
WDE Hot fix verification tool for 10.1.2 SP1 HF1 

Apr 13, 2011 06:25 PM

 

Introduction to Walnut and EnableReadProtection

What is Walnut?

Walnut is a Windows executable that lets a PGP WDE user easily get the start sector of the PGPWDE01 file, or of any file on the boot disk, and compare it with the MBR sector pointer. Walnut can also be used to validate that the location of the MBR sector pointer matches the start sector of PGPWDE01 in the MFT (Master File Table). Walnut will be used to validate the level of protection that the WDE software is providing.

How to Use Walnut

To view the start sector of PGPWDE01, copy the walnut executable to the root of the C: drive, open a command prompt and type the following command:

C:\>walnut c:\pgpwde01

Doing this should return output similar to this:

File Start Sector: 2115584

MBR Sector Pointer: 2115584

To change the MFT sector pointer for PGPWDE01 you can use xcopy:

C:\>xcopy /Y /V /H /R c:\<invalid file> c:\pgpwde01

If you run walnut again after xcopy you should see that PGPWDE01 and the MBR sector pointer now return different values. For example:

File Start Sector: 3168

MBR Sector Pointer: 2115584

The MBR still points to a valid section of disk containing PGPWDE01, but the MFT no longer has a File Record for those clusters; the MFT is no longer in sync with the MBR pointer.

To remedy this you can run the following:

C:\>"C:\Program Files\PGP Corporation\PGP Desktop\pgpwde" --sync-bgfs

On a system that has a more current version of the PGP WDE driver, you should not be able to change the MFT sector pointer due to our security enhancements.
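The before/after comparison described above can be scripted when the check has to be repeated on many machines. The following Python is an added example, not part of the original article or of the Walnut tool; it assumes walnut prints the two labelled lines exactly as in the sample output above, and the function names and status strings are hypothetical.

```python
import re

# Field labels as printed in the article's sample walnut output.
_FIELDS = {"File Start Sector": "file_start", "MBR Sector Pointer": "mbr_pointer"}
_LINE = re.compile(r"^\s*(File Start Sector|MBR Sector Pointer)\s*:\s*(\d+)\s*$")


def parse_walnut(text):
    """Return {'file_start': int, 'mbr_pointer': int} from captured walnut output."""
    result = {}
    for line in text.splitlines():  # splitlines() also copes with CRLF captures
        m = _LINE.match(line)
        if m:
            result[_FIELDS[m.group(1)]] = int(m.group(2))
    missing = sorted(set(_FIELDS.values()) - set(result))
    if missing:
        raise ValueError("walnut output missing field(s): " + ", ".join(missing))
    return result


def assess(before_text, after_text):
    """Classify a pair of walnut runs taken before and after the xcopy test."""
    before, after = parse_walnut(before_text), parse_walnut(after_text)
    if before["file_start"] != before["mbr_pointer"]:
        return "out-of-sync-before-test"  # baseline already bad; sync first
    if after["mbr_pointer"] != before["mbr_pointer"]:
        return "mbr-pointer-changed"      # not a case the article describes
    if after["file_start"] != after["mbr_pointer"]:
        return "mft-pointer-changed"      # MFT and MBR pointer now disagree
    return "in-sync"                      # start sector unchanged by the test


# Constructed samples built from the sector numbers shown in the article.
BASELINE = "File Start Sector: 2115584\r\n\r\nMBR Sector Pointer: 2115584\r\n"
AFTER_XCOPY_CHANGED = "File Start Sector: 3168\r\n\r\nMBR Sector Pointer: 2115584\r\n"

if __name__ == "__main__":
    print(assess(BASELINE, AFTER_XCOPY_CHANGED))
    print(assess(BASELINE, BASELINE))
```

A result of "mft-pointer-changed" corresponds to the out-of-sync state that the --sync-bgfs command above repairs; "in-sync" is the result expected on a system with the newer driver.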

What is EnableReadProtection?

EnableReadProtection is a registry key available in PGP Desktop 10.1.2 SP1 HF1 that, when present in the registry, prevents any application from reading the PGP Bootguard File System (BGFS), including the PGPWDE01 file.

To enable read protection of the BGFS create the following key in the Windows Registry and reboot the system:

HKLM\SYSTEM\CurrentControlSet\services\PGPwded\EnableReadProtection

To demonstrate that read protection of BGFS is in fact enabled, you can use the Windows Support Tool “dskprobe” to try to read the start sector for the PGPWDE01 file returned by Walnut. If the EnableReadProtection key is in the registry, dskprobe should fail to read any part of PGPWDE01 and will close unexpectedly.

To disable read protection of BGFS, simply remove the EnableReadProtection key from the registry and reboot.

Dskprobe.exe can be downloaded from Microsoft at the following location: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38

To install dskprobe.exe, run this installer in Windows XP SP3 compatibility mode, and select “Custom Install” and then “Optional Tools”.

Run dskprobe.exe, select “Physical Drive” from the “Drives” menu, then double-click “Physical Drive 0” and click on “Set Active.”

Now, from the “Sectors” menu, select “Read” and provide the sector number returned by walnut.exe under the “MBR Sector Pointer” heading.

The following two screenshots demonstrate the behavior of dskprobe with read protection enabled and disabled, respectively.

 

[Screenshot: disk error 2 -- error reading sectors]
https://www-secure.symantec.com/connect/sites/default/files/dskprobe err2_0.png

[Screenshot: disk probe -- no error]

Attachment(s)
png file
dskprobe err2.png   41 KB   1 version
Uploaded - Feb 25, 2020
png file
dskprobe.png   47 KB   1 version
Uploaded - Feb 25, 2020
zip file
walnut.zip   26 KB   1 version
Uploaded - Feb 25, 2020


Comments

May 04, 2011 12:49 PM

It should be available via FileConnect in the Symantec support portal. Where are you seeing that PGP Desktop 10.1.1 is the latest supported version?

Thanks,

Ben

May 04, 2011 12:12 PM

I use WDE (part of PGP Desktop).  Why are you referring to v10.1.2?   I have v10.1.1 and just checked the support site.  10.1.1 is still listed as the latest version.

I'm confused.

Apr 16, 2011 09:52 AM

comment no longer applies

Apr 15, 2011 10:07 PM

.
