How to hack DeepFreeze... ?

Deepfreeze does NOT place any restrictions on a machine, so whatever you want to do, whether it's downloading mp3's or downloading and installing ICQ or browser add-ons or WHATEVER, deepfreeze does not prevent it. What matters much more is how you are logged in: as User, or Power User, or Administrator. True, you'll have to install/download your stuff every time you sit down at the computer, but hey! you CAN do so. That's the beauty of deepfreeze: it places no restrictions onthe machine. Take a look at M$ TechNet:

Default Access Control Settings
The entire white paper is very helpful in understanding the difference between Users, Power Users, and Administrators. NOT understanding this issue causes more problems on Windows 2000 than all other problems put together. Example: you installed winzip and don't understand why the *uck it won't work. Answer: you were not logged in as administrator when you installed it. And, along these lines, you can ask your teacher/computer lab admin to promote you to Power User. Cuz Power Users have access to


in the registry, and can manipulate a lot more onthe system (read the paper). For example, let's say there is a nastycontent filtering program such as CyberPatrol preventing you fromaccessing 2600 or other web sites. Such a program probably startsautomatically from a key in HKLM under


Simply delete the key and then restart the computer, and the program will not be running. So... try to become a Power user. If you explain to your teacher that being just a User is a real pain in the butt and that you NEED to be PowerUser in order to do things, he/she MIGHT make you one. You don'tknow until you try.

Now, about hacking DeepFreeze. DeepFreeze was developed with sneaky little hackers like you, intent on *ucking up computers, in the FOREFRONT of the developer's minds. The developers of DeepFreeze knew and know how to think like hackers. They were in high-school once, too!! And, if that were not enough, they also know how to program at a very low-level (we're talking LOW, LOW level!!) in order to protect the computer. Do you know how to hack/load/unload kernel-mode device drivers? NO?! Do you know how to program in assembly REALLY well?? NO?! Do you understand encryption and how it functions in a program? NO?! Do you know how to best pack your program so that it is strongly resistant to reverse engineering? NO?? You mean you don't even know what "pack" means? JEEZ! I don't think you're gonna hack DeepFreeze then, O Miserable One!!!

On Windows 95/98/Me:

DeepFreeze is a VxD (Virtual Device Driver) located in


The only hope for most hackers of "hacking" DeepFreeze is to boot from a boot-disk and delete this file. All the other filez in c:\progra~1\hypert~1\deepfr~1 arejust other program filez. The most important file to delete is the actual DeepFreeze driver, persifrz.vxd. It IS true though, that if you delete the other filez in the DeepFreeze folder FROM A BOOT DISK thatDeepFreeze will no longer load. i'm just giving you the best andeasiest way. Delete persifrz.vxd and DeepFreeze is deader than a doorknob. AND it's only one file. persifrz.vxd IS DeepFreeze.
Cant' boot to any drive except c:\? And BIOS setup is password-protected? Oh well, you're not gonna hack DeepFreeze. AndDeepFreeze prevents, BY DESIGN, BIOS password-crackers from working.

On Windows 2000/XP DeepFreeze consists of several important filez:

There are 2 drivers and 1 service (i'll let you figure out the paths):

DepFrzLo.sys (kernel driver)
DepFrzHi.sys (filesystem driver)
dfserv.exe (service)
frzstate.exe (password dialog)
persis00.sys (password file and "on/off switch")

Probably you will need NTFSDOSPRO to boot up and mount an NTFS drive. And if you're elite, you won't have any problem getting that from someone or finding it, or carding it from an internet cafe... If you do card it from a cafe though, don't use a yahoo or hotmail e-mail address. And make sure you know the CVV on the card. Use something different like or It's available from and costs $300.

True: there is a free LINUX boot-disk which also mounts NTFS drives, but it's not nearly as good. One last thing about NTFSDOSPRO. There is no free support AND it is kinda tricky creating and using the NTFSDOSPRO boot disk. You have to first boot with a regular boot disk, then put in your NTFSDOSPRO boot disk to mount the NTFS drive. You'll see what I mean, it's not very user-friendly and little explanation is given on how to really gothrough with the entire operation.

Using NTFSDOSPRO, if you replace persis00.sys with your own persis00.sys containing your own password, then you can thaw deepfreeze using your own password. You see, persis00.sys contains the password and the on/off switch which the driver checks to see if itshould start the computer in thawed mode or frozen mode. This ispreferable to deleting the entire DeepFreeze program on Windows 2000/XP with a boot disk. All pertinent encryption seems to becontained in this one file. And, a persis00.sys from a totally different DeepFreeze doesn't seem to matter (as in one from a trial version). Post here if you discover differently.

