Why does cipher /w fill up temporary files instead of writing to the raw disk?

security windows hard-drive command-line cmd.exe

11,536

Solution 1

Looking over cipher /? from command line I see that the cipher command/app does much more than just the operations that occur when using the /w option. As stated in the help it is used to display and alter the encryption of directories and files on NTFS partitions.

It seems to me that the /w switch with this command is just a simple function that works with files and folders only on NTFS partitions as per it's core functionality description via chipher /?.

cipher /?

Displays or alters the encryption of directories [files] on NTFS partitions.

/W        Removes data from available unused disk space on the entire
          volume. If this option is chosen, all other options are ignored.
          The directory specified can be anywhere in a local volume. If it
          is a mount point or points to a directory in another volume, the
          data on that volume will be removed.

A few specific things to point out per the Microsoft post "How to use Cipher.exe to overwrite deleted data in Windows~" regarding this tool's specific functionality. . .

this command/app was apparently designed in the days of Windows 2003 (maybe it's even older) so consider using another tool if it doesn't suffice for your task/operation needs.
there's a mentioned gotcha with the /w option functionality with files smaller than 1 KB so if smaller than 1 KB files is important to you, use another tool.
it states it can take a long time to complete if there's a lot of free space to be overwritten so it's not like they are claiming this tool is an efficient raw disk I/O beast—use another tool if that's a problem for your needs.

Knowing all this it seems the additional I/O overhead and bottleneck risks you mention were not of any importance or concern when this functionality was designed.

This tool does nothing special with this functionality (working with files and folders on NTFS partitions) that another native Windows method could not do; this specific functionality is not robust.

See the "How to zero fill a virtual disk's free space on windows for better compression" post and the answer on there regarding fsutil for another native Windows method to zero fill free space.

FSUTIL
fsutil volume diskfree f:
Which showed this report:
Total # of free bytes        : 249899469856
Total # of bytes             : 249997291520
Total # of avail free bytes  : 249899469856
I used Total # of avail free bytes in the following commands:
fsutil file createnew F:\clear 249899469856
fsutil file setvaliddata F:\clear 249899469856
fsutil file setzerodata offset=0 length=249899469856 F:\clear
del f:\clear
It took about 4 hours to write 250GB of zeros.

_Source

Further Resources

CIPHER.exe

/w:PathName

     Remove data from unused portions of a volume.
     PathName can indicate any directory on the desired volume.
     Cipher does not obtain an exclusive lock on the drive.
     This option can take a long time to complete and should only be used when necessary.

How to use Cipher.exe to overwrite deleted data in Windows~

Note The cipher /w command does not work for files that are smaller than 1 KB. Therefore, make sure that you check the file size to confirm whether is smaller than 1 KB. This issue is scheduled to be fixed in longhorn.

Data that is not allocated to files or folders is overwritten. This permanently removes the data. This can take a long time if you are overwriting a large amount of space.

Solution 2

Is there a particular reason it wipes disks using files instead of writing to the raw disk, or was this likely just a design oversight?

Writing to a raw disk while it is mounted is incredibly risky -- if another process creates or appends to a file, cipher could potentially overwrite that data. Even worse, if the filesystem itself creates data (like directory entries), cipher could end up overwriting that too, causing filesystem corruption.

Overwriting free space using a normal (albeit very large) file removes this risk, as the filesystem driver will ensure that any space allocated to this file will not be used for other purposes.

11,536

Hashim Aziz

Updated on September 18, 2022

Comments

Hashim Aziz over 1 year

The Windows command cipher /w can be used to securely wipe a hard drive's free space without the use of third-party tools or GUIs:

cipher works by creating a folder called EFSTMPWP on the root of the target drive; inside this folder, it successively fills three temporary files with zeroes, ones, and random numbers respectively, one after the other, to the size of the empty space left on the drive.

By the time a file has taken up all of the drive's empty space, it's effectively forced the file system to overwrite all data held in its free space with the file's newly-written data, rendering any data previously held there permanently irrecoverable.

I understand Windows doesn't typically grant users access to the raw drive like Linux does, but I'm confused as to why Windows' own utilities would choose to write data indirectly to files in this way and be subjected to disk I/O bottlenecks in the process, instead of simply writing to the raw disk itself.

Is there a particular reason it wipes disks using files instead of writing to the raw disk, or was this likely just a design oversight?
- Vomit IT - Chunky Mess Style over 5 years
  
  Let me know if you are truly looking for a logical answer or if this was just to scrutinize Microsoft and/or this tool their developers designed or whatever. I can draw a logical conclusion based on what detail MS provides for us to read, and some plain old common sense.
- Hashim Aziz over 5 years
  
  @PimpJuiceIT A logical inference from a mixture of MS documentation and technical knowledge is precisely what I'm looking for, and your answer fits the bill fine. Note that I've rolled back any edits you made to the question that diverged from the original question I was asking. If the question is closed then so be it, but I'd rather not drastically change the core of what I'm asking just to ensure it remains open. If it does get closed, then I'll make a Meta thread for it, as I've seen questions with a similar format and am convinced that according to the Help Center it's on-topic.
fixer1234 about 5 years

From user AlienDrew: That "gotcha" that Pimp Juice IT mentions only applies to versions lower than Windows Vista. If you read the article that Microsoft has on Cipher, you find that it was scheduled to have that 1kg file bug fixed in longhorn (Windows Vista's codename). So using cipher /w should be fine on Windows Vista, 7, and 10. (cont'd)
fixer1234 about 5 years

I downloaded the cipher.exe version that was included with Vista (6.0.6002.18005), and tested it on a drive of my own consisting of many 1kb and smaller test files. I can conclude that, indeed, the bug is no longer there.