The unofficial Shadow Defender Support Thread.

Yes I'm XP sp3, 32 bit and harddrive only and I haven't set ram cache

Patrick

 

What DOESN'T conflict with EMET? The more I see/hear about problems regarding it the more I convince myself to forego these fancy new mitigation techniques and just lessen my attack surface from the getgo as much as possible.

But we've eliminated SSD, and it being 32/64 bit inherent. The thing is, many report no problems with the newer versions. So to anyone having problems - do all of you have EMET mitigation techniques enabled on your box? Or even DEP (only) always on, or enabled for SD (or all programs) anyway?

 

EMET isn't absolutely necessary to find trouble. The other day, i was trying to troubleshoot and i ended up installing Win7 from scratch. I had installed all drivers and a few applications and for the first time, i enabled immediately DEP for all programs (through control panel, advanced system options). After a while, while i was installing more applications, BSOD and severe data corruption. I 've never seen this before. Checkdisk was repairing all over the place. Everything was corrupted. I 've done this procedure with the same drivers and programs dozen of times, never had it before. But it was the only time i had enabled DEP for all programs since the start. The other times, i was just updating Windows and my DEP settings were then greyed out, but enabled for all programs (verified from comand prompt).

So, i am not ever using EMET again and keeping DEP only for Windows.

 

Obviously, commiting RAM buffer changes to the SSD should be faster than commiting disk buffer changes onto the same disk. Is this what you meant?

 

I have just sent an e-mail to Tony suggesting the implementation of data compression for the SD RAM buffer. At the moment the RAM buffer seems to be filling up very quickly, so I assume that the buffer contents are uncompressed. If he could use compression for the RAM buffer contents then the buffer will take longer to fill-up and people will be able to have longer Shadow Mode sessions in RAM.

Maybe he could even give an option to the user to define how strong the compression would be: Users could select light, medium or high compression for the RAM buffer, this would affect how quickly their assigned RAM buffer would fill-up. I can't see a speed problem even when using high compression, as RAM is superfast anyway. Of course compression should only be used while the RAM buffer is active: It should be turned off automatically when the program switches to disk buffering; this would be essential especially with older or less powerful systems, in order to keep the virtual system speed at acceptable levels.

I've also reminded him of my earlier suggestion to use a secondary disk for the buffer when SD switches from RAM to disk buffering. I have a small SSD which I could dedicate for SD buffering, this way all my other disks can be on Shadow Mode and only one disk will take the hits.

Lets see what he thinks about this.

 

Wouldn't RAM-buffer compression result in operational slowdown?

TS

 

SkyDrive corrupted after making a backup in Shadow Mode

Problem: I update a cloud backup using SkyDrive, in Shadow Mode. After the backup has been completed normally (no errors), I reboot. A message appears about problems with SkyDrive, suggesting a reboot or a reinstall. SkyDrive doesn´t work. This doesn´t affect the cloud backup, of course. It´s a local problem.

The solution I´ve found is to uninstall and reinstall SkyDrive. This has happened three times to me, I think it´s definitively a problem with SD and SkyDrive. I suppose it can be avoided by excluding certain SkyDrive files, but it´s an inconvenience anyway.

I´m using SD 346 x64, DEP only for Windows processes.

Edit 1: the SkyDrive directory, that contains the files to backup, is not in C:.

Edit 2: I checked using Returnil and the same problem occurred. So it´s a problem with SkyDrive, possibly introduced in the last version (2012, 17.0.2003.112), because I used SkyDrive and Returnil for about six months since June 2012 and never encountered this problem.

 

I know that not everyone does this but I always come out of Shadow mode to do any kind of update anti virus defs or whatever, I know that it's inconvenient but it's less likely to cause trouble.

Don't forget there is a poll about 1.2.0.355 here

 

Obviously, it´s not possible to use a system virtualizer permanently. But this case is different. No program is being updated. Some files, that are not in the system partition, are being copied to the cloud backup. This is what I call a "cloud backup update".

And, in the case of a definition update done in virtual mode, this shouldn't cause any problem. Just the update is lost after a reboot.

 

Depends on the level of compression used and on how optimized the used algorithms are. Lets not forget that sandforce SSDs use real time compression too, without any noticeable overheads. Same applies with NTFS compression. If the compression algorithms used are decent then slowdowns should not really not be an issue, especially considering the speed of modern RAM.

