How does Deep Freeze work?

[Post-It Note]

Deep Freeze ( http://www.faronics.com/CANADA/product.asp ) is a program that prevents changes to a hard drive. You can do whatever you want to the drive, but when you restart it will return the disk to its original state.

It does this without partitioning, taking up extra space, or having another hard drive to image across. Anyone have any ideas or theories on how it works? I'm going to install the trial and see what I can find out.

[Colin-uk Veteran]

maybe it keeps a compressed version somewhere? :unsure:

[mzkhadir]

ThawSpace

Deep Freeze Professional has the ability to designate a portion the hard drive as ?thawed? for permanent storage. ThawSpace can be set anywhere from 16MB to 2GB. Save documents and favourite Internet sites by mapping My Documents and Favourites to ThawSpace.

[Post-It Note]

I'm just going to say that it's a secret how it works, so going through the website is not very helpful in finding out how it works. I'm looking for how YOU think it works.

Anyways, I've installed it and started testing it out by deleting things. (of course I imaged my drive beforehand.)

[pmh]

Yeah, I'm also interested in this.

[Post-It Note]

I've delete an entire Software regedit key, and I managed to right click->delete my recycle bin. :o. Now let me restart...

Yup.. No problems. I'm going to thaw, make a really big file, freeze, and see what happens when I delete it.

[Another_Paul]

Deepfreeze is awesome for public/school computers! I have been using it for several years without any hitches. Standard will "freeze" your whole hard drive preventing any changes you after rebooting. If you have multiple harddrives you can pick and choose which ones to be "frozen". Professional will let you have a Thawed folder that will allow changes to remain the same. But the catch is that you have to buy a minimal of 10 copies of Professional instead of just one.

It's only like a 5 meg install, I have no idea how they do it! Maybe something keeps track of all the changes and reverts to the original state after it reboots.

[pmh]

I always just thought it "imaged it" but it did it into a locked file of somesort. Oh well, I have no idea.

[John Veteran]

It installs its own disk driver for each of your hard drives I noticed. I believe this is key... But I haven't been able to crack it yet. Uninstalling the driver doesn't work :(

I was able to stop the DeepFreeze process by gaining SYSTEM priviledges through a very sneaky method :shifty: (which is now blocked with SP2 :pinch:)

As much as I played with it, I couldn't break it :/ Though I'd like to try again sometime...

[pmh]

How were you able to stop it gameguy?

[The Burning Rom]

I'm not sure how it works, but I know the program itself is a pain in the arse to work with. I worked at a college that had it running on around 800 student computers. And it can get quite annoying. One of the newer versions goes into what we called "hardening" mode...where the icon in the taskbar disappears after the machine has been on for a certain period of time. Sometimes it takes 3 or 4 reboots to get it back too :angry:

What mzkhadir was talking about..."thaw space"...is a new feature of deepfreeze which allows you to designate a "partition" for deep freeze to create, which allows you to save files in, and reboot without loosing them. The only downside is when deepfreeze is uninstalled, you also wave bye bye to your thawspace and the files it contained. I sure hope they changed that in the newest version.

It's a program I'd avoid if I could. But in some situtuations (like at the college), it's one of those things that you just have to deal with.

[AcdShdw]

alright managed to mess around with it on my test system, and no matter what i do IT WONT STOP!!!!, this is one amazing piece of software

[_tux_]

so if you basicly go in and do a full format and then format over that it will still work? :p

*goes to try in virtual pc*

[Callaway]

It's a fantastic program for Windows. We use the console/enterprise version in our public labs extensively at UNLV. Essentially, as long as a user can't boot to a floppy or cd-rom (lockdown the bios), it's flawless.

Want to delete Windows directory? No problem.

Want to download a few trojans? No problem.

Want to download a virus that will infect the MBR? No problem.

Soon as the workstation reboots, reverts back to the previous settings. You can set up multiple passwords, onetime passwords, mainteanance times, and if you have the console installed, you can remotely thaw/freeze workstations with a click of the mouse (or run programs / install updates).

It kicks @SS!

If you need help, send me a /pm. I would encourage ALL Windows system admins to invest in Deep Freeze.

