I used a SD card as drive D: on a Win10 Netbook and wanted
to replace it by a bigger one. Because it was FAT32 formatted,
there shouldn't be any problem to just copy all files from
the old to the new SD card. I put both cards in a USB
card reader, connected the reader to an Win11 PC and used
Explorer to copy all files to the new card. But there
was a problem with three system folders: WindowsApps, WpSystem
and WUDownloadCache. Even rebooting to Save Mode didn't
solve the problem. There was no access to the files in
these folders, even though FAT32 doesn't support any access
restriction features.
With the help of Google I found this:
https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/ https://patents.google.com/patent/US10726147B2/en
|| First, starting from Windows 10 “Redstone 1”, EFS-based
|| encryption is supported for FAT volumes. This feature is
|| thoroughly described in US10726147B2.
||
|| Encrypted files have the “.PFILE” extension and their 8.3
|| directory entries store additional metadata. In the current
|| implementation, this metadata fits 6 bits: two bits are used
|| as flags and four bits are used to store the padding size.
I then connected the USB reader to a Win7 PC and it wasn't
any problem to copy the three folders. But because the misused
bits in the directory are not copied (Win7 doesn't know about
them), the files in the folders are now normal files and no longer
recognized by Win10/11 as encrypted files and therefore useless.
So, if you have a FAT formatted USB pen drive or SD card
with some files or folders you can't delete, then they are
maybe encrypted and Windows doesn't allow any access to them.
Just connect them to a Win7 PC and you can delete them
without any problem.
So, if you have a FAT formatted USB pen drive or SD card
with some files or folders you can't delete, then they are
maybe encrypted and Windows doesn't allow any access to them.
Just connect them to a Win7 PC and you can delete them
without any problem.
I used a SD card as drive D: on a Win10 Netbook and wanted
to replace it by a bigger one. Because it was FAT32 formatted,
there shouldn't be any problem to just copy all files from
the old to the new SD card. I put both cards in a USB
card reader, connected the reader to an Win11 PC and used
Explorer to copy all files to the new card. But there
was a problem with three system folders: WindowsApps, WpSystem
and WUDownloadCache. Even rebooting to Save Mode didn't
solve the problem. There was no access to the files in
these folders, even though FAT32 doesn't support any access
restriction features.
With the help of Google I found this:
https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/ https://patents.google.com/patent/US10726147B2/en
|| First, starting from Windows 10 “Redstone 1”, EFS-based
|| encryption is supported for FAT volumes. This feature is
|| thoroughly described in US10726147B2.
||
|| Encrypted files have the “.PFILE” extension and their 8.3
|| directory entries store additional metadata. In the current
|| implementation, this metadata fits 6 bits: two bits are used
|| as flags and four bits are used to store the padding size.
I then connected the USB reader to a Win7 PC and it wasn't
any problem to copy the three folders. But because the misused
bits in the directory are not copied (Win7 doesn't know about
them), the files in the folders are now normal files and no longer
recognized by Win10/11 as encrypted files and therefore useless.
So, if you have a FAT formatted USB pen drive or SD card
with some files or folders you can't delete, then they are
maybe encrypted and Windows doesn't allow any access to them.
Just connect them to a Win7 PC and you can delete them
without any problem.
Explorer to copy all files to the new card. But there
was a problem with three system folders: WindowsApps, WpSystem
and WUDownloadCache. Even rebooting to Save Mode didn't
solve the problem. There was no access to the files in
these folders, even though FAT32 doesn't support any access
restriction features.
With the help of Google I found this:
https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
https://patents.google.com/patent/US10726147B2/en
|| First, starting from Windows 10 “Redstone 1”, EFS-based
|| encryption is supported for FAT volumes. This feature is
|| thoroughly described in US10726147B2.
||
|| Encrypted files have the “.PFILE” extension and their 8.3
|| directory entries store additional metadata. In the current
|| implementation, this metadata fits 6 bits: two bits are used
|| as flags and four bits are used to store the padding size.
Somewhere in this claim, there has got to be an interpretation error.
The evidence does not add up, of miraculous behavior. For example,
what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
Do you mean NTFS ?
Encryption does not necessarily prevent access. Access is controlled
with ACLs or similar.
To copy a file for example, I can use "dd", "seek", "skip" and
transfer blocks of data representing the file. If encryption is
involved, when I look at the resulting data now stored on some
other storage device, it will be binary garbage.
