A host protected area (HPA), also referred to as a hidden protected area, is a small, hidden space of memory on the hard drive. Except through special commands or programs, the operating system (OS) is unable to see, interact with or manipulate the host protected area. The HPA serves various purposes: some help the user, some help security agencies, and some help hackers. Programs described as HPA-aware are able to use the HPA during booting but, if the user’s computer does not include HPA-aware programs, then the HPA helps everyone except the user.
On all modern computers as of 2011, the major storage area is the hard drive. Most of the memory on this hardware is free and open, allowing users to store a number of files. One section is reserved, called the host protected area, and it stores a small version of everything that passes through it. This is like an advanced cache, except the information stays in the HPA much longer.
For the user, the host protected area helps during booting and recovery operations. If the user has an HPA-aware basic input/output system (BIOS), then the BIOS can use the HPA to assist in booting the computer and for diagnostic purposes. Some computer manufacturers also may store a pre-loaded OS on the HPA. When the computer is taken to a repair shop because it was hacked, the repairperson will typically access the HPA to repair the computer.
Government and law enforcement security teams also may access the host protected area to see what the user was doing with the computer if he or she is suspected of wrongdoing. The HPA holds a version of everything that has come in and out of the computer, so it will show whether the user has had or used any illegal files or programs. This computer forensics information can be incriminating and helps security teams know if the person is really doing something illegal with his or her computer.
Hackers also can manipulate the host protected area to make rootkit viruses permanent on the computer. Normally, if an antivirus program finds a rootkit — a virus that allows access to the victim’s computer — it is eliminated. If the rootkit hides in the HPA, then antivirus and even anti-rootkit programs may be unable to find it.
The host protected area contains sensitive information, such as boot information, so it is hidden to keep users from accidentally erasing it. Some commands and special programs are able to read and manipulate the HPA, usually to erase the information or decrease the size of the HPA. Doing this may have wide-reaching effects, such as keeping the computer from booting and turning on properly, so the HPA is best left alone.
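One read-only way to check whether a drive has a host protected area, as an added example that is not part of the original article: it parses the report printed by the Linux `hdparm -N` command (visible sectors / native sectors) and works out how much of the drive is hidden from the OS. The sample reports are constructed, and 512-byte sectors and the function name are assumptions.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Constructed sample reports in the `hdparm -N /dev/sdX` output format.
SAMPLE_HPA = """/dev/sda:
 max sectors   = 976569168/976773168, HPA is enabled
"""
SAMPLE_CLEAN = """/dev/sdb:
 max sectors   = 976773168/976773168, HPA is disabled
"""

_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?")


def parse_hpa_report(text):
    """Describe the hidden area in one hdparm -N report (hypothetical helper)."""
    device = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/dev/") and line.endswith(":"):
            device = line[:-1]
        m = _LINE.search(line)
        if not m:
            continue
        visible, native = int(m.group(1)), int(m.group(2))
        if visible > native:
            raise ValueError("visible sector count exceeds native maximum")
        hidden = native - visible
        return {
            "device": device,
            "visible_sectors": visible,
            "native_sectors": native,
            "hidden_sectors": hidden,
            "hidden_bytes": hidden * SECTOR_BYTES,
            "hpa_present": hidden > 0,
            # False when the tool's wording disagrees with the arithmetic.
            "consistent": m.group(3) in (None, "enabled" if hidden else "disabled"),
            # First and last hidden LBA; a full image must cover this range.
            "hidden_range": (visible, native - 1) if hidden else None,
        }
    raise ValueError("no 'max sectors' line found")


if __name__ == "__main__":
    for report in (SAMPLE_HPA, SAMPLE_CLEAN):
        print(parse_hpa_report(report))
```

A nonzero `hidden_sectors` value means an image taken through the normal OS view of the drive is shorter than the physical disk, which is worth recording before any analysis or antivirus scan is treated as complete.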