 

I had a reply from Tony:

It is a risk to use another disk for buffering.
For example: system volume is in Shadow Mode.
Any changes to system disk lead to an access to the buffer disk.
and access the buffer disk also may lead to an access to system disk, so the system will be dead lock.
To compress the write cache is a feasible, but i don't know whether this can save RAM, because the RAM used as buffer must be page aligned. I have to do more research on it.

 

I see - I don't use SSDs so I didn't know that. My comment was based on the slower backup times I've noticed when the image is compressed (compared to when it is not)

TS

 

I try and and avoid making any changes while in Shadow Mode but I had an interest incident with Spotify. Normally when I leave Shadow Mode Spotify will be have the exact same song running as when I entered Shadow Mode yet when I star a song as a favourite while in Shadow Mode, that changes carries over.

Windows decided to auto update this morning while I was Shadow Mode and that change didn't survive.

 

Dear community,

a question for the professionals.

SD ist running in shadow mode, if i go on "take all data on real hdd"
i got the changes.

but what happen with the data changed after that procedure ?
are they again in shadow mode or will be taken again and again on my real system ?

sorry for bad english, i hope u can follow me.

greets

 

I am not one of the "professionals" but I think what you are saying is
that when you are in Shadow Mode and (for example) writing a notepad file and have saved it and chosen "Commit to real volume" and then (whilst still in Shadow Mode) you want to re-open the notepad file to add something, does that overwrite your original command and will the file be updated to last command when you re-enter ordinary mode? I think that it does...I'll try it now and post again.

 

right thats it

1. make a new txt.file on the shadowed disk
2. klick to "Commit to real volume"
3. make again f.e. an doc file
4. boot the pc without sd mode

what happens ?
the txt file again on the maschine, but what is with the doc file ?

 

Ah I see you mean multiple file changes using commit and maybe re-commit

I know it works with a single notepad change because I just tried it

I was in Shadow Mode

I made a file called Fred.txt and wrote "Hi Fred" and saved it

then commited the file

then I decided to add something I opened the file and and changed it to "Hi Fred see you on Friday" and saved it then re-commited it

When I re-booted into ordinary mode and opened Fred.txt it said "Hi Fred see you on Friday" so it had updated the "commit" during the Shadow session.

I'll try with four files and make changes and get back to you.

best wishes

Patrick

 

@BruzZzler
I understood that you have done two files and only one was saved on real disk...so...no matter if you go back to shadow or normal mode after reboot - in each time you shouldn't have/see unsaved file (here in example *.doc). It perfectly works in my system 3 years (XP SP3).
------------
edit:
I tested such action:
- I switched SD to shadow mode (disk C: )
- I opened new Word document and typed "Text befor saving"
- I saved this file as "SD test.doc" on desktop
- this document was added panel in "Commit now" in SD
- commiting file when it is open or editing is impossible...earlier we have to close that file
- after closing the file we are able to save it on real disk
- then I added some words to opened document - "text after reboot"
- at the end I rebooted the system...after that I saw only such text - "Text befor saving"
- so, any new changes in mentioned document was not saved on real disk...only this changes which I commited manualy.

 

UPDATE to test
I made a new folder in ordinary mode
then I went into shadow mode
in that folder I made four new files fred.txt fred.doc (wordpad) fred.zip and fred.rar
In fred.txt and fred.doc I put "Hi Fred" and saved and nothing in fred.zip or fred.rar

then I commited all four files

I then changed fred.txt and fred.doc to say "Hi Fred" see you on Friday"
and then I committed those two files.

I then dragged and dropped those two files into Fred.rar and Fred.zip

and commited Fred.rar and Fred.zip

Then rebooted into ordinary mode

On re-boot all four files were updated correctly and updated fred.zip and fred.rar contained the two updated files fred.txt and fred.doc

and the files fred.txt and fred.doc were also updated.

I hope that this is helpful in some way and not just confusing

Patrick

 

1. From the Help: "NOTE: If subsequent [after a Commit operation] changes are made to the file, the Commit must be repeated to permanently save those changes."

2. SD lacks a function to commit *all* changes made during a session. Some similar programs like Returnil have it.

 

great community
many thanks to you

so i can only commit files and folders
not all changes i made, f.e. install software, update antivirus etc ?

 

Yes. That´s what I understand.

 

but you can't commit empty folders

 

And that is what I wrote above, but...

is not the truth because can works that feature

 

Yes, I was wrong. The problem is that the presence of the option is not obvious. To be able to click on "Exit Shadow Mode", it is necessary first to click on the empty box adjacent to OS (C: ). Otherwise, the option is grayed out and only "Exit All Shadow Modes" is available to click on.