603 replies to this topic

[rocketero]

can one create an image of the hard disk that windows is running at the moment?  I have a disk with 3 partitions and two of the three partitions have a different OS to boot with (Windows 7 and Windows 8). So the image of this disk will have the 3 partitions on it ?

[erwan.l]

can one create an image of the hard disk that windows is running at the moment?  I have a disk with 3 partitions and two of the three partitions have a different OS to boot with (Windows 7 and Windows 8). So the image of this disk will have the 3 partitions on it ?

 

You can backup a partition or a full disk.

 

Ideally you should make your (system)  backup offline (i.e from a winpe for instance).

 

Nethertheless, you could use MS volume shadows to perform an online (system) logical drive backup.

See here.

[erwan.l]

Thank you Wonko! but:

 

DriverInjection is not updated since 2010 and sometimes it does not work;

MSSTMake is a command line tool. I prefer a GUI tool;

 

 

If you give me the registry keys and a brief description of what it to be achieved, I can have a look.

[Wonko the Sane]

@rocketero

http://www.msfn.org/...inside-windows/

 

Wonko

[David Lynch]

If you give me the registry keys and a brief description of what it to be achieved, I can have a look.

Sorry erwan.l, but I do not have the knowledge for that.

 

What I can tell you is that OfflineSysPrep is the tool that I used most of the times for this task.

 

Here is a LiveXP Script.

 

Here at reboot.pro we have a thread too.

 

Disk2vhd from Sysinternals has also a similar feature, which changes HAL to match VirtualPC. OfflineSysPrep does a convenient HAL auto detection, matching destination system.

 

So, to successfully boot a restored image that is hardware independent we have to auto detect HAL and disk (SATA) controller, and change them on the offline registry.

 

Edited by David Lynch, 28 March 2014 - 05:54 PM.

[erwan.l]

if I read correctly, Windows XP can use 3 different HAL/Kernel :

 

Advanced Configuration and Power Interface (ACPI) PC (ACPIPIC_UP)

- halacpi.dll (renamed to hal.dll)

- ntkrnlpa.exe 

- ntoskrnl.exe

 

ACPI Uniprocessor PC (ACPIAPIC_UP)

- halaacpi.dll (renamed to hal.dll)

- ntkrnlpa.exe 

- ntoskrnl.exe

 

ACPI Multiprocessor PC (ACPIAPIC_MP)

- halmacpi.dll (renamed to hal.dll)

- ntkrpamp.exe (renamed to ntkrnlpa.exe)

- ntkrnlmp.exe (renamed to ntoskrnl.exe)

 

These files can be found in the offline image in driver.cab or sp2.cab under \WINDOWS\Driver Cache\i386.

 

if it is all about replacing files (and probably update a reg key) in the offline image then I guess I could add this feature to CloneDisk.

 

For now, what I have done is the ability to check the HAL and Processor on the host where CloneDisk is running (can be useful when executed from a WinPE) and also against on offline image/registry.

 

 

[David Lynch]

Hello erwan.l,

 

Can CloneDisk change the volume serial number?

 

 

[erwan.l]

You mean the volume / logical disk serial number that is to be found in the boot sector?

 

Actualy, for some time I have been thinking about a boot sector editor so indeed I might add this feature in CloneDisk.

 

 

Attached Thumbnails

• 

[Wonko the Sane]

A word of warning (in passing by).

VOL does not reflect "immediately" a changed VolumeID, and changing a volume ID may cause issues, see:
http://technet.micro...s/bb897436.aspx

And (shameless plug ) remember that NTFS serial is longer than what appears:
http://reboot.pro/to...ed-drive-image/


Wonko

[David Lynch]

Yes, sometimes we really need to change this serial.

 

 

[erwan.l]

Yes, sometimes we really need to change this serial.

 

 

Latest CloneDisk version (2.1.2) can now patch the serial number within the bootsector for NTFS/FAT32/FAT.

 

Regarding NTFS, the serial number is stored in 8 bytes whereas the system seems to use only the first 4.

See post from Wonko here.

 

CloneDisk will therefore only read and write the 4 bytes as well.

Double click in the serial number boot sector field to modify it.

 

The serial number change is seen by the system only after a reboot or after the volume has been remounted.

Attached Thumbnails

• 

[Wonko the Sane]

CloneDisk will therefore only read and write the 4 bytes as well.

