Brett's Ramblings

Font size: +
3 minutes reading time (603 words)

Colin's Final Version of his write protect application

This posting is copied from, posted by Colin Ramsden on his final version of the WinFE write protect tool.  My thanks to Colin for his countless hours of work for which all of us will benefit.

As to the future development of WinFE, maybe this is it for some time to come.   Anyone can now build a Windows based, forensically sound bootable operating system.  Choices of a having simple, shell based system or a full-fledged Windows 7 visual experience as your forensic environment gives plenty of flexibility.  What more could you ask?

"I’ve just released WProtect version (available on, which as far as I am concerned is no longer a Release Candidate, but the final version (less any new bug fixes or code optimisations).

I actually think that WinFE is the best free Forensic Boot CD that is available, I used it in anger (V1.0.0.151) for the first time today, the Ubuntu based Raptor disk would not work on a particular Acer machine where the drive appeared to be somehow locked to the machine (did not even register with the Tableau T35i when removed). WinFE along with FTK Imager Lite imaged the drive in the host machine flawlessly.

The latest update includes some suggestions from forum member ‘EM’ (a.k.a Boot_Monkey) which include a slightly longer forced delay between disk actions, a text change to the ‘close’ button (now ‘continue’) during the initial run and ‘greyed out’ buttons when the application is busy dealing with disks.

It’s been a long and sometimes hard project, which has involved loads of code being written and binaries that have had to be reverse engineered (over 2 years since inception), there have been many hurdles that have been encountered and overcome along the journey, the main of which, was the initial patching of the VDS.EXE binary which did not prove too popular with Microsoft that pretty much left WinFE dead in the water until some new API calls were exposed.

Anyway, we got here in the end. I would like to take this opportunity to thank the following individuals for their support, both past and present:

Troy Larson (Microsoft) for his assistance with the initial registry settings, which are still used for the initial write protection, without these, the disks would be touched before my tool got the chance to execute.

Brett Shavers for being the driving force behind WinFE, Brett has taken time out of his very busy schedule and strived to promote WinFE and keep it in the public eye through his presentations, user guides, testing and the WinFE web site on WordPress.

Karl Morton, a very good friend of mine who is an exceptionally talented individual, in fact he was one of the lead programmers on the Team17 game ‘Worms’. Karl was responsible for writing the initial backend code in the form of a DLL which was his own rendition of Diskpart, a brilliant tool, however, this was eventually defunct due to the VDS.EXE patch issue, nevertheless, Karl has still been a great contributor by helping me with converting undocumented C++ code to assembly language. Karl is also responsible for attempting to write the filter driver which I hope will eventually replace my WProtect tool, I will still code the front end though.

There has been other help along the way, by people such as Royal Mayer and Nuno Brito who initially helped me with adding my application binaries to the WinBuilder script language.

So all that I have left to say is hats off to the guys that I have mentioned and anyone else that has contributed along the way.


Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

X-Ways Forensics Practitioner's Guide is coming!
A little reminder about 'write protection'