UDF volume serial generation

Hello,

This is my first post here and I have been trying to get a question of mine answered over on the MSDN forums (in the Vista Optical Platform Discussion group) for a while and have had no luck and was directed here by David Burg who is the Software Development Engineering Lead for the Optical Platform Group at Microsoft. So, I will just repost what I posted over there and hopefully someone can help me out:

I recently started a thread asking about the algorithms for generating volume serial numbers (the serial Windows generates) for CD/DVD media and so far have used the WDK source and gotten some help from Microsoft employees so that I now can generate the serial for audio CD’s and discs with ISO-9660/Joliet file systems. All I need to do now is support UDF discs, what is the algorithm used for them?

Just for some background about myself and why I am requesting this information, I work in the CD/DVD forensic software industry creating software for computer forensic examiners/law enforcement and have had users request that we display the volume serial number that Windows generates in our software. The problem is I cannot use GetVolumeInformation or any other Windows API functions and need to be able to generate the volume serial number myself due to the fact that our software works with discs that Windows sometimes cannot mount and also if there is more than one file system present then I need to be able to display the serial number for all of them.

So, if anyone at Microsoft can help me out that would be great. I don’t need actual code and I know it has not been released anyway. Just pseudo-code explaining what portions of the file system are used and how they are used (or whatever “magical” stuff is done similar to the ISO/Joliet algorithm I found in the WDK source) would be great.

Thank you very much for your time.

Andrew Dangerfield

UDF spec (and the ECMA-167 spec on which UDF is based) are available on the
website, so the task of “getting UDF volume ID from existing UDF volume in your
own FS parser” is doable.

If you need the control over how this ID is generated in the newly
generated FS image - then just do not use the Windows code and write your own
UDF generator. This is also doable.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> Hello,
>
> This is my first post here and I have been trying to get a question of mine
> answered over on the MSDN forums (in the Vista Optical Platform Discussion
> group) for a while and have had no luck and was directed here by David Burg who
> is the Software Development Engineering Lead for the Optical Platform Group at
> Microsoft. So, I will just repost what I posted over there and hopefully
> someone can help me out:
>
> I recently started a thread asking about the algorithms for generating volume
> serial numbers (the serial Windows generates) for CD/DVD media and so far have
> used the WDK source and gotten some help from Microsoft employees so that I now
> can generate the serial for audio CD’s and discs with ISO-9660/Joliet file
> systems. All I need to do now is support UDF discs, what is the algorithm used
> for them?
>
> Just for some background about myself and why I am requesting this
> information, I work in the CD/DVD forensic software industry creating software
> for computer forensic examiners/law enforcement and have had users request that
> we display the volume serial number that Windows generates in our software.
> The problem is I cannot use GetVolumeInformation or any other Windows API
> functions and need to be able to generate the volume serial number myself due
> to the fact that our software works with discs that Windows sometimes cannot
> mount and also if there is more than one file system present then I need to be
> able to display the serial number for all of them.
>
> So, if anyone at Microsoft can help me out that would be great. I don’t need
> actual code and I know it has not been released anyway. Just pseudo-code
> explaining what portions of the file system are used and how they are used (or
> whatever “magical” stuff is done similar to the ISO/Joliet algorithm I found in
> the WDK source) would be great.
>
> Thank you very much for your time.
>
> Andrew Dangerfield
>
>

Alright, I guess I should have been more clear. The serial number I want to display is the one that you see to the right of “Volume Serial Number” if you bring up a command prompt and ‘dir’ the drive the CD or DVD is in, I am NOT talking about any serial number/volume ID that is actually part of the file system. Here is an example:

F:\>dir
Volume in drive F is Install CD
Volume Serial Number is 74DC-8894

Directory of F:\

05/26/2003 01:08 AM 122,880 2507RM.exe
05/26/2003 01:10 AM 32,768 2507RM_silent.exe
04/22/2003 10:45 PM 549 PL2507S.inf
05/26/2003 01:03 AM 1,544 PL2507U.INF
05/28/2003 04:16 AM 1,446,512 Setup.exe
08/18/2003 02:32 AM mac
5 File(s) 1,604,253 bytes
1 Dir(s) 0 bytes free

F:\>

The volume serial number 74DC-8894 is ENTIRELY generated by Windows, it is not located on the disc anywhere so parsing the file system (or searching the disc) will not get you this number. For ISO-9660 and Joliet file systems I have found the Windows code for serial generation in the WDK source for CDFS which I used to generate the serial number myself (it is basically just a "special" checksum of bytes from the PVD or SVD of the most recent session). So for UDF I need to know what is done to generate the Windows Volume Serial Number.

It was brought to my attention that the symbols UdfUpdateVolumeSerialNumber and UdfSerial32 can be found for UDFS.sys and if anyone has access to the source to those functions I think that would be just about all I need, or at least a detailed description on what is done.

Thank you,

Andrew Dangerfield

Have you read fatgen103.docx? How about the fastfat sources in the WDK?
You ask for the impossible. The “Volume Serial Number” displayed by a dir
command is a part of the filesystem. It is located in the extended BPB in
the first sector of a FATnn volume. I do not know and it is not documented
by Microsoft where that information is located in a NTFS volume.

You might want to try Process Monitor to see what requests are sent to NTFS
to obtain the number. It might take a few hours to experiment and using
windbg discover which sector contains that information. Then grab those
sectors from a few different NTFS volumes that you have used dir to see the
correct value and compare.

wrote in message news:xxxxx@ntfsd…
> Alright, I guess I should have been more clear. The serial number I want
> to display is the one that you see to the right of “Volume Serial Number”
> if you bring up a command prompt and ‘dir’ the drive the CD or DVD is in,
> I am NOT talking about any serial number/volume ID that is actually part
> of the file system. Here is an example:
>
> F:\>dir
> Volume in drive F is Install CD
> Volume Serial Number is 74DC-8894
>
> Directory of F:\
>
> 05/26/2003 01:08 AM 122,880 2507RM.exe
> 05/26/2003 01:10 AM 32,768 2507RM_silent.exe
> 04/22/2003 10:45 PM 549 PL2507S.inf
> 05/26/2003 01:03 AM 1,544 PL2507U.INF
> 05/28/2003 04:16 AM 1,446,512 Setup.exe
> 08/18/2003 02:32 AM mac
> 5 File(s) 1,604,253 bytes
> 1 Dir(s) 0 bytes free
>
> F:\>
>
> The volume serial number 74DC-8894 is ENTIRELY generated by Windows, it is
> not located on the disc anywhere so parsing the file system (or searching
> the disc) will not get you this number. For ISO-9660 and Joliet file
> systems I have found the Windows code for serial generation in the WDK
> source for CDFS which I used to generate the serial number myself (it is
> basically just a “special” checksum of bytes from the PVD or SVD of the
> most recent session). So for UDF I need to know what is done to generate
> the Windows Volume Serial Number.
>
> It was brought to my attention that the symbols
> UdfUpdateVolumeSerialNumber and UdfSerial32 can be found for UDFS.sys and
> if anyone has access to the source to those functions I think that would
> be just about all I need, or at least a detailed description on what is
> done.
>
> Thank you,
>
> Andrew Dangerfield
>

> It was brought to my attention that the symbols UdfUpdateVolumeSerialNumber
> and UdfSerial32 can be found for UDFS.sys and if anyone has access to the
> source to those functions I think that would be just about all I need

Reverse engineering can also help.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> You might want to try Process Monitor to see what requests are sent to NTFS
> to obtain the number.

We are speaking about UDFS and not NTFS


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Craig,

Thank you for the response but you are mistaken and do not understand my problem fully. Also, why do you say I ask for the impossible? I have already gotten this information so I can do what Windows does to generate the volume serial number for CD and DVD media that contains either CD audio or an ISO-9660/Joliet file system, but since the UDFS source code is not released like CDFS is (in the WDK source) I can’t track down what is done in any source code I have access to.

This is an optical disc issue and the Volume Serial Number for optical disc file systems such as ISO-9660/Joliet and UDF that is displayed using the ‘dir’ command is NOT in the file system, Windows generates this number ENTIRELY. Once again, the volume serial number IS NOT located anywhere on the CD or DVD so parsing the file system or searching the disc is worthless because the serial number is NOT located on the disc AT ALL. Trust me, I know this is the case, I work in the CD/DVD forensics industry. My question regards only UDF, not FAT, NTFS, or any other file systems so FAT and NTFS documentation will not help me with my issue.

Thank you,
Andrew Dangerfield

> Have you read fatgen103.docx? How about the fastfat sources in the WDK?
> You ask for the impossible. The “Volume Serial Number” displayed by a dir
> command is a part of the filesystem. It is located in the extended BPB in
> the first sector of a FATnn volume. I do not know and it is not documented
> by Microsoft where that information is located in a NTFS volume.
>
> You might want to try Process Monitor to see what requests are sent to NTFS
> to obtain the number. It might take a few hours to experiment and using
> windbg discover which sector contains that information. Then grab those
> sectors from a few different NTFS volumes that you have used dir to see the
> correct value and compare.

Then if you are correct try Process Monitor and see what blocks of the UDF
media are read when doing a dir. If the same media is placed into another
computer will it display the same volume serial number? Use windbg and when
that data is read trace the call back up to user mode and see how it
computes the number. It will be slow and tedious. Try using a support
incident via MSDN to see if they will provide this info.

wrote in message news:xxxxx@ntfsd…
> Craig,
>
> Thank you for the response but you are mistaken and do not understand my
> problem fully. Also, why do you say I ask for the impossible? I have
> already gotten this information so I can do what Windows does to generate
> the volume serial number for CD and DVD media that contains either CD
> audio or an ISO-9660/Joliet file system, but since the UDFS source code is
> not released like CDFS is (in the WDK source) I can’t track down what is
> done in any source code I have access to.
>
> This is an optical disc issue and the Volume Serial Number for optical
> disc file systems such as ISO-9660/Joliet and UDF that is displayed using
> the ‘dir’ command is NOT in the file system, Windows generates this number
> ENTIRELY. Once again, the volume serial number IS NOT located anywhere on
> the CD or DVD so parsing the file system or searching the disc is
> worthless because the serial number is NOT located on the disc AT ALL.
> Trust me, I know this is the case, I work in the CD/DVD forensics
> industry. My question regards only UDF, not FAT, NTFS, or any other file
> systems so FAT and NTFS documentation will not help me with my issue.
>
> Thank you,
> Andrew Dangerfield
>
>>Have you read fatgen103.docx? How about the fastfat sources in the WDK?
>>You ask for the impossible. The “Volume Serial Number” displayed by a dir
>>command is a part of the filesystem. It is located in the extended BPB in
>>the first sector of a FATnn volume. I do not know and it is not
>>documented
>>by Microsoft where that information is located in a NTFS volume.
>>
>>You might want to try Process Monitor to see what requests are sent to
>>NTFS
>>to obtain the number. It might take a few hours to experiment and using
>>windbg discover which sector contains that information. Then grab those
>>sectors from a few different NTFS volumes that you have used dir to see
>>the
>>correct value and compare.
>

>Reverse engineering can also help.

Yes, that is a road I may need to go down. I have a lot of other more important functionality to implement now though (displaying a Windows serial number is not very critical and I support everything but UDF now anyway) and I was hoping someone at Microsoft who works on file system handling could help me out to save me a lot of time.

A bigger problem I have with reverse engineering is that if anyone questions how our application generates the serial number I wouldn’t have concrete proof that what is done is exactly what Windows does. With CD audio discs and ISO-9660/Joliet file system I could actually show someone the Windows code from the WDK CDFS source to prove I know exactly how Windows generates the serial number. If I were to reverse engineer what goes on with UDFS then I would not have any such proof. I would just feel much better if I could get definitive proof of what is done either by seeing the code for those functions I mentioned finding symbols for in UDFS or just by a decent description from someone at Microsoft. Then I can always say that I got the information directly from someone at Microsoft and the results would be MUCH less questionable.

Not much goes on for ISO-9660/Joliet and CD audio serial generation so I imagine UDF is very similar. For ISO-9660 all the explanation would have to be is something like this:

  1. Go to PVD (sessionstart sector + 16) for the most recent session and read the 2048 bytes of user data.
  2. Run the bytes through the following algorithm:
    {
        union {
            UCHAR Bytes[4];
            unsigned long SerialId;
        } Checksum;

        /* Start all four byte-wide sums at zero. */
        Checksum.SerialId = 0;

        /* Add each byte into the sum selected by the remaining byte count. */
        while (ByteCount--)
            Checksum.Bytes[ByteCount & 0x3] += *(Buffer++);
    }

Not too much going on at all and I would guess UDFS is extremely similar especially since there is a symbol for UDFS named UdfSerial32 and for ISO-9660/Joliet in CDFS there was a function named CDSerial32. I already tried running every sector on a UDF test disc through CDSerial32 and the result never matched the actual Volume Serial Number so the checksum algorithm must be different or possibly UDFS does not send one sector full of data to generate the serial like the other algorithms do.

Anyone out there have access to UDFS source to help me out? I think I just need some insight into the functions UdfUpdateVolumeSerialNumber() and UdfSerial32() (this is the most important one).

Thanks in advance.
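
The ISO-9660 procedure described in the post above (PVD at session start + 16, 2048 bytes through the byte-wise checksum, shown in the XXXX-XXXX form that `dir` prints), as an added example that is not part of the original thread or of the WDK source. The function names, the `CD001` descriptor check and the sample image are assumptions of this example; it covers ISO-9660 only, since the thread does not establish what UDFS does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 2048u /* user-data bytes per sector */
#define VD_SECTOR 16u     /* PVD sits at session start + 16 */

/* Byte-lane checksum from the post, written without the union so the result
 * does not depend on host byte order: lane i is byte i of the 32-bit serial,
 * which matches the union on little-endian x86. */
uint32_t serial32(const uint8_t *buf, uint32_t count)
{
    uint8_t lane[4] = {0, 0, 0, 0};
    while (count--)
        lane[count & 0x3u] = (uint8_t)(lane[count & 0x3u] + *buf++);
    return (uint32_t)lane[0] | ((uint32_t)lane[1] << 8) |
           ((uint32_t)lane[2] << 16) | ((uint32_t)lane[3] << 24);
}

/* Checksums the PVD of the session that starts at sector session_start.
 * Writes "XXXX-XXXX" to out and returns 0; returns -1 if the image is too
 * short or the sector is not an ISO-9660 primary volume descriptor. */
int iso_volume_serial(const uint8_t *image, size_t len,
                      uint32_t session_start, char out[10])
{
    uint64_t off = ((uint64_t)session_start + VD_SECTOR) * SECTOR_SIZE;
    uint32_t s;
    if (len < SECTOR_SIZE || off > len - SECTOR_SIZE)
        return -1;
    if (image[off] != 1 || memcmp(image + off + 1, "CD001", 5) != 0)
        return -1;
    s = serial32(image + off, SECTOR_SIZE);
    snprintf(out, 10, "%04X-%04X", (unsigned)(s >> 16), (unsigned)(s & 0xFFFFu));
    return 0;
}

/* Constructed sample: 17 zeroed sectors carrying a minimal PVD header. */
static uint8_t sample_image[17 * SECTOR_SIZE];
const char *sample_serial(void)
{
    static char text[10];
    uint8_t *pvd = sample_image + VD_SECTOR * SECTOR_SIZE;
    pvd[0] = 1;                  /* descriptor type: primary */
    memcpy(pvd + 1, "CD001", 5); /* standard identifier */
    pvd[6] = 1;                  /* descriptor version */
    return iso_volume_serial(sample_image, sizeof sample_image, 0, text) ? NULL : text;
}

int main(void) { puts(sample_serial()); return 0; }
```

Because the loop post-decrements the count before indexing, the first byte of the sector lands in the most significant byte of the serial, so feeding the buffer in reverse or with a different length changes the result.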