1. Windows SteadyState Introduction
Windows SteadyState prevents computer settings from being changed, prevents some users from installing unwanted software themselves, implements Windows Disk Protection, and provides a programming interface (API) for disk protection. It is fully comparable to the shadow system (PowerShadow).
2. Download and install Windows SteadyState
Chinese version:
http://www.microsoft.com/downloads/details.aspx?familyid=D077A52D-93E9-4B02-BD95-9D770CCDB431&displaylang=zh-cn
Before you install Windows SteadyState, you need to verify that the computer is running genuine Microsoft Windows.
3. SteadyState disk protection features
Here we focus on SteadyState's disk protection features.
3.1 How SteadyState disk protection works
When Windows SteadyState is installed for the first time, Windows Disk Protection is turned off by default. When Windows Disk Protection is turned on, a cache file is created to hold all changes to the operating system and program files. The created cache file reserves a large amount of space on the system drive. After you install and turn on Windows Disk Protection, turning it off deletes the cache file that was created during installation.
Before you install and turn on Windows Disk Protection, defragment your hard disk. Installing and turning on Windows Disk Protection on a fragmented hard disk can cause creation of the Windows Disk Protection cache to fail.
3.2 Using SteadyState's disk protection features
Using the SteadyState disk protection feature requires logging on to the computer as an administrator.
A. Perform disk defragmentation;
B. Turn on the disk protection feature in SteadyState, and note that the default state after turning it on is "Remove all changes on restart";
C. To save the current system state, select "Keep all changes permanently";
D. To implement disk protection (system restore), select "Remove all changes on restart".
In one sentence:
After you select "Keep all changes permanently", make the settings you want on the system and restart the computer; then select "Remove all changes on restart" and restart again.
3.3 Using the Windows disk protection API
The Windows SteadyState application Programming Interface (API) consists of the Windows Management Instrumentation (WMI) interface.
After installing SteadyState, the WMI namespace ROOT\WMI contains a WMI class called WDP_Control that has five properties:
EnableWDPAndReboot, CurrentStatus, CurrentMode, DisableWDPAndReboot and PersistDateTime.
A. CurrentMode
The current mode of Windows Disk Protection can be set or retrieved through the CurrentMode property. Note that the CurrentMode property can be applied only if the CurrentStatus property is WDP_ACTIVE. The CurrentMode values listed in Table 1 correspond directly to the three disk protection levels that are available when Windows Disk Protection is turned on.
Table 1: Windows Disk Protection modes and corresponding disk protection levels
| Windows Disk Protection mode | Disk protection level |
| --- | --- |
| WDP_MODE_DISCARD (0) | Remove all changes on restart |
| WDP_MODE_PERSIST (1) | Temporarily keep changes |
| WDP_MODE_COMMIT (2) | Keep all changes permanently |
B. CurrentStatus
The CurrentStatus property is a read-only property. At query time, this property returns a value indicating whether Windows Disk Protection is active or passive. The following two values may be returned:
- WDP_ACTIVE (0)
- WDP_PASSIVE (1)
If Windows Disk Protection is actively caching changes, it is active (WDP_ACTIVE). If Windows Disk Protection is turned on but changes can be saved directly to the hard disk without using the cache file as temporary storage, it is in the passive state (WDP_PASSIVE).
Note that users cannot select or set the passive state (WDP_PASSIVE) through the Windows SteadyState user interface; it is used internally by the Windows SteadyState application. Typically, the value of this property is WDP_ACTIVE.
C. DisableWDPAndReboot
DisableWDPAndReboot can disable and uninstall Windows Disk Protection. This script performs the same functions as turning off Windows Disk Protection in the Windows SteadyState user interface. This procedure requires three reboots to complete the following tasks:
- Clear the cache.
- Commit changes to the computer (remove the Windows Disk Protection driver).
- Complete the uninstall of Windows Disk Protection.
You can also run the command: sctui /DisableWDPAndReboot
D. EnableWDPAndReboot
EnableWDPAndReboot can install and enable Windows Disk Protection. During installation, a console window is opened that displays status messages. If the installation succeeds, the system restarts automatically to complete the Windows Disk Protection enablement.
You can also run the command: sctui /EnableWDPAndReboot
E. PersistDateTime
When Windows Disk Protection is turned on, you can use the PersistDateTime property to query or specify the date and time at which WDP_MODE_PERSIST expires and is automatically reverted to WDP_MODE_DISCARD. At query time, the date type of this property is WbemScripting.SWbemDateTime. Note that unless the CurrentMode property is set to WDP_MODE_PERSIST, the PersistDateTime property is not valid.
The following sample code defines constants, sets the Windows Disk Protection level to the "Temporarily keep changes" option (WDP_MODE_PERSIST), and then specifies the date and time at which this mode expires and reverts to the "Remove all changes on restart" option (WDP_MODE_DISCARD).
' WDP_Control.CurrentStatus
Const WDP_ACTIVE = 0
Const WDP_PASSIVE = 1
' WDP_Control.CurrentMode
Const WDP_MODE_DISCARD = 0
Const WDP_MODE_PERSIST = 1
Const WDP_MODE_COMMIT = 2
' The WDP_Control.PersistDateTime property requires the FILETIME type.
' The easiest way to create a FILETIME from a readable string is to use
' the WbemScripting.SWbemDateTime object.
Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
' Set dateTime to 8:00 AM on May 8, 2020
dateTime.SetVarDate #5/8/2020 08:00:00 AM#
' Get the instances of the WDP_Control WMI class
Set objWbemServices = GetObject("winmgmts:\\.\root\wmi")
Set setWdpObjects = objWbemServices.ExecQuery("SELECT * FROM WDP_Control")
For Each objWdp In setWdpObjects
    ' Switch to "Temporarily keep changes" and set when it expires
    objWdp.CurrentMode = WDP_MODE_PERSIST
    objWdp.PersistDateTime = dateTime.GetFileTime
    ' Write the modified instance back to WMI
    objWdp.Put_
Next
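The following read-only check is an added example, not part of the original article or of Microsoft's samples. An administrator can run it to confirm that a shared machine is actually discarding changes on restart. It assumes PersistDateTime reads back as the same FILETIME string the sample above writes; the exit codes (0 = protected, 1 = not discarding, 2 = class unavailable) are this example's own convention.

```vbscript
Option Explicit
' Added example: read-only audit of the Windows Disk Protection state.
Const WDP_ACTIVE = 0
Const WDP_MODE_DISCARD = 0
Const WDP_MODE_PERSIST = 1
Const WDP_MODE_COMMIT = 2

' Map a CurrentMode value to the protection level named in Table 1.
Function ModeName(mode)
    Select Case mode
        Case WDP_MODE_DISCARD: ModeName = "Remove all changes on restart"
        Case WDP_MODE_PERSIST: ModeName = "Temporarily keep changes"
        Case WDP_MODE_COMMIT:  ModeName = "Keep all changes permanently"
        Case Else:             ModeName = "unknown mode " & mode
    End Select
End Function

Dim services, instances, wdp, count, expiry
Set services = GetObject("winmgmts:\\.\root\wmi")
Set instances = services.ExecQuery("SELECT * FROM WDP_Control")

' Reading Count raises an error if the class does not exist
' (for example, SteadyState is not installed).
On Error Resume Next
count = instances.Count
If Err.Number <> 0 Or count = 0 Then
    WScript.Echo "FAIL: no WDP_Control instance in root\wmi"
    WScript.Quit 2
End If
On Error GoTo 0

For Each wdp In instances
    ' CurrentMode is only meaningful while the status is WDP_ACTIVE.
    If wdp.CurrentStatus <> WDP_ACTIVE Then
        WScript.Echo "WARN: passive state, changes go straight to disk"
        WScript.Quit 1
    End If
    WScript.Echo "Mode: " & ModeName(wdp.CurrentMode)
    If wdp.CurrentMode = WDP_MODE_PERSIST Then
        ' Assumption: the property reads back as a FILETIME string.
        Set expiry = CreateObject("WbemScripting.SWbemDateTime")
        expiry.SetFileTime wdp.PersistDateTime
        WScript.Echo "Reverts to discard at: " & expiry.GetVarDate
    End If
    If wdp.CurrentMode <> WDP_MODE_DISCARD Then WScript.Quit 1
Next
WScript.Quit 0
```

Run it with cscript so the messages go to the console and the exit code can be collected by a scheduled task or monitoring agent.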
4. Other SteadyState related articles
Description of the Windows Disk Protection feature in the Windows SteadyState API:
http://support.microsoft.com/kb/938335/zh-cn
5. Summary
To a certain extent, SteadyState is easier to use than EWF and Ghost; it just takes up more space on drive C.
Use Windows SteadyState to secure Windows systems for disk protection