On 12.11.2023 07:14, Paul wrote:
Somewhere in this claim, there has got to be an interpretation error.
The evidence does not add up, of miraculous behavior. For example,
what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
Do you mean NTFS ?
My netbook only has a 32G C: drive, which isn't nearly enough
for Win10 itself. Therefore I use a SD card in the build-in
SD card reader as drive D: for programs and user data. The
card is FAT32 formatted to avoid any access restriction problems
when duplicating the card. If possible I use portable programs which
doesn't need to be installed but only copied to the SD card or at
least programs, where I can specify an installation folder on
drive d:. A SD card isn't made for so many write cycles when used
as a SSD replacement, so after about 2 years the spare blocks are used
up and the SD card switches to read-only mode. Then I just copy
all files on the card to a new one (on a different PC) and
because of FAT32 there wasn't any problem. Then I insert the new
card in the netbook and all is OK for the next 2 years.
But now Whatsapp can only be installed from the MS Store. The
only way to specify where it should be installed is in the
Windows settings (drive to install new apps). When you
install an app from the MS Store, the 3 folder given above
are created.
Encryption does not necessarily prevent access. Access is controlled
with ACLs or similar.
That's what I also thought. But Win10/11 has a different opinion.
To copy a file for example, I can use "dd", "seek", "skip" and
transfer blocks of data representing the file. If encryption is
involved, when I look at the resulting data now stored on some
other storage device, it will be binary garbage.
You can copy the files on any system which is not Win10/11
and supports FAT32. The copied file is binary identical, but
the misused bits in the directory are not set, so back
on a Win10/11 system, the copied files are not recognized
as encrypted files but as normal files and therefore useless
(then you will also see the extension .PFILE).
If you want to copy the files in Win10/11, you need a
program which accesses the card at block level with
it's own FAT32 driver, because when the Windows FAT32
driver is involved, you are lost.
But you can easily test it yourself. Connect a FAT32
(or exFAT) formatted USB pen drive, in Windows settings
specify this drive as the drive where to install new apps
and install an app from the MS Store. Then try to copy
this 3 folders. And if you want to see whats really in
this folders, connect the pen drive to a Win7 PC.
On 12.11.2023 12:51, Carlos E. R. wrote:
It sounds very strange to me to hear there were unused bits in the FAT
directory entries. The original FAT definition was very compact, no
unused space. Now, in the structure for long names that was added later,
perhaps.
I don't have my msdos technical book for verification, though.
It is explaind in the link I provided:
https://k2s.cc/file/f93029041094d/gl_644.mp4
It sounds very strange to me to hear there were unused bits in the FAT directory entries. The original FAT definition was very compact, no
unused space. Now, in the structure for long names that was added later, perhaps.
I don't have my msdos technical book for verification, though.
On 2023-11-12 13:20, Herbert Kleebauer wrote:
On 12.11.2023 12:51, Carlos E. R. wrote:
It sounds very strange to me to hear there were unused bits in the FAT
directory entries. The original FAT definition was very compact, no
unused space. Now, in the structure for long names that was added later, >>> perhaps.
I don't have my msdos technical book for verification, though.
It is explaind in the link I provided:
On 2023-11-12 09:49, Herbert Kleebauer wrote:[...]
On 12.11.2023 07:14, Paul wrote:
[...]My netbook only has a 32G C: drive, which isn't nearly enough
for Win10 itself. Therefore I use a SD card in the build-in
SD card reader as drive D: for programs and user data. The
card is FAT32 formatted to avoid any access restriction problems
when duplicating the card. If possible I use portable programs which doesn't need to be installed but only copied to the SD card or at
least programs, where I can specify an installation folder on
drive d:. A SD card isn't made for so many write cycles when used
as a SSD replacement, so after about 2 years the spare blocks are used
up and the SD card switches to read-only mode. Then I just copy
all files on the card to a new one (on a different PC) and
because of FAT32 there wasn't any problem. Then I insert the new
card in the netbook and all is OK for the next 2 years.
But now Whatsapp can only be installed from the MS Store. The
only way to specify where it should be installed is in the
Windows settings (drive to install new apps). When you
install an app from the MS Store, the 3 folder given above
are created.
