Developers have released an unofficial fix for a Windows bug that could lead to the corruption of an NTFS volume by merely viewing a specially crafted file.
Earlier this month, BleepingComputer reported that a Windows 10 bug was discovered by security researcher Jonas Lykkegaard that allows non-privileged users to mark an NTFS volume as dirty.
Once the volume is marked as dirty, Windows would display an error stating that the drive was corrupted and prompt the user to reboot the computer to run chkdsk and fix the corruption.
For most people, Windows would run chkdsk, and the operating system would boot like normal soon after. Unfortunately, in a test by BleepingComputer, even after running chkdsk, the operating system would not start properly.
BleepingComputer later learned that this bug also affected older versions of Windows, including Windows XP.
To make matters worse, BleepingComputer created a specially crafted file that would automatically trigger the bug when you attempt to access it in Windows.
Third-party fix released for NTFS bug
OSR, a software development company specializing in Windows internals, has released an open-source filter driver that prevents the NTFS bug from being abused while waiting for an official fix from Microsoft.
This filter driver, called ‘i30Flt’, will monitor for attempts to access streams beginning with “:$i30:”, and if detected, block them before they can trigger the bug.
“OSRDrivers/i30Flt: This is a simple filter that will block any attempt to access streams beginning with ‘:$i30:’. This stops the spurious corruption warning triggered on certain Windows 10 versions. (github.com),” stated OSR in a blog post about this bug.
Like BleepingComputer, when OSR was playing with this bug they encountered a system that would no longer boot after running chkdsk.
“We also have a system here at OSR that will no longer boot after running a second chkdsk while playing with this. Between the ugly warning and the broken system here we think it’s worth mitigating until there’s a real fix released.” – OSR
To install the driver, download it from the project’s GitHub page, open an elevated command prompt, and then navigate to the folder where you extracted the files.
Once in the folder with the files, you can run the following commands to install the driver.
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .\i30flt.inf
wevtutil im i30flt.man
fltmc load i30flt
After installing the driver, it is not necessary to reboot Windows.
Once OSR’s driver is installed, if it detects an attempt to access a path containing “$i30:”, it will block the access and write an event log entry, as shown below.
As Microsoft has told BleepingComputer that they plan to fix this bug, once it is patched, you can remove the filter driver using the following command:
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultUninstall 132 .\i30flt.inf
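For administrators who would rather not type the install and removal commands by hand, the following PowerShell script is an added example (it is not OSR’s code and is not part of the i30Flt project) that wraps the same three install commands and the uninstall command in functions, checks that the session is elevated and that the INF and manifest files are present, and confirms the result by looking for the driver in the output of fltmc filters. It assumes the files were extracted to the folder you pass in (or the current folder) and that the loaded minifilter is listed by fltmc under the name i30flt; the SETUPAPI argument is quoted because PowerShell would otherwise split it on the comma.

```powershell
# Added example, not OSR's or BleepingComputer's code.
# Assumptions: elevated PowerShell session; i30flt.inf and i30flt.man sit in
# $Folder; the loaded filter shows up in 'fltmc filters' as "i30flt".

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-I30FltLoaded {
    # fltmc filters lists every loaded minifilter; look for the driver name
    # at the start of a line (case-insensitive, multi-line match).
    $listing = & fltmc.exe filters 2>&1 | Out-String
    return ($listing -match '(?im)^\s*i30flt\b')
}

function Install-I30Flt {
    param([string]$Folder = (Get-Location).Path)
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    foreach ($name in 'i30flt.inf', 'i30flt.man') {
        if (-not (Test-Path (Join-Path $Folder $name))) { throw "Missing $name in $Folder" }
    }
    Push-Location $Folder
    try {
        # The same three commands the article lists, one per line.
        # 'SETUPAPI.DLL,InstallHinfSection' is quoted so PowerShell does not
        # split the comma into two separate arguments.
        rundll32.exe 'SETUPAPI.DLL,InstallHinfSection' DefaultInstall 132 .\i30flt.inf
        wevtutil.exe im i30flt.man
        if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
        fltmc.exe load i30flt
        if ($LASTEXITCODE -ne 0) { throw "fltmc load failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
    if (-not (Test-I30FltLoaded)) { throw 'i30flt is not listed by fltmc filters after load.' }
    Write-Host 'i30Flt is loaded; no reboot is required.'
}

function Uninstall-I30Flt {
    param([string]$Folder = (Get-Location).Path)
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
    Push-Location $Folder
    try {
        rundll32.exe 'SETUPAPI.DLL,InstallHinfSection' DefaultUninstall 132 .\i30flt.inf
    } finally {
        Pop-Location
    }
    if (Test-I30FltLoaded) {
        Write-Warning 'i30flt still appears in fltmc filters; it may only unload after a reboot.'
    } else {
        # Until Microsoft ships a fix, removing the filter reopens the bug.
        Write-Warning 'i30Flt removed; the NTFS bug is no longer mitigated on this machine.'
    }
}

# Usage (from an elevated PowerShell prompt):
#   Install-I30Flt -Folder 'C:\path\to\extracted\i30flt'
#   Uninstall-I30Flt -Folder 'C:\path\to\extracted\i30flt'
```

Test-I30FltLoaded is the useful part for fleet checks: run it on its own to confirm the mitigation is still in place on a machine before relying on it.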
As illustrated below, if the bug is not fixed and you uninstall the driver, the bug can instantly be used to mark a drive as corrupted.
It is unknown when Microsoft plans to fix this bug, so if you are concerned threat actors could abuse it on your computer, this is a good alternative while you wait.