{
	"id": "7bc6a38d-2774-4991-bbf7-30859be6918e",
	"created_at": "2026-04-06T03:36:43.956096Z",
	"updated_at": "2026-04-10T13:13:02.39908Z",
	"deleted_at": null,
	"sha1_hash": "b177b1d5183604e06badd9d64d951e2277007271",
	"title": "The Dangers of VHD and VHDX Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 503025,
	"plain_text": "The Dangers of VHD and VHDX Files\r\nBy Will Dormann\r\nPublished: 2019-09-04 · Archived: 2026-04-06 03:12:31 UTC\r\nRecently, I gave a presentation at BSidesPGH 2019 called Death By Thumb Drive: File System Fuzzing with CERT BFF. (The slides from my presentation are available in the SEI Digital Library.) Although my primary goal was to find bugs in kernel file-system-parsing code, a notable part of my research was investigating attack vectors. In particular, I focused on VHD and VHDX files on Windows systems. In this post, I describe some of the risks associated with these two file types.\r\nVHD and VHDX Files\r\nThe VHD (Virtual Hard Disk) file format, originally introduced with Connectix Virtual PC, can store the contents of a hard disk drive. Eventually, Microsoft Hyper-V adopted this disk image format. Windows 7 and newer systems include the ability to manually mount VHD files. Starting with Windows 8, a user can mount a VHD by simply double-clicking on the file. Once mounted, a VHD disk image appears to Windows as a normal hard disk that's physically connected to the system. VHDX (Virtual Hard Disk v2) images are functionally equivalent to VHD images, but they include more modern features, such as support for larger sizes and disk resizing.\r\nVHD/VHDX and File System Corruption\r\nAfter fuzzing file system images with BFF, I was able to find several different ways to crash Windows as the result of it mounting a corrupted disk. Physically plugging in a USB mass storage device with a corrupted file system was the obvious attack vector. However, many security concepts are negated when physical access to a system is granted. VHD and VHDX files eliminate the requirement for physical access to a victim system. If a user simply double-clicks on a VHD or VHDX file that contains a specially crafted file system, they risk crashing Windows or worse, as illustrated below.\r\nhttps://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html\r\nPage 1 of 5\n\nMark of the Web\r\nMark of the Web (MOTW) was introduced in Windows XP SP2 and allowed Windows to tag files on the local file system with information about the Internet Explorer security zone from which the files originated. This MOTW feature has evolved to handle more and more file types and scenarios. The recurring theme is that files that came from the Internet (e.g., a web page or an email) may be dangerous and therefore should be treated with more caution.\r\nFor example, starting with Microsoft Office 2010, documents tagged with an MOTW indicating that they came from the Internet are opened in Microsoft Office Protected View. Documents in Protected View are restricted in what they can do, thus reducing the attack surface of potentially dangerous documents. Here's what a user might see when opening a document in Protected View:\r\nStarting with Windows 10, Windows Defender SmartScreen restricts the execution of certain file types if they originated from the Internet. Here's what a user might see when SmartScreen blocks an unsafe executable:\r\nHow does Windows know if a file originated from the Internet? It uses the MOTW tag associated with the file in question. If Windows Explorer or other compliant ZIP utilities are used to extract the contents of a ZIP file, each file contained within the ZIP file carries the MOTW of the ZIP file container.\r\nVHD/VHDX Files and MOTW\r\nFrom a user experience perspective, starting with Windows 8, VHD and VHDX files can function similarly to ZIP files. That is, the user double-clicks on the file to show its contents in Windows Explorer. The important difference is that the files contained within a VHD or VHDX container do not retain the MOTW of the container file.\r\nWhat does this mean from the end user's perspective? Any file contained within a VHD or VHDX file will not receive the same protections that Windows provides against files that originated from the Internet. To help understand what that means, I created a video that demonstrates several differences between a MOTW-tagged file (in a ZIP) and one that does not carry the MOTW tag (in a VHD):\r\nVHD/VHDX Files and Antivirus\r\nI have found no evidence that any currently deployed antivirus software will scan the files contained within a VHD or VHDX file. However, for those running an enterprise, the lack of the ability to scan these files leaves a blind spot for certain files until they arrive at the endpoint. If the contents of VHD and VHDX files are not scanned by email and web gateway security products, those products have no hope of detecting malware contained within VHD or VHDX files.\r\nI created a VHD that contains the EICAR anti-malware test file and uploaded that file to VirusTotal. Here are the results:\r\nThere is no evidence that any of the scanners configured in VirusTotal scanned the contents of a VHD file.\r\nISO and IMG Files\r\nMalware spread via ISO files is already happening in the wild. Just like VHD and VHDX files, the contents of ISO or IMG files do not carry the MOTW of the containing file. And just like VHD and VHDX files, starting with Windows 8, ISO and IMG files can be opened with a double click. Unlike VHD and VHDX files, however, there's a better chance that a deployed antivirus product may detect malware contained in an ISO or IMG file.\r\nI performed the same EICAR test as above with VirusTotal, but this time the eicar.com file was detected within an ISO file. Here are the results:\r\nWhile these results are not great, there is at least some evidence that some security products will scan the file contents of an ISO file.\r\nConclusion and Recommendations\r\nVHD and VHDX files can be dangerous. Due to the combination of kernel-level file system parsing and the lack of MOTW tagging on their contents, allowing VHD or VHDX files to arrive at endpoints increases the risk presented to those systems. The following strategies can help minimize this risk:\r\nBlock VHD, VHDX, IMG, and ISO files at email gateways.\r\nUnregister the VHD, VHDX, IMG, and ISO file extensions in Microsoft Windows Explorer.\r\nRestrict VHD, VHDX, IMG, and ISO files at web gateways. (There are some legitimate reasons for these files to be downloaded, so ensure that any restrictions do not block legitimate business needs.)\r\nSource: https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html"
	],
	"report_names": [
		"the-dangers-of-vhd-and-vhdx-files.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775446603,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b177b1d5183604e06badd9d64d951e2277007271.pdf",
		"text": "https://archive.orkl.eu/b177b1d5183604e06badd9d64d951e2277007271.txt",
		"img": "https://archive.orkl.eu/b177b1d5183604e06badd9d64d951e2277007271.jpg"
	}
}