Encryption does not necessarily prevent access. Access is controlled
with ACLs or similar.
That's what I also thought. But Win10/11 has a different opinion.
You can copy the files on any system which is not Win10/11
and supports FAT32. The copied file is binary identical, but
the misused bits in the directory are not set, so back
on a Win10/11 system, the copied files are not recognized
as encrypted files but as normal files and therefore useless
(then you will also see the extension .PFILE).
You can instead clone the card. Image it.
[...]If you want to copy the files in Win10/11, you need a
program which accesses the card at block level with
it's own FAT32 driver, because when the Windows FAT32
driver is involved, you are lost.
But you can easily test it yourself. Connect a FAT32
(or exFAT) formatted USB pen drive, in Windows settings
specify this drive as the drive where to install new apps
and install an app from the MS Store. Then try to copy
this 3 folders. And if you want to see whats really in
this folders, connect the pen drive to a Win7 PC.
You can instead clone the card. Image it.
Good point! I just checked in Macrium Reflect Free and indeed my exFAT
USB memory-stick (should be the same for Herbert's SD card) is listed as available for imaging and cloning.
Perhaps Macrium Reflect is a little over the top for such a limited storage system, but probably another imaging/cloning problem, even an
offline one, can do the job. (Macrium Reflect's Resue media could do it,
but that still requires a temporary install of Micrium Reflect.)
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-12 09:49, Herbert Kleebauer wrote:[...]
On 12.11.2023 07:14, Paul wrote:
[...]
You can copy the files on any system which is not Win10/11
and supports FAT32. The copied file is binary identical, but
the misused bits in the directory are not set, so back
on a Win10/11 system, the copied files are not recognized
as encrypted files but as normal files and therefore useless
(then you will also see the extension .PFILE).
You can instead clone the card. Image it.
Good point! I just checked in Macrium Reflect Free and indeed my exFAT
USB memory-stick (should be the same for Herbert's SD card) is listed as available for imaging and cloning.
Perhaps Macrium Reflect is a little over the top for such a limited storage system, but probably another imaging/cloning problem, even an
offline one, can do the job. (Macrium Reflect's Resue media could do it,
but that still requires a temporary install of Micrium Reflect.)
On 2023-11-12 14:42, Frank Slootweg wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-12 09:49, Herbert Kleebauer wrote:[...]
On 12.11.2023 07:14, Paul wrote:
[...]
You can copy the files on any system which is not Win10/11
and supports FAT32. The copied file is binary identical, but
the misused bits in the directory are not set, so back
on a Win10/11 system, the copied files are not recognized
as encrypted files but as normal files and therefore useless
(then you will also see the extension .PFILE).
You can instead clone the card. Image it.
Good point! I just checked in Macrium Reflect Free and indeed my exFAT USB memory-stick (should be the same for Herbert's SD card) is listed as available for imaging and cloning.
Perhaps Macrium Reflect is a little over the top for such a limited storage system, but probably another imaging/cloning problem, even an offline one, can do the job. (Macrium Reflect's Resue media could do it, but that still requires a temporary install of Micrium Reflect.)
I was not thinking of a smart cloning software, but dumb cloning
software. Smart software do smart things like skipping unused sectors.
I would use "dd" in Linux, but I understand there is a Windows version.
Dumb cloning software doesn't say "we support FAT". They just clone bit
by bit. They don't care what they are cloning.
This is important because I understand these bits are not supported by
all Windows versions. A dumb clone doesn't care what the OS supports,
they can clone anything.
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-12 14:42, Frank Slootweg wrote:
Carlos E. R. <robin_listas@es.invalid> wrote:
On 2023-11-12 09:49, Herbert Kleebauer wrote:[...]
On 12.11.2023 07:14, Paul wrote:
[...]
Perhaps Macrium Reflect is a little over the top for such a limited
storage system, but probably another imaging/cloning problem, even an
offline one, can do the job. (Macrium Reflect's Resue media could do it, >>> but that still requires a temporary install of Micrium Reflect.)
I was not thinking of a smart cloning software, but dumb cloning
software. Smart software do smart things like skipping unused sectors.
I would use "dd" in Linux, but I understand there is a Windows version.
Dumb cloning software doesn't say "we support FAT". They just clone bit
by bit. They don't care what they are cloning.
This is important because I understand these bits are not supported by
all Windows versions. A dumb clone doesn't care what the OS supports,
they can clone anything.
Yes, I know/realize all that, but Macrium Reflect *can* "play dumb"
and just copy every sector, you just have to tick the relevant option
when starting the clone/image operation ("Peform a Forensic Sector Copy.
This option will copy all sectors from the source disk, whether they are
in use or not.").
On 12.11.2023 07:14, Paul wrote:
Explorer to copy all files to the new card. But there
was a problem with three system folders: WindowsApps, WpSystem
and WUDownloadCache. Even rebooting to Save Mode didn't
solve the problem. There was no access to the files in
these folders, even though FAT32 doesn't support any access
restriction features.
With the help of Google I found this:
https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
https://patents.google.com/patent/US10726147B2/en
|| First, starting from Windows 10 “Redstone 1”, EFS-based
|| encryption is supported for FAT volumes. This feature is
|| thoroughly described in US10726147B2.
||
|| Encrypted files have the “.PFILE” extension and their 8.3
|| directory entries store additional metadata. In the current
|| implementation, this metadata fits 6 bits: two bits are used
|| as flags and four bits are used to store the padding size.
Somewhere in this claim, there has got to be an interpretation error.
The evidence does not add up, of miraculous behavior. For example,
what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
Do you mean NTFS ?
My netbook only has a 32G C: drive, which isn't nearly enough
for Win10 itself. Therefore I use a SD card in the build-in
SD card reader as drive D: for programs and user data. The
card is FAT32 formatted to avoid any access restriction problems
when duplicating the card. If possible I use portable programs which
doesn't need to be installed but only copied to the SD card or at
least programs, where I can specify an installation folder on
drive d:. A SD card isn't made for so many write cycles when used
as a SSD replacement, so after about 2 years the spare blocks are used
up and the SD card switches to read-only mode. Then I just copy
all files on the card to a new one (on a different PC) and
because of FAT32 there wasn't any problem. Then I insert the new
card in the netbook and all is OK for the next 2 years.
But now Whatsapp can only be installed from the MS Store. The
only way to specify where it should be installed is in the
Windows settings (drive to install new apps). When you
install an app from the MS Store, the 3 folder given above
are created.
Encryption does not necessarily prevent access. Access is controlled
with ACLs or similar.
That's what I also thought. But Win10/11 has a different opinion.
To copy a file for example, I can use "dd", "seek", "skip" and
transfer blocks of data representing the file. If encryption is
involved, when I look at the resulting data now stored on some
other storage device, it will be binary garbage.
You can copy the files on any system which is not Win10/11
and supports FAT32. The copied file is binary identical, but
the misused bits in the directory are not set, so back
on a Win10/11 system, the copied files are not recognized
as encrypted files but as normal files and therefore useless
(then you will also see the extension .PFILE).
If you want to copy the files in Win10/11, you need a
program which accesses the card at block level with
it's own FAT32 driver, because when the Windows FAT32
driver is involved, you are lost.
But you can easily test it yourself. Connect a FAT32
(or exFAT) formatted USB pen drive, in Windows settings
specify this drive as the drive where to install new apps
and install an app from the MS Store. Then try to copy
this 3 folders. And if you want to see whats really in
this folders, connect the pen drive to a Win7 PC.
But you can easily test it yourself. Connect a FAT32
(or exFAT) formatted USB pen drive, in Windows settings
specify this drive as the drive where to install new apps
and install an app from the MS Store. Then try to copy
this 3 folders. And if you want to see whats really in
this folders, connect the pen drive to a Win7 PC.
I defined a New App storage space here, on my ~30GB E: Fat32
partition. The software created some empty directories.
[Picture]
https://i.postimg.cc/J04LQD4G/now-app-storage-space-redirect-win10.gif
The "WindowsApps" resists entry, which is abnormal for FAT32.
But as for the interpretation of what property is doing that,
there is nothing inside that folder.
I zeroed the 30GB partition, formatted it FAT32 before starting.
After numerous experiments, most of the partition remains zeroed.
Only a tiny portion of the partition contains data, it looks like
directory data for the prefunctory structure. There are no *giant gobs*
of encrypted data present.
Presumably my inability to reproduce is because I'm not on a tablet.
