I've gone through quite a lengthy process of removing some malware - seen here http://www.bleepingcomputer.com/forums/topic446369.html - from a machine I've been tasked with working on for someone, and it's come to my attention that there is a sneaky little partition floating on this machine.
I've come to find out there is a 'Host Protected Area' aka 'Hidden Partition Area' - HPA - which wasn't hidden when Windows was installed, and I doubt the end user knows anything about it other than they may have noticed the hard drive shrink by 4.74 GB/4.41 GiB, but they probably didn't. Anyway, the person on the virus forum told me this isn't a virus infection, but I'm afraid it is, since it very well could be quite a complex and sneaky rootkit hiding on this HPA.
If I reformat this machine and re-install Windows, this HPA is going to remain untouched and if it still has an infection of some sort, everything done in the other forum was for naught.
I tried using HDAT2 to remove this HPA, but I wasn't successful. Upon reboot it is back. I am going to read up on hdparm once I get my LILO booting using UUIDs, so that I can plug this IDE-based drive into my computer running an OS from a SATA drive, which is on channel 2 while the ATA is seen as channel 0. Not sure where channel 1 went, possibly off to a singles bar? ... wow, I should be a comedian.
I'm not sure why HDAT2 didn't work. It seemed to me it was the de facto tool for this job. Here is exactly what I did.
You can see the drive capacity as 35.28 GB. There is an exclamation point next to it, and at the bottom you can also see that the HPA_IS_ACTIVE flag is set - I believe this is an HDAT2 term and refers to the Host Protected Area being set with a MAX ADDRESS smaller than the native drive size MAX ADDRESS. Press 'Enter' to get the 'Main Menu'.
HDAT2's 'Main Menu' with 'HPA Menu' highlighted
HDAT2's 'HPA Menu' with 'SET MAX ADDRESS AT command menu' selected. Again this shows that the drive has HPA enabled, which isn't done by a flag but instead from the user address space not matching the native address space.
Here is the meat of the 'SET MAX ADDRESS command menu'. You can see that there is a 4.74 GB or 4.41 GiB (as reported by Windows) difference. To fix this you use the SET MAX ADDRESS AT command through this utility, or something similar.
I hit the S key at the previous window and I was prompted to make sure. Hit 'Y' key to run AT command SET MAX ADDRESS.
I am informed that I need a power-on or HW reset to issue the command a second time for success. I pulled the power plug from the drive and plugged it back in and went back to the main screen in IMG293.
I repeated the steps in IMG293-IMG298 and I was told the command was completed successfully.
I am back at the 'Main Screen' and it shows that the drive is now 40.02 GB or 37.27 GiB as Windows would report, which happens to be the size of the Windows partition, as reported by Windows and ListParts.exe.
Just verifying in the 'HPA Menu' that HPA is disabled.
Here in the 'SET MAX ADDRESS AT command menu' you can see that the drive is no longer seeing a difference. However, upon reset I find that there is still an issue since if I go into HDAT2 again I have to do it all over again. If I boot into Windows I am able to see that the drive is still only detected as 33 GiB using ListParts.exe or Windows Explorer.
This system is running Windows XP.
Edited by WrinkledCheese, 24 April 2012 - 11:46 AM.
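As an added example (not from the post above, and not HDAT2's or hdparm's own code), here is a small shell check that detects an HPA the same way HDAT2's 'HPA Menu' does: not from a flag, but from the user-visible max address being smaller than the native max address. It parses the one-line summary that `hdparm -N /dev/sdX` prints, assumes 512-byte sectors, and the sample outputs are constructed to mirror the 4.74 GB / 4.41 GiB gap on a 40.02 GB drive.

```shell
#!/bin/sh
# Added example: report a Host Protected Area from `hdparm -N` output.
# Assumption: 512-byte sectors and the usual hdparm summary format
#   " max sectors   = <user>/<native>, HPA is enabled|disabled".

# Constructed sample output (not captured from the poster's drive).
SAMPLE_HPA='/dev/sda:
 max sectors   = 68916912/78165360, HPA is enabled'
SAMPLE_CLEAN='/dev/sda:
 max sectors   = 78165360/78165360, HPA is disabled'

# hpa_report "<hdparm -N output>"
# Prints "NO_HPA" when user == native, otherwise
# "HPA <hidden_sectors> <hidden_GB> <hidden_GiB>".
# Returns 1 when the text could not be parsed.
hpa_report() {
    line=$(printf '%s\n' "$1" | grep 'max sectors' || true)
    user=$(printf '%s\n' "$line" | sed -n 's/.*= *\([0-9][0-9]*\)\/.*/\1/p')
    native=$(printf '%s\n' "$line" | sed -n 's/.*\/\([0-9][0-9]*\).*/\1/p')
    [ -n "$user" ] && [ -n "$native" ] || return 1
    if [ "$user" -eq "$native" ]; then
        echo "NO_HPA"
        return 0
    fi
    hidden=$((native - user))
    # Show decimal GB (vendor/HDAT2 style) next to GiB (Windows style);
    # that is why the same gap reads 4.74 GB in one tool and 4.41 GiB in another.
    awk -v s="$hidden" 'BEGIN { b = s * 512;
        printf "HPA %d %.2f %.2f\n", s, b / 1e9, b / 1073741824 }'
}

# An HPA that a tool removed can come back after a power cycle, so the
# useful check is to run this before and after a reboot and compare.
hpa_report "$SAMPLE_HPA"
hpa_report "$SAMPLE_CLEAN"
```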