 

Wonko disapproves of this .

 

The general idea should be of having more (or better) features than existing programs.

 

Sysinternals VolumeID can already change the serial (but only partially. i.e. the "last" 4 bytes).

 

IMHO at least as an option Clonedisk should allow to change the "full" serial.

 

Please also note how there is a "queer" concidence or "pattern" on the "hidden" part of the serial on NTFS volumes, see:

 http://thestarman.pc.../mbr/NTFSBR.htm

It is interesting to note how the (3rd and 4th) and (6th and 7th) bytes repeat here!
Do you have a Serial Number where these two sets of bytes are not the same?

 

Though the reason for the "repetition" (as seen in a hex editor):

27 21 A6 C0 32 A6 C0 CE

is unknown, it is a pattern consistently found in NTFS bootsectors, and I personally would like to have it happen also on the "new" serial, possibly as a further option.

 

OT, but not much, and JFYI, the way the NTFS serial is generated (and more generally how NT based systems, also on other filesystems do that) is one of the fields that were never explored fully, whilst the DOS way to generate the "random" serial was based on date/time.

 

And, still as a JFYI, and as yet another shameless plug:

http://www.forensicf...ewtopic/t=2134/

http://www.msfn.org/...mages/?p=987748 <- (I am particularly proud of this completely unuseful spreadsheet )

http://www.msfn.org/...mages/?p=980297

 

 

Wonko

[erwan.l]

Hi Wonko,

 

I knew, or rather I was hoping you would step in

 

As indeed this "full vs half" serial number is puzzling me.

It seems that all tools outhere (volumeid.exe for example) change only 4 bytes whatever the file system is (ntfs/fa32/fat).

Hence me mimicking this but I am pretty sure these 8 bytes are not there for nothing in NTFS boot records and this especially when indeed it seems that there is a pattern in the 4 pseudo useless bytes.

 

But it is a fact that windows systems seem to care only about 4 bytes for NTFS (vol.exe reads 4 bytes, always).

 

What would you advise?

Give the user a choice for NTFS boot records to patch either 4 or 8 bytes?

Actually for me it could be as simple as write any user input bytes between 1 and 8 ...

 

Regards,

Erwan

[Wonko the Sane]

What would you advise?

Give the user a choice for NTFS boot records to patch either 4 or 8 bytes?

Actually for me it could be as simple as write any user input bytes between 1 and 8 ...

I personally would like a 3 (three) step approach:

1. Normal (only the "visible 4 bytes) i.e. replicating exactly what VolumeId does (which I believe is "wrong")
2. Advanced (the whole 8 bytes BUT with the user actually inputting ONLY 6 bytes, and have the program automatically replicate 2nd and 3rd to 5th and 6th - if seen as "serial" or 6th and 7th to 3rd and 4th if seen as "RAW" bytes)
3. Reckless (the whole 8 bytes, "freestyle")

 

Wonko

[erwan.l]

I personally would like a 3 (three) step approach:

1. Normal (only the "visible 4 bytes) i.e. replicating exactly what VolumeId does (which I believe is "wrong")
2. Advanced (the whole 8 bytes BUT with the user actually inputting ONLY 6 bytes, and have the program automatically replicate 2nd and 3rd to 5th and 6th - if seen as "serial" or 6th and 7th to 3rd and 4th if seen as "RAW" bytes)
3. Reckless (the whole 8 bytes, "freestyle")

 

Wonko

 

Ok, here is what I have done (NTFS bootsector / offset $48):

 

-case 1 : user can enter 8 bytes ("freestyle" mode)

-case 2 : user can enter 4 bytes ("normal" mode)

In such case, I however make sure that offset $4d=offset $4a and that offset $4e=$4b

[David Lynch]

A button to generate a random serial would be nice too. Call me lazy, yes, you can tell the truth  

 

 

[Wonko the Sane]

A button to generate a random serial would be nice too. Call me lazy, yes, you can tell the truth

http://xkcd.com/221/


Wonko

[erwan.l]

A button to generate a random serial would be nice too. Call me lazy, yes, you can tell the truth

 

 

Done : each time you will double click in the serial number to change it, the inputbox will propose a random 4 bytes number.

[erwan.l]

http://xkcd.com/221/


Wonko

 or 

 

 

[Wonko the Sane]

Yep , though on Dilbert most probably an Ayn Random number generator is used
http://xkcd.com/1277/


Wonko

[erwan.l]

Version 2.1.4 out.

 

I needed a simple partition editor in WINPE environement where I did not have the MMC.

 

 

Latest changelog :

 

added : create disk will now offer mbr, gpt or raw

fixed : create partition was adding one sector too much

fixed : create unique partition was not wiping partitions above 1st partition.

added : partition editor (using IOCTL_DISK_GET_DRIVE_LAYOUT)

added : delete partition in partition editor

added : create partition in partition editor

added : gpt support in partition editor (using IOCTL_DISK_GET_DRIVE_LAYOUT_ex)

added : gpt support in create partition (using IOCTL_DISK_SET_DRIVE_LAYOUT_ex)

added : gpt support delete partition (using IOCTL_DISK_SET_DRIVE_LAYOUT_ex)

modified : create a GPT partition when there is no partition yet

[misty]

@erwan.l

Wow!!! I have barely scratched the surface and I'm already impressed with Clonedisk.

I did a quick test this morning in WinFE (based on WinPE 5.0) with a SANPolicy value set as 4 and NoAutoMount enabled.

On booting the system I ran a few diskpart commands -

Microsoft DiskPart version 6.3.9600

Copyright (C) 1999-2013 Microsoft Corporation.
On computer: MINWINPC

DISKPART> sel disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

HITACHI HTS723216L9SA60
Disk ID: 2344A9FF
Type   : SATA
Status : Offline (Policy)
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1F02)#ATA(C00T00L00)
Current Read-only State : Yes
Read-only  : Yes
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

There are no volumes.

DISKPART> attrib disk clear readonly

DiskPart failed to clear disk attributes.

Note that I could not clear the readonly disk attribute. I then used the new version of Clonedisk and cleared the readonly flag. Did a quick test in Diskpart -
 

Microsoft DiskPart version 6.3.9600

Copyright (C) 1999-2013 Microsoft Corporation.
On computer: MINWINPC

DISKPART> sel disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

HITACHI HTS723216L9SA60
Disk ID: 2344A9FF
Type   : SATA
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1F02)#ATA(C00T00L00)
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0                             Partition     30 GB  Healthy    Offline
  Volume 1                             Partition    118 GB  Healthy    Offline

DISKPART>

I had to assign drive letters manually afterwards. Also noted that running this command may have also cleared the readonly flag on a different disk - I'll verify this later as I'm about to start work.

It's worth noting that (IMNSHO) Clonedisk is intuitive to use and the UI does not appear overly cluttered with features. I look forward to playing around with it - fantastic work!

Regards,

Misty

[misty]

@erwan.l
Just noticed that the about button refers to the new version as 2.1.3. Also changelog needs updating.

Regards,

Misty

[erwan.l]

@erwan.l
Just noticed that the about button refers to the new version as 2.1.3. Also changelog needs updating.

Regards,

Misty

 

Hi Misty,

 

Thanks the positive feedback.

 

I'll take care of the about box and changelog.

 

Regards,

Erwan

[Wonko the Sane]

If you give me the registry keys and a brief description of what it to be achieved, I can have a look.

and @David Lynch

 

I have looked a bit at the thingy.

 

It seems to me like the easiest "manual" way is to use the AEK inftoreg tool (and NO other tool but that specific one):

http://www.mdgx.com/files/INFTOREG.ZIP

to convert the "F6 floppy" Mass storage driver .INF to a .REG and then merge this .REG to the "offline" Registry.

 

This converter - though not the easiest to use and seemingly completely UNlike documented - creates from the .INF file not only the "normal" driver entries but also the CDDB (Critical Devices DataBase) ones.

A minimal amount of "manual interaction" is needed to do the conversion, and it is possible that the reason why DriverInjectionGUI may sometime fail is because of it's "automagic" nature, that is tricked by some "overcomplex" "F6 floppy" .inf's

 

Probably a good idea (not only restricted to this specific topic) for erwan.l (time and will permitting of course) would be to either modify the offline registry tool:

http://reboot.pro/to...fline-registry/

to be able to parse a .REG file or create a converter from .REG to offline Registry tool commands.

 

@David Lynch

Can you test the above approach on *something* on which DriverInjectionGUI fails?

 

Wonko