[Callaway]

I'm not sure how it works, but I know the program itself is a pain in the arse to work with. I worked at a college that had it running on around 800 student computers. And it can get quite annoying. One of the newer versions goes into what we called "hardening" mode...where the icon in the taskbar disappears after the machine has been on for a certain period of time. Sometimes it takes 3 or 4 reboots to get it back too :angry:

What mzkhadir was talking about..."thaw space"...is a new feature of deepfreeze which allows you to designate a "partition" for deep freeze to create, which allows you to save files in, and reboot without loosing them. The only downside is when deepfreeze is uninstalled, you also wave bye bye to your thawspace and the files it contained. I sure hope they changed that in the newest version.

It's a program I'd avoid if I could. But in some situtuations (like at the college), it's one of those things that you just have to deal with.

No offense, but you don't know wth you're talking about. The thawspace has been around since for years, and you don't even need it. All it is is a temporary partition which is created before Windows loads where changes can be made that will not be erased. It's much easier and faster for the workstation to simply create a logical partition and set that drive letter as unthawed or not frozen.

As for the icon, you can choose to have the icon show in thawed / frozen or not at all. Most admins will set it to display when the workstation is thawed, so that a quick peek at the desktop will tell them somoene forgot to lock the station down.

[pmh]

Hmm, There has to be someflaws, somewhere.

[acoustikrage]

my middle school used it when i was in the tech group that maintained the school network. only our group knew the password for it, and somehow it leaked out, and there was this big scandal. it is a very helpful program at school.

[Callaway]

Hmm, There has to be someflaws, somewhere.

Nope...none. Unless you can boot to a floppy or cd-rom, forget it.

We also use corporate edition of Ghost, which needs to rewrite the MBR in order to boot to the boot partition. If the workstation is still frozen, nopers....DF erases the changes and boots Windows.

One downside to the product is you can only make changes in thawed mode. So if you need to make a change, thaw, reboot, make changes, freeze, hope things are good...if not, thaw, reboot, make changes, freeze, etc.

One recommendation to admins, don't store the workstation file, configuration files, or console settings on the local workstation (depends on what version you're running). Quite easy to pull the passwords out of the files.

[_tux_]

i just had an idea how it works...

it either has its own driver and when u delete a file it just marks it as deleted (but wont let the clusters be overwritten) and on reboot it just unmasks them all :)

dunno about file changes though :/

[ultraviolet7]

Unless you can boot to a floppy or cd-rom, forget it.

i consider this a fairly big flaw but not one that is the fault of the makers of deepfreeze. gaining access to booting from those divices is a rather trivial matter on most computers even if it is set not to boot from them and locked with a password. i don't really know anyway that deepfreeze would be able to stop this though since their drivers only can take over once the OS has booted.

[pmh]

Nope...none. Unless you can boot to a floppy or cd-rom, forget it.

We also use corporate edition of Ghost, which needs to rewrite the MBR in order to boot to the boot partition. If the workstation is still frozen, nopers....DF erases the changes and boots Windows.

One downside to the product is you can only make changes in thawed mode. So if you need to make a change, thaw, reboot, make changes, freeze, hope things are good...if not, thaw, reboot, make changes, freeze, etc.

One recommendation to admins, don't store the workstation file, configuration files, or console settings on the local workstation (depends on what version you're running). Quite easy to pull the passwords out of the files.

I don't care how carefully the code was debugged, I bet that there is some screw up in there. Just because no one has found it yet doesn't mean it doesn't exsist.

[genghis]

this pice of software is like ah bad habit u just cant kick

i found the only way of getting rid of this is a complete low level format of your hard disk.

imagine tinking u have formated to reinstall windows only to reboot and find that nuting has changed.

or pc crashing on u while ur working on end of semester report and have to reboot!!!!! report vanishes !!!!!!!!!

i have been there!

on the up side if u have trial version software, install but dont activate

then freeze .

now everytime u reboot and run it, it'll be like first time...counter resets to zero.

Edited September 8, 2004 by genghis

[xTrinity]

How to kill DeepFreeze:

I did this many times, temporarily disabling DeepFreeze to put files on the computer and then restoring it. It does NOT use an image of your drive. I'm not surely exactly how it operates, but its not an image. I believe it tracks every write to the harddrive and reverses it. That explains how this method works.

