I used a SD card as drive D: on a Win10 Netbook and wanted
to replace it by a bigger one. Because it was FAT32 formatted,
there shouldn't be any problem to just copy all files from
the old to the new SD card. I put both cards in a USB
card reader, connected the reader to an Win11 PC and used
Explorer to copy all files to the new card. But there
was a problem with three system folders: WindowsApps, WpSystem
and WUDownloadCache. Even rebooting to Save Mode didn't
solve the problem. There was no access to the files in
these folders, even though FAT32 doesn't support any access
restriction features.

With the help of Google I found this:

https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
https://patents.google.com/patent/US10726147B2/en

|| First, starting from Windows 10 “Redstone 1”, EFS-based
|| encryption is supported for FAT volumes. This feature is
|| thoroughly described in US10726147B2.
||
|| Encrypted files have the “.PFILE” extension and their 8.3
|| directory entries store additional metadata. In the current
|| implementation, this metadata fits 6 bits: two bits are used
|| as flags and four bits are used to store the padding size.

I then connected the USB reader to a Win7 PC and it wasn't
any problem to copy the three folders. But because the misused
bits in the directory are not copied (Win7 doesn't know about
them), the files in the folders are now normal files and no longer
recognized by Win10/11 as encrypted files and therefore useless.

So, if you have a FAT formatted USB pen drive or SD card
with some files or folders you can't delete, then they are
maybe encrypted and Windows doesn't allow any access to them.
Just connect them to a Win7 PC and you can delete them
without any problem.

On 2023-11-11 22:43, Herbert Kleebauer wrote:
> I used a SD card as drive D: on a Win10 Netbook and wanted
> to replace it by a bigger one. Because it was FAT32 formatted,
> there shouldn't be any problem to just copy all files from
> the old to the new SD card. I put both cards in a USB
> card reader, connected the reader to an Win11 PC and used
> Explorer to copy all files to the new card. But there
> was a problem with three system folders: WindowsApps, WpSystem
> and WUDownloadCache. Even rebooting to Save Mode didn't
> solve the problem. There was no access to the files in
> these folders, even though FAT32 doesn't support any access
> restriction features.
>
>
> With the help of Google I found this:
>
> https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
> https://patents.google.com/patent/US10726147B2/en
>
> || First, starting from Windows 10 “Redstone 1”, EFS-based
> || encryption is supported for FAT volumes. This feature is
> || thoroughly described in US10726147B2.
> ||
> || Encrypted files have the “.PFILE” extension and their 8.3
> || directory entries store additional metadata. In the current
> || implementation, this metadata fits 6 bits: two bits are used
> || as flags and four bits are used to store the padding size.
>
> I then connected the USB reader to a Win7 PC and it wasn't
> any problem to copy the three folders. But because the misused
> bits in the directory are not copied (Win7 doesn't know about
> them), the files in the folders are now normal files and no longer
> recognized by Win10/11 as encrypted files and therefore useless.
>
> So, if you have a FAT formatted USB pen drive or SD card
> with some files or folders you can't delete, then they are
> maybe encrypted and Windows doesn't allow any access to them.
> Just connect them to a Win7 PC and you can delete them
> without any problem.

Interesting, thanks.

--
Cheers,
Carlos E.R.

On 11/11/2023 21:43, Herbert Kleebauer wrote:
>
> So, if you have a FAT formatted USB pen drive or SD card
> with some files or folders you can't delete, then they are
> maybe encrypted and Windows doesn't allow any access to them.
> Just connect them to a Win7 PC and you can delete them
> without any problem.

What if people don't have Win7 PC? Do they just sit tight and shake their cock to pass time?

On 11/11/2023 4:43 PM, Herbert Kleebauer wrote:
> I used a SD card as drive D: on a Win10 Netbook and wanted
> to replace it by a bigger one. Because it was FAT32 formatted,
> there shouldn't be any problem to just copy all files from
> the old to the new SD card. I put both cards in a USB
> card reader, connected the reader to an Win11 PC and used
> Explorer to copy all files to the new card. But there
> was a problem with three system folders: WindowsApps, WpSystem
> and WUDownloadCache. Even rebooting to Save Mode didn't
> solve the problem. There was no access to the files in
> these folders, even though FAT32 doesn't support any access
> restriction features.
>
>
> With the help of Google I found this:
>
> https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
> https://patents.google.com/patent/US10726147B2/en
>
> || First, starting from Windows 10 “Redstone 1”, EFS-based
> || encryption is supported for FAT volumes. This feature is
> || thoroughly described in US10726147B2.
> ||
> || Encrypted files have the “.PFILE” extension and their 8.3
> || directory entries store additional metadata. In the current
> || implementation, this metadata fits 6 bits: two bits are used
> || as flags and four bits are used to store the padding size.
>
> I then connected the USB reader to a Win7 PC and it wasn't
> any problem to copy the three folders. But because the misused
> bits in the directory are not copied (Win7 doesn't know about
> them), the files in the folders are now normal files and no longer
> recognized by Win10/11 as encrypted files and therefore useless.
>
> So, if you have a FAT formatted USB pen drive or SD card
> with some files or folders you can't delete, then they are
> maybe encrypted and Windows doesn't allow any access to them.
> Just connect them to a Win7 PC and you can delete them
> without any problem.

