Host protected area

From Wikipedia, the free encyclopedia
(Redirected from Protected Area Run Time Interface Extension Services)
Area of hard drive that is not visible to operating system

The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system. It was first introduced in the ATA-4 standard CXV (T13) in 2001.[1]

How it works

Creation of an HPA. The diagram shows how a host protected area (HPA) is created.
  1. IDENTIFY DEVICE returns the true size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive.
  2. SET MAX ADDRESS reduces the reported size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive. An HPA has been created.
  3. IDENTIFY DEVICE returns the now fake size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive; the HPA is in existence.

The IDE controller has registers that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a host protected area. The commands are:

  • IDENTIFY DEVICE
  • SET MAX ADDRESS
  • READ NATIVE MAX ADDRESS

Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive.

This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.

The HPA is useful only if other software or firmware (e.g. BIOS or UEFI) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.
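Because the two sizes diverge whenever an HPA exists, comparing them is enough to detect one and to locate the hidden sector range before imaging a drive. The following is an added example, not part of the original article: it assumes the text output format of the Linux `hdparm -N` command (visible/native sector counts) and 512-byte sectors, and the device names and numbers in the sample are constructed.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Constructed sample in the format printed by `hdparm -N <device>` (assumed tool).
# First number: size reported to the OS. Second: native (true) size.
SAMPLE_OUTPUT = """\
/dev/sda:
 max sectors   = 78125000/78165360, HPA is enabled

/dev/sdb:
 max sectors   = 1953525168/1953525168, HPA is disabled
"""

_DEVICE = re.compile(r"^(/dev/\S+):\s*$")
_MAX = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def find_hpa(report, sector_bytes=SECTOR_BYTES):
    """Return one finding per device whose visible size is below its native size."""
    findings, device = [], None
    for line in report.splitlines():
        m = _DEVICE.match(line)
        if m:
            device = m.group(1)
            continue
        m = _MAX.search(line)
        if not m:
            continue
        visible, native = int(m.group(1)), int(m.group(2))
        if visible > native:
            # Should never happen; treat as corrupt or tampered tool output.
            raise ValueError(f"{device}: visible {visible} exceeds native {native}")
        if visible < native:
            findings.append({
                "device": device,
                "first_hidden_lba": visible,      # first sector the OS cannot address
                "last_hidden_lba": native - 1,
                "hidden_sectors": native - visible,
                "hidden_bytes": (native - visible) * sector_bytes,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hpa(SAMPLE_OUTPUT):
        print(finding)
```

The check relies on the two numbers rather than on the tool's "enabled/disabled" wording, so a mismatch is reported even if that wording changes between versions.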

Use

  • HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS. An example of this implementation is the Phoenix FirstBIOS, which uses Boot Engineering Extension Record (BEER) and Protected Area Run Time Interface Extension Services (PARTIES).[2]
  • HPA can also be used to store data that is deemed illegal and is thus of interest to government and police computer forensics teams.[3]
  • Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software.[2]
  • Some NSA exploits use the HPA for application persistence.[4]

Identification


Identification of HPA on a hard drive can be achieved by a number of tools and methods:


References

  1. "Host Protected Areas" (PDF). Utica.edu.
  2. Blunden, Bill (2009). The rootkit arsenal: escape and evasion in the dark corners of the system. Plano, Texas: Wordware Pub. p. 538. ISBN 978-1-59822-061-2. OCLC 297145864.
  3. Nelson, Bill; Phillips, Amelia; Steuart, Christopher (2010). Guide to computer forensics and investigations (4th ed.). Boston: Course Technology, Cengage Learning. p. 334. ISBN 978-1-435-49883-9.
  4. "SWAP: NSA Exploit of the Day - Schneier on Security". 6 February 2014.
