
How to copy locked Windows files?


14 replies to this topic

#1 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 05 February 2017 - 09:43 AM

I have a USB drive that contains a WindowsToGo flat-file installation on a 16GB NTFS single partition.

So it has a normal Windows folder structure \Users, \Program Files, \Windows, etc.

I want to make a fixed VHD of 16GB containing all those files.

 

I don't want to use any VHD tools because the USB drive is a 500GB drive containing a 16GB NTFS partition. I need to make a fixed VHD from it of approx. 16GB (not a 500gb VHD!). i.e. I don't want a fixed VHD of the whole USB drive.

 

I created a new empty 16GB fixed .VHD file, attached it and formatted it as NTFS.

 

I am running on a normal MBR-booting Win10 x64 SSD system (it was Home but I have now upgraded it to Pro).

 

 

Now I want to copy all the files from the WinToGo USB drive to the VHD.

The problem is when the copy process hits certain files (mostly in the \Windows folder), it fails to copy them.

 

I have tried xcopy, robocopy, Hobocopy, Shadospawn, spyhunter, OSForensic, VSSCopy and many other tools - all without success. They all report copy errors. I suspect because Win10 may be getting confused and thinks that some of these files are actually its own system OS files (i.e. it thinks it is running WinToGo) and so not allowing access to them?

 

I have not tried WinPE (or forensic PE), I suspect that these may work, but that is not the point. I want to copy the files from a normal Windows 10 system.

 

Does anyone have any ideas?

 

P.S. I am trying robocopy /B /MIR again and it seems to be working so far... I did try this before when I had Win 10 Home and I don't think it worked (if I remember correctly). So maybe /B requires Pro or higher for VSS???

Scratch that! - it is following the symbolic links - e.g. it hits the My Documents symbolic link and then tries to copy all my Windows OS's Documents folder! If I use the /sl switch, then I get 'program cannot access the file' when trying to access my Documents and Settings\Steve\ntuser.dat file, etc....


Edited by steve6375, 05 February 2017 - 10:14 AM.


#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 February 2017 - 10:12 AM

Sure, lot of them ideas, and also (hopefully) a solution.

Here:

http://reboot.pro/to...s-now-possible/

 

As a side note please take into account (you will have to check if this applies) that starting from Windows Vista (and increasingly in 7 and later) there is wide use of hardlinks, thus a file (even if copied correctly) may result in a new instance of the file, and as such will occupy more space than the original.

 

JFYI (if needed):
http://schinagl.priv...lextension.html

 

This said, in your specific case, I am pretty sure that you can easily create a RAW file containing a dd-like copy of the 16 Gb partition (+a MBR and hidden sectors) and then "convert" it to "fixed VHD" (i.e. add the CONECTIX footer), manually or using a dedicated tool *like* Clonedisk or the simpler:
http://reboot.pro/to...mand-line-tool/

http://reboot.pro/to...images/?p=83781

 

 

:duff:

Wonko
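What "adding the CONECTIX footer" to a raw image involves, as an added example (not code from this thread or from any of the linked tools): a fixed VHD is the raw disk image followed by one 512-byte footer, built here following the published VHD format specification. The function names and the creator tag "demo" are made up for the illustration.

```python
import os
import struct
import time
import uuid

SECTOR = 512
VHD_EPOCH = 946684800  # Unix time of 2000-01-01 00:00:00 UTC, the VHD timestamp base

def chs_geometry(total_sectors):
    """CHS values as computed by the algorithm in the VHD specification."""
    total_sectors = min(total_sectors, 65535 * 16 * 255)
    if total_sectors >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total_sectors // spt
    else:
        spt = 17
        cth = total_sectors // spt
        heads = max((cth + 1023) // 1024, 4)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total_sectors // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total_sectors // spt
    return cth // heads, heads, spt

def footer_checksum(footer):
    """One's complement of the byte sum, computed with the checksum field zeroed."""
    return ~sum(footer[:64] + bytes(4) + footer[68:]) & 0xFFFFFFFF

def build_fixed_footer(raw_size, unix_time, disk_id):
    """Return the 512-byte footer for a raw disk image of raw_size bytes."""
    if raw_size == 0 or raw_size % SECTOR:
        raise ValueError("raw image must be a non-zero multiple of 512 bytes")
    cyl, heads, spt = chs_geometry(raw_size // SECTOR)
    footer = struct.pack(
        ">8sIIQI4sI4sQQHBBI4x16sB427x",
        b"conectix", 2, 0x00010000,      # cookie, features, format version
        0xFFFFFFFFFFFFFFFF,              # data offset: none for a fixed disk
        unix_time - VHD_EPOCH,           # seconds since the VHD epoch
        b"demo", 0x00010000, b"Wi2k",    # creator tag is a made-up value
        raw_size, raw_size, cyl, heads, spt, 2, disk_id.bytes, 0)  # 2 = fixed disk
    return footer[:64] + struct.pack(">I", footer_checksum(footer)) + footer[68:]

def append_footer(path):
    """Turn a raw whole-disk image into a fixed VHD by appending the footer."""
    footer = build_fixed_footer(os.path.getsize(path), int(time.time()), uuid.uuid4())
    with open(path, "ab") as image:
        image.write(footer)
```

The raw file has to be a whole-disk image (MBR, hidden sectors and the partition), not just the volume, for the result to attach and boot as a disk.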



#3 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 05 February 2017 - 10:29 AM

Yes, thanks, the symbolic link issue is the one I am hitting now! See P.S. on first post!

I either need to 'raw copy' the whole volume, or maybe somehow offline it and then copy all files?

 

I can make a dynamic VHD from the 500GB USB drive using tools like DisktoVHD (which makes a 500GB dynamic VHD of about 17GB in size) and then reduce\convert this to a fixed\static VHD but this gives me a 31GB VHD when I only want a 16GB VHD containing 10GB of files...



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 February 2017 - 10:39 AM

Forget (temporarily) about the VHD.

 

Think RAW.

 

Use a sparse file (for the target image).

 

If the 16 Gb partition is first partition on the "source" disk then you can do a (partial) dd-like image just fine (and then edit the MBR partition table to remove addresses of "other" partition(s)).

 

If the partition is not the first one, you can still create a (sparse) target image of suitable size, write to it the MBR and the "sectors before", dd the volume then correct the "sectors before" (as said I am pretty sure you can do that just fine), and finally convert the whole stuff to (static) VHD.

 

:duff:

Wonko
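The MBR edit and the "sectors before" correction described in the post above, as an added example (not code from this thread): it keeps one partition table entry, optionally moves it to a new start LBA, and writes the same value into the volume boot sector's hidden-sectors field at offset 0x1C. The function names and the sample MBR are constructed for the illustration; writing FE FF FF into the CHS fields is the conventional "use LBA" value and is an assumption that the boot chain does not rely on real CHS addresses.

```python
import struct

PT_OFFSET, ENTRY_SIZE = 446, 16   # partition table location inside the MBR sector

def relocate_partition(mbr, index, boot_sector, new_start=None):
    """Keep only partition `index` (0-3); optionally move it to LBA `new_start`.

    Returns (new_mbr, new_boot_sector, old_start_lba, sector_count)."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("missing 55 AA MBR signature")
    off = PT_OFFSET + ENTRY_SIZE * index
    entry = bytearray(mbr[off:off + ENTRY_SIZE])
    old_start, count = struct.unpack_from("<II", entry, 8)
    if entry[4] == 0 or count == 0:
        raise ValueError("partition slot is empty")
    start = old_start if new_start is None else new_start
    if start != old_start:
        struct.pack_into("<I", entry, 8, start)       # "sectors before" in the table
        entry[1:4] = entry[5:8] = b"\xfe\xff\xff"     # old CHS values are stale
    # The surviving entry goes into slot 0; the other three slots are zeroed.
    new_mbr = mbr[:PT_OFFSET] + bytes(entry) + bytes(48) + mbr[510:]
    vbr = bytearray(boot_sector)
    struct.pack_into("<I", vbr, 0x1C, start)          # BPB hidden sectors
    return new_mbr, bytes(vbr), old_start, count

def sample_mbr():
    """Constructed MBR: a small FAT32 partition followed by a 16 GiB NTFS one."""
    chs = b"\xfe\xff\xff"
    first = struct.pack("<B3sB3sII", 0x00, chs, 0x0C, chs, 2048, 1048576)
    second = struct.pack("<B3sB3sII", 0x80, chs, 0x07, chs, 1050624, 33554432)
    return bytes(446) + first + second + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    vbr = bytearray(512)
    struct.pack_into("<I", vbr, 0x1C, 1050624)        # constructed boot sector
    _, _, old, count = relocate_partition(sample_mbr(), 1, bytes(vbr), 2048)
    print("copy", count, "sectors from LBA", old, "to LBA 2048 of the image")
```

The target image then needs (start + count) * 512 bytes before any VHD footer is appended.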



#5 Wonko the Insane

Wonko the Insane

    Frequent Member

  • Advanced user
  • 498 posts
  • Location:The Inside of the Asylum (gate is wide open)
  • Interests:Oh, so you hate me too? Well, join the club! There are weekly meetings at the corner of Fuck You St. and Kiss My Ass Blvd.

Posted 05 February 2017 - 10:51 AM

Have you tried mounting the Windows volume offline from Linux, then copying from there? Not sure if this would be a good approach, since permissions/owners might not be retained intact.

 

Or maybe you can robocopy but use whatever switches allow for excluding symlinks/junctions, then manually recreate them?

 

If all else fails, raw copying will surely work.



#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 February 2017 - 11:05 AM

Alternatively, since you are into experimenting, see if strarc (possibly with a few tricks) can be used for 10 as well (it should):
https://tinyapps.org...eplacement.html

 

Strarc solves elegantly the link issues, in case you have errors with 8.3 compatibility messages:

http://serverfault.c...y/650290#650290

 

:duff:

Wonko


  • steve6375 likes this

#7 Zoso

Zoso

    Silver Member

  • Advanced user
  • 610 posts
  •  
    Isle of Man

Posted 05 February 2017 - 11:13 AM

hi steve6375,

Try earlier versions of Clonedisk, I use 1.9.6 for this (file copy option) and it has the option to also copy ACLs or not.

Having written this, I have not used this method for w8 and later but it may be worth a try.

I run it from XP most of the time also and find XP does not have as many issues with copy/paste operations as the later MS versions do.

#8 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 05 February 2017 - 11:18 AM

I can make a partition image using RMPrepUSB - Drive->File - P1 (actually it is a .imgPTN file already).

7zip can open this image as an archive.

I can then extract the files to the new 16GB VHD.

But 7zip does not like some files, e.g. \System Volume Information\WPSettings.dat (which doesn't matter) and cannot create \Users\All Users symbolic link, etc. 

 

I think the only way this is going to work properly is by working with raw images (as WtS says)...
 



#9 Vortex

Vortex

    Frequent Member

  • Advanced user
  • 231 posts

Posted 05 February 2017 - 11:26 AM

Hi steve6375,

 

You can try the strarc tool with the volume shadow copy client to copy locked files:

 

http://ltr-data.se/opencode.html/

 

http://vscsc.sourceforge.net/

 

About strarc :

 

The command line switches and parameters are quite similar to the *nix tar utility and it can easily be used to clone an entire NTFS volume including everything, files, directories, their time stamps, attributes and security information, compression attribute, alternate data streams, junctions, hard links etc.

 

 

Example:

  strarc -cjd:C:\dir | strarc -xd:D:\dirbk

This will clone the C:\dir directory tree to D:\dirbk but will not follow
junctions in the C:\dir directory tree but instead clone the junction itself to
the D:\dirbk location. Example: If there is a volume mount point C:\dir\mnt
then a new junction D:\dirbk\mnt will be created to point to the same volume,
the contents of the target volume of the mount point will not be copied.

 

http://ltr-data.se/files/strarc.txt
 


  • steve6375 likes this

#10 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 05 February 2017 - 11:52 AM

Thanks!  :)

strarc works perfectly!

 

I had a Windows Server 2016 installation as a flat file inside a .imgPTN file and I wanted to convert this to a .VHD file.

 

I switched to the .imgPTN file ( seen as D: by Windows) and mounted a new 16GB fixed VHD as Q:

 

C:\temp>strarc.exe -cjd:d:\ | strarc -xd:q:\
strarc: Cannot create 'System Volume Information\IndexerVolumeGuid': Cannot create a file when that file already exists.
strarc: Cannot create 'System Volume Information\WPSettings.dat': Cannot create a file when that file already exists.

 

 

 

I copied the VHD file to my E2B drive and I can now boot from the VHD file to Windows Server 2016!

:lol:

 



#11 Vortex

Vortex

    Frequent Member

  • Advanced user
  • 231 posts

Posted 05 February 2017 - 12:38 PM

Hi steve6375,

 

Olof Lagerkvist's strarc is very powerful. There is an option to exclude paths and files:

 

strarc -c [-afjnr] [-z:CMD] [-m:f|d|i] [-l|v] [-s:ls8] [-b:SIZE]
       [-e:EXCLUDE[,...]] [-i:INCLUDE[,...]] [-d:DIR] [ARCHIVE] [LIST ...]
-e     Exclude paths and files where any part of the relative path matches any
       string in specified comma-separated list.

  • steve6375 likes this

#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 February 2017 - 12:47 PM

Those "System Volume Information" related errors may most probably be avoided by stopping the Windows Search service, that seems like a *new* thing in Windows 8.x and later, coincidentally:
http://www.msfn.org/...-attached-vhds/

 

From what I can understand, as soon as you attach the .vhd, the OS (the Windows Search service) instantly creates the "System Volume Information" folder, and when strarc copies it those files are already present.

 

And, just to keep things as together as possible, the original report by Vortex :thumbsup: about using VSS (also cited in the given tinyapps page):
http://reboot.pro/to...-copy/?p=173053

 

:duff:

Wonko



#13 steve6375

steve6375

    Platinum Member

  • Developer
  • 6541 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films,guitars
  •  
    United Kingdom

Posted 05 February 2017 - 12:50 PM

Yes, there is a way of stopping it by deleting the folder and then quickly making a file of the same name...



#14 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13440 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 February 2017 - 12:54 PM

"Yes, there is a way of stopping it by deleting the folder and then quickly making a file of the same name..."

Yep :), but that doesn't solve the issue at all, that way it will anyway prevent the strarc from copying the original one, disabling the Windows Search before attaching the target vhd should allow strarc to operate correctly and copy the original to the target.

 

:duff:

Wonko



#15 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1334 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 06 February 2017 - 06:53 PM

Missed this thread yesterday but you have already found strarc and it looks like you got it to work correctly for you. What I usually do in these cases is also using a shadow copy and then use strarc to copy all files but adding the -e switch to skip some. In particular I usually:

 

strarc -c -j -e:"System Volume Information,\Temp\,\Temporary Internet Files\,\Cache\,.tmp,pagefile.sys,hiberfil.sys,\$NtUninstall"

 

Don't forget the -j switch. It is important to use that switch to get all symbolic links, junctions etc correct. It is not needed for hard links though, they are archived only once even without special switches. (You can select if you want to archive or extract them as separate files using -s:l switch though.)


  • steve6375 likes this