Somewhere in this claim, there has got to be an interpretation error.
The evidence does not add up, of miraculous behavior. For example,
what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
Do you mean NTFS ?

Encryption does not necessarily prevent access. Access is controlled
with ACLs or similar. When a file is encrypted, if you do not use
the correct protocol for examination, the file will look like
"binary random numbers". That is the consequence of encryption.
If I encrypt my ransom note, and the police use a hex editor,
they can find no mention of "small denomination notes", because
the file is binary garbage to them.

To copy a file for example, I can use "dd", "seek", "skip" and
transfer blocks of data representing the file. If encryption is
involved, when I look at the resulting data now stored on some
other storage device, it will be binary garbage.

The metadata in the file system, may indicate "hey, pal, this
file is encrypted". The OS and its File Explorer or similar.
can then parse the file and tell you "if you present a password,
we can unlock this for you and present plaintext". An encrypted
file does not necessarily have metadata at the file blocks level,
indicating the encryption method. Perhaps only the metadata
indicates it is encrypted. Certain kinds of archives, they
can have plaintext indicating encryption is present as metadata
within the item. An MSOffice document, may indicate a password is
required.

At the file system level, if a file system supports ownership,
attributes, ACLs, then access (at the file system level) can be
blocked. Not all file systems have support for that. That's what
suggests to me, your determination of what happened, is a bit
flawed.

Start by opening Disk Management. That's the easiest thing.
Does it really say "FAT32" ???

Alternately, use "diskpart.exe" like this.

(Admin window)
diskpart
list disk
select disk 2 # assumes this is the USB stick
list partition
select partition 3 # assumes this is the affected partition
detail partition # This gives info on what file system is present
exit

Not all file systems have nice dumper utilities for giving
additional information. Bitlocker has a utility for indicating
the Bitlockered status of storage devices. And perhaps, even on
a version of OS that does not "support" the creation of new
Bitlocker volumes, there may still be a "manage-bde -status" available.

Another utility is "fsutil". Unfortunately, it is not an orthogonal
utility and does not support all Windows file systems.

fsutil fsinfo # You can see some things are missing

If NTFS was involved for example, you can do this (read info from a second boot OS):

fsutil usn readdata Y:\Windows\Logs\CBS\CBS.log

The result you get from that, can be decoded with this table:

Constants - the following attribute values are returned by the GetFileAttributes function:

FILE_ATTRIBUTE_READONLY = 1 (0x1)
FILE_ATTRIBUTE_HIDDEN = 2 (0x2)
FILE_ATTRIBUTE_SYSTEM = 4 (0x4)
FILE_ATTRIBUTE_DIRECTORY = 16 (0x10)
FILE_ATTRIBUTE_ARCHIVE = 32 (0x20)
FILE_ATTRIBUTE_NORMAL = 128 (0x80)
FILE_ATTRIBUTE_TEMPORARY = 256 (0x100)
FILE_ATTRIBUTE_SPARSE_FILE = 512 (0x200)
FILE_ATTRIBUTE_REPARSE_POINT = 1024 (0x400)
FILE_ATTRIBUTE_COMPRESSED = 2048 (0x800) <=== old compression... new compression uses reparse point
FILE_ATTRIBUTE_OFFLINE = 4096 (0x1000)
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192 (0x2000)
FILE_ATTRIBUTE_ENCRYPTED = 16384 (0x4000) <=== is this EFS ???

Paul

On 12.11.2023 07:14, Paul wrote:

>> Explorer to copy all files to the new card. But there
>> was a problem with three system folders: WindowsApps, WpSystem
>> and WUDownloadCache. Even rebooting to Save Mode didn't
>> solve the problem. There was no access to the files in
>> these folders, even though FAT32 doesn't support any access
>> restriction features.
>>
>>
>> With the help of Google I found this:
>>
>> https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
>> https://patents.google.com/patent/US10726147B2/en
>>
>> || First, starting from Windows 10 “Redstone 1”, EFS-based
>> || encryption is supported for FAT volumes. This feature is
>> || thoroughly described in US10726147B2.
>> ||
>> || Encrypted files have the “.PFILE” extension and their 8.3
>> || directory entries store additional metadata. In the current
>> || implementation, this metadata fits 6 bits: two bits are used
>> || as flags and four bits are used to store the padding size.

> Somewhere in this claim, there has got to be an interpretation error.
> The evidence does not add up, of miraculous behavior. For example,
> what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
> Do you mean NTFS ?

