Index the EFI File System (ESP) partition

[ericgl]

Hi David,

I was wondering if it may be possible to index and monitor the special EFI File System (AKA ESP) partition, without assigning a drive letter to it.
Normally, it does not get a drive letter assigned, it's protected from browsing in Windows Explorer, it's FAT32 and around 100MB in size.

The reason I'm asking this is because it may help detect a malicious rootkit which would modify or create files there.
Would it be possible to index it and search within it using its unique volume name instead of a drive letter?

I know I can get a list of volume DeviceIDs using, for example, powershell:

Code: Select all

gcim win32_volume | FT -property Label,DriveLetter,DeviceID,SystemVolume,Capacity,Freespace,FileSystem

If it's possible, please show me how to do this.
Thanks.

[void]

Currently, no.

Everything doesn't have a way to monitor this type of unmounted file system.

It might be possible to index FAT volumes using \\?\harddiskvolumex or \\?\Volume{GUID} in a future release.

[NotNull]

Hi David,

Too bad you only want David to answer your question ....

2023-04-13 17_11_45 - Everything (1.5a) 1.5.0.1342a (x64).png (60.82 KiB) Viewed 3075 times

[ericgl]

NotNull,
So it is possible!
Can you explain what to do?

[NotNull]

void is right (duh ..) : this can't be indexed and monitored.
But there is a workaround: creating a (static) filelist and loading that into Everything.
Run the following PowerShell script (after changing the settings to match your system):

Code: Select all

$EVERYTHING = "C:\Program Files\Everything 1.5a\Everything64.exe"
$VolumeGUID = "{11111111-aaaa-2222-bbbb-333333333333}"
$EFI_out = "T:\EFI.efu"


start-process $EVERYTHING   -Verb RunAs   -wait   -ArgumentList @('-createfilelist', """$EFI_out""", "\\?\Volume$VolumeGUID\EFI" )
 
start-process $EVERYTHING   -ArgumentList @('-newwindow', '-filelist', """$EFI_out""" )

You will need to re-run this script to get current data.


To browse through the EFI folder:

• Start 7-zip's filemanager (7zfm.exe) elevated
• Paste the following in the address bar and press ENTER

  Code: Select all

  \\.\PhysicalDrive0\

• Browse to 0.EFI system partition.img (might be called different on your system)
• Browse to EFI
• Done.

EDIT: I thought that an elevated Explorer would be able to access this EFI folder, but it simply does not understand these paths.

[ericgl]

NotNull,

Thanks for the info.
Actually, it seems that simply running 7-zip elevated, and pasting the GUID of the EFI System partition (ESP) into its address bar does the trick!
Well, I guess using \\.\PhysicalDrive0\ is probably better, as one does not need to know the GUIDs of the partitions.
Hope Everything could do that as well.

[void]

Everything 1.5.0.1344a adds support for indexing unmounted FAT volumes.

To add an unmounted FAT volume to your index:

• In Everything, from the Tools menu, click Options.
• Click the FAT tab on the left.
• Right click in the list of FAT volumes and click Add....
• Change the volume name to: \\?\Volume{01234567-0123-0123-0123-0123456789ab}
• Change the mount path to: \\?\Volume{01234567-0123-0123-0123-0123456789ab}
• Click OK.
• Uncheck monitor changes. (Everything will be unable to monitor unmounted FAT volumes -if enabled, the volume will appear offline)
• Click OK.

Please note you will need to run Everything as administrator to index the EFI volume.



How can I get volume name for EFI system partition?

[ericgl]

Hi David,

Thanks, it works.
However, entries in that partition appear twice - as offline (greyed-out) and as online.

[void]

Have you possibly added \\?\Volume{01234567-0123-0123-0123-0123456789ab} as a folder index under Tools -> Options -> Folders?

Could you please send your Tools -> Debug -> Statistics to support@voidtools.com

One will appear greyed-out as Everything is trying to monitor this volume.
Everything cannot monitor unmounted non-NTFS volumes.

[ericgl]

Oh, you're right.
I had added the ESP as a folder index under Tools -> Options -> Folders from of my previous attempts to index it.

Sorry about that.

[void]

Folder indexes of \\?\Volume{xxx} paths will also work with 1344a.

Folder indexes will behave the same as FAT indexes.

There's no advantage in using a Folder index over a FAT index.
Please feel free to remove either one.

Monitoring folder indexes can be disabled by unchecking "attempt to monitor changes" under Tools -> Options -> Folders -> \\?\Volume{xxx}



I've noticed searching for \\?\ forces Everything to use wildcards and match the whole filename.
You can also index the FAT/folder paths as \\.\Volume{xxx} instead of \\?\Volume{xxx} to avoid this issue.
Alternatively, search for:
\\?\**
\\?\volume{xxx}\**

[ericgl]

Yeah, just noticed that myself.
It is better to index the FAT ESP folder path as \\.\Volume{GUID} instead of \\?\Volume{GUID}.
That way, right-clicking on the result list works.