I think I broke powershadow. Software loaded and survived reboot.


Horus37
June 11th, 2007, 12:32 PM
Someone else can verify this if they want. I downloaded HP Backup and Recovery Manager and installed it while fully shadowed and it installed and reported so upon reboot. I'm looking at my drive for a new hidden partition which it would install as a recovery partition yet I can't find a new drive letter however a popup stated upon reboot that it was successfully installed. WTF??? I am horrified I just screwed up my computer and now have to resize it with partition magic. Someone with a VM want to test this out by downloading the software while in shadow mode and see what it does to your machine? I'd like to have some confirmation. I'm shocked.

Horus37
June 11th, 2007, 01:52 PM
Ok on every reboot into full shadow mode I get popups stating that windows has detected new hardware and installs something and then states it needs to reboot. I think this is solid proof that this hp software breached powershadow. I have kept it in constant full powershadow mode since install and haven't rebooted to a normal mode yet so I think I will boot to a different snapshot and copy update over the snap that has this installed software and see what happens. Then I'm going to delete that snapshot. Hope it removes the hidden partition. How do you detect this with a hex editor?

Perman
June 11th, 2007, 03:43 PM
Hi, folks: From my own hands-on experiences w/ DeepFreeze standard, these two things would NEVER have happened. (1) anything installed in Frozen mode will not survive a reboot. (2) with DP's presence (in both thawed and frozen mode), no partition manager such as Paragon Partition Manager or Partition Magic is able to alter partitions. I do not know why PS would allow these things to happen. I have long suspected that PS is creating two snapshots, one normal, the other shadow, at any given time, to allow switching from normal to shadow w/o any rebooting. Just my wild guess.

Perman
June 11th, 2007, 04:15 PM
-{ Quote: "Hi, folks: From my own hands-on experiences w/ DeepFreeze standard, these two things would NEVER have happened. (1) anything installed in Frozen mode will not survive a reboot. (2) with DP's presence (in both thawed and frozen mode), no partition manager such as Paragon Partition Manager or Partition Magic is able to alter partitions. I do not know why PS would allow these things to happen. I have long suspected that PS is creating two snapshots, one normal, the other shadow, at any given time, to allow switching from normal to shadow w/o any rebooting. Just my wild guess." }-
Hi, folks: I need to make a correction here. What I mean by "never happen" is actually what DF holds for true, not never. Sorry for the confusion.

Kees1958
June 11th, 2007, 04:52 PM
Hi,

I can recall that ZopZop had a similar problem. Check posts on HP backup and PowerShadow.

Horus37
June 11th, 2007, 09:22 PM
Well this is confirmed now. Powershadow has been breached. This is the scary part. While in full shadow mode I installed the HP software just to look at it. It installed fine and wanted to reboot to finish the setup. I didn't allow a reboot yet. I clicked the program to open it up and looked at the GUI just to see what the options were and never chose to back up anything. Then I just went to the add/remove tab in Windows and ran the uninstall thinking that would be safe to do so as to prevent any partition. The uninstall went fine all the while I'm still fully in shadow mode. Then I boot out of shadow mode and do a reboot. Upon reboot I select to go back into full shadow mode from the bootup prompt thinking I'll be doubly safe. Sure enough, as Windows finishes loading I get a tray icon stating that it has finished loading a new hardware device and needs to reboot again!? So evidently it thinks that a new drive has been loaded representing the new hidden partition. Under normal circumstances a new drive letter would be issued yet I get no new drive letter but I haven't let it reboot in normal unshadowed mode yet as I'm afraid that will screw it up even more. I guess I'll have to Darik nuke boot disc this thing. Anyone else wanna download this thing and report how trashed your system gets? Better have a backup image to boot to if you do.

farmerlee
June 11th, 2007, 10:24 PM
Got a link to the software?

Franklin
June 11th, 2007, 10:39 PM
-{ Quote: "a new drive letter would be issued yet I get no new drive letter but I haven't let it reboot in normal unshadowed mode yet as I'm afraid that will screw it up even more." }-
Seems the only way to find out is to boot back into windows.

I tried running ghost 2003 from shadow mode with it going through the motions to make a ghost image but it just booted back into windows.

Chuck57
June 11th, 2007, 10:53 PM
"I clicked the program to open it up and looked at the GUI just to see what the options were and never chose to back up anything. Then I just went to the add/remove tab in Windows and ran the uninstall thinking that would be safe to do so as to prevent any partition. The uninstall went fine all the while I'm still fully in shadow mode. Then I boot out of shadow mode and do a reboot. Upon reboot I select to go back into full shadow mode from the bootup prompt thinking I'll be doubly safe. Sure enough, as Windows finishes loading I get a tray icon stating that it has finished loading a new hardware device and needs to reboot again!?"

Not sure what exactly happened, but if I read this right, even though you deleted the thing in PS, when you rebooted Powershadow put it back on your box. I've never tried uninstalling software I've downloaded while in PS. I just reboot to get rid of it.

The fact that it got past PS is a worry, if it did. It could be that PS just restored your drive to the previous shadowed state prior to uninstall.

I'm unclear whether this is only while in shadow mode or if the new thing is there while unshadowed. From what I'm understanding, it's only in shadow mode that the drive shows. I've never run into anything like it, so am at a complete loss. I'd say boot out of powershadow and see what happens. It might be that the HP thing will disappear as it should.

http://h20331.www2.hp.com/Hpsub/cache/312352-0-0-225-121.html

Not a download link, but it describes the software.

Horus37
June 12th, 2007, 01:40 AM
I'm convinced now, after using a different FDISR snapshot to try and undo the damage, which failed, that HP Backup and Recovery Manager breaks powershadow and even FDISR. I had a different snapshot I could boot into and did, and tried to copy over the bad snapshot with a known good snapshot, and even that failed to remove what this HP software did.

poirot
June 12th, 2007, 07:16 AM
Horus37, you're using a car to sail and a boat to race on turf and then expect things to go the right way? Especially because you later put everything on top of one another....

Was your PowerShadow installed properly with at least a reboot?

1-notwithstanding the in deep-low level features of such a BackUp program
you say you installed and then proceeded to uninstall via AddRemove.....
but the latter part is non-existent as AR needs a reboot to be performed...

2-then,instead of allowing a normal reboot to the machine and then you could have made other changes.... you changed the normal order of PowerShadow BEFORE a reboot was fully done by changing from single disk to an All disks coverage......
You not only once,but twice asked for trouble upon reboot and you finally succeeded.....but what does this mean?

Don't you think that you pretended too much from PS and acted carelessly?
If PowerShadow has been 'BREACHED' so have countless programs
on this Earth every time there's been a BSOD......

Or,better said, PowerShadow has been 'breached'... by you......perhaps.

flinchlock
June 12th, 2007, 08:44 AM
Maybe the HP software created an HPA or DCO area/partition?

http://cmrr.ucsd.edu/Hughes/HDDEraseReadMe.txt
-{ Quote: "Q: What are HPA and DCO areas?

A: HPA is an acronym for Host Protected Area. A HPA is a portion of sectors at the end of the hard drive that cannot be addressed by the user. Normally this area is used to store hard drive diagnostic or recovery type software, but any type of data may reside in this area. DCO is an acronym for Device Configuration Overlay. Similar to a HPA, a DCO represents a portion at the end of the hard drive that is not user addressable. Both these areas are NOT overwritten when a Windows format, secure/enhanced erase, or any other overwrite method is performed. In order for these areas to be erased they have to be first removed, and only then can the entire drive be erased." }-
Also read here http://en.wikipedia.org/wiki/Host_Protected_Area for tools that can view the HPA partition.

Mike
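As an added illustration of the HPA/DCO check that the quoted HDDErase README describes (this is example code written for this thread, not code from HDDErase, HP or any poster): the drive is asked how many sectors the host may address (IDENTIFY DEVICE), what its native maximum is (READ NATIVE MAX ADDRESS), and what the factory maximum is (DEVICE CONFIGURATION IDENTIFY); a gap between those numbers is the hidden area. The code assumes those three results have already been fetched through the OS's ATA pass-through; the 512-byte IDENTIFY block below is constructed, and the function names are my own.

```python
import struct

IDENTIFY_BYTES = 512  # IDENTIFY DEVICE returns 256 little-endian 16-bit words


def _word(ident: bytes, n: int) -> int:
    """Return 16-bit word n of an IDENTIFY DEVICE block."""
    return struct.unpack_from("<H", ident, 2 * n)[0]


def parse_identify(ident: bytes) -> dict:
    """Extract the fields an HPA/DCO check needs from IDENTIFY DEVICE data."""
    if len(ident) != IDENTIFY_BYTES:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    # Words 60-61: user-addressable sectors (28-bit LBA); words 100-103: 48-bit LBA.
    lba28 = _word(ident, 60) | (_word(ident, 61) << 16)
    lba48 = (_word(ident, 100) | (_word(ident, 101) << 16)
             | (_word(ident, 102) << 32) | (_word(ident, 103) << 48))
    lba48_supported = bool(_word(ident, 83) & (1 << 10))
    return {
        "user_sectors": lba48 if (lba48_supported and lba48) else lba28,
        "hpa_supported": bool(_word(ident, 82) & (1 << 10)),  # word 82 bit 10
        "hpa_enabled": bool(_word(ident, 85) & (1 << 10)),    # word 85 bit 10
        "dco_supported": bool(_word(ident, 83) & (1 << 11)),  # word 83 bit 11
    }


def check_hidden_areas(ident: bytes, native_max_lba: int, dco_max_lba=None) -> dict:
    """Compare what the OS can address against what the drive really holds.

    native_max_lba: LBA returned by READ NATIVE MAX ADDRESS (EXT). Sectors above
        the user-addressable count, up to this LBA, are the HPA.
    dco_max_lba: maximum LBA from DEVICE CONFIGURATION IDENTIFY. Sectors above
        the native maximum, up to this LBA, are hidden by a DCO.
    """
    info = parse_identify(ident)
    native_sectors = native_max_lba + 1
    hpa_sectors = max(native_sectors - info["user_sectors"], 0)
    report = {
        "user_sectors": info["user_sectors"],
        "native_sectors": native_sectors,
        "hpa_sectors": hpa_sectors,
        "hpa_present": hpa_sectors > 0,
        "hpa_enabled_flag": info["hpa_enabled"],
        "dco_sectors": 0,
        "dco_present": False,
    }
    if dco_max_lba is not None:
        dco_sectors = max((dco_max_lba + 1) - native_sectors, 0)
        report["dco_sectors"] = dco_sectors
        report["dco_present"] = dco_sectors > 0
    return report


def build_identify(user_sectors: int, hpa_enabled: bool) -> bytes:
    """Constructed (not captured) IDENTIFY DEVICE block for offline testing."""
    words = [0] * 256
    lba28 = min(user_sectors, 0x0FFFFFFF)
    words[60], words[61] = lba28 & 0xFFFF, lba28 >> 16
    words[82] = 1 << 10                # HPA feature set supported
    words[83] = (1 << 10) | (1 << 11)  # LBA48 and DCO feature sets supported
    words[85] = (1 << 10) if hpa_enabled else 0
    for i in range(4):
        words[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *words)


# Constructed scenario: a drive with 312,581,808 native sectors (about 160 GB)
# on which a 4 GiB recovery area (8,388,608 sectors) has been hidden by lowering
# the user-addressable maximum, which is how an HPA is created.
NATIVE_MAX_LBA = 312581807
FULL_MAX_LBA = NATIVE_MAX_LBA  # no DCO in this scenario
HIDDEN_DRIVE = build_identify(312581808 - 8388608, hpa_enabled=True)
CLEAN_DRIVE = build_identify(312581808, hpa_enabled=False)


def sectors_to_gib(n: int) -> float:
    return n * 512 / 2 ** 30


if __name__ == "__main__":
    for label, ident in (("hidden", HIDDEN_DRIVE), ("clean", CLEAN_DRIVE)):
        r = check_hidden_areas(ident, NATIVE_MAX_LBA, FULL_MAX_LBA)
        print(f"{label}: HPA present={r['hpa_present']} "
              f"({sectors_to_gib(r['hpa_sectors']):.2f} GiB), "
              f"DCO present={r['dco_present']}")
```

The same comparison is what lets a wiping tool warn that an HPA/DCO exists before erasing; a Windows format or image restore never touches sectors above the user-addressable maximum, so the gap persists until the maximum is reset.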

Horus37
June 12th, 2007, 09:10 AM
-{ Quote: "Horus37, you're using a car to sail and a boat to race on turf and then expect things to go the right way? Especially because you later put everything on top of one another....

Was your PowerShadow installed properly with at least a reboot?

1-notwithstanding the in deep-low level features of such a BackUp program
you say you installed and then proceeded to uninstall via AddRemove.....
but the latter part is non-existent as AR needs a reboot to be performed...

2-then,instead of allowing a normal reboot to the machine and then you could have made other changes.... you changed the normal order of PowerShadow BEFORE a reboot was fully done by changing from single disk to an All disks coverage......
You not only once,but twice asked for trouble upon reboot and you finally succeeded.....but what does this mean?

Don't you think that you pretended too much from PS and acted carelessly?
If PowerShadow has been 'BREACHED' so have countless programs
on this Earth every time there's been a BSOD......

Or,better said, PowerShadow has been 'breached'... by you......perhaps." }-
I think you are assuming I did more to powershadow than I did to make it malfunction. I did not switch from single mode to full shadow mode in the middle of a session. The shadowed session I was in was gone into from the boot prompt into a FULL shadow mode. Everything loaded up normally on a computer that was recently rebuilt from the ground up so I know it has no software problems. I monitor my log files for any errors. None. I installed no new software on this machine nor changed any hardware. I have used powershadow for a while now and am very familiar with it.

The install of the HP software went without errors and requested a reboot to finish its installation. I couldn't do that as it would take me out of shadow mode so I just opened the software to see if it would even function without a reboot. Sure enough it did. Brought up the GUI for the backup function. I looked at it and didn't see a function for uninstalling it from the GUI nor to uninstall any partition. I'm assuming it didn't have that because I thought I didn't make a partition yet nor did I do any sort of backup with it. I figured I'll just be safe and uninstall it with add/remove just to make sure it didn't install a partition or anything even though I was in shadow mode still. That's the only odd thing, to uninstall software in shadow mode that I just installed. But that shouldn't matter on a reboot you'd think.

So the reboot went fine, no errors, and I went back into full shadow mode from the boot prompt. Then as Windows continued to boot up I get all these popups. From reading Erik's response he gets these popups of new hardware installed when installing an image. Don't know what to think about that. My computer is running fine. No error messages now and no more popups about new hardware being installed or needing a reboot. I see no errors in my log files. I look and there is no new drive letter but I think it may be hidden like an HPA or DCO like what Flinchlock is saying.
I think that is the most reasonable thing I've heard and exactly what this program installs is an HPA. Thanks flinch for looking that up. I was thinking about that exact same thing however I hadn't really started looking it up or how to defeat it outside of what HP offers. Hopefully I can get this sorted out. I'll try that DOS program you listed maybe instead of Darik's nuke boot CD.

Not sure why you thought that I had switched from single mode shadow to full shadow in the middle of a session? Where did you come up with that? If you're so confident that I did something wrong I dare you to download HP's backup and recovery software and install it in shadow mode and see what happens to your drive. Everyone seems scared to try this as no one wants to confirm that powershadow can be breached. Just for fun I might redo the whole thing and see if I can duplicate the hidden partition install while shadowed. However people with access to VMs should also try this.

Horus37
June 12th, 2007, 09:16 AM
-{ Quote: "Maybe the HP software created an HPA or DCO area/partition?

http://cmrr.ucsd.edu/Hughes/HDDEraseReadMe.txt
Also read here http://en.wikipedia.org/wiki/Host_Protected_Area for tools that can view the HPA partition.

Mike" }-


I think you hit the nail right on the head with that, Flinchlock. That is exactly what this program does: create an HPA. What is shocking is I didn't even do the backup yet or didn't even select anything on a menu to indicate that I had created an HPA. I just installed the software and opened it up to look at the GUI. Uninstalled it, then booted out of shadow mode and a normal reboot. Then BAM. I will look at how to erase this hidden partition with a proper erase utility if Darik's nuke boot CD I have fails. Thanks for all your help. I'm having fun learning all this new stuff: hex editors and HPAs and DCOs and the limits of FDISR and powershadow and virtualization. It only takes me an hour to recover just using simple powershadow though and no image program as long as I can delete this pesky new hidden partition. I must say though that my computer is running fine even after all this. Found out that you can use powershadow even inside a guest account and it works. I thought it only worked in admin or limited user mode. After this I'm going to feel pretty confident how to recover from disasters.

flinchlock
June 12th, 2007, 09:37 AM
As far as hidden partitions go...

I know for a fact the Paragon Drive Backup 8.51 Professional Edition has something called a "Backup Capsule"... "Backup Capsule to keep backup images in safe protected space on hard drive". But I have not messed with that yet.

I think I read some where ATI? also has a special partition?

Mike

Franklin
June 12th, 2007, 11:06 AM
Could an app that does this sort of thing with no user input/prompt or even a proper install by not rebooting be classed as malware?

Would or could any security app have warned and stopped as such?

aigle
June 12th, 2007, 07:48 PM
Nice job! Now let's see who tries this software against other virtualization software like ShadowSurfer, DeepFreeze etc, just for a comparison.

Peter2150
June 12th, 2007, 11:19 PM
-{ Quote: "Nice job! Now let's see who tries this software against other virtualization software like ShadowSurfer, DeepFreeze etc, just for a comparison." }-


No way. This isn't a valid test of anything, but what not to do. I looked at the HP page and found this:

Easy to run, easy to restore


HP Backup and Recovery Manager is quick and user-friendly. To run, simply go to All Programs > HP Backup & Recovery > HP Backup and Recovery Manager.

With HP Backup & Recovery Manager, file restoration is easy. To recover a deleted file, simply use the Restore Wizard. For a full system restoration, press the F11 key during bootup and then select "Recover PC" from the menu.


Now where on earth would the data come from, and why would you need to use the F11 key during boot up if it didn't have some kind of hidden partition to store the backup. This is standard Dell, HP, Lenovo..... fare. Now I am not a big fan of this approach but malware, absolutely not. It's just working the way it was designed.

Installing this program without the required reboot would surely not accomplish anything. The real menu comes up during the boot process; also installing while in any shadow mode is a total invitation to disaster, which unfortunately is exactly what happened.

You want some fun. Try installing Rollback while Power Shadow is in shadow mode. Again I'd just be prepared to restore a good image, cause most likely this will have an equally bad effect.

I have no doubt the result of the above actions would equally trash Returnil, Shadow User, Deep Freeze etc.

I don't use Power Shadow, but what has happened here in my mind reveals no weakness with Power Shadow whatsoever.

Pete

Peter2150
June 12th, 2007, 11:25 PM
-{ Quote: "I'm convinced now after using a different FDISR snapshot to try and undo the damage which failed that HP backup and recovery manager breaks powershadow and even FDISR. I had a different snapshot I could boot into and did and tried to copy over the the bad snapshot with a known good snapshot and even that failed to remove what this Hp software did." }-

Of course FDISR wouldn't be able to recover. Installing a program that adds a partition and modifies the partition table and mbr while in shadow mode, and then trying to roll it back with Power Shadow did a number on the mbr/partition structure of your disk. Nothing FDISR can do to help you with that.


Powershadow, ReturnIL, are great apps for browsing, downloading and making sure stuff is safe with the ability to get rid of it.

But to test install software in the shadow mode is just asking for trouble. I'd use FDISR, Rollback, or imaging for this.

Pete

Horus37
June 13th, 2007, 01:00 AM
-{ Quote: "Of course FDISR wouldn't be able to recover. Installing a program that adds a partition and modifies the partition table and mbr while in shadow mode, and then trying to roll it back with Power Shadow did a number on the mbr/partition structure of your disk. Nothing FDISR can do to help you with that.


Powershadow, ReturnIL, are great apps for browsing, downloading and making sure stuff is safe with the ability to get rid of it.

But to test install software in the shadow mode is just asking for trouble. I'd use FDISR, Rollback, or imaging for this.

Pete" }-
If you can't trust your recovery applications to bail you out of trouble then what good are they? This is case in point. So basically all a malware has to do is install an HPA or DCO into your computer and hide whatever it wants there and nothing is going to reverse that which is commercially available to fix this sort of invasion. If FDISR can't help with this then that is a HUGE problem. If imaging can't help with this then that is a HUGE problem. And it looks like restoring an image DOES NOT remove the hidden partition. You need special software for that. After using the special removal software THEN you can use an image backup.

I just did a secure delete wipe with zeros on my whole hard drive with DBAN and after that and a full format I installed FDISR again in a fresh copy of Windows and loaded my offline archives into a new snapshot and booted that up and STILL get the annoying popups that state "Found new hardware" ...."System settings have changed...and I need to reboot"....So this could mean a couple things...

1. There truly is a hidden partition now since the fresh restore is having the same problems as before.

2. The computer is acting like an image restore just happened according to Erik and it's normal for it to detect new hardware and have popups stating new hardware found etc.. If this is so we need to take a poll on that. However I've never seen this happen with FDISR restores of images and I've done fresh restores before like I just did and DID NOT have the popups and messages I get now. So, I conclude that I more than likely have some sort of corruption going on or hidden partition with no data in it or something I'll need to contact HP support about. This computer DID NOT come pre installed with a hidden partition like some computers do. I have the recovery CDs instead supplied by the OEM manufacturer.

3. What good is powershadow if it can't protect the MBR or recover from a partition move?

4. What good is FDISR then if it can't help you recover from MBR corruption? Virus writers routinely hammer on the MBR. If it can't recover from this then this software is overrated since all a malware writer has to do is change your MBR or your partition. If you can break FDISR with this then you could probably break Rollback the same way. So what good are these programs unless you have the software to remove the hidden partitions? As far as this comment, "I don't use Power Shadow, but what has happened here in my mind reveals no weakness with Power Shadow whatsoever." How could you say that if it installs a partition you can't get rid of? How can you say that in good conscience? What if malware was also installed into this HPA? Would you think that bypassing powershadow is not a weakness then? I'm sure it's easy for malwriters to get ahold of this sort of code to install HPAs so if installing HPAs can bypass powershadow AND FDISR I'd say that's a weakness.

Peter2150
June 13th, 2007, 01:34 AM
-{ Quote: "If you can't trust your recovery applications to bail you out of trouble then what good are they? This is case in point. So basically all a malware has to do is install an HPA or DCO into your computer and hide whatever it wants there and nothing is going to reverse that which is commercially available to fix this sort of invasion. If FDISR can't help with this then that is a HUGE problem. If imaging can't help with this then that is a HUGE problem. And it looks like restoring an image DOES NOT remove the hidden partition. You need special software for that. After using the special removal software THEN you can use an image backup.

I just did a secure delete wipe with zeros on my whole hard drive with DBAN and after that and a full format I installed FDISR again in a fresh copy of Windows and loaded my offline archives into a new snapshot and booted that up and STILL get the annoying popups that state "Found new hardware" ...."System settings have changed...and I need to reboot"....So this could mean a couple things...

1. There truly is a hidden partition now since the fresh restore is having the same problems as before.

2. The computer is acting like an image restore just happened according to Erik and it's normal for it to detect new hardware and have popups stating new hardware found etc.. If this is so we need to take a poll on that. However I've never seen this happen with FDISR restores of images and I've done fresh restores before like I just did and DID NOT have the popups and messages I get now. So, I conclude that I more than likely have some sort of corruption going on or hidden partition with no data in it or something I'll need to contact HP support about. This computer DID NOT come pre installed with a hidden partition like some computers do. I have the recovery CDs instead supplied by the OEM manufacturer.

3. What good is powershadow if it can't protect the MBR or recover from a partition move?

4. What good is FDISR then if it can't help you recover from MBR corruption? Virus writers routinely hammer on the MBR. If it can't recover from this then this software is overrated since all a malware writer has to do is change your MBR or your partition. If you can break FDISR with this then you could probably break Rollback the same way. So what good are these programs unless you have the software to remove the hidden partitions? As far as this comment, "I don't use Power Shadow, but what has happened here in my mind reveals no weakness with Power Shadow whatsoever." How could you say that if it installs a partition you can't get rid of? How can you say that in good conscience? What if malware was also installed into this HPA? Would you think that bypassing powershadow is not a weakness then? I'm sure it's easy for malwriters to get ahold of this sort of code to install HPAs so if installing HPAs can bypass powershadow AND FDISR I'd say that's a weakness." }-

Horus, the problem here is what you are doing.

1. No surprise there is a hidden partition. THAT is how the HP software works. So of course it installs one. Assuming you read the web page, just what did you think pressing F11 at boot was for?

2. I am not sure what restore Erik is talking about. I've never had it with FDISR, or images. Can you guess what HP support is going to tell you? I can. First you didn't install it properly because you didn't reboot. Then you compounded it by trying to uninstall before the install was complete, and third you installed with something that was going to brute force make it go away. They will tell you that you failed to follow the instructions and they can't be responsible, and they would be right.

3. Repeat after me at least 100 times. FDISR IS NOT SECURITY SOFTWARE. It is designed to recover from things that corrupt the system like bad software installs, that almost never touch the MBR or Partition table.

You keep saying Powershadow installed a hidden partition. It did no such thing. The HP software did that. Remember PowerShadow is designed to undo file changes to files within the partition it protects. What do you expect when you install something that creates a new partition on the disk?

Can malware writers design code that can circumvent these programs? Of course. Is it likely? No. There just isn't a wide enough base to make it economical.

Horus, there is nothing wrong with experimenting and testing and playing, but you must do two things. First you must understand how the software works or don't install it. And secondly if you are going to play like you have been, you'd be well advised to buy something like VMware's Workstation. It is bullet proof, and is an excellent way to see what will happen with easy recovery. How do you think I've run the tests I've run?

Pete

Franklin
June 13th, 2007, 01:58 AM
This situation is where a cloned HD of the master may come in handy.???

Horus I know you're a tad shirty and disappointed about what's happened but surely there must be a way to fix the prob.

Chris12923
June 13th, 2007, 02:58 AM
Peter do you think Rollback can survive this?

Thanks,

Chris

Kees1958
June 13th, 2007, 03:01 AM
-{ Quote: "Repeat after me at least 100 times.
Pete" }-

Pete, please write more posts :D

Franklin
June 13th, 2007, 03:34 AM
Horus if you would like to try something.

The link below will show how to force the Device Manager to show non present devices.

Once you have done the required settings go into Device Manager and show hidden devices then have a look at Storage Volumes. See if you can see the hidden partition.
http://www.techmentors.net/Articles/os_windows/2006_05/TID149.asp

If it shows as a non present or ghosted device you may be able to use the right click menu items.???

Horus37
June 13th, 2007, 04:46 AM
-{ Quote: "Horus, the problem here is what you are doing.

1. No surprise there is a hidden partition. THAT is how the HP software works. So of course it installs one. Assuming you read the web page, just what did you think pressing F11 at boot was for?

2. I am not sure what restore Erik is talking about. I've never had it with FDISR, or images. Can you guess what HP support is going to tell you? I can. First you didn't install it properly because you didn't reboot. Then you compounded it by trying to uninstall before the install was complete, and third you installed with something that was going to brute force make it go away. They will tell you that you failed to follow the instructions and they can't be responsible, and they would be right.

3. Repeat after me at least 100 times. FDISR IS NOT SECURITY SOFTWARE. It is designed to recover from things that corrupt the system like bad software installs, that almost never touch the MBR or Partition table.

You keep saying Powershadow installed a hidden partition. It did no such thing. The HP software did that. Remember PowerShadow is designed to undo file changes to files within the partition it protects. What do you expect when you install something that creates a new partition on the disk?

Can malware writers design code that can circumvent these programs? Of course. Is it likely? No. There just isn't a wide enough base to make it economical.

Horus, there is nothing wrong with experimenting and testing and playing, but you must do two things. First you must understand how the software works or don't install it. And secondly if you are going to play like you have been, you'd be well advised to buy something like VMware's Workstation. It is bullet proof, and is an excellent way to see what will happen with easy recovery. How do you think I've run the tests I've run?

Pete" }-


1. My issue is not that FDISR can't do certain things, it's that it's not well known that it can't do certain things to help you recover.

So far let's see... Um, don't mess with the MBR or partition table, don't install a hidden partition, don't install a kernel driver that self updates, don't install another application like it such as Rollback into it, don't flash the BIOS, don't um, what else? Where's the list?


2. Erik said that when he restores an image he gets popups about new hardware found etc. I think it might be ATI specific maybe as I have posted on the ATI forums about this and they reported that they also get popups when restoring an ATI image. If that's the case there is something in my BIOS that detected a change and that means something got through powershadow. I suppose if I flashed the BIOS while shadowed I'd expect permanent changes but this software wasn't even installed fully. So my guess is it did something during the install to the BIOS that is irreversible. Lesson learned. I don't think it had anything to do with me backing out the install. I think it had something to do with the install. Once you flash the BIOS, a faulty uninstall of a flash utility won't matter. However what is not known, that they don't tell you, is that during this install, REGARDLESS if you reboot or not, the BIOS gets changed permanently during the install perhaps. That is the million dollar question and why I was contacting HP.


3. That part..." FDISR IS NOT SECURITY SOFTWARE. It is designed to recover from things that corrupt the system like bad software installs, that almost never touch the MBR or Partition table" - especially that last part (that never touch the MBR or Partition table) should be an asterisk on the website that sells FDISR or bootback.



4. I don't keep saying Powershadow installed a hidden partition. I know that the HP software did what it was designed to do. I'm stating that powershadow didn't stop the creation of a hidden partition and can't reverse it when that happens and that is a problem. According to their website they guarantee no problems. I'm just trying to figure out how come this kind of change is not reversible. Looks like a BIOS change during software install which you can't stop but I'm contacting HP about this to get clarification about what happens during the install process that is irreversible to the BIOS. The way powershadow works is BEFORE the reboot. It doesn't operate like FDISR freeze. The changes are undone BEFORE the reboot takes place when you come out of shadow mode. At least that's my understanding of it. One curious thing I keep coming back to is if I install and then uninstall something while in shadow mode will that force it to get reinstalled when coming out of a shadow mode or would it matter? In my case it might have reinstalled what I uninstalled maybe. Probably not but.... Why don't more brave souls try this software and see what it does to their system. Surely in a VM this wouldn't have negative consequences right?

flinchlock
June 13th, 2007, 06:57 AM
FWIW...

I have used GHOST 2003 (99.99% of the time I just use the DOS GHOST.EXE file/program instead of starting from the GUI while Windows is running) and mostly image a partition as opposed to the whole disk.

I ALWAYS (100%) get a message about needing a reboot for new hardware/driver (whatever the message is).

I assume that GHOST is setting a bit someplace that says to rescan for new hardware.

I have NEVER, NEVER, NEVER for 97 more times, had a problem.

Please see this post http://www.wilderssecurity.com/showthread.php?t=177197 about the HDDerase DOS program.

http://cmrr.ucsd.edu/Hughes/HDDEraseReadMe.txt-{ Quote: "Q: Can hdderase.exe erase the host protected area (HPA) or the device configuration overlay area (DCO)?

A: Yes. A message will appear if a HPA and/or DCO exist(s) on the selected drive and prompt the user if he/she wants the areas to be erased. Accepting removes the HPA and/or DCO via set max address (ext) and device configuration restore commands, respectively. A subsequent secure erase will then erase the entire drive. Declining leaves the HPA and/or DCO intact, and a subsequent secure erase may or may not erase over the HPA/DCO, depending on the manufacturer. CMRR Secure Erase protocol requires erasure only of all user-accessible records. If your drive is locked by a non-HDDerase password and if either option 3, 4, 5, or 6 is chosen, then the HPA and/or DCO will NOT be detected or reset.
***Note: the device configuration restore command disables ANY settings
previously made by a device configuration set command--thereby placing the drive in its factory default state." }-
Mike

Franklin
June 13th, 2007, 08:12 AM
Norton Ghost 2003 here as well and I always restore from Windows and have never had a "found new hardware/restart" prompt.

Could this be because I partition the drive before making any images?

Peter2150
June 13th, 2007, 08:53 AM
-{ Quote: "Peter do you think Rollback can survive this?

Thanks,

Chris" }-

Interesting question. Might be an interesting VM exercise.

Peter2150
June 13th, 2007, 08:55 AM
-{ Quote: "Horus if you would like to try something.

The link below will show how to force the Device Manager to show non present devices.

Once you have done the required settings go into device manager and show hidden devices then have a look at Storage Volumes.See if you can see the hidden partition.
http://www.techmentors.net/Articles/os_windows/2006_05/TID149.asp

If it shows as a non present or ghosted device you may be able to use the right click menu items.???" }-

Hidden partitions shouldn't be that hard to find. When I imaged my new Thinkpad tablet, Shadowprotect saw both partitions and imaged them both. I could also restore both of them. Not really difficult.

Peter2150
June 13th, 2007, 09:24 AM
Horus

Where did you find the link to download the HP recovery manager.

Franklin
June 13th, 2007, 09:45 AM
I mean it may exist as a ghost volume. In the pic below only my current hooked up HD with three partitions shows as dark grey in device manager.

All the other lighter coloured volumes (ghosts) are from different partitioned slave drives that I have had hooked up at one stage.

idle.newbie
June 13th, 2007, 05:27 PM
http://hddguru.com/content/en/software/2005.10.02-MHDD/ MHDD, another DOS based freeware for low-level HDD diagnostics, "MHDD /EnablePrimary /DisableBIOS" in DOS prompt and use NHPA command to uncut the HPA.

I guess HPA =/= hidden partition. HPA reduces the HDD size, which seems a little bit like a physically smaller HDD. Besides, the last partition/extents should be resized to a smaller size. Both may cause Windows to detect a new hardware/volume.
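
The HPA/DCO state that HDDerase's readme (quoted above by flinchlock) and MHDD's NHPA command act on is advertised by the drive in its IDENTIFY DEVICE data. The following is an added example, not code from the thread or from either tool: it decodes the relevant IDENTIFY words and measures how many sectors sit beyond the capacity the OS is allowed to see, which is the "physically smaller HDD" effect described above. The word offsets follow the ATA/ATAPI-7 IDENTIFY DEVICE layout (words 60-61 and 100-103 for capacity, 82/85 for HPA, 83/86 for DCO); the 512-byte buffer, the drive size and the "native max" LBA are constructed for the example, not captured from a real drive.

```python
"""
Added example (not from the thread, HDDerase or MHDD): decode the ATA
IDENTIFY DEVICE words that report Host Protected Area (HPA) and Device
Configuration Overlay (DCO) support/state and compute the sectors hidden
beyond the advertised capacity. Sample data below is constructed.
"""
import struct


def _word(buf: bytes, n: int) -> int:
    # IDENTIFY DEVICE data is 256 little-endian 16-bit words
    return struct.unpack_from("<H", buf, 2 * n)[0]


def parse_identify(buf: bytes) -> dict:
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w82, w83, w85, w86 = (_word(buf, n) for n in (82, 83, 85, 86))
    # Word 83 bit 14 set and bit 15 clear means words 82-86 are valid
    if (w83 >> 14) & 0b11 != 0b01:
        raise ValueError("command/feature words 82-86 not valid on this drive")
    lba48 = bool(w83 & (1 << 10))
    if lba48:
        # words 100-103: 48-bit count of user-addressable sectors
        user_sectors = sum(_word(buf, 100 + i) << (16 * i) for i in range(4))
    else:
        # words 60-61: 28-bit count
        user_sectors = _word(buf, 60) | (_word(buf, 61) << 16)
    return {
        "lba48": lba48,
        "user_sectors": user_sectors,          # what the OS sees as disk size
        "hpa_supported": bool(w82 & (1 << 10)),
        "hpa_enabled": bool(w85 & (1 << 10)),  # SET MAX ADDRESS has clipped it
        "dco_supported": bool(w83 & (1 << 11)),
        "dco_enabled": bool(w86 & (1 << 11)),  # DEVICE CONFIGURATION SET used
    }


def hidden_sectors(identify: dict, native_max_lba: int) -> int:
    """Sectors between the advertised end of the disk and the native end.
    native_max_lba is the 0-based LBA that READ NATIVE MAX ADDRESS (EXT)
    returns. A DCO lowers that value as well, so with DCO enabled only
    DEVICE CONFIGURATION IDENTIFY exposes the factory maximum."""
    return max(0, (native_max_lba + 1) - identify["user_sectors"])


def build_identify(user_sectors: int, hpa_enabled: bool, dco_enabled: bool) -> bytes:
    """Constructed IDENTIFY DEVICE block for the example (not real drive data)."""
    words = [0] * 256
    clipped28 = min(user_sectors, 0x0FFFFFFF)
    words[60], words[61] = clipped28 & 0xFFFF, clipped28 >> 16
    words[82] = 1 << 10                             # HPA feature set supported
    words[83] = (1 << 14) | (1 << 11) | (1 << 10)   # valid, DCO supported, 48-bit LBA
    words[85] = (1 << 10) if hpa_enabled else 0
    words[86] = (1 << 11) if dco_enabled else 0
    for i in range(4):
        words[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *words)


# Constructed scenario (assumption): an 80 GB drive of 156,301,488 sectors
# after a recovery tool reserved 8 GiB (16,777,216 sectors) behind an HPA.
NATIVE_MAX_LBA = 156_301_487
SAMPLE = build_identify(156_301_488 - 16_777_216, hpa_enabled=True, dco_enabled=False)

if __name__ == "__main__":
    info = parse_identify(SAMPLE)
    hidden = hidden_sectors(info, NATIVE_MAX_LBA)
    print(f"OS-visible sectors: {info['user_sectors']}  HPA enabled: {info['hpa_enabled']}")
    print(f"hidden sectors: {hidden} ({hidden * 512 / 2**30:.2f} GiB)")
```

On a real drive the IDENTIFY buffer and the native max come from the ATA layer (for example hdparm -I and hdparm -N on Linux); the point of the check is that a non-zero hidden count with hpa_enabled set is exactly the condition a partition list or Device Manager will never show, because the OS only ever sees user_sectors.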

aigle
June 13th, 2007, 11:23 PM
-{ Quote: "Of course FDISR wouldn't be able to recover. Installing a program that adds a partition and modifies the partition table and mbr while in shadow mode, and then trying to roll it back with Power Shadow did a number on the mbr/partition structure of your disk. Nothing FDISR can do to help you with that.


Powershadow, ReturnIL, are great apps for browsing, downloading and making sure stuff is safe with the ability to get rid of it.

But to test install software in the shadow mode is just asking for trouble. I'd use FDISR,Rollback, or imaging for this.

Pete" }-
Hi Peter, I agree with you but do you know what is in my mind? Actually I expect such software to protect MBR, PBR, Partition table etc. Any instant recovery software with such a feature will protect against malware like KillDisk, BootKits etc (remember PowerShadow surviving KillDisk virus!).

Peter2150
June 14th, 2007, 12:12 AM
-{ Quote: "Hi Peter, I agree with you but do u know what is in my mind? Actualy I expect such software to protect MBR, PBR, Partition table etc. Any instant recvery software with such a feature will protect against malware like KillDisk, BootKits etc( remember PowerShadow surviving KillDisk virus!)." }-

Hi Aigle

For all we know, Powershadow may have protected the MBR, which may ultimately have created the mess. This HP software (which I can't find) has to create the partition, and write stuff to that partition, then it has to be rebooted. What does it do on the reboot? Also we have established there probably is a bug in the microsoft routine that reads the partition table, so it probably returned an error and then who knows what happened.

Bottom line is installing a program that needs to modify the MBR and partition table while shadowed is an invitation to the disaster that occurred.

If anyone can provide a link to this HP software I'd like it. I have searched and I can't find it. Hmm

Pete
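
The failure mode Pete and aigle are discussing is a change to sector 0: an installer that adds a partition rewrites the MBR partition table, and a shadow-mode rollback that only covers file-system writes can leave the table in a state the OS cannot read. The following is an added example, not code from the thread or from any of the products named in it: it parses a 512-byte MBR, flags partition types that tools treat as hidden, detects overlapping entries (the corrupt-table case), and diffs a before/after pair of MBR images so the exact change an install made can be named. The sample sectors are constructed; the choice of type 0x1C (hidden FAT32, LBA) for the recovery entry, the disk size and the 8 GiB reservation are illustrative assumptions, not what HP's tool actually writes.

```python
"""
Added example (not from the thread): parse a classic MBR, flag hidden
partition types, detect overlapping entries and diff two MBR images.
All sample sectors are constructed for the example.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# Type bytes commonly listed as hidden FAT/NTFS or OEM diagnostic/recovery.
HIDDEN_TYPES = {0x11, 0x12, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # entry: boot flag, CHS start (3 bytes, ignored), type, CHS end
        # (3 bytes, ignored), LBA start, sector count; little-endian
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue                      # unused slot
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "start": start, "sectors": count})
    return {"disk_sig": struct.unpack_from("<I", sector, 440)[0],
            "code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": parts}


def overlaps(parts: list) -> list:
    """Pairs of entry indexes whose LBA ranges intersect: a corrupt table."""
    bad = []
    for x in parts:
        for y in parts:
            if (x["index"] < y["index"]
                    and x["start"] < y["start"] + y["sectors"]
                    and y["start"] < x["start"] + x["sectors"]):
                bad.append((x["index"], y["index"]))
    return bad


def diff_mbr(before: bytes, after: bytes) -> list:
    """Human-readable list of what changed between two MBR images."""
    a, b = parse_mbr(before), parse_mbr(after)
    changes = []
    if a["code_sha256"] != b["code_sha256"]:
        changes.append("boot code (bytes 0-439) changed")
    if a["disk_sig"] != b["disk_sig"]:
        changes.append("disk signature changed")
    old = {e["index"]: e for e in a["partitions"]}
    new = {e["index"]: e for e in b["partitions"]}
    for i in range(4):
        if i in old and i not in new:
            changes.append(f"entry {i} removed")
        elif i in new and i not in old:
            e = new[i]
            changes.append(f"entry {i} added: type 0x{e['type']:02X}"
                           f"{' hidden' if e['hidden'] else ''} start {e['start']} sectors {e['sectors']}")
        elif i in old and old[i] != new[i]:
            changes.append(f"entry {i} modified: {old[i]} -> {new[i]}")
    return changes


def _entry(boot: int, ptype: int, start: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", boot, ptype, start, count)


def build_mbr(entries: list, code: bytes = b"\x33\xc0\xfa") -> bytes:
    """Constructed MBR: code stub, disk signature, up to 4 entries, 0x55AA."""
    table = b"".join(entries).ljust(64, b"\x00")
    return (code.ljust(440, b"\x00") + struct.pack("<I", 0x1A2B3C4D)
            + b"\x00\x00" + table + BOOT_SIG)


DISK_SECTORS = 156_301_488   # constructed 80 GB disk (assumption)
RECOVERY = 16_777_216        # 8 GiB reserved, as the HP datasheet describes
# Before: one bootable NTFS (0x07) partition from LBA 63 to the end of the disk.
BEFORE = build_mbr([_entry(0x80, 0x07, 63, DISK_SECTORS - 63)])
# After: NTFS shrunk, hidden recovery entry placed in the freed space.
AFTER = build_mbr([_entry(0x80, 0x07, 63, DISK_SECTORS - RECOVERY - 63),
                   _entry(0x00, 0x1C, DISK_SECTORS - RECOVERY, RECOVERY)])
# Broken: the recovery entry was written but the NTFS entry was never shrunk
# (what a half-rolled-back install could leave), so the two ranges overlap.
BROKEN = build_mbr([_entry(0x80, 0x07, 63, DISK_SECTORS - 63),
                    _entry(0x00, 0x1C, DISK_SECTORS - RECOVERY, RECOVERY)])

if __name__ == "__main__":
    for line in diff_mbr(BEFORE, AFTER):
        print(line)
    print("overlaps in BROKEN:", overlaps(parse_mbr(BROKEN)["partitions"]))
```

Reading sector 0 to feed parse_mbr is a 512-byte read of the raw disk (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux) and needs administrator or root rights; keeping the pre-install copy and running diff_mbr afterwards is the check that tells a changed partition table apart from the driver-rescan prompts discussed earlier in the thread, which do not touch the MBR at all.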

Chuck57
June 14th, 2007, 12:31 AM
http://h20331.www2.hp.com/Hpsub/cach...0-225-121.html

*EDIT* It's gone. dead link. I guess they pulled it.

Franklin
June 14th, 2007, 01:25 AM
Hmmnn,I did send HP a link to this thread and asked for a tech to respond a coupla days ago.

Also asked if their backup modifies any part of the system with no user input or prompt but haven't received a reply as yet.

"If" I get a personal reply will post it.

pilotart
June 14th, 2007, 03:16 AM
-{ Quote: "http://h20331.www2.hp.com/Hpsub/cach...0-225-121.html

*EDIT* It's gone. dead link. I guess they pulled it." }-
This site seems to be available: ("http://h20331.www2.hp.com/Hpsub/cache/312352-0-0-225-121.html") copy/paste, or link below:

http://h20331.www2.hp.com/Hpsub/cache/312352-0-0-225-121.html

-{ Quote: "HP Backup and Recovery Manager

HP provides free data and system file protection for its business desktops, notebooks, and workstations.
<...>which can be stored in a protected area on the primary hard drive, <...>
*Up to 8GB of the hard drive is reserved for the system recovery software.
" }-

Also (from the above HP WebPage):

Related links
» HP Backup and Recovery Manager (http://h20331.www2.hp.com/Hpsub/downloads/HP_Backup_and_recovery_Manager.pdf)datasheet (.pdf, 149K)
» HP CMS Document and demo library (http://h20331.www2.hp.com/Hpsub/cache/284408-0-0-225-121.html)
» HP Backup and Recovery Manager Flash demo (http://h10010.www1.hp.com/wwpc/pscmisc/vac/us/en/sm/IM/hp_backup_1001.htm)

I have been pleased with HP Printers and HP's Support, never tried their Computers,
but my Dell came with a (small) Partition containing just a pre-boot Hardware Testing (DOS) Program,
newer Dells also have a Restore (to factory load) Partition.

Dell provides a method to copy from and delete this Partition, but HP's method of also protecting (storing) your Personal Data seems to be a step beyond, in utility.

I also use the Roxio/Symantec Go-Back 'restore' which needed up to a 6GB 'free area' to install on C:\ drive, it specifically protects "C:\ drive" only.

It provides a simple method to return, following a test of a program, if you want something saved, you copy that to another Drive (or Partition).
_____________________________________________________________________________________________________

BTW: I would advise avoiding ANY attempt at BIOS Flash from Windows (use the 'boot from floppy method' for best safety) but doing it from within something like PS would just about guarantee you a doorstop. Most BIOS 'chips' are surface mount (no socket) and a 'flash-gone-wrong' can only be fixed by a MotherBoard Replacement.
_____________________________________________________________________________________________________

Any MalWare that could 'Flash your BIOS' or Create a 'protected' Partition without your 'approval' could well mean the end of your system or a non-removable 'resident' malware, but then a "Tin Whisker" could do that for you with no internet connection required:)

Horus37
June 14th, 2007, 04:28 AM
I talked to an HP tech support person and they must make like 8 dollars an hour as they are not very technical for free. Basically they state that the full install and reboot will enable you to access an area in the software that allows you to do an uninstall of the partition and that it's not really vendor specific as I've found 2 free programs that will get rid of the partition if one did exist which I can't find. So it's possible the bios got changed but the partition didn't get fully implemented or was botched etc. and the full partition does not show up because it's a corrupted partition. Whatever the case the computer registered a change that's like a bios flash maybe. I'm not sure why the change is irreversible. I would tend to think that the smart thing to do is to fully install the program again, reboot, boot up the GUI and run the uninstall utility and see what happens. You can't run the uninstall utility until you reboot and fully install the software. That's why I didn't see the uninstall section before I rebooted initially I think. The free tech support people were very short with answers. So unless I want to pay for the next step I might just download the software again and do a normal install and see what happens. However I don't think this partition is proprietary as I said before. I have found many programs that erase HPA/DCOs for free. However I'm wondering if this is the same area that the computer stores info about bad disk sectors etc and if that got erased and then got written over again without knowing it was a bad sector, well then that might be another area to explore. However I'm not sure. I'll talk to their free tech support again and see what I can pull out of them. I'm investigating a link between this and the ext usb hdd, a link to a bad sector that got erased the last time I zero'd my drive and got rewritten as a good sector but is really bad, a link to a corrupt hard drive firmware data area, etc.
Just don't know what the program changed during the install as their tech support doesn't want to go too indepth for free.
Hopefully I won't have to wipe my cmos or pull the button battery out of this thing.

Peter2150
June 14th, 2007, 09:42 AM
-{ Quote: "Hmmnn,I did send HP a link to this thread and asked for a tech to respond a coupla days ago.

Also asked if their backup modifies any part of the system with no user input or prompt but haven't received a reply as yet.

"If" I get a personal reply will post it." }-

Two things.

1) What do you think HP techsupport is going to do with this link. They won't have a clue what powershadow does, and I'll bet the just say the problem is with powershadow.

2) "if" you get a reply please don't post it, unless you specifically asked them if you could and it contains their permission. Otherwise that posting would be a TOS violation and will be pulled. You should be able to give us an idea of their response in your own words.

Pete

Peter2150
June 14th, 2007, 09:45 AM
-{ Quote: "I talked to an HP tech support person and they must make like 8 dollars an hour as they are not very technical for free. Basically they state that the full install and reboot will enable you to access an area in the software that allows you to do an uninstall of the partition and that it's not really vendor specific as I've found 2 free programs that will get rid of the partition if one did exist which I can't find. So it's possible the bios got changed but the partition didn't get fully implemented or was botched etc. and the full partition does not show up because it's a corrupted partition. Whatever the case the computer registered a change that's like a bios flash maybe. I'm not sure why the change is irreversible. I would tend to think that the smart thing to do is to fully install the program again, reboot, boot up the GUI and run the uninstall utility and see what happens. You can't run the uninstall utility until you reboot and fully install the software. That's why I didn't see the uninstall section before I rebooted initially I think. The free tech support people were very short with answers. So unless I want to pay for the next step I might just download the software again and do a normal install and see what happens. However I don't think this partition is proprietary as I said before. I have found many programs that erase HPA/DCOs for free. However I'm wondering if this is the same area that the computer stores info about bad disk sectors etc and if that got erased and then got written over again without knowing it was a bad sector, well then that might be another area to explore. However I'm not sure. I'll talk to their free tech support again and see what I can pull out of them. I'm investigating a link between this and the ext usb hdd, a link to a bad sector that got erased the last time I zero'd my drive and got rewritten as a good sector but is really bad, a link to a corrupt hard drive firmware data area, etc.
Just don't know what the program changed during the install as their tech support doesn't want to go too indepth for free.
Hopefully I won't have to wipe my cmos or pull the button battery out of this thing." }-

Horus

You still don't say where you downloaded the software from. I doubt the bios was affected. You probably screwed the disk with the reboot from the shadow mode of PS.

Tell me where you got this software. I can't find any link on the HP site for a download.

Pete

pilotart
June 14th, 2007, 10:16 AM
-{ Quote: "This site seems to be available: ("http://h20331.www2.hp.com/Hpsub/cache/312352-0-0-225-121.html") copy/paste, or link below:

http://h20331.www2.hp.com/Hpsub/cache/312352-0-0-225-121.html

Also (from the above HP WebPage):

Related links
» HP Backup and Recovery Manager (http://h20331.www2.hp.com/Hpsub/downloads/HP_Backup_and_recovery_Manager.pdf)datasheet (.pdf, 149K)
» HP CMS Document and demo library (http://h20331.www2.hp.com/Hpsub/cache/284408-0-0-225-121.html)
» HP Backup and Recovery Manager Flash demo (http://h10010.www1.hp.com/wwpc/pscmisc/vac/us/en/sm/IM/hp_backup_1001.htm)

I have been pleased with HP Printers and HP's Support, never tried their Computers,
<...>
Any MalWare that could 'Flash your BIOS' or Create a 'protected' Partition without your 'approval' could well mean the end of your system or a non-removable 'resident' malware, but then a "Tin Whisker" could do that for you with no internet connection required:)" }-The links above (same as post #38 ) work fine, except the Flash Demo http://h10010.www1.hp.com/wwpc/pscmisc/vac/us/en/sm/IM/hp_backup_1001.htm as did the link from first page of this thread.

I don't know if there could be any software protection or recovery from a BIOS or Firmware corruption that is applied beyond the Operating System.

Horus seems to have confirmed the fact that it is possible to damage your system in spite of PowerShadow 8)

Peter2150
June 14th, 2007, 11:28 AM
-{ Quote: "The links above (same as post #38 ) work fine, except the Flash Demo http://h10010.www1.hp.com/wwpc/pscmisc/vac/us/en/sm/IM/hp_backup_1001.htm as did the link from first page of this thread.

I don't know if there could be any software protection or recovery from a BIOS or Firmware corruption that is applied beyond the Operating System.

Horus seems to have confirmed the fact that it is possible to damage your system in spite of PowerShadow 8)" }-

Yeah, all those links work, but they aren't for downloading software. I'd like to download the software.

As to damaging the system in spite of Powershadow. I don't buy it in the sense you are saying it. No software can prevent damage if you do something you shouldn't. Installing something like he did while in shadow mode just guarantees trouble.

Peter2150
June 14th, 2007, 11:30 AM
Actually this whole thread does leave me unsure about Power Shadow for one reason. Where are they? They should be interested in this even if it isn't their software's fault. This is the concern that keeps me away from this software.

Pete

Chris12923
June 14th, 2007, 11:35 AM
My thoughts on Powershadow is it's very similar to shadow protect. Also when it BSOD on my system tech support just said maybe it's because I have RAID and they didn't even want to investigate further. So support a little lacking in my opinion. Also there is better software to be had to do similar things. Just my opinion though.

Thanks,

Chris

Peter2150
June 14th, 2007, 11:56 AM
-{ Quote: "My thoughts on Powershadow is it's very similar to shadow protect. Also when it BSOD on my system tech support just said maybe it's because I have RAID and they didn't even want to investigate further. So support a little lacking in my opinion. Also there is better software to be had to do similar things. Just my opinion though.

Thanks,

Chris" }-

ReturnIL has the same problem with Raid, but they are looking into it.

WilliamP
June 14th, 2007, 12:16 PM
I like Power Shadow but support is almost non-existent. You can E mail them and get a response. The forum doesn't help.

yankinNcrankin
June 14th, 2007, 01:17 PM
After hearing everyone's experience with PS, I would like to add my own experience of a bad mishap. I blame myself and not PS. I was messing around with disk editor, and not knowing exactly how the program worked I trashed my system while in full shadow mode. I'll take a guess and say that PS is good at protecting system files and settings, however not against tools that would alter the partition(s) or hard disk data as viewed by disk editor & sector editor, as I found out the hard way. I remember pressing something in the hard disk & or sector editor and it filled my entire hard drive with 1s and 0s. I closed the editor and everything was ok until I rebooted. Then my hard drive seemed to be gone, nothing was being read as existing upon boot. So I had to use PM and redo my partitions C and D, then used my ghost image and restored C in under 40 sec, then after the OS rebooted, plugged in the external and dragged and dropped my program installs and data into D. All is well. That was a learning experience for me. :)

Firebytes
June 18th, 2007, 09:34 PM
I am not sure this is the proper thread to post this in...and maybe you are all already aware of it anyway; if so I apologize. In the Powershadow forum the administrator reported that Powershadow 2.6 does not protect the MBR but that 2.82 does.

Does anyone know if this is true and if so did any one ever determine if it is still possible to activate 2.82? I am thinking of switching to 2.82, if I can figure out how to install and then apply the english language files.

http://powershadow.freeforums.org/viewtopic.php?t=70&sid=0d123facaf949088e66afd8469f26cb9

innerpeace
June 18th, 2007, 09:50 PM
I think I remember somebody posted about 2.8.2 protecting the MBR. I believe Mike is going to test it sometime after his vacation.

I'm not sure you can get it free anymore. I think June 11th was the cut-off date. You could give it a shot. All it needed was a name and e-mail address. Even a fake one would work. See this thread for more details. Post 10 has a link to the conversion files. http://www.wilderssecurity.com/showthread.php?t=172533&highlight=powershadow+2.8.2

Firebytes
June 18th, 2007, 09:54 PM
I have already downloaded the zip file with Powershadow 2.82 and the english translation files I just haven't tried to install it since I was unsure if I could still register it for free. Plus I am unsure about trying to install in Chinese and then apply the English files. Other than the possible MBR difference 2.6 works great here and I am hesitant to screw it up.

innerpeace
June 18th, 2007, 10:14 PM
The hardest part for me was actually installing while answering the Chinese prompts. I just kept choosing the button on the left. Lol. The adding of the translation files was very easy. There was a read me included with it explaining what to do. I wish I could give you an answer about the registration :-\ .

I personally couldn't use version 2.6, that is the only reason I tried 2.82. Hopefully somebody can confirm this, but if you're running decent security software and using common sense, the chances of installing something malicious that would write to the MBR while using PS 2.6 are very slim. Again, somebody would have to confirm this because I'm not that familiar with the different types of malware.

edit: If you do decide to try, I think you have to uninstall 2.6 first.

Firebytes
June 18th, 2007, 10:21 PM
Thanks for the info Innerpeace. I guess unless I can confirm that registration for free is still possible with 2.82 I will stick with the 2.6 version. It runs on my system with no problems whatsoever. The only reason I was thinking of switching anyway was the MBR issue. Like you said; I am hopeful that the odds of encountering malware that would screw with my MBR are low and that my other security would protect me anyway.

Firebytes
June 18th, 2007, 10:32 PM
Innerpeace,

Out of curiosity, what was the reason you couldn't use version 2.6? Also, do you know why version 2.82 will reportedly not create a shortcut on the desktop? I read in one of the posts (don't remember which thread or post) that even creating a shortcut for yourself on the desktop wouldn't work without the whole folder the executable is in on the desktop.???

innerpeace
June 18th, 2007, 10:53 PM
The first time I tried 2.6, after my session, I went to reboot and had problems. My machine had to run a checkdisk to fix things. This was the first major crash that I had after almost 2 years. I get quickly wary of programs that crash on me. It was probably some kind of conflict. Since there was another version, I tried it and it worked. I haven't used it much, but have had no problems.

I almost forgot about the shortcuts. I had to go back and read the installer read me and it said what you said. The shortcut on my desktop size is 694 bytes and size on disk is 4.00KB. In my start menu, I just created a folder with the name PowerShadow and in it placed a shortcut to the exe. I honestly have no idea why it doesn't create shortcuts. Just taking a guess, as I think this program is used in a lot of China's schools, it is to keep it hidden and running all the time, to keep the kids from changing the settings. This is just a wild guess though.

Firebytes
June 18th, 2007, 11:00 PM
My father had tried to install 2.6 on his machine after I told him how great it ran on mine and it crashed his system (xp media center edition) upon reboot. He had to do a system restore to get right again. I doubt I could get him to try again with another version...in Chinese no less. :o

I suppose I will stick with 2.6, just hate the thought of having a version that will protect the MBR out there and me not running it. LOL

Thanks again for the information Innerpeace. Have a good night.

innerpeace
June 18th, 2007, 11:11 PM
No problem. I was lucky I guess, I didn't have to do a system restore. I probably have some things screwed up, but they haven't showed themselves yet. Its been a month though. My setup is in my sig except I was running Comodo instead of OA2 at the time. Everything was disabled when installing 2.6.

I haven't run into too many people running 2.82 here at Wilders. My version does try to call out after about 30 minutes, but I block it with my firewall. I have the updates unchecked also ???. Before I installed it, I did scan the installer with all my scanners and uploaded it to VirusTotal and it was clean. It works here and I'm becoming more comfortable with it.

Horus37
June 18th, 2007, 11:51 PM
-{ Quote: "Horus

You still don't say where you downloaded the software from. I doubt the bios was affected. You probably screwed the disk with the reboot from the shadow mode of PS.

Tell me where you got this software. I can't find any link on the HP site for a download.

Pete" }- Peter you won't be able to download it as your computer will be scanned to make sure it's the correct one for the software. If it doesn't pass the test you won't be able to download it and there is no way to directly link to it. This is new as of 5 days ago, I never saw this new validation system. People over at HP must be paying attention and instituted this new system so not just anybody can go over to their website and start downloading programs. A week ago you could but now you can't. I went online with yet another tech support person and they refused to supply me with a link. If you try to go on their website and pretend you have the correct hardware you have to submit to their software scan which is very thorough. If you don't have an HP computer with exactly the version and hardware that the software calls for you'll be blocked from going further into their website.

Peter2150
June 19th, 2007, 12:15 AM
-{ Quote: "Peter you won't be able to download it as your computer will be scanned to make sure it's the correct one for the software. If it doesn't pass the test you won't be able to download it and there is no way to directly link to it. This is new as of 5 days ago, I never saw this new validation system. People over at HP must be paying attention and instituted this new system so not just anybody can go over to their website and start downloading programs. A week ago you could but now you can't. I went online with yet another tech support person and they refused to supply me with a link. If you try to go on their website and pretend you have the correct hardware you have to submit to their software scan which is very thorough. If you don't have an HP computer with exactly the version and hardware that the software calls for you'll be blocked from going further into their website." }-

Okay, fair enough. Anyway the lesson should be don't install any software in the shadow mode unless you know a reboot isn't required. For some types of installs, the only safety net is hopefully something like FDISR but most assuredly a full image.

pete

Perman
June 19th, 2007, 12:58 AM
Hi, folks: I like to believe that PS is an excellent virtualization application, but two puzzles have been bothering me to this day: (1) why would PS be able to switch from normal mode to shadow mode w/o reboot? (2) why in shadow mode can any given partition, including a hidden one, be added to the disk and survive the reboot? IMO, the shadow mode is the integral part of the whole application, it is designed to repel any structural changes, such as addition/deletion of partitions, and if this fails, the other safety feature is to reverse any unexpected changes. I know for a fact these two things will never happen to DeepFreeze. Are all virtualization apps having different frameworks?