Last week, a bug was released in Windows 10 that, just by executing a command, could erase all the data on our hard drive. Security researchers have been reporting this bug to Microsoft since last August 2020, receiving only silence in response. Now that this problem has become much more widely known, and it has begun to be seen that exploiting it is much easier than it seemed, there are developers who have begun to create their own unofficial mitigations against the failure of the NTFS driver . And we can now install them on our PC to protect ourselves from this failure.
This flaw is found in the Windows 10 NTFS driver , and affects any version of the operating system, from XP to the newest Insider branch. What it does is, when you run the following link (from a CMD window, for example), it automatically corrupts the entire file index on your hard drive.
cd c:/$i30:$bitmap
Although Windows will show us a message to start a system repair, it will be too late. All the data saved on the hard drive will be gone. If we check the Windows event viewer we can see an error in which it will indicate that the Master File Table (MFT) on the hard disk is corrupt .
Although it is possible to run the CHKDSK command to analyze the hard drive, repair the file table, and recover the data, we cannot deny that it is a very annoying failure. And this command does not always work, since there are users who, after encountering the failure twice, have lost their data forever. And it is very easy to hide in malicious scripts or programs. Therefore, having a patch, even if it is unofficial, is appreciated.
New unofficial driver to protect us from NTFS corruption
This new driver comes from the hand of a security researcher, in the form of an open source driver, under the name ” i30Flt “. What this driver does is constantly monitor the access of the disk to “$ i30”, and if it detects that an attempt is being made to enter that directory, it automatically blocks the attempt before the disk’s partition table is corrupted.
To install this driver, the first thing we must do is download the latest version of it from its GitHub repository and save it in a folder that we have on hand on the PC. Once done, we will open a CMD window, with Administrator permissions, and execute the following commands on the PC:
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .i30flt.inf
wevtutil im i30flt.man
fltmc load i30flt
Ready. We restart the computer (although it is optional) and the new NTFS filter will be active . If we try to execute the command that we have seen at the beginning, this filter will act and block it automatically, preventing the hard disk from being corrupted.
When Microsoft releases its new official patch (if it does) we can uninstall this driver by simply executing the following command:
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultUninstall 132 .i30flt.inf
Thus we will return to the official Windows 10 NTFS driver, without modifications, to protect ourselves from this problem as the company itself advises us.
Comments are closed