Win9x:

Use floppy to boot into DOS. Goto DeepFreeze folder and rename/delete it. Restart computer and volia! DeepFreeze is gone. Do anything you need want to the computer, and the changes stay. Boot back into DOS, restore the DeepFreeze folder and volia! DeepFreeze will forever restore the computer to the state in which you modified it to.

This proves that DeepFreeze does not use images or any kind of backup.

WinXP/2k:

A bit harder since WinXP/2k has no native DOS. You will need to use the Windows install disc to get into the DOS recovery mode thingy. Then do the above and it will work fine.

Although this only works if the sys admin is an idiot. Who in their right mind would install DeepFreeze and then allow someone to boot with a floppy or CD? As long as you can boot into DOS, you can remove DeepFreeze. If you cannot boot into DOS, there's no way to remove DeepFreeze. A smart sys admin would password the BIOS and boot only the harddrive. Of course, not everyone is that bright :p

EDIT: DeepFreeze is written in an extremely low level assembly. It makes direct calls to the processor and memory, bypassing Windows altogether. Have fun with SoftIce on this. There's a reason why this software is thousands of dollars :). But if you want to try, tokens are the key.

Edited September 8, 2004 by xTrinity

[+orgitnized Subscriber¹]

Very similar to Fortres Clean Slate and they both have their flaws.

Deep Freeze and Clean Slate both have incompatibilities with software, especially installers. And NO, it DOES NOT matter whether or not a thaw space is used, or the software is enabled or disabled.

I have it and have used it at a few schools.

Clean Slate and Deep Freeze are both a pain in the arse when it comes to managing a lot of the workstations at once. This is especially true in Novell networks. If you don't have the Client for Microsoft Networks installed it's a pain because it wants to read workstation names, which are exactly the same if you image the workstations. This is because the Novell client doesn't care at all about the "workstation" name, but more about the NDS or eDir name instead.

It serves its purpose in respects to using it on unmanaged networks or networks that aren't at all volatile. I make changes to 500 computers at the same time, and the last thing I want to do is load up another management console and try to disable some machines and not others, etc. To me, it's a pain. I have much better luck without the software. For stand-alone machines and what-not, I can see the purpose. Heck, even on NT networks with mixed clients I can see a better purpose. But on Novell networks, I don't need it at all. Everything is locked down with policies and backed up by imaging the machines anyway, so it's just a waste of money in that respect. Kids essentially could screw the machines up every night and it wouldn't even matter one bit. Not that they can, because policies restrict them from doing it, but it wouldn't matter anyway.

They did tell me that the driver was the biggest part of the program, so gameguy is on the right track. Since it's installed and loaded right at bootup, all changes get discarded. I stopped using it once we found a a way to break security in Fotres and Faronics-brand products that would render the workstation immediately inoperable. They fixed it when we called them about it (in their next release) but it just wasn't that impressive.

It does have its uses, but I would use it on something that's really unmanaged, like stand-alone machines that aren't governed by any type of security or administration.

[Callaway]

How to kill DeepFreeze:

I did this many times, temporarily disabling DeepFreeze to put files on the computer and then restoring it. It does NOT use an image of your drive. I'm not surely exactly how it operates, but its not an image. I believe it tracks every write to the harddrive and reverses it. That explains how this method works.

Win9x:

Use floppy to boot into DOS. Goto DeepFreeze folder and rename/delete it. Restart computer and volia! DeepFreeze is gone. Do anything you need want to the computer, and the changes stay. Boot back into DOS, restore the DeepFreeze folder and volia! DeepFreeze will forever restore the computer to the state in which you modified it to.

This proves that DeepFreeze does not use images or any kind of backup.

WinXP/2k:

A bit harder since WinXP/2k has no native DOS. You will need to use the Windows install disc to get into the DOS recovery mode thingy. Then do the above and it will work fine.

