How does Window get GUID of disk in MountedDevices


57 replies to this topic

#51 karyonix

Posted 11 March 2019 - 02:59 PM

@Wonko
My previous post is about relevant concept as of my understanding at that time, sensitive information from my PC is removed. You already understand my main message.

----

I have found related information in UEFI spec v2.7 errata A
5.3.3 GPT Partition Entry Array

There are PartitionTypeGUID and UniquePartitionGUID. I think we can use these terms to be specific and avoid confusion.
UniquePartitionGUID is generated when GPT Partition Entry is created which is when NumberOfPartitionEntries in the GPT Header is increased.


Appendix A GUID and Time format

It references RFC 4122 (A Universally Unique IDentifier (UUID) URN Namespace).
Related parameters to make GUID include timestamp, clock sequence, version, variant, node identifier which can be based on MAC address.



#52 Wonko the Sane

Posted 11 March 2019 - 03:40 PM

@erwan.l

 

Yep, it will still be a long conversation, as we use (understandably) still some different terms.

A partition (no matter if on GPT or MBR) is (in my perverted mind) ONLY a way to address a physical extent (starting at a given address and extending for a given amount of sectors) residing on a disk.

A volume (on GPT) is EXACTLY the same extent as above (bar the mentioned NTFS extra sector) only if and when it has a valid filesystem (and when it is mounted to a volume drive letter).

 

On MBR there is a lot of confusion in terminology because there are both primary partitions and the extended type (that can contain one or more logical volumes), but - limited to primary partitions the behaviour is the same.

 

The fact that Volume ID (as seen in Mountvol) and Partition ID (in the GPT partition table) are (or are not) the same is the object of the observations, still BOTH remaining UUID V1x, i.e. made with a definite date/time and a "node" (which should be - but it has to be verified - the MAC address of the machine).

 

There are BIG differences against Volume Serial.

Volume Serial resides in the bootsector (if you prefer is part of the BPB) and is  NOT in any way connected to the partitioning (a floppy or a super-floppy still have the Volume Serial without having a MBR or a GPT partition table).

Additionally UNLIKE a UUID V1, there is NO KNOWN algorithm for HOW EXACTLY the Volume Serial is created (actually there is a known one for FAT volume serials in DOS/Win9x/Me, but in that case date/time is used as a sort of "salt" or "seed" for the generation of the volume serial, but it cannot be reversed univocally:

http://www.forensicf...iewtopic&t=2134

 

and again NTFS begs to differ and besides there are CD, DVD and ISO's for which the Volume Serial (and the GUID) generation remains a mystery:

 

https://www.forensic...wtopic/t=11250/

http://reboot.pro/to...ed-drive-image/

http://reboot.pro/to...-number-of-iso/

 

 

@karyonix

I understand, but you could post the actual values you got, changing the "node" part thus making it simpler to understand the concepts without giving away any sensible information.

I.e. if the "node" part (as seen in uuid -d) is (example):

 

node: 94:de:80:c2:a4:1f (global unicast)

or :

9EA1EAB7-1E78-11E9-8341-94DE80C2A41F

 

you can well change (as long as you do the same replace everywhere) (still example):

replace 94:DE:80:C2:A4:1F with AA:BB:CC:DD:EE:FF

replace 94DE80C2A41F with AABBCCDDEEFF

 

This would be (to me) more understandable than (still say):

#{some_guid_number_2} = ( 8-byte "DMIO:ID:", 16-byte partition GUID )

 

 

 

:duff:

Wonko



#53 erwan.l

Posted 11 March 2019 - 04:44 PM

On request of Karyonix, latest clonedisk version (x32) displays the unique partition GUID (if disk is GPT).

 

Below, my F: volume is my physical drive 2 partition 1.

 

Note that changing my unique partition GUID in part editor immediately changes my volume GUID.

 

Before changing my unique partition guid.

F29nvLW.png

 

 

 

After changing my partition GUID.

Note the \\?\Volume{17592200-3207-11e9-8342-94de80c2a41e}\ becoming \\?\Volume{17592200-3207-11e9-8342-94de80c2a41f}\ (last GUID character).

9m6Wt6A.png



#54 Wonko the Sane

Posted 11 March 2019 - 07:25 PM

The partition/volume GUID (UniquePartitionGUID) on GPT is (as I see it):
1) generated at format time
2) NOT changed by windows in "normal" operation
3) same as the volume ID (as seen in Mountvol) as long as it is not changed manually in the GPT partition table entry
4) have the last part derived from the MAC address (that is on that machine 94DE80C2A41E or 94:de:80:c2:a4:1e)
5) "persistent" in the sense that if you move the whole disk to another machine (with a different MAC address) the volume/partition GUID (UniquePartitionGUID) remains unchanged (since it is actually written inside the GPT partition table entry)

Of course if you change it manually on disk, this change is reflected in the volume ID (again *whatever* is seen in mountvol).

What karyonix reported seemed to me a completely different thing.

I.e. that part of the GUID (volume or also partition?) changed when a drive letter was assigned, then removed, then re-assigned to the same volume, being replaced by "different" values.

That could be a sort of dichotomy between a "plain" mount (or "first time" mount) and a mount/unmount/re-mount, but if karyonix cannot confirm/explain clearly the matter, I don't see how completely different experiments (like manually changing the GUID on disk) can confirm or refute that. :unsure:

As said I don't fully understand karyonix original report, so cannot really say if all points in my numbered list above are correct or - as it seems - there are exceptions in the case of mount/unmount/re-mount or in some other similar cases.

Or - maybe - I am actually also missing your point.

Today is one of those days in which either I am particularly tough in understanding or quite a few people are (by sheer coincidence) failing in making understandable posts. :w00t: :ph34r.

:duff:
Wonko

#55 karyonix

Posted 12 March 2019 - 04:34 PM

> What karyonix reported seemed to me a completely different thing.
>
> I.e. that part of the GUID (volume or also partition?) changed when a drive letter was assigned, then removed, then re-assigned to the same volume, being replaced by "different" values.
>
> That could be a sort of dichotomy between a "plain" mount (or "first time" mount) and a mount/unmount/re-mount, but if karyonix cannot confirm/explain clearly the matter, I don't see how completely different experiments (like manually changing the GUID on disk) can confirm or refute that. :unsure:

DISKPART> create partition primary size=100

DiskPart succeeded in creating the specified partition.
C:\tempo>dd bs=4096 count=1 if=\\.\PhysicalDrive1 of=pd1.bin
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0 seconds, Infinity B/s

C:\tempo>hexdump -C pd1.bin
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 57 f1 82 41 00 00 00 00 |........W?.A....|
000001c0 02 00 ee fe 3f 81 01 00 00 00 ff ff ff ff 00 00 |..?.?...........|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U?|
00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...|
00000210 32 9d fb 22 00 00 00 00 01 00 00 00 00 00 00 00 |2.?"............|
00000220 ff ff 1f 00 00 00 00 00 22 00 00 00 00 00 00 00 |........".......|
00000230 de ff 1f 00 00 00 00 00 4c d1 7a 58 44 ba 00 4a |........L?zXD?.J|
00000240 b8 6e 9a 94 ed ba 60 01 02 00 00 00 00 00 00 00 |?n."??`.........|
00000250 80 00 00 00 80 00 00 00 81 ec d2 8d 00 00 00 00 |.........??.....|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 16 e3 c9 e3 5c 0b b8 4d 81 7d f9 2d f0 02 15 ae |.???\.?M.}?-?..?|
00000410 ff 10 d4 ba 63 f5 c9 48 81 44 1c 99 5a 9e 9b fa |..??c??H.D..Z..?|
00000420 22 00 00 00 00 00 00 00 ff 7f 00 00 00 00 00 00 |"...............|
00000430 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 |........M.i.c.r.|
00000440 6f 00 73 00 6f 00 66 00 74 00 20 00 72 00 65 00 |o.s.o.f.t. .r.e.|
00000450 73 00 65 00 72 00 76 00 65 00 64 00 20 00 70 00 |s.e.r.v.e.d. .p.|
00000460 61 00 72 00 74 00 69 00 74 00 69 00 6f 00 6e 00 |a.r.t.i.t.i.o.n.|
00000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000480 a2 a0 d0 eb e5 b9 33 44 87 c0 68 b6 b7 26 99 c7 |? ????3D.?h??&.?|
00000490 d4 e1 b3 f8 23 e9 b6 40 be 58 74 5e 1e 3e e1 63 |????#??@?Xt^.>?c|
000004a0 00 80 00 00 00 00 00 00 ff 9f 03 00 00 00 00 00 |................|
000004b0 00 00 00 00 00 00 00 80 42 00 61 00 73 00 69 00 |........B.a.s.i.|
000004c0 63 00 20 00 64 00 61 00 74 00 61 00 20 00 70 00 |c. .d.a.t.a. .p.|
000004d0 61 00 72 00 74 00 69 00 74 00 69 00 6f 00 6e 00 |a.r.t.i.t.i.o.n.|
000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
C:\tempo>mountvol
...
\\?\Volume{f8b3e1d4-e923-40b6-be58-745e1e3ee163}\
*** NO MOUNT POINTS ***
...
DISKPART> format fs=ntfs quick

100 percent completed

DiskPart successfully formatted the volume.

DISKPART> list partition

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Reserved 15 MB 17 KB
* Partition 2 Primary 100 MB 16 MB

DISKPART> detail partition

Partition 2
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0X8000000000000000
Offset in Bytes: 16777216

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 NTFS Partition 100 MB Healthy

DISKPART> assign

DiskPart successfully assigned the drive letter or mount point.
C:\tempo>dd bs=4096 count=1 if=\\.\PhysicalDrive1 of=pd1.bin
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0 seconds, Infinity B/s

C:\tempo>hexdump -C pd1.bin
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 57 f1 82 41 00 00 00 00 |........W?.A....|
000001c0 02 00 ee fe 3f 81 01 00 00 00 ff ff ff ff 00 00 |..?.?...........|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U?|
00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...|
00000210 1d 3f 65 d1 00 00 00 00 01 00 00 00 00 00 00 00 |.?e?............|
00000220 ff ff 1f 00 00 00 00 00 22 00 00 00 00 00 00 00 |........".......|
00000230 de ff 1f 00 00 00 00 00 4c d1 7a 58 44 ba 00 4a |........L?zXD?.J|
00000240 b8 6e 9a 94 ed ba 60 01 02 00 00 00 00 00 00 00 |?n."??`.........|
00000250 80 00 00 00 80 00 00 00 04 e7 25 80 00 00 00 00 |.........?%.....|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 16 e3 c9 e3 5c 0b b8 4d 81 7d f9 2d f0 02 15 ae |.???\.?M.}?-?..?|
00000410 ff 10 d4 ba 63 f5 c9 48 81 44 1c 99 5a 9e 9b fa |..??c??H.D..Z..?|
00000420 22 00 00 00 00 00 00 00 ff 7f 00 00 00 00 00 00 |"...............|
00000430 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 |........M.i.c.r.|
00000440 6f 00 73 00 6f 00 66 00 74 00 20 00 72 00 65 00 |o.s.o.f.t. .r.e.|
00000450 73 00 65 00 72 00 76 00 65 00 64 00 20 00 70 00 |s.e.r.v.e.d. .p.|
00000460 61 00 72 00 74 00 69 00 74 00 69 00 6f 00 6e 00 |a.r.t.i.t.i.o.n.|
00000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000480 a2 a0 d0 eb e5 b9 33 44 87 c0 68 b6 b7 26 99 c7 |? ????3D.?h??&.?|
00000490 d4 e1 b3 f8 23 e9 b6 40 be 58 74 5e 1e 3e e1 63 |????#??@?Xt^.>?c|
000004a0 00 80 00 00 00 00 00 00 ff 9f 03 00 00 00 00 00 |................|
000004b0 00 00 00 00 00 00 00 00 42 00 61 00 73 00 69 00 |........B.a.s.i.|
000004c0 63 00 20 00 64 00 61 00 74 00 61 00 20 00 70 00 |c. .d.a.t.a. .p.|
000004d0 61 00 72 00 74 00 69 00 74 00 69 00 6f 00 6e 00 |a.r.t.i.t.i.o.n.|
000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
C:\tempo>mountvol
...
\\?\Volume{f8b3e1d4-e923-40b6-be58-745e1e3ee163}\
D:\
...

C:\tempo>reg query hklm\system\mounteddevices

HKEY_LOCAL_MACHINE\system\mounteddevices
...
\DosDevices\D: REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
DISKPART> remove

DiskPart successfully removed the drive letter or mount point.
C:\tempo>mountvol
...
\\?\Volume{f8b3e1d4-e923-40b6-be58-745e1e3ee163}\
*** NO MOUNT POINTS ***
...

C:\tempo>reg query hklm\system\mounteddevices

HKEY_LOCAL_MACHINE\system\mounteddevices
...
#{18670fd9-44ca-11e9-ba59-080027e30448} REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163

DISKPART> assign

DiskPart successfully assigned the drive letter or mount point.

C:\tempo>mountvol
...
\\?\Volume{f8b3e1d4-e923-40b6-be58-745e1e3ee163}\
D:\
...

C:\tempo>reg query hklm\system\mounteddevices

HKEY_LOCAL_MACHINE\system\mounteddevices
...
\DosDevices\D: REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
DISKPART> remove

DiskPart successfully removed the drive letter or mount point.
C:\tempo>reg query hklm\system\mounteddevices

HKEY_LOCAL_MACHINE\system\mounteddevices
...
#{186710aa-44ca-11e9-ba59-080027e30448} REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
DISKPART> assign

DiskPart successfully assigned the drive letter or mount point.

DISKPART> remove

DiskPart successfully removed the drive letter or mount point.
C:\tempo>reg query hklm\system\mounteddevices

HKEY_LOCAL_MACHINE\system\mounteddevices
...
#{186710b4-44ca-11e9-ba59-080027e30448} REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
DISKPART> assign

DiskPart successfully assigned the drive letter or mount point.

DISKPART> detail disk
...
Disk ID: {587AD14C-BA44-4A00-B86E-9A94EDBA6001}
...

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 100 MB Healthy

DISKPART> detail partition

Partition 2
Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden : No
Required: No
Attrib : 0000000000000000
Offset in Bytes: 16777216

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 100 MB Healthy
C:\tempo>reg query hklm\system\mounteddevices

HKEY_LOCAL_MACHINE\system\mounteddevices
...
\DosDevices\D: REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163

C:\tempo>mountvol
...
\\?\Volume{f8b3e1d4-e923-40b6-be58-745e1e3ee163}\
D:\
...

C:\tempo>ipconfig /all
...
Physical Address. . . . . . . . . : 08-00-27-E3-04-48
...
This registry value exists when drive letter D: is assigned to the test partition.
\DosDevices\D: REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163

These registry values exist one at a time when drive letter is removed from the test partition
#{18670fd9-44ca-11e9-ba59-080027e30448} REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
#{186710aa-44ca-11e9-ba59-080027e30448} REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
#{186710b4-44ca-11e9-ba59-080027e30448} REG_BINARY 444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163
They are deleted when drive letter is assigned.
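
Added example (not part of the original thread or of any tool mentioned in it): a parser for the GPT partition entry and the MountedDevices value shown in post #55, confirming that both carry the same GUID once the on-disk mixed-endian byte order is undone. The byte strings are transcribed from that post's hexdump and `reg query` output; the 512-byte sector size and all function names are assumptions of this example.

```python
import struct
import uuid

# Partition entry 2 at offset 0x480 of the first hexdump in post #55,
# transcribed from the page (128 bytes, per the header's entry size 0x80).
ENTRY = (
    bytes.fromhex("a2a0d0ebe5b9334487c068b6b72699c7")    # PartitionTypeGUID
    + bytes.fromhex("d4e1b3f823e9b640be58745e1e3ee163")  # UniquePartitionGUID
    + bytes.fromhex("0080000000000000ff9f030000000000")  # StartingLBA, EndingLBA
    + bytes.fromhex("0000000000000080")                  # Attributes
    + "Basic data partition".encode("utf-16-le").ljust(72, b"\x00")
)
# Value of \DosDevices\D: from the reg query output in the same post.
MOUNTED_DEVICES_D = bytes.fromhex(
    "444D494F3A49443AD4E1B3F823E9B640BE58745E1E3EE163")
SECTOR = 512  # assumption: 512-byte logical sectors, consistent with the dump


def parse_gpt_entry(raw):
    """Decode one 128-byte GPT partition entry (UEFI spec 5.3.3)."""
    if len(raw) != 128:
        raise ValueError("expected a 128-byte partition entry")
    type_guid, unique_guid, first, last, attrs = struct.unpack_from("<16s16sQQQ", raw)
    return {
        # GUIDs are stored mixed-endian on disk; bytes_le undoes that.
        "type": uuid.UUID(bytes_le=type_guid),
        "unique": uuid.UUID(bytes_le=unique_guid),
        "offset_bytes": first * SECTOR,
        "size_bytes": (last - first + 1) * SECTOR,
        "attributes": attrs,
        "name": raw[56:128].decode("utf-16-le").rstrip("\x00"),
    }


def parse_mounted_device(value):
    """Return the partition GUID from a GPT-style MountedDevices value."""
    if len(value) != 24 or value[:8] != b"DMIO:ID:":
        raise ValueError("not a DMIO:ID: (GPT partition) value")
    return uuid.UUID(bytes_le=value[8:])


def volume_name(guid):
    """Format a GUID the way mountvol prints a volume name."""
    return "\\\\?\\Volume{%s}\\" % guid


if __name__ == "__main__":
    entry = parse_gpt_entry(ENTRY)
    reg_guid = parse_mounted_device(MOUNTED_DEVICES_D)
    print(entry)
    print(volume_name(reg_guid), "matches GPT entry:", reg_guid == entry["unique"])
```

On this dump the UniquePartitionGUID decodes as a version 4 (random) GUID, while the transient `#{...}` value names in the registry are version 1.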

#56 Wonko the Sane

Posted 13 March 2019 - 09:20 AM

 

 

C:\appoggio\UUID>uuid -d 18670fd9-44ca-11e9-ba59-080027e30448
encode: STR: 18670fd9-44ca-11e9-ba59-080027e30448
SIV: 32436599925211656841010597862058427464
decode: variant: DCE 1.1, ISO/IEC 11578:1996
version: 1 (time and node based)
content: time: 2019-03-12 13:23:59.500079.3 UTC
clock: 14937 (usually random)
node: 08:00:27:e3:04:48 (global unicast)

 

 

 

C:\appoggio\UUID>uuid -d 186710aa-44ca-11e9-ba59-080027e30448
encode: STR: 186710aa-44ca-11e9-ba59-080027e30448
SIV: 32436616483897622322257154912744047688
decode: variant: DCE 1.1, ISO/IEC 11578:1996
version: 1 (time and node based)
content: time: 2019-03-12 13:23:59.500100.2 UTC
clock: 14937 (usually random)
node: 08:00:27:e3:04:48 (global unicast)

 

 

 

C:\appoggio\UUID>uuid -d 186710b4-44ca-11e9-ba59-080027e30448
encode: STR: 186710b4-44ca-11e9-ba59-080027e30448
SIV: 32436617276179247464900530848183551048
decode: variant: DCE 1.1, ISO/IEC 11578:1996
version: 1 (time and node based)
content: time: 2019-03-12 13:23:59.500101.2 UTC
clock: 14937 (usually random)
node: 08:00:27:e3:04:48 (global unicast)

 

It seems like they are using the fractions of the time seconds to have their "unique-unique" GUID.

 

:dubbio:

 

:duff:

Wonko



#57 karyonix

Posted 13 March 2019 - 10:09 AM

According to RFC 4122

The timestamp is a 60-bit value.
For UUID version 1, this is represented by Coordinated Universal Time (UTC) as a count of 100-nanosecond intervals since 00:00:00.00, 15 October 1582 (the date of Gregorian reform to the Christian calendar).



#58 Wonko the Sane

Posted 13 March 2019 - 11:03 AM

Yep.

Since the clock (that as UUID specifies) is "usually random", the fact that it remains constant as clock: 14937 seems to me like a sign that the good MS guys are simply mis-using the least relevant part of the date/time (in violation of RFC 4122) for their mysterious scopes of non-colliding GUID's.

 

:duff:

Wonko
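
Added example (not part of the original thread): the field split discussed in posts #56 to #58, done with Python's standard `uuid` module instead of `uuid -d`, applied to the three transient `#{...}` names from post #55. It reports the timestamp gaps in 100 ns ticks, the clock sequence, and whether the node equals the adapter address from `ipconfig /all`; the function names are assumptions of this example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# The three transient "#{...}" value names from post #55, in the order they appeared.
TRANSIENT = [
    "18670fd9-44ca-11e9-ba59-080027e30448",
    "186710aa-44ca-11e9-ba59-080027e30448",
    "186710b4-44ca-11e9-ba59-080027e30448",
]
ADAPTER_MAC = "08-00-27-E3-04-48"  # "Physical Address" line from the same post

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_v1(text):
    """Split a version 1 GUID into its RFC 4122 fields."""
    u = uuid.UUID(text)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError("%s is not an RFC 4122 version 1 UUID" % text)
    return {
        "ticks": u.time,  # 60-bit count of 100 ns intervals since 1582-10-15
        "utc": GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,  # 14 bits
        "node": "-".join("%02X" % b for b in u.node.to_bytes(6, "big")),
    }


def summarize(guids, mac):
    """Compare consecutive version 1 GUIDs and check the node against a MAC."""
    fields = [decode_v1(g) for g in guids]
    return {
        "first_utc": fields[0]["utc"],
        "tick_deltas": [b["ticks"] - a["ticks"] for a, b in zip(fields, fields[1:])],
        "clock_seqs": {f["clock_seq"] for f in fields},
        "node_is_mac": all(f["node"] == mac.upper() for f in fields),
    }


if __name__ == "__main__":
    for key, value in summarize(TRANSIENT, ADAPTER_MAC).items():
        print(key, "=", value)
```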





