40 replies to this topic

[Brito]

Just stumbled on a former commercial product that creates a rescue OS - I'm assuming that it's based on XP PE environment.

The good news is that it became free even thought we still need to send an email requesting for the trial-register key.

Anyone interested to give a go?

How Does RescueBoot Work?

RescueBoot creates a bootable archive copy your existing Windows operating system files, hardware drivers and other configuration information. RescueBoot archives the necessary files in a separate RescueBoot hard disk subdirectory on your Windows system drive and then modifies the archived Windows configuration information so that Windows will be able to start and run from this new location. RescueBoot provides user controlled options for protecting and hiding the archived files to prevent malicious software such as computer viruses from modifying or infecting these files.

RescueBoot can even generate and burn a bootable RescueBoot CD providing you with the RescueBoot Windows CD disaster recovery environment even in the event of a complete hard disk failure or other disk related problem that prevents starting your normal Windows configuration and the RescueBoot Windows environment from your hard disk. The RescueBoot Windows CD disaster recovery environment is an ideal solution for restoring a hard disk backup from a network, USB or FireWire device.

The RescueBoot software is extremely easy to use because the RescueBoot Wizard guides you thought the steps necessary to create a RescueBoot hard disk directory and bootable RescueBoot CD.

http://www.resqware....ts/products.htm

[AeroXP]

It supports Windows 2000.....

[Brito]

Yes, it might be a good example of boot disk to study a bit further - wonder which method are they using after all?

For the description it sounds like XP PE but it would also be possible to simple create a new copy of the windows source and add it to the boot.ini list.

But how would they get files for the CD boot work?

Is setupldr.bin file included on the software, would they use embedded software for this task or something completely different?

Lots of good questions to dig inside..

[AeroXP]

Simple, Copy by Inf.

[AeroXP]

Stop 0x7B when booting from cd. I have used the windows 2000 platform.

[Brito]

Thanks for the quick checking - guess it is based on XP PE environments then..

[TheHive]

Tried it out. It appears ok.
It builds a Rescue Directory on to the Running real OS.
You then boot onto the Rescue PE created using the gui.
Then you setup things the way you want them on the PE.
Reboot.
Create A rescue CD ISO if you want. It seems you can only run MyComputer, IE and such only if you have the RescuePE directory on the original PC you installed the application.

[John Hensley]

For the description it sounds like XP PE but it would also be possible to simple create a new copy of the windows source and add it to the boot.ini list.

ResuceBoot is not based on PE. It uses only those files already present on the user's PC and then adds Res-Q-Ware drivers that allow the normal Windows kernel to boot and run from a CD.

But how would they get files for the CD boot work?

RecueBoot is based on a patented technology that allows Windows to run from a CD containing a hard disk image file that Windows views as a hybrid hard disk containing enforced read-only files, read-write files and free space.

Is setupldr.bin file included on the software, would they use embedded software for this task or something completely different?

RescueBoot builds its file list by querying the Windows device manager and service manager to determine necessary drivers and services and also uses .INF files from the %Windir%\inf directory in addition to custom .inf files created by Res-Q-ware. The software works a lot like Windows Setup when creating the RescueBoot Windows directory because it knows how to process Windows .INF files for installing software, legacy drivers and PnP drivers.

If anyone has other questions about the inner workings of RescueBoot I would be happy to try to answer them.

John Hensley
www.resqware.com

[AeroXP]

ResuceBoot is not based on PE. It uses only those files already present on the user's PC and then adds Res-Q-Ware drivers that allow the normal Windows kernel to boot and run from a CD.

Look at Windows XPe.

RecueBoot is based on a patented technology that allows Windows to run from a CD containing a hard disk image file that Windows views as a hybrid hard disk containing enforced read-only files, read-write files and free space.

Your drivers work just like EWF or FBWF.

RescueBoot builds its file list by querying the Windows device manager and service manager to determine necessary drivers and services and also uses .INF files from the %Windir%\inf directory in addition to custom .inf files created by Res-Q-ware. The software works a lot like Windows Setup when creating the RescueBoot Windows directory because it knows how to process Windows .INF files for installing software, legacy drivers and PnP drivers.

