Another interesting thing: In W2012 the searching (search-ms WITHIN SYSTEM folders actually GIVES results (indexed or manually found)... In W8 it doesn't (even when system folders are set for searching and system drive added to index)...
It's absolutely certain that it does not rely on any registry key. The check is hardcoded in format.com. So..why don't you just patch format.com? Load it with IDA, locate references to error string, examine code to find the check and patch the control statement.
Maybe not everyone is a pro in IDA. I also would like to do some things I have in mind but the knowledge for those actions is missing. Good Tutorials are pretty rare.
Yup why not fire it up in a debugger if possible and have a look, still dont make no sense put some breakpoints.
PM me a link to format.com and I'll patch it for you guys, if someone is willing to test it, as I have no spare drives currently and no 8.1 installation to test myself.
Here you have it (both x64 and x32), but maybe another files will be needed as well: ...removed... Size: 27,6 kB MD5: a34a2ab77fb19db1fa95a19ebffb9406 *Format.rar
The error string is not in the executable. But I found the call to the QueryDataRedundancyCount API: Code: call ds:__imp_?QueryDataRedundancyCount@DP_DRIVE@@UAEJPAK0@Z ; DP_DRIVE::QueryDataRedundancyCount(ulong *,ulong *) cmp dword ptr [esp+778h+var_680], ebx ja short loc_405F3C So I've patched the jump above(ja) op to a plain jump(jmp) so if this is what controls it, it will bypass it. If this patch doesn't work then this needs further analysis. It links to 2 related libraries: ifsutil.dll (this is where the QueryDataRedundancyCount API is imported from) and ulib.dll from which it imports a bunch of file system related APIs (I believe the actual formatting happens through APIs in this library). The majority of those APIs are undocumented. So if this patch doesn't work, I need these 2 libraries (versions that come along with this format.com). dl. dropboxusercontent .com /u /64810339/Format_Nodens_patched_ReFS.7z Let me know if it works. (spaces in link cause I can't post links..)
So did anyone test the patched format.com yet? I see a thanks on my post, does that mean it's working?
Hello and sorry for delay, it was busy week... ...unfortunately it still doesn't work. I will send you another two dlls, what you have mentioned.
LOL, that was simple. Code: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT] "AllowRefsFormatOverNonmirrorVolume"=dword:00000001
Ran uReFS.dll through a disassembler and checked what registry values it reads/writes. This was the first hit and with a sensible name to boot, so not much work.
I consider this topic solved... Request for moderators or admins: Please change topic name to solved, thanks...
Lol khagaroth it did not occur to me to check for registry keys because someone claimed they already did. Heh. You saved me quite some time I'd waste checking those libraries. @moderate: It sounds like an incompatible library. I suggest running one of those games under dependency walker and check library versions on both cases. See which one is different and pack it along. There should be no other difference.