Jump to content











Photo
- - - - -

Logical Paritition and Drive - Serial number


  • Please log in to reply
6 replies to this topic

#1 genetix

genetix

    Frequent Member

  • Advanced user
  • 132 posts
  •  
    Finland

Posted 26 March 2017 - 02:54 PM

Well, been trying few days now to find a function from Windows that would allow me to change FAT16 partition serial number. Any partition tools yes are capable of doing it, but I am after Windows Native way of writing  the bit.

 

Native:

 

- Diskpart -> can set Drive UniqueID (but couldn't find a way to set VOLUME serial number).

 

3rd Party:

- DD for Windows (might be capable of it) -> but 3rd party solution.

- Most partition tools are capable of it -> but 3rd party solution.

 

 

So, does anyone here know a way to set the 0x012345678 (FAT16), VolumeSerialNumber?

 

Usable tools I am looking at are:

 

- WMI

- PowerShell

- CMD

- .NET languages

- Any tool coming with Windows Vista->10 or it's support language redistributables (C++, .NET 'up-to 4.5.1').

 

?



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13745 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 26 March 2017 - 05:30 PM

It is a field in the bootsector, you can use *any* hex/disk editor (or *any* form of dd) to change it, but of course that would be "third party" anyway.

 

And, in the case of Vista and later you need a compatible program or a tool to "lock" the volume/disk, see:
http://reboot.pro/to...t-v0300-update/

 

Would Sysinternals count as "not third party"?

https://technet.micr...s/bb897436.aspx

 

If you want to "code" your own for *whatever* reason this is probably a good start point :unsure::
https://github.com/RolKau/dskacl

 

Or - but it has to be verified - you can script SECINSPECT.EXE (MS original tool):

http://thestarman.pc...efs.htm#SecInsp

 to backup the sector, and then re-write it after having modified it (but you may need anyway a binary editing tool), or maybe use VBS with a trick or two:
https://www.aspfree....ry-data-in-wsh/

 

Some detailed use of sectinspect.exe are in this seemingly unrelated thread:
http://reboot.pro/to...ed-drive-image/

 

 

:duff:

Wonko


  • genetix likes this

#3 genetix

genetix

    Frequent Member

  • Advanced user
  • 132 posts
  •  
    Finland

Posted 26 March 2017 - 08:58 PM

Thanks for the information.

 

Sysinternals, secinspect.exe also ImDisk is kinda like me making software download dd and making user to agree with licensing terms, so, will not go to that direction.

 

dskacl project seems quite nice, but would have to include c++ app which is still better than any other method.

Currently:

C#.NET, WMI with ManagementObject can't set the VolumeSerialNumber while I can read it of course.

 

Reading this topic:

http://stackoverflow...e-serial-number

 

I think I can nail it with above topic.

 

since I couldn't find anything by DllImport kernel32.dll from pinvoke.net:

http://www.pinvoke.n...umeinformation#

and Microsoft doesn't give any directions:

https://msdn.microso...3(v=vs.85).aspx

 

Considering:

 

A. Wondering would it be enough, if I simply use diskpart with script to set Drive UniqueID and then list'n'record Volume IDs by that Unique Drive ID and use that as an identification.

B. Trying the above C++ -> C#.NET porting (which will be needing REALLY nasty testing before it can be used, heh).

 

 

Anyway, I'll be back in 10-15 years after checking how the port goes along with my code or when I get some 100% working solution, heh.



#4 genetix

genetix

    Frequent Member

  • Advanced user
  • 132 posts
  •  
    Finland

Posted 29 March 2017 - 07:55 PM

yeah, should probably note what was solution and that is here:

 

http://stackoverflow...e-serial-number

 

^ That C# code port works even to raw write boot sector. The post by Mormegil is quite beautiful and simple design for C#.



#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13745 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 30 March 2017 - 08:42 AM

Good. :)

You could share the compiled/working/tested tool, just in case someone has the same need but hasn't a compiler handy. :unsure:

 

As a side-side note and JFYI on FAT the volume serial number is not "random", but rather it is generated based on date/time of the formatting of the volume, so (of course it depends on the use) changing it to a "random" value might be detected in some cases:

http://www.forensicf...ewtopic/t=2134/

And the (pretty much unuseful) related spreadsheets:
http://www.msfn.org/...&comment=980297

and the even less useful (but fun ;)) volchance one:
http://www.msfn.org/...#comment-987748

 

:duff:

Wonko



#6 genetix

genetix

    Frequent Member

  • Advanced user
  • 132 posts
  •  
    Finland

Posted 31 March 2017 - 01:30 AM

Yeah, sure will do as soon I dump the code to new project(today, tomorrow) up the source and compiled bin. Only problem with my code will be that I will only use 4-bytes volumeid/serial as in example without identification which is FAT16 limit only where FAT32 and NTFS supports longer id, but the point is including basic raw disk access to write the 512 + 4-bytes identification which can be done without adding any extra data to logical volume which again helps to identify media from WinPE or from online system.

 

(Offtopic: Above reminded me also, that I got the 3 newest versions of grub4dos compiled from chenall project/pages from 'compiled in debian' which is worth mentioning since it's 'pain in the rear' to be done from MinGW.)

 

-edit-

 

Having issues a bit with converting hex string to uint with C# (which seems to be impossible), so, gonna figure some solution to it before upload it here.



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13745 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 31 March 2017 - 07:52 AM

Volume serial is 4 bytes on both FAT16 and 32, whilst on NTFS it is is 8 bytes (but most tools will show only the partial 4 bytes value), the matter is detailed in the mentioned thread:
http://reboot.pro/to...ed-drive-image/

 

:duff:

Wonko






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users