Although this only works if the sys admin is an idiot. Who in their right mind would install DeepFreeze and then allow someone to boot with a floppy or CD? As long as you can boot into DOS, you can remove DeepFreeze. If you cannot boot into DOS, there's no way to remove DeepFreeze. A smart sys admin would password the BIOS and boot only the harddrive. Of course, not everyone is that bright :p

EDIT: DeepFreeze is written in an extremely low level assembly. It makes direct calls to the processor and memory, bypassing Windows altogether. Have fun with SoftIce on this. There's a reason why this software is thousands of dollars :). But if you want to try, tokens are the key.

yes, but both of your scenarios require booting to somoething other than the hard drive. This is the only known means of bypassing DeepFreeze.

Try bypassing it without booting to another device.... ;) Any half-@ss admin should lockdown down the BIOS...

[Callaway]

Very similar to Fortres Clean Slate and they both have their flaws.

Deep Freeze and Clean Slate both have incompatibilities with software, especially installers. And NO, it DOES NOT matter whether or not a thaw space is used, or the software is enabled or disabled.

I have it and have used it at a few schools.

Clean Slate and Deep Freeze are both a pain in the arse when it comes to managing a lot of the workstations at once. This is especially true in Novell networks. If you don't have the Client for Microsoft Networks installed it's a pain because it wants to read workstation names, which are exactly the same if you image the workstations. This is because the Novell client doesn't care at all about the "workstation" name, but more about the NDS or eDir name instead.

It serves its purpose in respects to using it on unmanaged networks or networks that aren't at all volatile. I make changes to 500 computers at the same time, and the last thing I want to do is load up another management console and try to disable some machines and not others, etc. To me, it's a pain. I have much better luck without the software. For stand-alone machines and what-not, I can see the purpose. Heck, even on NT networks with mixed clients I can see a better purpose. But on Novell networks, I don't need it at all. Everything is locked down with policies and backed up by imaging the machines anyway, so it's just a waste of money in that respect. Kids essentially could screw the machines up every night and it wouldn't even matter one bit. Not that they can, because policies restrict them from doing it, but it wouldn't matter anyway.

They did tell me that the driver was the biggest part of the program, so gameguy is on the right track. Since it's installed and loaded right at bootup, all changes get discarded. I stopped using it once we found a a way to break security in Fotres and Faronics-brand products that would render the workstation immediately inoperable. They fixed it when we called them about it (in their next release) but it just wasn't that impressive.

It does have its uses, but I would use it on something that's really unmanaged, like stand-alone machines that aren't governed by any type of security or administration.

Deep Freeze and Clean Slate both have incompatibilities with software, especially installers.  And NO, it DOES NOT matter whether or not a thaw space is used, or the software is enabled or disabled.

Deep Freeze does not interact w/ any installers whatsoever. It doesn't interact at all with the workstation until reboot...You can do whatever you want with it and it could care less.

Clean Slate and Deep Freeze are both a pain in the arse when it comes to managing a lot of the workstations at once.  This is especially true in Novell networks.  If you don't have the Client for Microsoft Networks installed it's a pain because it wants to read workstation names, which are exactly the same if you image the workstations.  This is because the Novell client doesn't care at all about the "workstation" name, but more about the NDS or eDir name instead.

It serves its purpose in respects to using it on unmanaged networks or networks that aren't at all volatile.  I make changes to 500 computers at the same time, and the last thing I want to do is load up another management console and try to disable some machines and not others, etc.  To me, it's a pain.  I have much better luck without the software.  For stand-alone machines and what-not, I can see the purpose.  Heck, even on NT networks with mixed clients I can see a better purpose. 

We use 99% Novell on close to 5000 workstations, it's not even an issue with Deep Freeze (nor AD). The Console version of Deep Freeze kicks butt, serious commie butt. All you have to do is install the workstation seed, and you can see the workstations just fine. You don't even need the MS Client installed...The Console is beautiful.

But on Novell networks, I don't need it at all.  Everything is locked down with policies and backed up by imaging the machines anyway, so it's just a waste of money in that respect.  Kids essentially could screw the machines up every night and it wouldn't even matter one bit.  Not that they can, because policies restrict them from doing it, but it wouldn't matter anyway.

If you're administering some +1000 machines, I fail to see how having DF installed is a waste of money. If anything, it will save you money in manpower, time, and network usage by NOT having to reimage all your machines. Used in conjunction with any imaging software (like Ghost) and life suddenly became enjoyable.