My netbook only has a 32G C: drive, which isn't nearly enough
for Win10 itself. Therefore I use a SD card in the build-in
SD card reader as drive D: for programs and user data. The
card is FAT32 formatted to avoid any access restriction problems
when duplicating the card. If possible I use portable programs which
doesn't need to be installed but only copied to the SD card or at
least programs, where I can specify an installation folder on
drive d:. A SD card isn't made for so many write cycles when used
as a SSD replacement, so after about 2 years the spare blocks are used
up and the SD card switches to read-only mode. Then I just copy
all files on the card to a new one (on a different PC) and
because of FAT32 there wasn't any problem. Then I insert the new
card in the netbook and all is OK for the next 2 years.

But now Whatsapp can only be installed from the MS Store. The
only way to specify where it should be installed is in the
Windows settings (drive to install new apps). When you
install an app from the MS Store, the 3 folder given above
are created.

> Encryption does not necessarily prevent access. Access is controlled
> with ACLs or similar.

That's what I also thought. But Win10/11 has a different opinion.

> To copy a file for example, I can use "dd", "seek", "skip" and
> transfer blocks of data representing the file. If encryption is
> involved, when I look at the resulting data now stored on some
> other storage device, it will be binary garbage.

You can copy the files on any system which is not Win10/11
and supports FAT32. The copied file is binary identical, but
the misused bits in the directory are not set, so back
on a Win10/11 system, the copied files are not recognized
as encrypted files but as normal files and therefore useless
(then you will also see the extension .PFILE).

If you want to copy the files in Win10/11, you need a
program which accesses the card at block level with
it's own FAT32 driver, because when the Windows FAT32
driver is involved, you are lost.

But you can easily test it yourself. Connect a FAT32
(or exFAT) formatted USB pen drive, in Windows settings
specify this drive as the drive where to install new apps
and install an app from the MS Store. Then try to copy
this 3 folders. And if you want to see whats really in
this folders, connect the pen drive to a Win7 PC.

On 2023-11-12 09:49, Herbert Kleebauer wrote:
> On 12.11.2023 07:14, Paul wrote:

....

>> Somewhere in this claim, there has got to be an interpretation error.
>> The evidence does not add up, of miraculous behavior. For example,
>> what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
>> Do you mean NTFS ?
>
>
> My netbook only has a 32G C: drive, which isn't nearly enough
> for Win10 itself. Therefore I use a SD card in the build-in
> SD card reader as drive D: for programs and user data. The
> card is FAT32 formatted to avoid any access restriction problems
> when duplicating the card. If possible I use portable programs which
> doesn't need to be installed but only copied to the SD card or at
> least programs, where I can specify an installation folder on
> drive d:. A SD card isn't made for so many write cycles when used
> as a SSD replacement, so after about 2 years the spare blocks are used
> up and  the SD card switches to read-only mode. Then I just copy
> all files on the card to a new one (on a different PC) and
> because of FAT32 there wasn't any problem. Then I insert the new
> card in the netbook and all is OK for the next 2 years.
>
> But now Whatsapp can only be installed from the MS Store. The
> only way to specify where it should be installed is in the
> Windows settings (drive to install new apps). When you
> install an app from the MS Store, the 3 folder given above
> are created.
>
>
>
>> Encryption does not necessarily prevent access. Access is controlled
>> with ACLs or similar.
>
> That's what I also thought. But Win10/11 has a different opinion.
>
>
>> To copy a file for example, I can use "dd", "seek", "skip" and
>> transfer blocks of data representing the file. If encryption is
>> involved, when I look at the resulting data now stored on some
>> other storage device, it will be binary garbage.
>
> You can copy the files on any system which is not Win10/11
> and supports FAT32. The copied file is binary identical, but
> the misused bits in the directory are not set, so back
> on a Win10/11 system, the copied files are not recognized
> as encrypted files but as normal files and therefore useless
> (then you will also see the extension .PFILE).

You can instead clone the card. Image it.

>
> If you want to copy the files in Win10/11, you need a
> program which accesses the card at block level with
> it's own FAT32 driver, because when the Windows FAT32
> driver is involved, you are lost.
>
> But you can easily test it yourself. Connect a FAT32
> (or exFAT) formatted USB pen drive, in Windows settings
> specify this drive as the drive where to install new apps
> and install an app from the MS Store. Then try to copy
> this 3 folders. And if you want to see whats really in
> this folders, connect the pen drive to a Win7 PC.

It sounds very strange to me to hear there were unused bits in the FAT
directory entries. The original FAT definition was very compact, no
unused space. Now, in the structure for long names that was added later,
perhaps.

I don't have my msdos technical book for verification, though.

--
Cheers,
Carlos E.R.

