It seems unlikely. But if it's a really bad virus, then it most likely can since windows still sees the drive.

I don't know about the latest viruses, but it could get a unassigned drive if it was designed at least a little bit to do that.

Just have secondary user accounts that are set to Limited.
Have your primary Admin user account password protected, then they can't really harm the system as they won't have access to system-wide changes, and also most malicious crap can't really get into the system when running under a limited user account.

If you want to do a dual drive/OS setup, then what I would recommend for this is having OS installed to two separate drives. Then set your BIOS to boot to the OS Drive for your guest users by default. Within their OS drive, disable any extra drives (along with your OS drive) u have connected so they can't see or have access to them. Then when u want to boot to your OS drive for your personal usage, simply use the BIOS Boot Options Hotkey to switch to your bootable OS drive on bootup.

Originally posted by Bad-Motha:

Just have secondary user accounts that are set to Limited.
Have your primary Admin user account password protected, then they can't really harm the system as they won't have access to system-wide changes, and also most malicious crap can't really get into the system when running under a limited user account.

If you want to do a dual drive/OS setup, then what I would recommend for this is having OS installed to two separate drives. Then set your BIOS to boot to the OS Drive for your guest users by default. Within their OS drive, disable any extra drives (along with your OS drive) u have connected so they can't see or have access to them. Then when u want to boot to your OS drive for your personal usage, simply use the BIOS Boot Options Hotkey to switch to your bootable OS drive on bootup.

I think I like that second option the most. My concerns aren't exclusively about viruses, so I was going to go with a dual drive anyway simply because that makes it significantly harder for any user to screw things up if they don't have access to the main account.

But I hadn't thought to have it in anything other than a dual boot setup. With my computer, it would be pretty easy to do it that way because my mobo allows me to simply select a device to boot from on only the next boot.

This virus thing was just the last detail I wanted to iron out. If they exist and can circumvent a decent A/V program, then I would have wanted to completely isolate the two drives.

Netcafes use Cloning/Ghosting software upon restart, to restore the OS image to the same point each time so any changes the user/virus has made no longer affects it The OS image itself is write protected.

You might wish to write protect the entire drive, if it's a bootable OS however, then you probably want to first disable the Windows Page File, etc, which adjust / get writen to during usage, instead having the changes based into memory only. They can still read off the drive, just not write anything new onto it or modify.

Another option is using a Sandbox or Virtual Machine software - networked and shared with outside sources. The Sandbox or VM will self contain, so both the visitor and yourself can place into it, modify, etc, but can't affect outside to your real system. Afterwards if it's a VM with OS Image, it can be reset to default image or destoryed and recreated. People are known to even release and play with viruses and malicous code inside this zone just to see what it will do, as far as the software can tell it's a full system to infect/destory and isn't aware of it's outside surroundings. However note with it being networked, make it only one direction firewalled so it can escape out.

I highly recommend using an application control software, even if it's Kaspersky Internet Security. So if any modification do get out, they will be detected, you will be notified and can confirm or deny them.

U can't really go messing around with OS files and write-protect the OS files or kernal.
For the most they usually already are, with the exception of Admin level access. Most viruses don't attack the OS directly, rather they usually inject itself into apps and cross-infect through RAM via exe or dll files.

Overall though, if you have your main system user (which is Admin of course) setup to be password protected, and only use this account for installing known trusted software, drivers, and making system-wide changes, you should be much safer overall.

Then for general usage (even for yourself) setup other user accounts on the system, but set their profile during account creation to Limited. This means they can't perform Admin-level things without the password. This method of system usage is how every Windows OS system should be setup (can't speak for other OS', but I would suggest same for those). As most malicious software easily gets in when u are always running via the Admin level access account, thus there is that freedom of running apps at Admin level all the time, which is just asking for trouble.

Yes it all does add a bit of length to system setup/config, but it's worth it.

If you go the dual drive/dual OS option, then what I would suggest is perhaps encrypting your main OS drive that u want just for you alone. This way even if it is plugged in and visable when booted up in the 2nd OS drive u have setup just for friends/family/guests, the encryption of the other drive u want to protect would help greatly and help prevent outside access, writing or deletion of data from such drive(s).

Originally posted by Bad-Motha:

U can't really go messing around with OS files and write-protect the OS files or kernal.
For the most they usually already are, with the exception of Admin level access. Most viruses don't attack the OS directly, rather they usually inject itself into apps and cross-infect through RAM via exe or dll files.

Overall though, if you have your main system user (which is Admin of course) setup to be password protected, and only use this account for installing known trusted software, drivers, and making system-wide changes, you should be much safer overall.

Then for general usage (even for yourself) setup other user accounts on the system, but set their profile during account creation to Limited. This means they can't perform Admin-level things without the password. This method of system usage is how every Windows OS system should be setup (can't speak for other OS', but I would suggest same for those). As most malicious software easily gets in when u are always running via the Admin level access account, thus there is that freedom of running apps at Admin level all the time, which is just asking for trouble.

Yes it all does add a bit of length to system setup/config, but it's worth it.

If you go the dual drive/dual OS option, then what I would suggest is perhaps encrypting your main OS drive that u want just for you alone. This way even if it is plugged in and visable when booted up in the 2nd OS drive u have setup just for friends/family/guests, the encryption of the other drive u want to protect would help greatly and help prevent outside access, writing or deletion of data from such drive(s).

Encryption would work too. The reason I've been straying away from using simple Limited users is because I just have a bit of an irrational aversion to people booting into my OS. The way I see it, if they can get that far in, there's really not much further for them to go.

And really any system can be brought down by an idiot that presses enough buttons.

So I'm looking at encrypting my main drive using Windows 7 Pro's bitlocker, adding a password to the BIOS, and setting the users' drive to boot by default. Should work.

Well if u want the system to be fully bootable by a guest type user that way, make sure the BIOS PW is only for entering the BIOS, not a Booting PW. As is usually an option within most BIOS as well.

Having just the BIOS entry pw would work out, as this way they can't enter the bios or change anything there without that pw. But still able to power on the system and have it boot into the OS drive u setup to boot to by default.

Originally posted by Bad-Motha:

Well if u want the system to be fully bootable by a guest type user that way, make sure the BIOS PW is only for entering the BIOS, not a Booting PW. As is usually an option within most BIOS as well.

Having just the BIOS entry pw would work out, as this way they can't enter the bios or change anything there without that pw. But still able to power on the system and have it boot into the OS drive u setup to boot to by default.

Yeah, that's what I was thinking. Theoretically I could disable drives from within the BIOS, but I'm not sure if my BIOS has that feature.

As I said, I'm in preplanning.

No not really. All u can really do is change the boot order.
If the drives are always powered on at system startup and seen by the BIOS, the OS will see them all as well.

But again on the guest OS drive, once u setup the profiles, go back into the Admin account, go into Control Panel > Admin Tools > Computer Management > Disk Management and then for drives u don't wish other to use/see, remove the drive letter for those drives. Then they will only be accessable again from this spot in the system. They will then be hidden from Cleaners, Defraggers, and even from Computer shortcut/Windows Explorer without an assigned drive letter.

Originally posted by Bad-Motha:

No not really. All u can really do is change the boot order.
If the drives are always powered on at system startup and seen by the BIOS, the OS will see them all as well.

But again on the guest OS drive, once u setup the profiles, go back into the Admin account, go into Control Panel > Admin Tools > Computer Management > Disk Management and then for drives u don't wish other to use/see, remove the drive letter for those drives. Then they will only be accessable again from this spot in the system. They will then be hidden from Cleaners, Defraggers, and even from Computer shortcut/Windows Explorer without an assigned drive letter.

I'll check anyway. You're probably right, since I don't remember seeing it in any of the dozens of trips I've made into my BIOS, but you never do know.

And yeah, I know how to hide drives, hence the thread title :P. Thanks for the refresh though...

Yes, your hard drive does not need a letter for a virus to infect it, infact windows would have a harder time removing it. Hiding a drive is nice i guess until you mount that drive and your main drive had already been infected. Note:Viruses dont care about access level permissions, windows has a huge hole there.

Note Viruses work at the system level, some viruses infect your shell and slave your computer. A skilled programmer can infect your MBR or even your BIOS. This does not happen ofden but it can happen. You can load a linux distro to leson your possablity of getting infected but even linux/unix users are not invincable. If your still worried use VM ware.