Windows – How to make a file non-deletable on an USB drive


Somebody used my USB drive and upon returning it to me, I found a autorun.inf that is undeleteable.
I tried changing it's file attribute which is only H (not even set as a system file) but it keeps on saying Access Denied.

The USB is set on FAT32, upon asking my friend, he told me that he uses Panda USB Vaccine

How do they do this?
Im trying to use some Disk Sector editor but have no idea which hex file they change to make this kind of file and make it deletable again.
Formatting the drive removes it, but I'm curious as to how to be able to set those kind of file attribute.

Best Answer

Test method

Panda doesn't seem to reveal the exact mechanism of its "vaccine", which is understandable, since it's basically security through obscurity. If you know how it works, you can reverse the effects and the "vaccine" becomes useless.

I downloaded and installed Panda USB Vaccine and "vaccinated" my flash drive, dumped the flash drive's partition with dd for windows using the commands

dd --list

dd if=\\.\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} of=C:\vaccinated.img

where xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is the GUID provided by the first command, opened c:\vaccinated.img in a hex editor and searched for AUTORUN.

What USB Vaccine does

The entry for AUTORUN.INF begins with the following twelve bytes:

41 55 54 4F 52 55 4E 20 49 4E 46 42

The first eleven bytes are just the space-padded 8.3 filename: AUTORUN INF

The last byte specifies the file's attributes, and its binary representation is:


According to the Microsoft EFI FAT32 File System Specification, this last byte is a bit field that takes the following form:


where the bits A, D, V, S, H and R are 1 if and only if the file is archived, a directory, the volume ID1, a system file, hidden or read-only. AUTORUN.INF is hidden, since H is set to 1.

The bits X and Y are reserved and should both be 0. However, USB Vaccine sets Y to 1.

What the specification says

The upper two bits of the attribute byte are reserved and should always be set to 0 when a file is created and never modified or looked at after that.

Furthermore, it recommends for validation of directory contents:

These guidelines are provided so that disk maintenance utilities can verify individual directory entries for 'correctness' while maintaining compatibility with future enhancements to the directory structure.

  1. DO NOT look at the content of directory entry fields marked reserved and assume that, if they are any value other than zero, that they are "bad".

  2. DO NOT reset the content of directory entry fields marked reserved to zero when they contain non-zero values (under the assumption that they are "bad").  Directory entry fields are designated reserved, rather than must-be-zero. They should be ignored by your application. These fields are intended for future extensions of the file system. By ignoring them an utility can continue to run on future versions of the operating system.

What actually happens

CHKDSK certainly follows the specification and ignores the AUTORUN.INF entry which the FAT32 driver doesn't understand, but Windows itself doesn't seem to comply with the specification's requirement to never look at the reserved bits again: Any kind of access (other than listing the file and its attributes) is denied.

For example, the command


states that the owner of AUTORUN.INF is .... Since FAT32 doesn't support file ownership, it should state \All.

The reason for this unexpected behavior is that, according to FAT32 - Wikipedia # Directory entry, Windows uses the bit Y internally to signal a character device name (CON, PRN, AUX, CLOCK$, NUL, LPT1, COM1, etc.), and it shouldn't be present on storage devices.2

In a manner of speaking, USB Vaccine tricks Windows into assuming that AUTORUN.INF isn't an actual file, but a device, which it cannot read from or write to.

How to delete the file

If you have direct access to the file system, it suffices to set Y to 0 (change the byte 42 to 02) to make the file deletable again. You could also set the first byte of the directory entry to E5, directly marking the file as deleted.3

Another option would be to use a different driver. Ubuntu 12.04, e.g., can delete the file without problems. Actually, it automatically "fixes" the directory entry when reading it.4

1 This attribute is used for, e.g., the volume label or the folder System Volume Information.

2Certainly enough, setting X to 1 doesn't seem to have any effect.

3I verified this by changing the corresponding bytes of C:\vaccinated.img with a hex editor and writing the modified image to the flash drive using the following command:

dd if=C:\vaccinated.img of=\\.\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

4 While a blatant deviation from the specification, it seems to be thought-out one. Ubuntu leaves the X intact if it is set to 1, since it does no harm. Setting the Y bit to 1 could easily be abused by a malicious application, by, e.g., creating an undeletable file that takes up the drive's entire free space.