In association with heise online

11 January 2013, 15:16

Linux and Windows 8: Fast Startup puts data at risk

by Thorsten Leemhuis

The new Fast Startup feature of Windows 8 puts the filesystem's integrity at risk if other operating systems are used to write to Windows partitions. Data loss is particularly likely with dual-boot configurations that involve Linux and Windows 8.

To avoid data loss and filesystem inconsistencies, users who run Windows 8 and Linux on the same computer should disable the Fast Startup feature that was introduced with Windows 8 and is active by default. The Fast Startup feature creates an issue because it doesn't shut Windows 8 down completely but switches it to a special hibernation state instead – although it looks like it has been freshly booted when switched back on because all applications have been closed. However, for the Fast Startup feature's hibernation state, Windows 8 will store Windows session information – such as the cache with the current filesystem state of any mounted FAT and NTFS partitions – in a memory image that is restored during Fast Startup.

This can easily cause data loss when other operating systems are used to write to these partitions: after waking up, the supposedly powered-down, but actually hibernating, Windows will resume operation with now obsolete data and filesystem information. The risk exists not only when Linux is installed on disk in parallel, it also arises with any other type of access – such as that from the Windows-7-based Windows PE 3.0 or from recovery systems that are booted from a CD or USB flash drive.

In tests, the problem was easily reproduced by shutting down a freshly installed Windows 8 system from the menu and then creating a few files on the Windows partitions from within a Linux distribution. After a subsequent system start, the new files did not appear in Windows. After unmounting and remounting the test partitions, and after rebooting Windows using the Windows restart feature, the files became visible but were often unreadable or corrupted. Edited files were also often damaged. Although Windows managed to repair the test system's filesystems, it took over an hour to fix an NTFS partition of 1.5TB, and some of the files that were created or modified under Linux were lost in the process.

These problems are not new. In Windows 7 and older Windows versions similar issues exist but with Windows 8's Fast Startup it is more likely to happen as more people hibernate their systems without realising that is what they are doing. Its also a potential problem when people use Suspend-to-Disk on one Linux and then boot a different Linux when coming out of hibernation, but this situation is less likely to occur in regular use.


The developers of the ntfs-3g FUSE filesystem driver that is used in most Linux distributions have known about this issue since mid-September 2012. At that time, they integrated two modifications into the driver's main development branch; the changes cause NTFS partitions to only be mountable as read-only if the driver detects a Windows system with active Fast Startup. It does that by checking a version ID in the NTFS disk's metadata (1, 2).

Zoom NTFS partitions that are being used by a Windows system in Fast Startup hibernation will at best be mounted as read-only by the ntfs-3g driver.

However, no new version of the ntfs-3g driver that includes these changes has yet been released; the current version of ntfs-3g is almost a year old. The ntfs-3g developers did, however, inform the Fedora developers, who accepted the two modifications and integrated them into a driver update for Fedora 17.

Debian, openSUSE and Ubuntu, as well as most other Linux distributions, have not yet been updated to provide this protection and the kernel's FAT driver does not detect whether a partition is being used by a Windows system that has Fast Startup enabled. Therefore, users who dual-boot Linux on a Windows 8 PC should always consider taking precautions. The unpatched ntfs-3g driver does warn users if it detects a Hibernate file in the Windows system partition; however, it cannot detect if a system has Fast Startup enabled with other partitions.

Klaus Knopper told us that Knoppix 7.05 already includes the Fast Startup patches in the ntfs-3g driver. It also apparently gives users the option to mount the partitions writable and in doing so removes the Windows Hibernate file so that Windows will perform a complete reboot at the next startup.

Next: Prevention

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit