Disk protection software makes a strong promise: A computer returns to a known state every time it restarts, no matter what happened in between. The mechanism behind it is kernel-level write redirection. This article explains how it intercepts disk writes, holds them apart and discards them on reboot.
Understanding Kernel-Level Write Redirection
Kernel-level write redirection protects a disk by intercepting the writes meant for it and sending them elsewhere, so the original data never changes. It runs in kernel mode, where device drivers operate, which gives it three properties that ordinary security software lacks.
Those three properties are:
- It works beneath the file system, at the level of disk sectors rather than files, so it governs every write without exception, including changes to the operating system and the registry.
- It is transparent to everything above it. Applications issue writes and see them succeed, unaware that each one has been diverted rather than committed.
- It protects by mechanism, not permission. A write aimed at a protected sector never reaches it, so no privilege level and no malware holding administrative rights can override the rule.
The protection is therefore a property of the input/output path itself, not a policy software is trusted to honor.
How Write Redirection Protects the Disk
Write redirection protects a disk in three stages, from intercepting a write to discarding its effects. Each stage runs inside the kernel driver.
Intercepting Write Operations
Every write on a Windows system travels through a stack of drivers before it reaches the physical disk. A request passes from the file system driver to the volume manager, then to the disk driver, and finally to the storage hardware. At each stage, it is carried as an input/output request packet. Kernel-level write redirection inserts a filter driver into this path, positioned so that writes aimed at a protected volume pass through it before they reach the disk.
Because the filter works at the sector level, beneath the file system’s view of files and folders, it sees raw block writes rather than named files. That vantage point is what makes it complete: an installer adding a program, the operating system rewriting the registry, and ransomware encrypting the drive all reduce to sector writes, and the same mechanism intercepts every one. The driver does not judge whether a write is legitimate; it controls where the write goes.
Redirecting Writes to a Temporary Overlay
Once a write is intercepted, the filter sends it to a separate region called an overlay rather than to the sectors it was addressed to, leaving those original sectors untouched. To keep the system consistent, the driver maintains a map of which original sectors have been redirected and where their contents now sit in the overlay.
That map is what makes the redirection invisible. When the operating system later reads one of those sectors, the filter consults the map and returns the data from the overlay, so the running system sees its own changes even though the disk beneath it has not changed. Reads of sectors that were never written pass straight to the original disk. Writing each change once, rather than copying the original first, is what separates this redirect-on-write approach from copy-on-write and the extra disk operations it incurs.
Discarding Changes on Reboot
The reversal happens not through a cleanup routine but through the act of forgetting. When the system restarts, the driver discards the map of redirected sectors and releases the overlay for reuse. With no map to consult, every read resolves to the original sectors, which were never altered while the system ran.
The disk is then identical, sector for sector, to its frozen state, and it returns there at once, because nothing has to be scanned, repaired, or rolled back. The change malware wrote, the setting a user altered, and the file someone deleted all vanish for one reason: the overlay that held them is gone, and the original data was never touched. Anything that must survive a restart is written outside the protected volume, which the filter leaves alone.
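The three stages above can be followed end to end in a small model. The following Python is an added example written for this article, not Deep Freeze's driver code or any vendor's API: a protected volume is a byte array, the filter keeps an overlay list plus a sector map, writes go only to the overlay, reads resolve through the map, and a reboot simply clears both. A second, unprotected byte array stands in for the partition the filter leaves alone. The sector size, the volume contents and the write sequence are constructed for the walk-through.

```python
import hashlib

SECTOR_SIZE = 4  # bytes per sector; tiny on purpose so the example is easy to follow


class RedirectOnWriteFilter:
    """Model of a sector-level filter sitting between the OS and a protected disk.

    `disk` stands in for the protected volume. While the filter is active no write
    reaches it: every write lands in `overlay`, and `sector_map` records which
    original sector each overlay slot shadows. (Constructed model, not a real driver.)
    """

    def __init__(self, disk: bytearray):
        self.disk = disk
        self.overlay: list[bytes] = []        # redirected sector contents
        self.sector_map: dict[int, int] = {}  # original sector -> overlay slot
        self.overlay_writes = 0               # one overlay write per intercepted write

    def write(self, sector: int, data: bytes) -> None:
        """Stage 1 and 2: intercept a write and send it to the overlay, never to `disk`."""
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes are whole sectors")
        slot = self.sector_map.get(sector)
        if slot is None:
            # First write to this sector: allocate an overlay slot and map it.
            self.sector_map[sector] = len(self.overlay)
            self.overlay.append(bytes(data))
        else:
            # Later writes reuse the slot; the original sector is never copied first.
            self.overlay[slot] = bytes(data)
        self.overlay_writes += 1

    def read(self, sector: int) -> bytes:
        """Resolve a read through the map: overlay if redirected, otherwise the disk."""
        slot = self.sector_map.get(sector)
        if slot is not None:
            return self.overlay[slot]
        start = sector * SECTOR_SIZE
        return bytes(self.disk[start:start + SECTOR_SIZE])

    def reboot(self) -> None:
        """Stage 3: forget the map and release the overlay; nothing on `disk` is repaired."""
        self.sector_map.clear()
        self.overlay.clear()


def disk_fingerprint(disk: bytearray) -> str:
    """Hash of the whole volume, used to show it is sector-for-sector unchanged."""
    return hashlib.sha256(disk).hexdigest()


def run_scenario() -> dict:
    """Constructed walk-through of the three stages; returns observations for checking."""
    protected = bytearray(b"BOOTREG1USER")  # three sectors: BOOT, REG1, USER
    unprotected = bytearray(b"DATA")        # a separate volume the filter does not cover
    baseline = disk_fingerprint(protected)
    flt = RedirectOnWriteFilter(protected)

    # An installer rewrites the registry sector, then something overwrites the boot
    # sector twice; the filter does not judge either write, it only redirects them.
    flt.write(1, b"REG2")
    flt.write(0, b"EVIL")
    flt.write(0, b"EVL2")
    unprotected[:] = b"KEEP"  # a write outside the protected volume goes straight through

    before_reboot = {s: flt.read(s) for s in range(3)}
    slots_before_reboot = len(flt.overlay)

    flt.reboot()
    after_reboot = {s: flt.read(s) for s in range(3)}

    return {
        "before_reboot": before_reboot,
        "after_reboot": after_reboot,
        "overlay_slots_before_reboot": slots_before_reboot,
        "overlay_writes": flt.overlay_writes,
        "disk_unchanged": disk_fingerprint(protected) == baseline,
        "unprotected_volume": bytes(unprotected),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Before the reboot the running system sees its own changes (sector 0 reads as the last value written to it, sector 1 as the new registry data) while the hash of the protected volume still matches the baseline; after the reboot every read resolves to the original sectors, and only the unprotected volume keeps its new contents. The two writes to sector 0 share one overlay slot, and each intercepted write cost exactly one overlay write, which is the redirect-on-write property the article contrasts with copy-on-write.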
Discover Deep Freeze
Deep Freeze applies kernel-level write redirection to hold endpoints in a known-good state. It freezes the disk to a baseline you define and redirects every change to an overlay that clears on restart, returning the machine to that baseline.
See how Deep Freeze protects your systems.
FAQs
What is the Difference Between Write Redirection and Snapshots?
A snapshot saves a point-in-time copy you roll back to, and snapshots accumulate until deleted. Write redirection instead never lets the protected data change, discarding every change on reboot.
Does Write Redirection Impact System Performance?
The cost is small. Each change is written once to the overlay, avoiding copy-on-write’s read-and-double-write cycle. The rest is a fast lookup that chooses the disk or the overlay for each read.
Can Write Redirection Protect Against Firmware-Level Attacks?
No. Write redirection guards a disk volume from inside the operating system’s storage path. Firmware lives in separate flash memory that this path never reaches, so an implant in the BIOS, UEFI, or drive controller survives a reboot.
What Data Persists After a Reboot in a Write-Redirected System?
Only data written outside the protected volume. Everything else is discarded when the overlay clears, so data you need to keep must be saved somewhere unprotected, such as a separate partition or network drive.