On 12.11.2023 12:51, Carlos E. R. wrote:

> It sounds very strange to me to hear there were unused bits in the FAT
> directory entries. The original FAT definition was very compact, no
> unused space. Now, in the structure for long names that was added later,
> perhaps.
>
> I don't have my msdos technical book for verification, though.
>

It is explaind in the link I provided:

https://k2s.cc/file/f93029041094d/gl_644.mp4

|| Encrypted files have the “.PFILE” extension and their 8.3 directory
|| entries store additional metadata. In the current implementation,
|| this metadata fits 6 bits: two bits are used as flags and four bits
|| are used to store the padding size.
||
|| The additional metadata is stored in the NTByte field, which is
|| located at the offset of 12 bytes within the 8.3 directory entry.
|| Previously, this field was only used to store two flags marking the
|| short base name or extension as lowercase (bits #3 and #4 respectively).
||
|| Now, remaining bits are used too. Bit #0 is set when the file is
|| encrypted (it’s also set for a directory when its newly created
|| files should be encrypted by default), bit #1 is set when the file
|| starts with a large EFS header (otherwise, it’s a standard EFS
|| header). Other bits (bits #2, #5, #6, and #7) are used to store
|| the padding size (which is at most 15 bytes in size, so 4 bits are
|| enough) – its bit #0 (LSB) goes to bit #2 of the NTByte field,
|| bit #1 to bit #5, bit #2 to bit #6, bit #3 to bit #7.

On 2023-11-12 13:20, Herbert Kleebauer wrote:
> On 12.11.2023 12:51, Carlos E. R. wrote:
>
>> It sounds very strange to me to hear there were unused bits in the FAT
>> directory entries. The original FAT definition was very compact, no
>> unused space. Now, in the structure for long names that was added later,
>> perhaps.
>>
>> I don't have my msdos technical book for verification, though.
>>
>
> It is explaind in the link I provided:
>
> https://k2s.cc/file/f93029041094d/gl_644.mp4

A video?

I prefer a document.

--
Cheers,
Carlos E.R.

On 12.11.2023 14:10, Carlos E. R. wrote:
> On 2023-11-12 13:20, Herbert Kleebauer wrote:
>> On 12.11.2023 12:51, Carlos E. R. wrote:
>>
>>> It sounds very strange to me to hear there were unused bits in the FAT
>>> directory entries. The original FAT definition was very compact, no
>>> unused space. Now, in the structure for long names that was added later,
>>> perhaps.
>>>
>>> I don't have my msdos technical book for verification, though.
>>>
>>
>> It is explaind in the link I provided:

https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-12 09:49, Herbert Kleebauer wrote:
> > On 12.11.2023 07:14, Paul wrote:
[...]
> > My netbook only has a 32G C: drive, which isn't nearly enough
> > for Win10 itself. Therefore I use a SD card in the build-in
> > SD card reader as drive D: for programs and user data. The
> > card is FAT32 formatted to avoid any access restriction problems
> > when duplicating the card. If possible I use portable programs which
> > doesn't need to be installed but only copied to the SD card or at
> > least programs, where I can specify an installation folder on
> > drive d:. A SD card isn't made for so many write cycles when used
> > as a SSD replacement, so after about 2 years the spare blocks are used
> > up and  the SD card switches to read-only mode. Then I just copy
> > all files on the card to a new one (on a different PC) and
> > because of FAT32 there wasn't any problem. Then I insert the new
> > card in the netbook and all is OK for the next 2 years.
> >
> > But now Whatsapp can only be installed from the MS Store. The
> > only way to specify where it should be installed is in the
> > Windows settings (drive to install new apps). When you
> > install an app from the MS Store, the 3 folder given above
> > are created.
> >
> >> Encryption does not necessarily prevent access. Access is controlled
> >> with ACLs or similar.
> >
> > That's what I also thought. But Win10/11 has a different opinion.
[...]
> > You can copy the files on any system which is not Win10/11
> > and supports FAT32. The copied file is binary identical, but
> > the misused bits in the directory are not set, so back
> > on a Win10/11 system, the copied files are not recognized
> > as encrypted files but as normal files and therefore useless
> > (then you will also see the extension .PFILE).
>
> You can instead clone the card. Image it.

Good point! I just checked in Macrium Reflect Free and indeed my exFAT
USB memory-stick (should be the same for Herbert's SD card) is listed as
available for imaging and cloning.

Perhaps Macrium Reflect is a little over the top for such a limited
storage system, but probably another imaging/cloning problem, even an
offline one, can do the job. (Macrium Reflect's Resue media could do it,
but that still requires a temporary install of Micrium Reflect.)

> > If you want to copy the files in Win10/11, you need a
> > program which accesses the card at block level with
> > it's own FAT32 driver, because when the Windows FAT32
> > driver is involved, you are lost.
> >
> > But you can easily test it yourself. Connect a FAT32
> > (or exFAT) formatted USB pen drive, in Windows settings
> > specify this drive as the drive where to install new apps
> > and install an app from the MS Store. Then try to copy
> > this 3 folders. And if you want to see whats really in
> > this folders, connect the pen drive to a Win7 PC.
[...]

On 12.11.2023 14:42, Frank Slootweg wrote:

>> You can instead clone the card. Image it.
>
> Good point! I just checked in Macrium Reflect Free and indeed my exFAT
> USB memory-stick (should be the same for Herbert's SD card) is listed as
> available for imaging and cloning.
>
> Perhaps Macrium Reflect is a little over the top for such a limited
> storage system, but probably another imaging/cloning problem, even an
> offline one, can do the job. (Macrium Reflect's Resue media could do it,
> but that still requires a temporary install of Micrium Reflect.)

