Amaroq_Starwind #1 Posted December 18, 2018

So, Transactional NTFS seems like an extremely helpful feature, as it can prevent damage to the filesystem and files on it in the event something goes wrong, such as multiple programs trying to edit the same file, unexpected power loss, etc.

https://docs.microsoft.com/en-us/windows/desktop/fileio/transactional-ntfs-portal

But in classic Microsoft fashion, they're considering deprecating the Transactional NTFS API because nobody is using it. Which is stupid, because if they decide to deprecate it, then nobody is going to want to use it... And yet the need for the features in Transactional NTFS is actually quite prevalent in a number of real-world scenarios, and I feel like the only way to get Microsoft to not deprecate it is for people to actually start using it. If more people were to actually try to use Transactional NTFS, then others might want to follow the example, and more, and more. I do not wish to see Transactional Filesystems go the way of WinFS (I still mourn for you, Windows Future Storage), and I will be deeply saddened if it does.

Not only could Microsoft's own products probably try to make better use of TxF, but I feel like maybe Anti-Malware solutions could make better use of it too. For example, if Malwarebytes were to implement Transactional NTFS support, it could probably be helpful for remediation purposes, not to mention they could mention in a blogpost (or even in advertisements) that MB3 would officially support Transactional Filesystems, and other Anti-Malware vendors might even take notice.

Does anyone here want to help spread the word regarding Transactional NTFS, try to work support for it into your programs, and/or discuss ways existing software could be updated to utilize it (for example, in what ways might AV software make use of it)?

And because it's directly related, what are your thoughts about WinFS? Would an open-source, cross-platform spiritual successor be viable, and how would you try to make use of it? As WinFS isn't actually a filesystem, but instead an operating system component that operates on metadata, I think it could potentially be supported on (and perhaps be greatly beneficial to) a wide range of systems.

Further Reading:
https://en.wikipedia.org/wiki/WinFS
https://en.wikipedia.org/wiki/Transactional_NTFS
https://en.wikipedia.org/wiki/Transaction-Safe_FAT_File_System

Seriously, give me your thoughts! (By the way, Wikipedia lies about WinFS being reincarnated as part of ReFS, which doesn't even support TxF.)

Amaroq_Starwind #2 Posted December 18, 2018

Still trying to think of ways that Malwarebytes could hypothetically make use of TxF besides basic data loss prevention during remediation steps... Drawing up blanks at the moment though.

exile360 #3 Posted December 18, 2018

Malwarebytes is actually really careful about how it handles deleting files off disk. It always creates a backup first in quarantine, then 'breaks' the file before reboot to prevent it from running again on system start to ensure it can't try to protect itself, then deletes it using a script and a very serious driver that loads very early in the boot process to obliterate the file from disk.

With that said, were such a file to get 'broken'/corrupted somehow by some other program trying to access it at the same time, that wouldn't do any harm because (A) it's malware and you don't want it intact anyway and (B) there's already a copy created in quarantine in case it's an FP so that it may be restored if needed.

If there was some other purpose for this API that you had in mind then let us know, but if it's just to keep detected threats from being corrupted somehow then that's a non-issue due to how Malwarebytes handles its detections (always creating an encrypted copy in quarantine first before making any attempt to remove the file).

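The ordering described in post #3 (copy to quarantine first, remove only afterwards, restore available for a false positive), as an added sketch that is not Malwarebytes' code and not part of the original thread. The XOR step is a constructed stand-in for the encryption the post mentions, and the function names and on-disk layout are assumptions.

```python
import hashlib
import json
import os
from pathlib import Path

KEY = b"constructed-demo-key"  # stand-in only; a real product would use real encryption


def _xor(data: bytes) -> bytes:
    # Placeholder for encryption: the stored copy is not runnable as-is.
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def quarantine(target: Path, qdir: Path) -> Path:
    """Back up first, verify the backup, and only then remove the original."""
    data = target.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    qdir.mkdir(parents=True, exist_ok=True)
    blob = qdir / (digest + ".q")
    meta = qdir / (digest + ".json")
    blob.write_bytes(_xor(data))
    meta.write_text(json.dumps({"path": str(target), "sha256": digest}))
    # Re-read the stored copy: removal is allowed only if it round-trips.
    if hashlib.sha256(_xor(blob.read_bytes())).hexdigest() != digest:
        blob.unlink()
        meta.unlink()
        raise OSError("quarantine copy failed verification; original left intact")
    target.unlink()
    return meta


def restore(meta: Path) -> Path:
    """False-positive path: put the file back, refusing a damaged copy."""
    info = json.loads(meta.read_text())
    blob = meta.with_suffix(".q")
    data = _xor(blob.read_bytes())
    if hashlib.sha256(data).hexdigest() != info["sha256"]:
        raise OSError("quarantined copy is corrupt; not restoring")
    dest = Path(info["path"])
    tmp = dest.with_name(dest.name + ".restoring")
    tmp.write_bytes(data)
    os.replace(tmp, dest)  # rename into place so dest is never left half-written
    blob.unlink()
    meta.unlink()
    return dest
```
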
Amaroq_Starwind #4 Posted December 19, 2018

I mean when doing things like trying to restore a maliciously altered file to its original state, trying to correct issues with the registry, having a fallback in the event of false positives, verifying updated components during installation, updating logs, sanitizing and/or immunizing files, etc. If I do come up with something more immediately useful however, I'll make a note of it, but somebody else might figure out that use before I do.

Malwarebytes was just one of many examples though, and there are lots of other things that could probably benefit from using TxF. As I said before, Microsoft Office is an example of a program that would hugely benefit from TxF, and the same with any program that stores settings in either an INI file or an XML file.

exile360 #5 Posted December 19, 2018

Malwarebytes doesn't really do most of those things, and at least in the paid version it protects its own files and data via the self-protection driver so no outside processes would be able to touch them (and the same goes for anything in quarantine).

exile360 #6 Posted December 19, 2018

Malwarebytes also always creates backups of the registry hives when making modifications, just like with files and everything else it deals with. It also stores a full set of default configuration files and databases in a backup folder in case something goes wrong with the software like a bad update etc., so such measures are already in place, just using more traditional methods.

Amaroq_Starwind #7 Posted December 20, 2018

I just really hate seeing things like TxF and WinFS fizzle out and die. It is honestly depressing to see that much work go into something, and then it either gets completely unused (in the case of TxF) or outright cancelled (WinFS), often because it was ahead of its time in some fashion. I don't want TxF to go the way of WinFS, and that's why I want to see more things use it even if it would be seemingly redundant.

exile360 #8 Posted December 20, 2018

I hated seeing most of the new GUI stuff MS had planned/implemented in early Longhorn builds when Vista finally arrived and to see straight up regression in 8/8.1/10 to something that looks more archaic than Windows XP, but it happens unfortunately.

Amaroq_Starwind #9 Posted December 20, 2018

Can you think of any ways you'd make use of TxF, if you were a software developer?

exile360 #10 Posted December 21, 2018

Not really, but that's probably because I'm not a software developer. The closest thing I've ever done to writing code is to compose my own batch files to make various tools/tweaks/automated fixes etc., but that's about it, nothing too deep.