I can't disable Deep Freeze

Status
Not open for further replies.
I installed Deep Freeze so that I could limit my little sister's account, but while doing that I also limited myself. The uninstall doesn't appear in the Control Panel, and when I install any hardware it says "you don't have the privilege". Please HELP!!!
 
I use DeepFreeze at work on my public use machines and there is one really important function that I think you missed. DeepFreeze affects entire partitions - you can't ignore plain folders through normal means. You could always thaw the machine while you're on it and freeze it when you're away, but the pain with that is the number of reboots you'll have to go through. You have to reboot to complete either a thaw or freeze. If you have a systray icon you should be able to Shift+double click to get the password box to perform these changes.
 
Deep Freeze In Deep Trouble

A black-hat computer programmer in Argentina with a grudge against Faronics, Emiliano Scavuzzo, has written a program to thaw Deep Freeze without knowing the password. It works on almost ALL versions of Deep Freeze, including the latest version, v5.60.120.1347, released Oct-20-2005 to supposedly thwart his program—it does not! You can use Deep Unfreezer to test for the vulnerability on your own machines:

(Disclaimer: this tutorial and information is provided as is, and is intended for network administrators currently using Deep Freeze on their networks, to provide them with up-to-date vulnerability information on the inherent security flaws in the Deep Freeze program. It is intended to be used for testing purposes only, and is not to be construed as a "hacking tutorial on how to hack Deep Freeze". Author is not responsible for abuse of this information. At the end of the article are a couple of tips on how to secure your machines running vulnerable Deep Freeze installations.)

Deep Freeze Unfreezer
http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html

Method 1:

To perform the test you must first grant yourself the "Debug Programs" privilege (revoked by Deep Freeze) by escalating to the Local System account using Task Scheduler from the command line (Start/run, cmd):

1) Type: at 11:23pm /interactive taskmgr.exe (add one or two minutes from the current time). [ENTER]
2) Once Task Manager launches, End Task explorer.exe
3) On the Task Manager menu, choose File / New Task (Run...), Type explorer.exe to launch the explorer shell under the System account which has Debug Privileges
4) Run Deep Unfreezer from the System account.

Or,

Method 2:

Use ntrights.exe from the Windows Server 2003 Resource Kit, a free download, http://tinyurl.com/6p6cy, to grant yourself the SeDebugPrivilege.
Syntax: ntrights -u Users +r SeDebugPrivilege
If you use ntrights, you must be the only user logged on, and you must log off and log on again before the privilege takes effect. [If desired, you can use showpriv.exe, also from the Resource Kit, to enumerate SeDebugPrivilege privileges for users and groups after logging off and logging on again to verify that the privilege has actually been granted to your account.]

Then run Deep Unfreezer, View Status, click on the Boot Thawed button, Save Status, and restart the machine. If the machine reboots in thawed mode, your version of Deep Freeze is vulnerable, and you should take measures to provide additional security on your machines.

Deep Freeze Evaluation versions are also vulnerable to this attack. Deep Freeze Evaluation versions can be taken off machines by an attacker by forwarding the system date past 60 days, which will expire Deep Freeze, causing the computer to restart in thawed mode and allowing Deep Freeze to be uninstalled. If you're using an evaluation version of Deep Freeze, here's how to perform this test:

Method 1:

1) Switch to the System account, as described above
2) Double-click the time in the system tray
3) Forward the date past 60 days
4) Restart in thawed mode
5) Use DeepFreezeSTDEval.exe to uninstall Deep Freeze. Deep Freeze is not uninstalled through Add/Remove Programs. It is uninstalled with the installation file, and ONLY with the installation file. Yes, the same file is used to install and uninstall. If you don't have it, download it here. It's a free download:

Deep Freeze Evaluation -Trial Version - v5.60.120.1347
http://www.faronics.com/exe/DeepFreezeSTDEval.exe

Or,

Method 2:

Use ntrights.exe from the Windows Server 2003 Resource Kit to grant yourself the SeSystemtimePrivilege.
Syntax: ntrights -u Users +r SeSystemtimePrivilege
You must log off and log on again for the new privilege to take effect.

A perpetrator can easily fit the required files on a thumb drive or even email them to himself:

deepunfreezer1.1.exe 96.0 KB
ntrights.exe 32.0 KB
showpriv.exe 32.0 KB
deepfreezestdeval.exe 2.46 MB

Special Note:

Faronics came out with v5.60.120.1347 on 10-20-2005 as a response to Deep Unfreezer. It proved to be an impotent move. Emiliano's response to the new version? "rename frzstate2k.exe to anything else. Then attach to DF5Serve.exe instead". Does that work? Yes, it does. Thus, the newest version of Deep Freeze, intended to thwart Deep Unfreezer, continues to be vulnerable.

Deep Freeze protects over four million computers world-wide and over one million Macs (yes, there's a Deep Freeze for Mac). And most of them are vulnerable to this attack (not sure about the Macs though). At this time Faronics does not have a fix, nor an immune version. If you are a network administrator in charge of maintaining a network of machines protected by Deep Freeze, please be advised of this situation and be prepared.

Faronics does not seem to be taking this seriously. They only made a token effort to thwart Deep Unfreezer in their latest version. Until they get serious about things, Deep Freeze is going to be melting away in the eyes of those who have grown to love and trust the program.

One of the main issues is the fact that so many computers these days allow Administrator status. Even a lot of internet cafes use Windows XP Home edition, with the user logged in as Administrator. The developers at Faronics are committed, however, to protecting the machine even from Administrators! The problem with that is, as you know, whatever is taken away from an Administrator, the Administrator can give back to herself. So if, for example, Deep Freeze removes DebugPrivileges, users can simply grant it back to themselves.

Another issue is their commitment to non-restrictive use. Their commitment with Deep Freeze is to protect the machine non-restrictively. That has worked... until now. I think they may be forced at this point to admit Administrator accounts can't be guaranteed protection any longer. Unless they can secure these issues, I don't see any other way.

A couple of things come to mind to protect against this: you could use Appsec.exe with Group Policy:

Microsoft Appsec.exe: Application Security Through Group Policy
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp

or, you could use another program from Faronics in conjunction with Deep Freeze, a program called Anti-executable.

Faronics Anti-Executable
http://www.faronics.com/html/AntiExec.asp

The above two options would prevent a perpetrator on your network from running Deep Unfreezer.

Another obvious option is to not allow Administrator status on machines any longer (this is an issue Windows Vista addresses: every Administrator will have two tokens, one for UAP and one for full rights). If you give users only regular, limited accounts, they won't be able to grant themselves the "Debug Programs" privilege.

The worry-free days of "freeze it and forget it" with Deep Freeze may be coming to an end. We'll see. Emiliano just released his second version of Deep Unfreezer, which disables the latest version of Deep Freeze, v5.60.120.1347. This latest version of Deep Freeze was intended to thwart Deep Unfreezer. It failed. Deep Unfreezer still worked, even before Emiliano updated it to specifically include Build 1347.

To learn the current version of Deep Freeze, visit this page:
http://www.faronics.com/html/support.asp

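An added check that is not part of the post above or of anything Faronics ships: a small POSIX shell audit over saved `whoami /priv` and `whoami /groups` output from a Deep Freeze machine. It reports whether the two privileges the post says Deep Freeze revokes (SeDebugPrivilege and SeSystemtimePrivilege) are still held, and whether the account is in BUILTIN\Administrators (SID S-1-5-32-544), because in that case the revocation is not a boundary: the account can grant the privilege back with ntrights or the Local Security Policy, which is the post's core point. The function names and the sample tool output are constructed for this example; `whoami.exe` is not on a stock XP install (the post's showpriv.exe is the equivalent there), so save its output from wherever you have it and point the script at the files.

```shell
#!/bin/sh
# Added example (not from the post): audit saved `whoami /priv` and
# `whoami /groups` output for the privileges Deep Freeze is said to revoke,
# and for Administrators membership, which makes such a revocation moot.
# Function names below are our own; the sample output is constructed.

ADMIN_SID='S-1-5-32-544'   # BUILTIN\Administrators, the same SID on every install

# priv_state NAME < priv.txt -> prints "held" or "absent".
# `whoami /priv` lists only privileges the token carries; the State column
# (Enabled/Disabled) does not matter here, a Disabled privilege can be enabled at will.
priv_state() {
    awk -v p="$1" '$1 == p { found = 1 } END { print (found ? "held" : "absent") }'
}

# is_admin < groups.txt -> exit 0 if the Administrators SID is present.
is_admin() {
    grep -q "$ADMIN_SID"
}

# verdict PRIV_FILE GROUPS_FILE -> one of:
#   admin-can-regrant : whatever Deep Freeze revoked, the account can give back
#   privilege-held    : revocation did not take (or was never applied)
#   revoked-nonadmin  : the revocation actually constrains this account
verdict() {
    dbg=$(priv_state SeDebugPrivilege < "$1")
    tm=$(priv_state SeSystemtimePrivilege < "$1")
    if is_admin < "$2"; then
        echo admin-can-regrant
    elif [ "$dbg" = held ] || [ "$tm" = held ]; then
        echo privilege-held
    else
        echo revoked-nonadmin
    fi
}

# make_samples DIR writes constructed whoami output for two accounts:
# an administrator with the two privileges removed, and a limited user.
make_samples() {
    cat > "$1/admin_priv.txt" <<'EOF'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeShutdownPrivilege           Shut down the system                 Disabled
SeUndockPrivilege             Remove computer from docking station Disabled
EOF
    cat > "$1/admin_groups.txt" <<'EOF'
GROUP INFORMATION
-----------------

Group Name             Type             SID          Attributes
====================== ================ ============ ==================================
Everyone               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
EOF
    cp "$1/admin_priv.txt" "$1/user_priv.txt"
    grep -v "$ADMIN_SID" "$1/admin_groups.txt" > "$1/user_groups.txt"
}

if [ "$#" -eq 2 ]; then          # usage: sh audit.sh priv.txt groups.txt
    verdict "$1" "$2"
fi
```

Run it against the two files from each account you care about; an `admin-can-regrant` verdict on a public machine is the situation the post describes, and the fix is the post's own last suggestion (limited accounts), not another privilege tweak.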
 
I hope to be helpful with these answers

1. Press the Shift key and double-click the Deep Freeze icon on the task bar. You will be asked for your password; after this you will be able to disable Deep Freeze by selecting "boot thawed". Restart and that's all.

2. If you forgot your password you can uninstall deep freeze by running the same installer exe you've used.

good luck
 
Frozen Mode

When Deep Freeze is in frozen mode you cannot use the installation file to uninstall it. The machine must be in thawed mode to uninstall.
 
thawing deep freeze

1. install deep freeze on a test system (and remember the password this time)
2. unfreeze the test system
3. boot the test system to a non-win os like knoppix
4. mount the test system's unfrozen partition
5. copy Persi0.sys from the root of the unfrozen partition
6. boot the target computer to knoppix
7. replace Persi0.sys on the target's frozen partition
8. reboot the target (should come up unfrozen)
9. use the deep freeze installer to uninstall before you accidentally freeze it again
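As an added example of the live-CD steps 4 to 8 above (our script, not the poster's or Faronics'), a POSIX shell helper that does the file swap with a backup and a hash check, so a wrong or incomplete copy is caught before anyone reboots the target. It assumes the target partition is already mounted read-write at a path you pass in (for example `mount -t ntfs-3g /dev/sda1 /mnt/target` on an Ubuntu live CD, as a later reply in this thread does), that the file is `Persi0.sys` in the partition root as the post states, and that the helper names are ours. It does not interpret the file's contents; whether a copy from one Deep Freeze build thaws another is what the thread reports, not something this script can check.

```shell
#!/bin/sh
# Added example (not from the post or Faronics): swap a frozen partition's
# Persi0.sys for the copy taken from a thawed test system, keeping a backup
# and verifying the write. Assumes the NTFS partition is already mounted rw.
# Helper names are our own.

PERSI_NAME='Persi0.sys'   # file name as given in the post; sits in the partition root

sha() { sha256sum "$1" | cut -d' ' -f1; }

# swap_persi THAWED_COPY MOUNTPOINT BACKUP_DIR
# Exit codes: 0 swapped and verified, 1 bad arguments / not mounted rw,
#             2 source and target already identical (nothing to do),
#             3 verification failed (backup is intact, target left as written)
swap_persi() {
    src=$1; mnt=$2; bak=$3
    target="$mnt/$PERSI_NAME"
    [ -f "$src" ] && [ -f "$target" ] && [ -d "$bak" ] || { echo "missing source, target or backup dir" >&2; return 1; }
    [ -w "$mnt" ] || { echo "$mnt is not writable; remount rw first" >&2; return 1; }

    src_sum=$(sha "$src"); old_sum=$(sha "$target")
    if [ "$src_sum" = "$old_sum" ]; then
        echo "target already matches source ($src_sum); nothing to do" >&2
        return 2
    fi

    stamp=$(date +%Y%m%d-%H%M%S)
    cp -p "$target" "$bak/$PERSI_NAME.$stamp.bak"   # keep the frozen original
    cp "$src" "$target"
    sync                                             # flush before the reboot

    if [ "$(sha "$target")" != "$src_sum" ]; then
        echo "verification failed: $target does not match $src" >&2
        return 3
    fi
    echo "replaced $target (was $old_sum, now $src_sum); backup in $bak"
}

# restore_persi MOUNTPOINT BACKUP_DIR: put the newest backup back if the
# target does not come up the way you hoped.
restore_persi() {
    newest=$(ls -1 "$2"/"$PERSI_NAME".*.bak 2>/dev/null | sort | tail -n 1)
    [ -n "$newest" ] || { echo "no backup found in $2" >&2; return 1; }
    cp "$newest" "$1/$PERSI_NAME" && sync
}

if [ "$#" -eq 3 ]; then   # usage: sh swap_persi.sh /media/usb/Persi0.sys /mnt/target /media/usb/backup
    swap_persi "$1" "$2" "$3"
fi
```

Keep the backup directory on the thumb drive rather than on the frozen partition, so the original survives whatever the next boot does to that volume.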
 
Deep Freeze

Linux-Newb said:
I installed Deep Freeze so that I could limit my little sister's account, but while doing that I also limited myself. The uninstall doesn't appear in the Control Panel, and when I install any hardware it says "you don't have the privilege". Please HELP!!!
I've just deleted the Faronics folder, so I can't disable Deep Freeze. I want to uninstall Deep Freeze. Can you help me? Thank you!
 
worked for me

I know this is an old post but it worked for me :) I followed the steps by user553sel using an Ubuntu live CD to change the Persi0.sys around. I used a trial version of Deep Freeze 6.3 to thaw a 6.0 version. You have to mount the NTFS partition in Ubuntu, and it takes root privileges to write to it. If you have a question about how to do that, just Google it and you should be able to figure it out pretty easily. It took me some command-line stuff to get it working. You can use a flash drive or even your email account to back up the file.
 