An easier solution was, to not copy the folders but
reinstall Whatsapp. I just wanted to inform, that on
a FAT32 formatted USB memory stick there can be files
which you can't delete in Win10/11 but without any problem
in Win7 and whats the reason for that. I hate OS which
control me, I want to control the OS. I miss DOS6.2 and
the real mode of the CPU.

On 2023-11-12 14:42, Frank Slootweg wrote:
> Carlos E. R. <robin_listas@es.invalid> wrote:
>> On 2023-11-12 09:49, Herbert Kleebauer wrote:
>>> On 12.11.2023 07:14, Paul wrote:
> [...]

> [...]
>>> You can copy the files on any system which is not Win10/11
>>> and supports FAT32. The copied file is binary identical, but
>>> the misused bits in the directory are not set, so back
>>> on a Win10/11 system, the copied files are not recognized
>>> as encrypted files but as normal files and therefore useless
>>> (then you will also see the extension .PFILE).
>>
>> You can instead clone the card. Image it.
>
> Good point! I just checked in Macrium Reflect Free and indeed my exFAT
> USB memory-stick (should be the same for Herbert's SD card) is listed as
> available for imaging and cloning.
>
> Perhaps Macrium Reflect is a little over the top for such a limited
> storage system, but probably another imaging/cloning problem, even an
> offline one, can do the job. (Macrium Reflect's Resue media could do it,
> but that still requires a temporary install of Micrium Reflect.)

I was not thinking of a smart cloning software, but dumb cloning
software. Smart software do smart things like skipping unused sectors.

I would use "dd" in Linux, but I understand there is a Windows version.

Dumb cloning software doesn't say "we support FAT". They just clone bit
by bit. They don't care what they are cloning.

This is important because I understand these bits are not supported by
all Windows versions. A dumb clone doesn't care what the OS supports,
they can clone anything.

--
Cheers,
Carlos E.R.

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-12 14:42, Frank Slootweg wrote:
> > Carlos E. R. <robin_listas@es.invalid> wrote:
> >> On 2023-11-12 09:49, Herbert Kleebauer wrote:
> >>> On 12.11.2023 07:14, Paul wrote:
> > [...]
>
>
> > [...]
> >>> You can copy the files on any system which is not Win10/11
> >>> and supports FAT32. The copied file is binary identical, but
> >>> the misused bits in the directory are not set, so back
> >>> on a Win10/11 system, the copied files are not recognized
> >>> as encrypted files but as normal files and therefore useless
> >>> (then you will also see the extension .PFILE).
> >>
> >> You can instead clone the card. Image it.
> >
> > Good point! I just checked in Macrium Reflect Free and indeed my exFAT
> > USB memory-stick (should be the same for Herbert's SD card) is listed as
> > available for imaging and cloning.
> >
> > Perhaps Macrium Reflect is a little over the top for such a limited
> > storage system, but probably another imaging/cloning problem, even an
> > offline one, can do the job. (Macrium Reflect's Resue media could do it,
> > but that still requires a temporary install of Micrium Reflect.)
>
> I was not thinking of a smart cloning software, but dumb cloning
> software. Smart software do smart things like skipping unused sectors.
>
> I would use "dd" in Linux, but I understand there is a Windows version.
>
> Dumb cloning software doesn't say "we support FAT". They just clone bit
> by bit. They don't care what they are cloning.
>
> This is important because I understand these bits are not supported by
> all Windows versions. A dumb clone doesn't care what the OS supports,
> they can clone anything.

Yes, I know/realize all that, but Macrium Reflect *can* "play dumb"
and just copy every sector, you just have to tick the relevant option
when starting the clone/image operation ("Peform a Forensic Sector Copy.
This option will copy all sectors from the source disk, whether they are
in use or not.").

On 2023-11-12 17:30, Frank Slootweg wrote:
> Carlos E. R. <robin_listas@es.invalid> wrote:
>> On 2023-11-12 14:42, Frank Slootweg wrote:
>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>> On 2023-11-12 09:49, Herbert Kleebauer wrote:
>>>>> On 12.11.2023 07:14, Paul wrote:
>>> [...]
>>
>>
>>> [...]

>>> Perhaps Macrium Reflect is a little over the top for such a limited
>>> storage system, but probably another imaging/cloning problem, even an
>>> offline one, can do the job. (Macrium Reflect's Resue media could do it,
>>> but that still requires a temporary install of Micrium Reflect.)
>>
>> I was not thinking of a smart cloning software, but dumb cloning
>> software. Smart software do smart things like skipping unused sectors.
>>
>> I would use "dd" in Linux, but I understand there is a Windows version.
>>
>> Dumb cloning software doesn't say "we support FAT". They just clone bit
>> by bit. They don't care what they are cloning.
>>
>> This is important because I understand these bits are not supported by
>> all Windows versions. A dumb clone doesn't care what the OS supports,
>> they can clone anything.
>
> Yes, I know/realize all that, but Macrium Reflect *can* "play dumb"
> and just copy every sector, you just have to tick the relevant option
> when starting the clone/image operation ("Peform a Forensic Sector Copy.
> This option will copy all sectors from the source disk, whether they are
> in use or not.").

Ok, then do remember to use that option :-)

--
Cheers,
Carlos E.R.

On 11/12/2023 3:49 AM, Herbert Kleebauer wrote:
> On 12.11.2023 07:14, Paul wrote:
>
>>> Explorer to copy all files to the new card. But there
>>> was a problem with three system folders: WindowsApps, WpSystem
>>> and WUDownloadCache. Even rebooting to Save Mode didn't
>>> solve the problem. There was no access to the files in
>>> these folders, even though FAT32 doesn't support any access
>>> restriction features.
>>>
>>>
>>> With the help of Google I found this:
>>>
>>> https://dfir.ru/2021/12/08/things-you-probably-didnt-know-about-fat/
>>> https://patents.google.com/patent/US10726147B2/en
>>>
>>> || First, starting from Windows 10 “Redstone 1”, EFS-based
>>> || encryption is supported for FAT volumes. This feature is
>>> || thoroughly described in US10726147B2.
>>> ||
>>> || Encrypted files have the “.PFILE” extension and their 8.3
>>> || directory entries store additional metadata. In the current
>>> || implementation, this metadata fits 6 bits: two bits are used
>>> || as flags and four bits are used to store the padding size.
>
>
>> Somewhere in this claim, there has got to be an interpretation error.
>> The evidence does not add up, of miraculous behavior. For example,
>> what is a "WUDownloadCache" doing on a FAT stick ? Do you mean ExFAT ?
>> Do you mean NTFS ?
>
>
> My netbook only has a 32G C: drive, which isn't nearly enough
> for Win10 itself. Therefore I use a SD card in the build-in
> SD card reader as drive D: for programs and user data. The
> card is FAT32 formatted to avoid any access restriction problems
> when duplicating the card. If possible I use portable programs which
> doesn't need to be installed but only copied to the SD card or at
> least programs, where I can specify an installation folder on
> drive d:. A SD card isn't made for so many write cycles when used
> as a SSD replacement, so after about 2 years the spare blocks are used
> up and  the SD card switches to read-only mode. Then I just copy
> all files on the card to a new one (on a different PC) and
> because of FAT32 there wasn't any problem. Then I insert the new
> card in the netbook and all is OK for the next 2 years.
>
> But now Whatsapp can only be installed from the MS Store. The
> only way to specify where it should be installed is in the
> Windows settings (drive to install new apps). When you
> install an app from the MS Store, the 3 folder given above
> are created.
>
>
>
>> Encryption does not necessarily prevent access. Access is controlled
>> with ACLs or similar.
>
> That's what I also thought. But Win10/11 has a different opinion.
>
>
>> To copy a file for example, I can use "dd", "seek", "skip" and
>> transfer blocks of data representing the file. If encryption is
>> involved, when I look at the resulting data now stored on some
>> other storage device, it will be binary garbage.
>
> You can copy the files on any system which is not Win10/11
> and supports FAT32. The copied file is binary identical, but
> the misused bits in the directory are not set, so back
> on a Win10/11 system, the copied files are not recognized
> as encrypted files but as normal files and therefore useless
> (then you will also see the extension .PFILE).
>
> If you want to copy the files in Win10/11, you need a
> program which accesses the card at block level with
> it's own FAT32 driver, because when the Windows FAT32
> driver is involved, you are lost.
>
> But you can easily test it yourself. Connect a FAT32
> (or exFAT) formatted USB pen drive, in Windows settings
> specify this drive as the drive where to install new apps
> and install an app from the MS Store. Then try to copy
> this 3 folders. And if you want to see whats really in
> this folders, connect the pen drive to a Win7 PC.
>

I defined a New App storage space here, on my ~30GB E: Fat32
partition. The software created some empty directories.

[Picture]

https://i.postimg.cc/J04LQD4G/now-app-storage-space-redirect-win10.gif

The "WindowsApps" resists entry, which is abnormal for FAT32.

But as for the interpretation of what property is doing that,
there is nothing inside that folder.

I zeroed the 30GB partition, formatted it FAT32 before starting.
After numerous experiments, most of the partition remains zeroed.
Only a tiny portion of the partition contains data, it looks like
directory data for the prefunctory structure. There are no *giant gobs*
of encrypted data present.

Does this "New App" storage include Windows Update ???
I'm installing a Cumulative Update Preview KB5031445 right
now, and ProcMon notes *no* access to E: partition at all.
The contents of E: are not changing. The "size" of E:
at the moment (Properties) is 409,600 bytes.

Summary: I cannot access "WindowsApps", but other than that,
there is no encrypted content on E: to be seen. The failure
to access, is abnormal for FAT32, I'll grant you that.

If they're using a WOF, I don't see the point of that unless
the container for it is stored on E: (to save space on C: ).
I scanned E: offline for evidence of binary blobs, there are none.

Presumably my inability to reproduce is because I'm not on a tablet.

Paul

On 12.11.2023 20:40, Paul wrote:

>> But you can easily test it yourself. Connect a FAT32
>> (or exFAT) formatted USB pen drive, in Windows settings
>> specify this drive as the drive where to install new apps
>> and install an app from the MS Store. Then try to copy
>> this 3 folders. And if you want to see whats really in
>> this folders, connect the pen drive to a Win7 PC.
>>
>
> I defined a New App storage space here, on my ~30GB E: Fat32
> partition. The software created some empty directories.
>
> [Picture]
>
> https://i.postimg.cc/J04LQD4G/now-app-storage-space-redirect-win10.gif
>
> The "WindowsApps" resists entry, which is abnormal for FAT32.

You can use an administrator CMD window to cd into the
folder and do a "dir /s". But you can't copy, read or
delete any of the encrypted files.

For example:

Verzeichnis von D:\WindowsApps\5319275A.WhatsAppDesktop_2.2342.8.0_x64__cv1g1gvanyjgm

11.11.2023 16:37 <DIR> .
11.11.2023 16:37 <DIR> ..
11.11.2023 16:40 31.971 AppxManifest.xml
11.11.2023 16:40 250.037 AppxBlockMap.xml
11.11.2023 16:37 <DIR> AppxMetadata
11.11.2023 16:40 12.035 AppxSignature.p7x
11.11.2023 16:37 0 05DBE9EA-EF75-43DB-8A03-27898B59D1E9
11.11.2023 16:40 66.960 clrcompression.dll
11.11.2023 16:37 <DIR> Design
11.11.2023 16:40 1.530.368 e_sqlite3.dll
11.11.2023 16:37 <DIR> GraphQL
11.11.2023 16:37 <DIR> Images
11.11.2023 16:40 1.625.480 Microsoft.Graphics.Canvas.dll
11.11.2023 16:40 281.472 Microsoft.Graphics.Canvas.winmd
11.11.2023 16:40 2.598.272 Microsoft.UI.Xaml.Core.Direct.dll
11.11.2023 16:40 103.296 Microsoft.UI.Xaml.Core.Direct.winmd
11.11.2023 16:40 295.824 Microsoft.UI.Xaml.winmd
11.11.2023 16:40 551.368 Microsoft.Web.WebView2.Core.dll
11.11.2023 16:40 98.232 Microsoft.Web.WebView2.Core.winmd
11.11.2023 16:40 8.776.768 resources.pri
11.11.2023 16:37 <DIR> Sounds
11.11.2023 16:40 3.481.600 Wail.dll
11.11.2023 16:40 9.728 Wail.winmd
11.11.2023 16:40 157.624 WebView2Loader.dll
11.11.2023 16:37 <DIR> WhatsApp.Design
11.11.2023 16:40 98.668.032 WhatsApp.dll
11.11.2023 16:40 293.376 WhatsApp.exe
11.11.2023 16:40 107.894 WhatsApp.xr.xml
11.11.2023 16:40 9.710.592 WhatsAppNative.dll
11.11.2023 16:40 115.712 WhatsAppNative.winmd
11.11.2023 16:40 6.144 WindowsLegacyApi.winmd
23 Datei(en), 128.772.785 Bytes

> But as for the interpretation of what property is doing that,
> there is nothing inside that folder.
>
> I zeroed the 30GB partition, formatted it FAT32 before starting.
> After numerous experiments, most of the partition remains zeroed.
> Only a tiny portion of the partition contains data, it looks like
> directory data for the prefunctory structure. There are no *giant gobs*
> of encrypted data present.

Only apps installed from the MS Store are installed in
"WindowsApps". As long as you don't install any app,
nothing is in "WindowsApps". But even if you set App
storage space back to c: you will have a problems
to remove the folder "WindowsApps" from e: (beside
formatting e: or booting a Linux life system to
delete the folder).

> Presumably my inability to reproduce is because I'm not on a tablet.

That has nothing to do with a tablet. It is Win10/11
which doesn't allow access to files with a formerly
unused bit set in the FAT directory. Therefore I
suggested to use a USB pen drive, which you can
transfer to a non Win10/11 system to see whats really
on the drive.

Maybe also a Win7 running in a virtual machine on a
Win10/11 host can access the files (or maybe Win10/11
also restricts the access of the virtual machine).

