Returnil

Discussion in 'sandboxing & virtualization' started by biatche, May 14, 2007.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Confused me, from where comes your E partition?
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    What happens if you install Returnil on C:?
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    That would be an interesting experiment. Perhaps the programmer made some implicit assumptions in implementation that, in your somewhat unusual configuration, are simply not correct..., just a thought.

    Blue
     
  4. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I don't think Diskpart will tell you the windows Device numbers. Where have you seen that? To see device number - drive associations, download Windows Object Explorer (WinObjEx.zip) from http://www.freewebs.com/four-f/ , run winobjex.exe, and use the magnifying glass button to search for "\GLOBAL??\C:". You will see the assigned device number in this tool.
     
  5. dartsmaster

    dartsmaster Registered Member

    Joined:
    Jan 16, 2005
    Posts:
    5
    Location:
    England
    Thanks for all the comments.
    Sorry, I assumed the Diskpart info corresponded with the Device number. I have downloaded and run WOE as hojtsy suggested and it shows:

    C:\Device\Harddisk\Volume14
    E:\Device\Harddisk\Volume13
    F:\Device\Harddisk\Volume12
    G:\Device\Harddisk\Volume11
    H:\Device\Harddisk\Volume10
    I:\Device\Harddisk\Volume9
    J:\Device\Harddisk\Volume8
    K:\Device\Harddisk\Volume7
    L:\Device\Harddisk\Volume6
    M:\Device\Harddisk\Volume5
    N:\Device\Harddisk\Volume4
    O:\Device\Harddisk\Volume3
    P:\Device\Harddisk\Volume2
    Q:\Device\Harddisk\Volume1
    R:\Device\Harddisk\Volume15 (Pagefile)
    S:\Device\Harddisk\Volume16
    T:\Device\Harddisk\Volume17
    U:\Device\Harddisk\Volume18

    which explains why Returnil is protecting the Q partition. It would seem that the volume numbers have been allocated in reverse order on the first hard disk. Can this be corrected? o_O
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    NOD32 wasn't one of them. I tried it with KAV 7.0 and Fprot. I have no doubt NOD32 would have also done the trick.
     
  7. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Be careful: there is no backslash in HarddiskVolume1. It is incorrect to write Harddisk\Volume1.
    I have no idea how to change device number assignments. Anyway, it's Returnil that needs to be fixed to protect the real system partition, which is not always \Device\HarddiskVolume1. It is easy to find out the device number of the system partition from the registry location HKLM\System\Setup\SystemPartition.
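
Added example, not part of the thread and not Returnil's code: a check for the condition described above, where the system drive does not sit on \Device\HarddiskVolume1. `normalize`, `query_dos_devices`, `audit` and `SAMPLE` are names made up for this sketch; the sample rows are constructed from the listing posted earlier, and the live path assumes Windows (QueryDosDeviceW via ctypes).

```python
import os
import re
import string

ASSUMED = r"\Device\HarddiskVolume1"  # device the thread reports as protected
_VOL = re.compile(r"\\Device\\HarddiskVolume(\d+)", re.IGNORECASE)

def normalize(device):
    """Canonical NT device name; rejects forms such as Harddisk\\Volume1."""
    m = _VOL.fullmatch(device.strip())
    if not m:
        raise ValueError("not a HarddiskVolume device: %r" % device)
    return r"\Device\HarddiskVolume" + str(int(m.group(1)))

def query_dos_devices():
    """Windows only: map 'C:' style names to NT device names."""
    import ctypes
    buf = ctypes.create_unicode_buffer(1024)
    mapping = {}
    for letter in string.ascii_uppercase:
        drive = letter + ":"
        # Returns 0 when the drive letter is not assigned.
        if ctypes.windll.kernel32.QueryDosDeviceW(drive, buf, len(buf)):
            mapping[drive] = buf.value  # first string of the multi-string
    return mapping

def audit(mapping, system_drive):
    """Return (ok, system_device, letters_on_assumed_device)."""
    system_device = normalize(mapping[system_drive.upper()])
    on_assumed = sorted(d for d, dev in mapping.items()
                        if dev.lower() == ASSUMED.lower())
    return system_device == ASSUMED, system_device, on_assumed

# Constructed sample: four rows from the listing in the thread, written in
# the corrected form (no backslash inside HarddiskVolumeN).
SAMPLE = {
    "C:": r"\Device\HarddiskVolume14",
    "E:": r"\Device\HarddiskVolume13",
    "Q:": r"\Device\HarddiskVolume1",
    "R:": r"\Device\HarddiskVolume15",
}

if __name__ == "__main__":
    live = os.name == "nt"
    mapping = query_dos_devices() if live else SAMPLE
    drive = os.environ.get("SystemDrive", "C:") if live else "C:"
    ok, dev, letters = audit(mapping, drive)
    print("%s -> %s" % (drive, dev))
    print("OK" if ok else "MISMATCH: %s holds %s" % (ASSUMED, letters))
```

On the sample data the check reports a mismatch: C: is on HarddiskVolume14 while HarddiskVolume1 holds Q:.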
     
  8. dartsmaster

    dartsmaster Registered Member

    Joined:
    Jan 16, 2005
    Posts:
    5
    Location:
    England
    Yes, sorry. My typo error. :rolleyes:

    I have to agree it would be better for Returnil to recognise the true system partition regardless of the volume number. Perhaps this could be implemented in a future release? I really like the idea behind the program and it's a great pity I cannot use it on my system at the moment. It's worrying that there are probably many people around the world using Returnil to protect their C partition when in fact it's protecting another partition entirely. :'(
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Are you saying that you have now installed it on C: and it still doesn't work?
     
  10. dartsmaster

    dartsmaster Registered Member

    Joined:
    Jan 16, 2005
    Posts:
    5
    Location:
    England
    Yes, it still protects the Q partition regardless of where it's installed.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Downloaded the latest Icesword and ran it with Returnil mode on.

    Instant bsod.

    Rebooted and reran Icesword with Returnil mode off and no probs.

    Can anyone confirm?

    Vista install.

    Not a great prob as I will just run Icesword out of virtual mode.

    Icesword download link
     
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    Just to let you know that we are aware of the reports and that we are investigating. I will report back as soon as I have discussed this in-depth with the lead Dev.

    Mike
     
  13. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello dartsmaster and hojtsy,
    Please reply with a screenshot of the Data information for the following registry keys:

    1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

    SystemBootDevice

    2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RVSystem

    Parameters

    This will help the dev team to see what is happening and to formulate a solution for this issue.

    Thanks
    Mike
     
  14. whoman

    whoman Registered Member

    Joined:
    Nov 15, 2006
    Posts:
    13
    Coldmoon,
    I have been trying Returnil both for security and privacy concerns, and it seems to be working flawlessly.
    I am confused by one thing!
    If all changes to my system partition occur in memory (RAM) and not to disk, where is the 650mb file I download to my system partition stored? I have 500mb RAM, separate data partition, no VP.
    Task Manager showed RAM and pagefile usage barely changing. Also, is the actual (original) pagefile used?
    Thanks - trying to understand this great software
     
  15. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Been thinking about any hidden advantages to using Returnil, besides the obvious ones.
    Maybe I am completely off track but would this program be capable of defeating at least some keyloggers? I was thinking that a keylogging program must keep its logs somewhere on the system drive before sending the info out somewhere. If Returnil is cloning the system drive in RAM, then is this info (such as online banking passwords etc) safer from the keylogger calling home?
    Not understanding much about keyloggers, maybe it is just wishful thinking!

    Ken
     
  16. dartsmaster

    dartsmaster Registered Member

    Joined:
    Jan 16, 2005
    Posts:
    5
    Location:
    England
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    "SystemBootDevice"="multi(0)disk(0)rdisk(0)partition(1)"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RVSYSTEM]
    :eek:
     
  17. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I have just the same as dartsmaster

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    "SystemBootDevice"="multi(0)disk(0)rdisk(0)partition(1)"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RVSYSTEM]
     
  18. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    178
    Coldmoon, thanks very much for this superb application. It is great. And thanks also for all the help you offer on this forum.

    I do have a question, though. Have read all this thread. Still do not understand where the files and folders go when they are bigger than the available RAM.

    An actual example. I ran Kaspersky's online scan in Sandboxie. . .no matter why, it is complicated. Wound up with a huge sandbox folder, over 5 gig. More than 50,000 files. I have 2 gig RAM. If Returnil's protection had been on, where would the "overflow" have been stored?

    Thanks in advance. :)
     
  19. whoman

    whoman Registered Member

    Joined:
    Nov 15, 2006
    Posts:
    13
    Coldmoon,

    I too wait with much interest on this file "overflow" question. I think this is an important question regarding how returnil might handle sensitive data or leave traces of it on our hard drive. Also how does it work in conjunction with programs such as Truecrypt and pagefile encryption programs? Could the data be compromised or somehow stored elsewhere on the disk?

    Thanks again
     
    Last edited: Jul 16, 2007
  20. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Running all 3 with no problems with Returnil ON ! :D XPproS2 fully patched.
     


  21. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    A great piece of software. The more I test it, the more I like it.

    But although I read all the posts, I do not think that one question is properly answered.
    How is it possible to clone the entire system partition in memory?
    Although I agree that it is not needed to copy everything in memory for functioning properly, the above statement does not convince me.

    I booted with system protection on and then added, in the system partition, video files that occupied more than 30 GB new space. And I only have 2GB of RAM.

    From what I can understand, Returnil uses a system similar to EAZ-FIX or DeepFreeze to virtualize the partition. The data resides in the partition and not in RAM. Returnil drivers redirect the new or modified files on the free sectors of the partition and eliminate the changes when the Windows session ends and the PC is rebooted.

    I also saw that with the protection on, chkdsk reports unknown errors just like it happens when I use RollBack RX.

    Did I miss something here? o_O
     
  22. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Re chkdsk:

    Suggest you turn Returnil off and then run chkdsk with fix.

    Originally I had errors which I had locked with Returnil - now fixed.

    CHKDSK has been notoriously unstable with XP. Even now the command prompt chkdsk still reports "free space marked as allocated". Last time I checked, MS acknowledged this issue, saying it wasn't important but to do with the way NTFS works.

    If you fix from the Windows CHKDSK it should be ok.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the Icesword - Returnil test, Long View, and I had the same results with XP Pro SP2, with no probs running both.

    Will try with the Vista Ultimate drive when I hook it up again a bit later.
     
  24. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I do see your point. I guess asking for the answer in simple layman's terms is tough; however, I think you may be relating the size of RAM with the size of the actual files in the wrong way. I mean, look at MOJO pack for example. Something about stuff being virtual makes things more quantum lol.
     
  25. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    How about creating a pro edition which allows configuration of multiple protected partitions? I would be willing to pay a licence fee for it...
     