Building PE using the OPK tools also parses the Infs.


--------------

Rescue Boot Process: (used own knowledge)

1. Boot Sector reads RAW Image, BOOTIMG.BIN
2. It loads pieces as needed.
3. Windows uses the filter drivers.
4. Windows then uses a MiniNT Based Envirnoment

[John Hensley]

Stop 0x7B when booting from cd. I have used the windows 2000 platform.

Normally this is caused by a read error when reading from the hard disk image on the CD during Windows boot. If you create an ISO image and burned it to the CD you should try imaging the CD to a second ISO image file and then comparing this file with the original to ensure its not corrupt.

We used to run into this problem frequently during testing but virtually eliminated the problem on CDs that RescueBoot burns on XP by generating an SHA-1 hash for the hard disk image file on the CD and verifying the integrity of the CD after it is burned so the user would not try to boot from a bad CD.

John Hensley
www.resqware.com

[John Hensley]

Look at Windows XPe.
Your drivers work just like EWF or FBWF.

I'm very familiar with embedded Windows and EWF (Enhanced Write Filter). EWF requires a writeable cache equal to 100% of the image file size. You can verify this by reviewing the EWF implementation details here. The reason EWF requires so much cache is because EWF doesn't prevent you from over-writing existing files on the virtual image. With all of the functionality available in RescueBoot this could require up to 450MB just for the cache. This memory is in addition to the memory required to load and run Windows (minimally about 96MB).

RescueBoot can do this using only 32MB of conventional memory for the cache because it only requires a writeable cache equal to the total number of bytes in read-write files and free space on the virtual drive. This allows RescueBoot to boot and run from a CD on a computer with only 128MB of conventional memory (32MB for virtualization cache + 96MB for Windows).

If you are interested in how this is accomplished I can post a link to PDF file showing the implementation used by RescueBoot.

Building PE using the OPK tools also parses the Infs.

I wasn't aware that the OPK could build a bootable PE disk from an existing Windows end user configuration that includes all of the drivers for hardwared that has been previously installed on the computer. This sounds cool!

Rescue Boot Process: (used own knowledge)

1. Boot Sector reads RAW Image, BOOTIMG.BIN
2. It loads pieces as needed.
3. Windows uses the filter drivers.
4. Windows then uses a MiniNT Based Envirnoment

RescueBoot Boot Process:
1. ROMBIOS recoginizes El Torito CD with hard disk image file and presents BOOTIMG.BIN as a read-only hard drive.
2. ROMBIOS reads boot sector (MBR) from read-only hard drive using int 13h interface.
3. ROMBIOS executes MBR code.
4. MBR code loads and executes boot sector from active hard drive partition using int 13h.
5. Hard drive partition boot sector loads and executes NT boot loader using int 13h.
6. NT boot loader loads and initializes standard Windows kernel using int 13h.
7. Windows kernel loads and intializes boot level drivers including RescueBoot disk emulator via int 13h.
8. RescueBoot disk emulator locates BOOTIMG.BIN on CD and creates a hybrid virtual read-write hard disk device.
9. RescueBoot instructs Windows to use virtual read-write hard disk device as boot device.
10. Windows kernel continues to boot normally from RescueBoot hybrid virtual read-write hard disk.

John Hensley
www.resqware.com

[MedEvil]

If you are interested in how this is accomplished I can post a link to PDF file showing the implementation used by RescueBoot.

Yep, very interested!

RescueBoot can do this using only 32MB of conventional memory for the cache because it only requires a writeable cache equal to the total number of bytes in read-write files and free space on the virtual drive. This allows RescueBoot to boot and run from a CD on a computer with only 128MB of conventional memory (32MB for virtualization cache + 96MB for Windows).

Let's see if i got this right.
You've made your very own ntbootdd.sys and load the OS image into ram as read only and have some extra space where you redirect writes to, right?
Do you make use of the minint switch to hold the registry in ram or do you completely rely on your virtualization cache?

[John Hensley]

Yep, very interested!

Here is a link to the patent document that describes in detail the hybrid virtual drive that is used by RescueBoot. Here is a link to the patent document that describes how RescueBoot uses the hybrid virtual drive.

