
CloneDisk


595 replies to this topic

#401 rocketero

rocketero

    Frequent Member

  • Advanced user
  • 155 posts
  •  
    United States

Posted 25 March 2014 - 09:24 PM

Can one create an image of the hard disk that Windows is running on at the moment? I have a disk with 3 partitions and two of the three partitions have a different OS to boot with (Windows 7 and Windows 8). So the image of this disk will have the 3 partitions on it?



#402 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 28 March 2014 - 04:49 PM

Can one create an image of the hard disk that Windows is running on at the moment? I have a disk with 3 partitions and two of the three partitions have a different OS to boot with (Windows 7 and Windows 8). So the image of this disk will have the 3 partitions on it?

 

You can backup a partition or a full disk.

 

Ideally you should make your (system) backup offline (i.e. from a WinPE for instance).

 

Nevertheless, you could use MS volume shadows to perform an online (system) logical drive backup.

See here.



#403 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 28 March 2014 - 04:56 PM

Thank you Wonko! but:

 

DriverInjection is not updated since 2010 and sometimes it does not work;

MSSTMake is a command line tool. I prefer a GUI tool;

 


 

If you give me the registry keys and a brief description of what is to be achieved, I can have a look.



#404 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 March 2014 - 04:56 PM

@rocketero

http://www.msfn.org/...inside-windows/

 

:duff:

Wonko



#405 David Lynch

David Lynch

    Member

  • Members
  • 34 posts
  •  
    United States

Posted 28 March 2014 - 05:52 PM



If you give me the registry keys and a brief description of what is to be achieved, I can have a look.

Sorry erwan.l, but I do not have the knowledge for that.

 

What I can tell you is that OfflineSysPrep is the tool that I used most of the times for this task.

 

Here is a LiveXP Script.

 

Here at reboot.pro we have a thread too.

 

Disk2vhd from Sysinternals has also a similar feature, which changes HAL to match VirtualPC. OfflineSysPrep does a convenient HAL auto detection, matching destination system.

 

So, to successfully boot a restored image that is hardware independent we have to auto detect HAL and disk (SATA) controller, and change them on the offline registry.

 



Edited by David Lynch, 28 March 2014 - 05:54 PM.


#406 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2014 - 03:44 PM

If I read correctly, Windows XP can use 3 different HAL/Kernel:

 

Advanced Configuration and Power Interface (ACPI) PC (ACPIPIC_UP)
- halacpi.dll (renamed to hal.dll)
- ntkrnlpa.exe 
- ntoskrnl.exe
 
ACPI Uniprocessor PC (ACPIAPIC_UP)
- halaacpi.dll (renamed to hal.dll)
- ntkrnlpa.exe 
- ntoskrnl.exe
 
ACPI Multiprocessor PC (ACPIAPIC_MP)
- halmacpi.dll (renamed to hal.dll)
- ntkrpamp.exe (renamed to ntkrnlpa.exe)
- ntkrnlmp.exe (renamed to ntoskrnl.exe)
 
These files can be found in the offline image in driver.cab or sp2.cab under \WINDOWS\Driver Cache\i386.
 
If it is all about replacing files (and probably updating a reg key) in the offline image then I guess I could add this feature to CloneDisk.
 
For now, what I have done is the ability to check the HAL and Processor on the host where CloneDisk is running (can be useful when executed from a WinPE) and also against an offline image/registry.
 
3HuV5jG.png
 
n0hhKV6.png


#407 David Lynch

David Lynch

    Member

  • Members
  • 34 posts
  •  
    United States

Posted 09 April 2014 - 08:58 PM

Hello erwan.l,

 

Can CloneDisk change the volume serial number?

 




#408 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 10 April 2014 - 05:15 PM

You mean the volume / logical disk serial number that is to be found in the boot sector?

 

Actually, for some time I have been thinking about a boot sector editor so indeed I might add this feature in CloneDisk.

 

 

Attached Thumbnails

  • vol.png


#409 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 10 April 2014 - 05:52 PM

A word of warning (in passing by).

VOL does not reflect "immediately" a changed VolumeID, and changing a volume ID may cause issues, see:
http://technet.micro...s/bb897436.aspx

And (shameless plug ;)) remember that NTFS serial is longer than what appears:
http://reboot.pro/to...ed-drive-image/

:duff:
Wonko



#410 David Lynch

David Lynch

    Member

  • Members
  • 34 posts
  •  
    United States

Posted 10 April 2014 - 08:17 PM

Yes, sometimes we really need to change this serial.

 




#411 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 11 April 2014 - 10:03 AM

Yes, sometimes we really need to change this serial.

 


 

Latest CloneDisk version (2.1.2) can now patch the serial number within the bootsector for NTFS/FAT32/FAT.

 

Regarding NTFS, the serial number is stored in 8 bytes whereas the system seems to use only the first 4.

See post from Wonko here.

 

CloneDisk will therefore only read and write the 4 bytes as well.

Double click in the serial number boot sector field to modify it.

 

The serial number change is seen by the system only after a reboot or after the volume has been remounted.

Attached Thumbnails

  • clonedisk_sn.png


#412 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 April 2014 - 10:39 AM

CloneDisk will therefore only read and write the 4 bytes as well.

 

Wonko disapproves of this :(.

 

The general idea should be of having more (or better) features than existing programs.

 

Sysinternals VolumeID can already change the serial (but only partially. i.e. the "last" 4 bytes).

 

IMHO at least as an option Clonedisk should allow to change the "full" serial.

 

Please also note how there is a "queer" coincidence or "pattern" on the "hidden" part of the serial on NTFS volumes, see:

 http://thestarman.pc.../mbr/NTFSBR.htm

It is interesting to note how the (3rd and 4th) and (6th and 7th) bytes repeat here!
Do you have a Serial Number where these two sets of bytes are not the same?

 

Though the reason for the "repetition" (as seen in a hex editor):

27 21 A6 C0 32 A6 C0 CE

is unknown, it is a pattern consistently found in NTFS bootsectors, and I personally would like to have it happen also on the "new" serial, possibly as a further option.

 

OT, but not much, and JFYI, the way the NTFS serial is generated (and more generally how NT based systems, also on other filesystems do that) is one of the fields that were never explored fully, whilst the DOS way to generate the "random" serial was based on date/time.

 

And, still as a JFYI, and as yet another shameless plug:

http://www.forensicf...ewtopic/t=2134/

http://www.msfn.org/...mages/?p=987748 <- (I am particularly proud of this completely unuseful :w00t: spreadsheet ;))

http://www.msfn.org/...mages/?p=980297

 

 

:duff:

Wonko



#413 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 11 April 2014 - 11:23 AM

Hi Wonko,

 

I knew, or rather I was hoping you would step in :)

 

As indeed this "full vs half" serial number is puzzling me.

It seems that all tools out there (volumeid.exe for example) change only 4 bytes whatever the file system is (ntfs/fat32/fat).

Hence me mimicking this but I am pretty sure these 8 bytes are not there for nothing in NTFS boot records and this especially when indeed it seems that there is a pattern in the 4 pseudo useless bytes.

 

But it is a fact that windows systems seem to care only about 4 bytes for NTFS (vol.exe reads 4 bytes, always).

 

What would you advise?

Give the user a choice for NTFS boot records to patch either 4 or 8 bytes?

Actually for me it could be as simple as write any user input bytes between 1 and 8 ...

 

Regards,

Erwan



#414 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 April 2014 - 12:37 PM

What would you advise?

Give the user a choice for NTFS boot records to patch either 4 or 8 bytes?

Actually for me it could be as simple as write any user input bytes between 1 and 8 ...

I personally would like a 3 (three) step approach:

  1. Normal (only the "visible" 4 bytes) i.e. replicating exactly what VolumeId does (which I believe is "wrong")
  2. Advanced (the whole 8 bytes BUT with the user actually inputting ONLY 6 bytes, and have the program automatically replicate 2nd and 3rd to 5th and 6th - if seen as "serial" or 6th and 7th to 3rd and 4th if seen as "RAW" bytes)
  3. Reckless :ph34r: ;) (the whole 8 bytes, "freestyle")

 

:duff:

Wonko



#415 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 11 April 2014 - 01:42 PM

I personally would like a 3 (three) step approach:

  1. Normal (only the "visible" 4 bytes) i.e. replicating exactly what VolumeId does (which I believe is "wrong")
  2. Advanced (the whole 8 bytes BUT with the user actually inputting ONLY 6 bytes, and have the program automatically replicate 2nd and 3rd to 5th and 6th - if seen as "serial" or 6th and 7th to 3rd and 4th if seen as "RAW" bytes)
  3. Reckless :ph34r: ;) (the whole 8 bytes, "freestyle")

 

:duff:

Wonko

 

Ok, here is what I have done (NTFS bootsector / offset $48):

 

-case 1 : user can enter 8 bytes ("freestyle" mode)

-case 2 : user can enter 4 bytes ("normal" mode)

In such case, I however make sure that offset $4d=offset $4a and that offset $4e=$4b
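
The two modes described in the post above, as an added example (not part of the original post and not CloneDisk's own code). It works on an in-memory copy of a boot sector only; the sample sector is constructed, and the function names are assumptions made for illustration.

```python
import struct

SERIAL_OFF = 0x48  # NTFS boot sector offset of the 8-byte serial ("offset $48")

def make_sample_sector(serial8: bytes) -> bytearray:
    """Constructed 512-byte sector holding only the fields this example reads."""
    sector = bytearray(512)
    sector[3:11] = b"NTFS    "                  # OEM ID
    sector[SERIAL_OFF:SERIAL_OFF + 8] = serial8
    sector[510:512] = b"\x55\xAA"               # boot signature
    return sector

def _check(sector) -> None:
    if len(sector) < 512 or bytes(sector[3:11]) != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")

def read_serial(sector) -> dict:
    """Report the serial as raw bytes, as the 4-byte value, and as all 8 bytes."""
    _check(sector)
    raw = bytes(sector[SERIAL_OFF:SERIAL_OFF + 8])
    low32 = struct.unpack_from("<I", raw)[0]    # the 4 bytes the system shows
    return {
        "raw": " ".join(f"{b:02X}" for b in raw),
        "visible": f"{low32 >> 16:04X}-{low32 & 0xFFFF:04X}",
        "full": f"{struct.unpack('<Q', raw)[0]:016X}",
        # the repetition discussed in the thread: $4D == $4A and $4E == $4B
        "mirrored": raw[5:7] == raw[2:4],
    }

def patch_normal(sector, first4: bytes) -> bytearray:
    """4-byte mode: write $48-$4B, then copy $4A,$4B to $4D,$4E."""
    _check(sector)
    if len(first4) != 4:
        raise ValueError("normal mode takes exactly 4 bytes")
    out = bytearray(sector)                     # never touch the input buffer
    out[SERIAL_OFF:SERIAL_OFF + 4] = first4
    out[SERIAL_OFF + 5:SERIAL_OFF + 7] = first4[2:4]
    return out

def patch_freestyle(sector, all8: bytes) -> bytearray:
    """8-byte mode: write all of $48-$4F exactly as given."""
    _check(sector)
    if len(all8) != 8:
        raise ValueError("freestyle mode takes exactly 8 bytes")
    out = bytearray(sector)
    out[SERIAL_OFF:SERIAL_OFF + 8] = all8
    return out

if __name__ == "__main__":
    # Serial bytes quoted earlier in the thread: 27 21 A6 C0 32 A6 C0 CE
    sample = make_sample_sector(bytes.fromhex("2721A6C032A6C0CE"))
    print(read_serial(sample))
    print(read_serial(patch_normal(sample, bytes.fromhex("11223344"))))
```
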



#416 David Lynch

David Lynch

    Member

  • Members
  • 34 posts
  •  
    United States

Posted 11 April 2014 - 03:32 PM

A button to generate a random serial would be nice too. Call me lazy, yes, you can tell the truth

 




#417 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 April 2014 - 03:48 PM

A button to generate a random serial would be nice too. Call me lazy, yes, you can tell the truth

http://xkcd.com/221/

:whistling:
Wonko

#418 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 11 April 2014 - 04:34 PM

A button to generate a random serial would be nice too. Call me lazy, yes, you can tell the truth

 


 

Done : each time you will double click in the serial number to change it, the inputbox will propose a random 4 bytes number.



#419 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 11 April 2014 - 04:37 PM

 or 

 

8ptBX9u.jpg

 

:)



#420 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 April 2014 - 04:54 PM

Yep :), though on Dilbert most probably an Ayn Random number generator is used ;)
http://xkcd.com/1277/

:duff:
Wonko

#421 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 13 April 2014 - 08:35 PM

Version 2.1.4 out.

 

I needed a simple partition editor in WinPE environment where I did not have the MMC.

 

PF7eyDp.png

 

Latest changelog :

 

added : create disk will now offer mbr, gpt or raw
fixed : create partition was adding one sector too much
fixed : create unique partition was not wiping partitions above 1st partition.
added : partition editor (using IOCTL_DISK_GET_DRIVE_LAYOUT)
added : delete partition in partition editor
added : create partition in partition editor
added : gpt support in partition editor (using IOCTL_DISK_GET_DRIVE_LAYOUT_ex)
added : gpt support in create partition (using IOCTL_DISK_SET_DRIVE_LAYOUT_ex)
added : gpt support delete partition (using IOCTL_DISK_SET_DRIVE_LAYOUT_ex)
modified : create a GPT partition when there is no partition yet


#422 misty

misty

    Gold Member

  • Developer
  • 1032 posts
  •  
    United Kingdom

Posted 14 April 2014 - 06:54 AM

@erwan.l

Wow!!! I have barely scratched the surface and I'm already impressed with Clonedisk.

I did a quick test this morning in WinFE (based on WinPE 5.0) with a SANPolicy value set as 4 and NoAutoMount enabled.

On booting the system I ran a few diskpart commands -





Microsoft DiskPart version 6.3.9600

Copyright (C) 1999-2013 Microsoft Corporation.
On computer: MINWINPC

DISKPART> sel disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

HITACHI HTS723216L9SA60
Disk ID: 2344A9FF
Type   : SATA
Status : Offline (Policy)
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1F02)#ATA(C00T00L00)
Current Read-only State : Yes
Read-only  : Yes
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

There are no volumes.

DISKPART> attrib disk clear readonly

DiskPart failed to clear disk attributes.

Note that I could not clear the readonly disk attribute. I then used the new version of Clonedisk and cleared the readonly flag. Did a quick test in Diskpart -
 
Microsoft DiskPart version 6.3.9600

Copyright (C) 1999-2013 Microsoft Corporation.
On computer: MINWINPC

DISKPART> sel disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

HITACHI HTS723216L9SA60
Disk ID: 2344A9FF
Type   : SATA
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1F02)#ATA(C00T00L00)
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0                             Partition     30 GB  Healthy    Offline
  Volume 1                             Partition    118 GB  Healthy    Offline

DISKPART>

I had to assign drive letters manually afterwards. Also noted that running this command may have also cleared the readonly flag on a different disk - I'll verify this later as I'm about to start work.

It's worth noting that (IMNSHO) Clonedisk is intuitive to use and the UI does not appear overly cluttered with features. I look forward to playing around with it - fantastic work!

Regards,

Misty

#423 misty

misty

    Gold Member

  • Developer
  • 1032 posts
  •  
    United Kingdom

Posted 14 April 2014 - 06:57 AM

@erwan.l
Just noticed that the about button refers to the new version as 2.1.3. Also changelog needs updating.

Regards,

Misty

#424 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2735 posts
  • Location:Nantes - France
  •  
    France

Posted 14 April 2014 - 07:05 AM

@erwan.l
Just noticed that the about button refers to the new version as 2.1.3. Also changelog needs updating.

Regards,

Misty

 

Hi Misty,

 

Thanks for the positive feedback.

 

I'll take care of the about box and changelog.

 

Regards,

Erwan



#425 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14825 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 April 2014 - 10:31 AM

If you give me the registry keys and a brief description of what is to be achieved, I can have a look.

and @David Lynch

 

I have looked a bit at the thingy.

 

It seems to me like the easiest "manual" way is to use the AEK inftoreg tool (and NO other tool but that specific one):

http://www.mdgx.com/files/INFTOREG.ZIP

to convert the "F6 floppy" Mass storage driver .INF to a .REG and then merge this .REG to the "offline" Registry.

 

This converter - though not the easiest to use and seemingly completely UNlike documented - creates from the .INF file not only the "normal" driver entries but also the CDDB (Critical Devices DataBase) ones.

A minimal amount of "manual interaction" is needed to do the conversion, and it is possible that the reason why DriverInjectionGUI may sometimes fail is because of its "automagic" nature, that is tricked by some "overcomplex" "F6 floppy" .inf's :unsure:

 

Probably a good idea (not only restricted to this specific topic) for erwan.l (time and will permitting of course) would be to either modify the offline registry tool:

http://reboot.pro/to...fline-registry/

to be able to parse a .REG file or create a converter from .REG to offline Registry tool commands. :dubbio:

 

@David Lynch

Can you test the above approach on *something* on which DriverInjectionGUI fails?

 

:duff:

Wonko