On 11/12/2023 3:43 PM, Herbert Kleebauer wrote:
> On 12.11.2023 20:40, Paul wrote:
>
>>> But you can easily test it yourself. Connect a FAT32
>>> (or exFAT) formatted USB pen drive, in Windows settings
>>> specify this drive as the drive where to install new apps
>>> and install an app from the MS Store. Then try to copy
>>> this 3 folders. And if you want to see whats really in
>>> this folders, connect the pen drive to a Win7 PC.
>>>
>>
>> I defined a New App storage space here, on my ~30GB E: Fat32
>> partition. The software created some empty directories.
>>
>>     [Picture]
>>
>>      https://i.postimg.cc/J04LQD4G/now-app-storage-space-redirect-win10.gif
>>
>> The "WindowsApps" resists entry, which is abnormal for FAT32.
>
> You can use an administrator CMD window to cd into the
> folder and do a "dir /s". But you can't copy, read or
> delete any of the encrypted files.
>
> For example:
>
>  Verzeichnis von D:\WindowsApps\5319275A.WhatsAppDesktop_2.2342.8.0_x64__cv1g1gvanyjgm
>
> 11.11.2023  16:37    <DIR>          .
> 11.11.2023  16:37    <DIR>          ..
> 11.11.2023  16:40            31.971 AppxManifest.xml
> 11.11.2023  16:40           250.037 AppxBlockMap.xml
> 11.11.2023  16:37    <DIR>          AppxMetadata
> 11.11.2023  16:40            12.035 AppxSignature.p7x
> 11.11.2023  16:37                 0 05DBE9EA-EF75-43DB-8A03-27898B59D1E9
> 11.11.2023  16:40            66.960 clrcompression.dll
> 11.11.2023  16:37    <DIR>          Design
> 11.11.2023  16:40         1.530.368 e_sqlite3.dll
> 11.11.2023  16:37    <DIR>          GraphQL
> 11.11.2023  16:37    <DIR>          Images
> 11.11.2023  16:40         1.625.480 Microsoft.Graphics.Canvas.dll
> 11.11.2023  16:40           281.472 Microsoft.Graphics.Canvas.winmd
> 11.11.2023  16:40         2.598.272 Microsoft.UI.Xaml.Core.Direct.dll
> 11.11.2023  16:40           103.296 Microsoft.UI.Xaml.Core.Direct.winmd
> 11.11.2023  16:40           295.824 Microsoft.UI.Xaml.winmd
> 11.11.2023  16:40           551.368 Microsoft.Web.WebView2.Core.dll
> 11.11.2023  16:40            98.232 Microsoft.Web.WebView2.Core.winmd
> 11.11.2023  16:40         8.776.768 resources.pri
> 11.11.2023  16:37    <DIR>          Sounds
> 11.11.2023  16:40         3.481.600 Wail.dll
> 11.11.2023  16:40             9.728 Wail.winmd
> 11.11.2023  16:40           157.624 WebView2Loader.dll
> 11.11.2023  16:37    <DIR>          WhatsApp.Design
> 11.11.2023  16:40        98.668.032 WhatsApp.dll
> 11.11.2023  16:40           293.376 WhatsApp.exe
> 11.11.2023  16:40           107.894 WhatsApp.xr.xml
> 11.11.2023  16:40         9.710.592 WhatsAppNative.dll
> 11.11.2023  16:40           115.712 WhatsAppNative.winmd
> 11.11.2023  16:40             6.144 WindowsLegacyApi.winmd
>               23 Datei(en),    128.772.785 Bytes
>
>
>> But as for the interpretation of what property is doing that,
>> there is nothing inside that folder.
>>
>> I zeroed the 30GB partition, formatted it FAT32 before starting.
>> After numerous experiments, most of the partition remains zeroed.
>> Only a tiny portion of the partition contains data, it looks like
>> directory data for the prefunctory structure. There are no *giant gobs*
>> of encrypted data present.
>
> Only apps installed from the MS Store are installed in
> "WindowsApps". As long as you don't install any app,
> nothing is in "WindowsApps". But even if you set App
> storage space back to c: you will have a problems
> to remove the folder "WindowsApps" from e: (beside
> formatting e: or booting a Linux life system to
> delete the folder).
>
>
>>           Presumably my inability to reproduce is because I'm not on a tablet.
>
> That has nothing to do with a tablet. It is Win10/11
> which doesn't allow access to files with a formerly
> unused bit set in the FAT directory. Therefore I
> suggested to use a USB pen drive, which you can
> transfer to a non Win10/11 system to see whats really
> on the drive.
>
> Maybe also a Win7 running in a virtual machine on a
> Win10/11 host can access the files (or maybe Win10/11
> also restricts the access of the virtual machine).

I installed Ubuntu 2204 WSL, and WhatsApp. I ran WhatsApp
but bailed out at the point it wanted to pair with a smartphone.
Ubuntu 2204 WSL is now fully functional, and a Firefox window
opens in it.

Absolute none of these, would write a drop of data onto E:
Even though the original change of storage location to E:
created a few directory entries. Including the WindowsApps
that would not open.

But if I use a hex editor, and look in the volume to
see *some* data chunks written, there is nothing. Nothing
is *using* E: for new App storage. I did go to the Microsoft Store,
and I installed more than one thing and ran it. I used the
Microsoft Store to install Thunderbird 115 MSIX version, ran it,
imported a profile from a "normal" version of Thunderbird, and
read some articles.

I did try a few things. No dice.

This is normal for Microsoft.

I just like to do full simulations if I can, before I start
dipping into details.

Paul