Let's see if i got this right.
You've made your very own ntbootdd.sys and load the OS image into ram as read only and have some extra space where you redirect writes to, right?

There is no need to use ntbootdd.sys because the the hard disk image file on an El Torito boot CD appears as a standard ROMBIOS supported hard disk. NTLDR treats it like a normal hard drive. NTLDR reads the Windows kernel and provides an interface to allow the kernel to load all of the boot level drivers into memory.

RescueBoot adds some extra boot level drivers that know how to get to the hard disk image file on the CD and then make the image file appear as a normal hard disk. The RescueBoot drivers grab only enough memory to cache writeable files and free space on the virtual drive and then prevent existing read-only files from being changed to writeable. When Windows is booted from the CD the file system will not allow you to change the read-only attribute of a file located on virtual disk. This means read-only files always remain read-only and all other files including any newly created files remain writeable.

To speedup boot times and program loading the RescueBoot drivers also contain a read-ahead cache and the files are arranged in an optimal order when creating the hard disk image file.

Do you make use of the minint switch to hold the registry in ram or do you completely rely on your virtualization cache?

We don't use the minint switch because it increases the memory requirements. We assume much of the registry will only be read and never written back to the virtual drive so we don't worry about reserving enough memory to cache the entire registry.

John Hensley
www.resqware.com

[thunn]

Most impressive project! I'll have to restore an old image to try it though, it doesn't install on builds higher than XP SP2 and I'm running XP SP3, now available as a beta release in a few languages.

On the other hand, the fact that this project builds core os images from windows 2000 is great, I still have my old amd950 running w2k, same os image up for over a year now and doing well, I can't wait to try rescueboot out!
..

We don't use the minint switch because it increases the memory requirements. We assume much of the registry will only be read and never written back to the virtual drive so we don't worry about reserving enough memory to cache the entire registry

very nice.

Attached Thumbnails

• 

[John Hensley]

Most impressive project! I'll have to restore an old image to try it though, it doesn't install on builds higher than XP SP2 and I'm running XP SP3, now available as a beta release in a few languages.

Thanks for the kind words. I'm glad you mentioned XP SP3 because I been working on other projects and had not even though about needing to add support for the new service pack. I'll try to find time this week to test with the new service pack and make any needed changes to support it. When I added support for SP2 it only required adding a couple of lines to one of the .INF files so hopefully it will be just as simple to get things working on SP3.

John Hensley
www.resqware.com

[thunn]

I've been testing XP SP3 for a few months with my projects here, I could give you a list of new files if you like, of course that's easy enough w/windiff. BartPECore (listed in my sig.) is my current production project, both pe projects (nativePE is the other) support xp sp3 sources.

RescueBoot builds its file list by querying the Windows device manager and service manager to determine necessary drivers and services and also uses .INF files from the %Windir%\inf directory in addition to custom .inf files created by Res-Q-ware

I think some strategies you've mentioned may fuel some ideas for the future, good stuff!
btw,
the detailed .pdf docs are most informative, thx for those!!
They should answer many questions for those that care to read them.

My next test will use a stock xp sp2 system, no fixes or apps other than 7z.

[Galapo]

Musings/questions:

1) I wonder if the services etc could be used to replace FBWF or BootSDI?

2) I wonder if the filesystem accepts junctioning, eg junctioning an external programs folder to, say, 'x:\Program Files'?

3) Is writable space on BOOTIMG.BIN reserved in the actual image (like BootSDI) or in ram (like FBWF)?

4) This is all very interesting!

Regards,
Galapo.

[MedEvil]

Thanks for the info John, your rescueboot sounds more and more interesting the more i hear!

Please correct the url of your links. You used backslashes instead of slashes, not all browser are ok with that.



PS: Can it be, that i remember your name from Qualcom?