On 12.11.2023 20:40, Paul wrote:
But you can easily test it yourself. Connect a FAT32
(or exFAT) formatted USB pen drive, in Windows settings
specify this drive as the drive where to install new apps
and install an app from the MS Store. Then try to copy
this 3 folders. And if you want to see whats really in
this folders, connect the pen drive to a Win7 PC.
I defined a New App storage space here, on my ~30GB E: Fat32
partition. The software created some empty directories.
[Picture]
https://i.postimg.cc/J04LQD4G/now-app-storage-space-redirect-win10.gif
The "WindowsApps" resists entry, which is abnormal for FAT32.
You can use an administrator CMD window to cd into the
folder and do a "dir /s". But you can't copy, read or
delete any of the encrypted files.
For example:
Verzeichnis von D:\WindowsApps\5319275A.WhatsAppDesktop_2.2342.8.0_x64__cv1g1gvanyjgm
11.11.2023 16:37 <DIR> .
11.11.2023 16:37 <DIR> ..
11.11.2023 16:40 31.971 AppxManifest.xml
11.11.2023 16:40 250.037 AppxBlockMap.xml
11.11.2023 16:37 <DIR> AppxMetadata
11.11.2023 16:40 12.035 AppxSignature.p7x 11.11.2023 16:37 0 05DBE9EA-EF75-43DB-8A03-27898B59D1E9
11.11.2023 16:40 66.960 clrcompression.dll 11.11.2023 16:37 <DIR> Design
11.11.2023 16:40 1.530.368 e_sqlite3.dll
11.11.2023 16:37 <DIR> GraphQL
11.11.2023 16:37 <DIR> Images
11.11.2023 16:40 1.625.480 Microsoft.Graphics.Canvas.dll 11.11.2023 16:40 281.472 Microsoft.Graphics.Canvas.winmd
11.11.2023 16:40 2.598.272 Microsoft.UI.Xaml.Core.Direct.dll
11.11.2023 16:40 103.296 Microsoft.UI.Xaml.Core.Direct.winmd
11.11.2023 16:40 295.824 Microsoft.UI.Xaml.winmd 11.11.2023 16:40 551.368 Microsoft.Web.WebView2.Core.dll
11.11.2023 16:40 98.232 Microsoft.Web.WebView2.Core.winmd
11.11.2023 16:40 8.776.768 resources.pri
11.11.2023 16:37 <DIR> Sounds
11.11.2023 16:40 3.481.600 Wail.dll
11.11.2023 16:40 9.728 Wail.winmd
11.11.2023 16:40 157.624 WebView2Loader.dll 11.11.2023 16:37 <DIR> WhatsApp.Design
11.11.2023 16:40 98.668.032 WhatsApp.dll
11.11.2023 16:40 293.376 WhatsApp.exe
11.11.2023 16:40 107.894 WhatsApp.xr.xml
11.11.2023 16:40 9.710.592 WhatsAppNative.dll
11.11.2023 16:40 115.712 WhatsAppNative.winmd 11.11.2023 16:40 6.144 WindowsLegacyApi.winmd 23 Datei(en), 128.772.785 Bytes
But as for the interpretation of what property is doing that,
there is nothing inside that folder.
I zeroed the 30GB partition, formatted it FAT32 before starting.
After numerous experiments, most of the partition remains zeroed.
Only a tiny portion of the partition contains data, it looks like
directory data for the prefunctory structure. There are no *giant gobs*
of encrypted data present.
Only apps installed from the MS Store are installed in
"WindowsApps". As long as you don't install any app,
nothing is in "WindowsApps". But even if you set App
storage space back to c: you will have a problems
to remove the folder "WindowsApps" from e: (beside
formatting e: or booting a Linux life system to
delete the folder).
Presumably my inability to reproduce is because I'm not on a tablet.
That has nothing to do with a tablet. It is Win10/11
which doesn't allow access to files with a formerly
unused bit set in the FAT directory. Therefore I
suggested to use a USB pen drive, which you can
transfer to a non Win10/11 system to see whats really
on the drive.
Maybe also a Win7 running in a virtual machine on a
Win10/11 host can access the files (or maybe Win10/11
also restricts the access of the virtual machine).
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 442 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 37:06:57 |
| Calls: | 9,154 |
| Calls today: | 5 |
| Files: | 13,433 |
| Messages: | 6,044,103 |
| Posted today: | 2 |