Before attempting to delete the drivers on Windows 2000 with a boot disk though, try it at home first. Because the computer may not start up. In other words, it may be necessary to delete certain keys in the registry as well, in order for the computer to not "crash" before iteven starts!

Use In Ctrl5 to monitor your own installation of DeepFreeze 2000/XP. Available here:

It will tell you each and every file and registry key installed by the program. There may be serious problems if you don't delete certain important "pointers" and "references" to the DeepFreeze driver on the Windows 2000 platform. I don't know. Try it and see. Maybe not. Now, here are TWO methods of hacking DeepFreeze you probably haven't thought of:

#1 IF your school/lab is using the trial version of DeepFreeze (and this is more common than you think: schools are really hurting for money nowadays!!), and IF you can access BIOS setup, you can forward the date and DeepFreeze will no longer work (you'll see the blinking red X flashing on the DeepFreeze system-tray icon.) Then simply uninstall DeepFreeze. By the way, there are two keys in the registry under


which must be deleted in order to be able to re-install a fresh trial version of DeepFreeze. One starts with Rebar, and i'll let you figure out the other one. It may be only the Rebar that is necessary to delete.

#2 Find out which computer your computer lab administrator has the DeepFreeze Administrator program installed on. At his desk? In his office? Most of the time now, administrators are taking advantage of DeepFreeze's OTP (One-Time Password) feature. In order to thawDeepFreeze, they go to the computer which needs to be "thawed" andshift+double-click on the DeepFreeze icon in the system tray, whichbrings up the password dialog box (frzstate.exe). They then jot downthe token which appears in the window's title bar. They then go backto THEIR computer which has the DeepFreeze Administrator program, open up DFAdmin, and input the token in order to generate a one-time password. This OTP will then work, one time only, to restart the computer in thawed mode. After restarting a second time, the computer is frozen once again, automatically. Now, IF you can get your hands ona DeepFreeze Administrator program, maybe by purchasing it from HyperTechnologies... then, all you need to do is copy one file from your administrator's DFAdmin program, take it home, place it in yourDFAdmin program, and you can generate OTP's for your school's computers.


dfadmin.exe is necessary to copy and replace, and it is small enough to save to a floppy or e-mail to yourself. You see, when DeepFreeze Administrator is first set up, the administrator chooses a phrase or master password which is used to make the encryption unique for his/her network. And this encryption is contained totally in dfadmin.exe You might want to think of a way toget your administrator to thaw the computer, and then watch which computer he goes to to obtain the OTP. Are you with me?

#3 IF your administrator is naive enough to be using permanent passwords for DeepFreeze, then you can use something called KeyKatch. Go to This puppy works great. Just be sure to install it in the keyboard port, NOT the mouse port -- an easy mistake. Regular software-based keyloggers, etc., won't work because they will not be there when the computer is restarted.

Think about it:
the administrator is never going to enter the password and then NOT restart the computer! And when he/she restarts the computer, of course, the keylogger would be gone. UNLESS your school's computers have two drives, and one is not frozen, and you can configure your keylogger to save the log file to the unfrozen drive. Of course, you'll have to re-install the keylogger program to read your log file. As you can see, except for #1 above, there is no EASY way to hack
DeepFreeze. Cuz whatever you do, you're not really doing, it all goes away when you restart the computer. I hope this little post helps you to understand more about how it might be done though, IF a person is DETERMINED to beat it. Of course, being THAT determined might get you in serious trouble at your school, too. So, remember that, first and foremost. Of course, you might approach your computer science teacher/network administrator and tell him or her that you know how to hack DeepFreeze and you would like his/her permission to hack it (he'll KNOW youcan't). Then, once permission is secured, get access somehow to thecomputer with DFAdministrator on it and copy dfadmin.exe If you have permission to hack DeepFreeze, you might even be able to get help from a janitor or the assistant principle or something in order to getphysical access to the computer. You'll have to have your own copy of DFAdmin first, and then you'll have to be able to log on to the computer with DFAdmin on it. If winlogon greets you and you can't logon, you'll need NTFSDOSPRO to copy dfadmin.exe using a boot disk. The only other possibility would be to somehow e-mail the administrator a trojan which would allow you to access his computer remotely and copy dfadmin.exe. (SubSeven, BackOrifice, etc.) I think that's how the FBI would do it! he-he...