[ktp]

@John Hensley
I run Rescue Boot first time, and it got fatal errors. I see these lines in the log:

{COPY_REG } [LEAVE_PROCESS_SECTION] RetCode = {0x00000000} UnloadRegistry
{COPY_SYSTEM} [ENTER_PROCESS_SECTION] UpdateAndEnableRescueBootDriver
{COPY_SYSTEM} [LEAVE_PROCESS_SECTION] RetCode = {0x00000000} UpdateAndEnableRescueBootDriver
[ASSERTION FAILED] @ line #402 in .\CopySystem.cpp
{COPY_SYSTEM} Current Privilege levels:
{COPY_SYSTEM} 0x0 - SeBackupPrivilege
{COPY_SYSTEM} 0x0 - SeRestorePrivilege
{COPY_SYSTEM} 0x0 - SeShutdownPrivilege
{COPY_SYSTEM} 0x0 - SeDebugPrivilege
{COPY_SYSTEM} 0x0 - SeIncreaseQuotaPrivilege
{COPY_SYSTEM} 0x0 - SeSystemEnvironmentPrivilege
{COPY_SYSTEM} 0x3 - SeChangeNotifyPrivilege
{COPY_SYSTEM} 0x0 - SeRemoteShutdownPrivilege
{COPY_SYSTEM} 0x2 - SeUndockPrivilege
{COPY_SYSTEM} 0x0 - SeSecurityPrivilege
{COPY_SYSTEM} 0x0 - SeTakeOwnershipPrivilege
{COPY_SYSTEM} 0x2 - SeLoadDriverPrivilege
{COPY_SYSTEM} 0x0 - SeManageVolumePrivilege
{COPY_SYSTEM} 0x0 - SeSystemProfilePrivilege
{COPY_SYSTEM} 0x3 - SeImpersonatePrivilege
{COPY_SYSTEM} 0x0 - SeSystemtimePrivilege
{COPY_SYSTEM} 0x3 - SeCreateGlobalPrivilege
{COPY_SYSTEM} 0x0 - SeProfileSingleProcessPrivilege
{COPY_SYSTEM} 0x0 - SeIncreaseBasePriorityPrivilege
{COPY_SYSTEM} 0x0 - SeCreatePagefilePrivilege
{COPY_SYSTEM} Previous Privilege levels:
{COPY_SYSTEM} 0x0 - SeBackupPrivilege
{COPY_SYSTEM} 0x0 - SeRestorePrivilege
{COPY_SYSTEM} 0x0 - SeSecurityPrivilege
{COPY_SYSTEM} 0x0 - SeTakeOwnershipPrivilege
{COPY_SYSTEM} 0x0 - SeManageVolumePrivilege


I guess there is protected storage area in the registry that causes the problem.
Since it is protected, this should be considered as a warning, not a fatal error.

[Brito]

Hi John, welcome to our community!

Thank you for personally answering our doubts - this is a very professional work indeed.

Currently the only options we have to use a non-PE XP environment in read only media are based on MS files (Win2003 SDI/ISO Ram boot & XP embedded) and non MS as Diskless Angel (trial/commercial) for example.

Since these drivers are made available for free - would you allow us to use them in XP based projects discussed here?

Author rights and credits properly respected and mentioned of course.

[MedEvil]

Have you read the patents?

That's a fine piece of work, better than Microsofts attempt.
John really put in that bit of extra effort to make a good program, a great one!

John!

[Brito]

The mentioned links aren't working?

But I got an idea from the previous work description..

[thunn]

As a side note, I unpacked John's RescueBoot Setup which contains 3 things..

A windows .msi installer
A setup stub
A Windows XP imapi hotfix

I'm guessing the hotfix is for users with few or no xp updates, curious.

Because I'm still on an XP Sp3 system, I made an administrative install image on a local folder, which allows access to the program's files.
More later after an actual test..

[MedEvil]

The mentioned links aren't working?

But I got an idea from the previous work description..

They didn't use to work this morning in some browsers, because John used by accident backslashes instead of slashes. Only IE has no problem with that sort of thing.

But someone/he fixed the problem by now, i checked.

So if you have problems, something else is wrong.

[Brito]

Using IE was able to read the files.

btw: They're also available online on the patent search engine

http://www.freepaten...om/6999913.html
http://www.freepaten...om/6993649.html

This seems to have taken a lot of research and background done with XP embedded back in 2002.

We would surely give good use to this write filter here.