-click “Physical Drive 0” and click on “Set Active.”

Now, from the “Sectors” menu, select “Read” and provide the sector number returned by walnut.exe under the “MBR Sector Pointer” heading.

The following two screenshots demonstrate the behavior of dskprobe with read protection enabled and disabled, respectively.

[Screenshot, read protection enabled: disk error 2 -- error reading sectors]
https://www-secure.symantec.com/connect/sites/default/files/dskprobe err2_0.png

[Screenshot, read protection disabled: disk probe -- no error]
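
The two checks described above (Walnut's sector comparison and the presence of EnableReadProtection) can be scripted for repeat verification. The PowerShell below is an added example, not part of the original article or of Symantec's tooling; it assumes walnut.exe is in C:\ and prints the two lines shown earlier, and its function names are hypothetical.

```powershell
# Added example (not Symantec code). Assumes walnut.exe prints the two
# "label: number" lines shown in the article; function names are hypothetical.
function Get-WalnutSectors {
    param([string[]]$Lines)
    $found = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(File Start Sector|MBR Sector Pointer)\s*:\s*(\d+)\s*$') {
            $found[$Matches[1]] = [uint64]$Matches[2]
        }
    }
    return $found
}

function Test-BgfsSync {
    param([string[]]$WalnutOutput)
    $s = Get-WalnutSectors -Lines $WalnutOutput
    if (-not ($s.ContainsKey('File Start Sector') -and $s.ContainsKey('MBR Sector Pointer'))) {
        return 'UNKNOWN'        # walnut failed or printed something unexpected
    }
    if ($s['File Start Sector'] -eq $s['MBR Sector Pointer']) { return 'IN_SYNC' }
    return 'OUT_OF_SYNC'        # MFT and MBR pointer disagree: run pgpwde --sync-bgfs
}

function Test-ReadProtectionConfigured {
    # The article calls EnableReadProtection a key; also accept a value of that
    # name under PGPwded. Presence only: it takes effect after a reboot.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\services\PGPwded'
    if (Test-Path -Path "$svc\EnableReadProtection") { return $true }
    $p = Get-ItemProperty -Path $svc -Name EnableReadProtection -ErrorAction SilentlyContinue
    return ($null -ne $p)
}

# Sample outputs copied from the article (before and after the xcopy step).
$samples = [ordered]@{
    'before xcopy' = @('File Start Sector: 2115584', 'MBR Sector Pointer: 2115584')
    'after xcopy'  = @('File Start Sector: 3168', 'MBR Sector Pointer: 2115584')
    'truncated'    = @('File Start Sector: 3168')   # constructed failure case
}
foreach ($name in $samples.Keys) {
    '{0,-13} {1}' -f $name, (Test-BgfsSync -WalnutOutput $samples[$name])
}

# Live check, only where walnut.exe has been copied to C:\ as described above.
if (Test-Path -Path 'C:\walnut.exe') {
    $live = & 'C:\walnut.exe' 'c:\pgpwde01' 2>&1 | ForEach-Object { "$_" }
    'live:         {0}' -f (Test-BgfsSync -WalnutOutput $live)
    'read protection configured: {0}' -f (Test-ReadProtectionConfigured)
}
```

An OUT_OF_SYNC result corresponds to the post-xcopy state shown earlier, and UNKNOWN means the Walnut output should be inspected by hand.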

Comments

UlrichW:

comment no longer applies

rmilling:

I use WDE (part of PGP Desktop).  Why are you referring to v10.1.2?   I have v10.1.1 and just checked the support site.  10.1.1 is still listed as the latest version.

I'm confused.

PGP_Ben:

It should be available via fileconnect in the Symantec support portal. Where are you seeing that PGP Desktop 10.1.1 is the latest supported version?

Thanks,

Ben

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

PGP_Ben:

http://www.symantec.com/business/support/index?page=content&id=DOC3583

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.
