A hidden backup partition


11 replies to this topic

#1 Arnar

Arnar
  • Members
  • 1 posts
  •  
    Iceland

Posted 17 August 2009 - 07:15 PM

Hi all.

I have a couple of old (P4) PCs at home which I maintain myself. They are fine when freshly set up, but over time they gradually get crappy: kids playing games, downloading and installing crap. So I regularly do a fresh XP install from a slipstreamed XP SP3 CD, which means investing a few hours setting up accounts and installing the usual programs. No fun. Too time consuming.

So now I did some (g)oogling, looking for PC restore options. My goal was to have a backup of a freshly installed, fully updated and configured OS, which I could use to restore the PC, preferably at boot by pressing an F key, and of course free of charge. I found a lot of pages with discussions, but nothing that really fit my needs completely. But I did find a page that mentioned a whitepaper from Terabyte that described, and provided free tools for, creating a hidden bootable partition.

For making the backup, I chose Partition Saving. It's a small but excellent DOS program that can back up an NTFS partition.

The following assumes that you have a PC with a hard disk containing two partitions. Partition 1 (NTFS) contains your OS, in the state you want to back it up. Partition 2 is an empty 3-4GB FAT32.

1. Download mbrsetupv2.zip from Terabyte. Should the link be broken, a search in their knowledge base for mbrsetupv2 should lead to the correct place.

2. Unzip and run makedisk.exe. This will create a DOS floppy boot disk, so you'd better have one handy. You can choose between FreeDOS and TBOS; I went with FreeDOS.

3. Boot your PC with the floppy. Your backup partition should now be your C: drive, and Z: is a ramdrive with the necessary tools. Run "ossetup.bat FD" (FD stands for FreeDOS). This installs FreeDOS to partition 2. Be sure that drive C: is the restore partition. Drive C: will be formatted!!!

4. Boot to XP again. Create a folder called "savepart" on the restore drive and copy the Partition Saving app to it. Boot to FreeDOS.

5. Go to C:\savepart\ and run "savepart" to start the backup process. I chose to back up only "sectors in use" and "without swap file". Save the backup in C:\restore\ with "automatic naming".

Here you also get to choose the size of the backup files, and that turned out to be critical. I had several failed backups because I got a "not enough space" error, even when I had 1GB of free space. It seems that the program checks for space when starting on the 2nd backup file. For example, you have a system whose backup needs 2200MB and you have 2800MB free on the restore partition. You choose your max size to be 1000MB and start the backup process. After making two 1000MB files the program needs to start on the 3rd one. You have 800MB of free space left, and should only need 200MB more. But the program wants to have the full 1000MB free and will not continue.

After the backup process, you are asked if you want a config file for helping with restoring later. Choose yes and save the file in c:\restore.

6. [Optional] Boot to XP if you want to see how everything looks on the restore drive. Boot back to FreeDOS.

7. Go to c:\ and edit autoexec.bat. It is a demo of how a file could be used to restore the PC. In the top section you need to REM out the "goto endbatch" line. And in the :restore section add the following:
cd restore
savepart -r -f <config>

where <config> is the name of your restore config file generated at the end of the backup process.

8. Run "setmbr 0 1". This will run a set of 3 mbr commands that set your OS partition active, hide your restore partition and install the code into the MBR that is necessary for the F9 boot option.

You should now be able to boot to XP. Watch the POST during boot; you should see "Press F9 to restore" appearing. And in XP your restore partition is hidden.

Press F9 during boot and you are one keystroke (and 30 minutes) away from restoring your PC.


This is perhaps old news, with Windows 7 coming up, but this is my way of contributing to this excellent site.


p.s. One of my PCs actually does not have a floppy drive. So I set up a bootable USB pendrive, using the floppy as a source, and was able to create the restore partition that way. However, it's more tricky, because the USB boots as a HD, thus becoming drive C:, and the restore partition is drive D:. That means that the USB is hd0 and your HD with the OS and restore partitions is hd1.
That means that ossetup.bat and mbrset.bat need to be edited to compensate for that.

Hope someone can use this.

#2 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 17 August 2009 - 09:32 PM

Very good tutorial.

I was going to point out that it's becoming more rare to find floppies in good state nowadays and suggest using a bootable CD as an alternative, but your USB option mentioned at the bottom of the post is also very good.

------

While looking for backup software - have you tried out driveImageXML?

It allows you to save a Windows install onto a file image while running and then restore as needed from either a boot CD/USB or a special restore partition. My favorite use at the workplace for older machines is to keep the bootable OS and the backup image on the same pendisk and restore on the fly.

That is what I've been using to recover things back to a clean state.

Overall, your tutorial is definitely a good article. Welcome to Boot Land!

:whistling:

#3 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 18 August 2009 - 08:53 AM

That is what I've been using to recover things back to a clean state.

Unless the MBR gets corrupted, in which case you are stuck.

Always make a backup of the MBR with another utility if you use a partition/volume based imaging solution (as opposed to whole disk images).

jaclaz

#4 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 18 August 2009 - 10:00 AM

Unless the MBR gets corrupted, in which case you are stuck.


I wouldn't get stuck.

I rarely encounter such a situation, as most viruses these days seem to have turned their attention more to installing themselves as Windows rootkits and less to MBR corruption.

If the MBR needed to be restored, I'd simply use MBRfix.

http://www.sysint.no...ting/mbrfix.htm
http://www.sysint.no...US/Default.aspx
(mirror with older version) http://christianarvi...php?dir=mbrfix/

:whistling:

#5 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 18 August 2009 - 10:14 AM

If the MBR needed to be restored, I'd simply use MBRfix.

http://www.sysint.no...ting/mbrfix.htm
http://christianarvi...php?dir=mbrfix/


Sure, that will restore the CODE from the "internal copy" it has, and procure "from thin air" the DATA. :whistling:

Oh, come on! :cheers:

BTW the download link you gave is NOT the "official" NOR the "latest" one, which is here:
http://www.sysint.no...US/Default.aspx
New version 1.3 released on 5th August 2009


And don't come to me saying that then you would use TESTDISK to re-create the DATA; just do a backup of the FULL MBR (and possibly of the hidden sectors if you use grub4dos or similar non-MBR-self-contained loaders) and make your life easier.

It takes NO MORE than 10 seconds to back up, using any of the several little programs available.


And accidents DO happen:
http://www.boot-land...?showtopic=6282


jaclaz
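jaclaz's distinction between the CODE and the DATA in the MBR is easy to make concrete. The script below is an added example, not from this thread or from any tool mentioned in it: it parses a constructed 512-byte MBR laid out like Arnar's disk (an active NTFS OS partition plus a hidden FAT32 restore partition) and reports which region of the sector no longer matches a saved full-MBR backup, so a restore tool that only rewrites boot code can be told apart from one that preserves the partition table.

```python
import struct
SECTOR = 512
BOOT_SIG = b"\x55\xAA"
# Standard MBR partition-type IDs relevant to this thread (0x1x = "hidden" variants).
TYPE_NAMES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA"}
# Byte ranges of the four things a FULL MBR backup must preserve.
REGIONS = {"boot code": (0, 440), "disk signature": (440, 444),
           "partition table": (446, 510), "0x55AA marker": (510, 512)}

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into its regions and decode the four partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:  # type 0x00 means the slot is unused
            parts.append({"index": i, "active": bool(status & 0x80), "type": ptype,
                          "name": TYPE_NAMES.get(ptype, "unknown"),
                          "start_lba": lba, "sectors": count})
    return {"disk_signature": mbr[440:444].hex(), "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIG}

def compare_mbr(current: bytes, backup: bytes) -> list:
    """Name the regions where the live MBR no longer matches the saved copy."""
    return [name for name, (lo, hi) in REGIONS.items() if current[lo:hi] != backup[lo:hi]]

def patch(mbr: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of mbr with data written at offset (used here to simulate damage)."""
    return mbr[:offset] + data + mbr[offset + len(data):]

def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the thread's disk: active NTFS OS + hidden FAT32 restore partition."""
    mbr = bytearray(SECTOR)
    mbr[0:440] = b"\xEB\xFE" + b"\x90" * 438      # placeholder boot code (jmp $; nop...), constructed
    mbr[440:444] = b"\x12\x34\x56\x78"            # constructed NT disk signature
    # entry 0: bootable (0x80) NTFS (0x07) from sector 63, 30 GiB
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 63, 62_914_560)
    # entry 1: hidden FAT32 (0x1B) right after it, 4 GiB, not bootable
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x1B, 62_914_623, 8_388_608)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

if __name__ == "__main__":
    good = build_sample_mbr()
    print(parse_mbr(good))
    print(compare_mbr(patch(good, 0, b"\x00" * 16), good))  # boot code overwritten
```

On a real machine the 512 bytes would come from reading sector 0 of the disk (what the "full MBR backup" tools in this thread save), and the same compare shows whether a repair restored the partition table as well as the code.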

#6 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 18 August 2009 - 10:24 AM

Sure, that will restore the CODE from the "internal copy" it has, and procure "from thin air" the DATA


ahaha.. you're being too picky.. :cheers:

I'm not really worried about the original MBR as long as it works, and we're talking about old Pentiums that use the plain generic code without fuss.

BTW the download link you gave is NOT the "official" NOR the "latest" one,

It's updated enough; I didn't find the link on the original page.

I'll update the previous post.

:whistling:

#7 ktp

ktp

    Silver Member

  • Advanced user
  • 773 posts

Posted 04 July 2010 - 09:27 AM

I wouldn't get stuck.

I rarely encounter such a situation, as most viruses these days seem to have turned their attention more to installing themselves as Windows rootkits and less to MBR corruption.

If the MBR needed to be restored, I'd simply use MBRfix.

http://www.sysint.no...ting/mbrfix.htm
http://www.sysint.no...US/Default.aspx
(mirror with older version) http://christianarvi...php?dir=mbrfix/

:unsure:


Help forums show that more and more users are infected with MBR rootkits.
An excellent article about "Stealth MBR rootkit" is here:
http://www2.gmer.net/mbr/

It contains a tool (mbr.exe) to detect and fix the rootkit. It is part of the gmer.exe rootkit detector and remover.

As was_jaclaz said, it is important to have an up-to-date FULL MBR backup of all your disks. Maybe by using wimb's MBR_Backup.cmd as mentioned in this topic: http://www.boot-land...?showtopic=8178

Sample infected MBR:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x80f5a168
NDIS: VMware Accelerated AMD PCNet Adapter -> SendCompleteHandler -> 0xffab4530
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0365340
malicious code @ sector 0x0365343 !
PE file found in sector at 0x0365359 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Sample non-infected MBR:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK


#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 July 2010 - 04:49 PM

As was_jaclaz said, It is important to have an up-to-date FULL MBR backup of all your disks.


Sure it is :unsure:, but NOT actually for the mentioned MBR Rootkit:

An excellent article about "Stealth MBR rootkit" is here :
http://www2.gmer.net/mbr/

The rootkit itself makes a backup of the MBR and places it on sector 62. :unsure:

In this sense it is a (completely crazy :cheers:) way to have a backup on sector 62. :rofl:

I would rather suggest :cheers::
dsfo \\.\Physicaldrive0 31744 C:\1STTRACK.HD0
dsfo C:\1STTRACK.HD0 0 512 C:\COPY_MBR.HD0
dsfi C:\1STTRACK.HD0 e 0 C:\COPY_MBR.HD0
dsfi \\.\Physicaldrive0 32256 C:\1STTRACK.HD0

;)
Wonko

#9 Zerojinny

Zerojinny

    Newbie

  • Members
  • 22 posts

Posted 05 July 2010 - 09:06 AM

Great thanks Arnar!

I am looking for a tool like IBM BMGR.

BMGR is a good solution but it's not freeware.

MBR is a very useful tool and it works great!

#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 July 2010 - 09:26 AM

I am looking for a Tool like IBM BMGR.

Also:
(for simple things) Partita:
http://www.pedrofrei...om/crea1_en.htm

A full-fledged app:
http://www.boot-land...p?showtopic=334
http://mbldr.sourceforge.net/

:unsure:
Wonko

#11 Zerojinny

Zerojinny

    Newbie

  • Members
  • 22 posts

Posted 05 July 2010 - 10:53 AM

Also:
(for simple things) Partita:
http://www.pedrofrei...om/crea1_en.htm

A full-fledged app:
http://www.boot-land...p?showtopic=334
http://mbldr.sourceforge.net/

:cheers:
Wonko


Great thanks Wonko the Sane! :cheers:

#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 July 2010 - 11:40 AM

Great thanks Wonko the Sane! :cheers:


Just in case (and should the "512 bytes long ONLY" be NOT a requirement) grub4dos can also be used.
It could also allow a sort of "super-hidden" partition:
http://www.boot-land...?...ic=7138&hl=

:cheers:
Wonko



