The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    The question remains if malware or rootkits can infect hidden partitions. According to a fast search I did, they can.
     
  2. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Even more reason to move the reserved partition's contents into the Windows boot partition (which can be protected more effectively). ;)

    TS
     
    Last edited: Feb 19, 2013
  3. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    You only need that hidden partition if you use BitLocker (in Ultimate edition only). There is a way to merge it with your Windows partition:

    Open an elevated command prompt: Type cmd at the Start menu search box and cmd.exe will come up. Right-click on it and run it as administrator.

    Then type: bcdboot c:\windows /s c:

    You'll get a message that boot files have been created. Close the command prompt.

    Open the Windows Disk Management applet (C:\Windows\System32\diskmgmt.msc), right-click on the C: partition and select “Mark Partition as Active”, confirming when asked. Reboot and when back in Windows run Disk Management again and delete the hidden partition. Use a third-party partition manager to merge the empty space into C: if you want to. You don't have to do this, it's only 100MB after all; but to many people it's annoying to leave unallocated space.

    Once all is done put C: back in Shadow Mode.

    For future Windows installations: If you want to stop Windows from creating the hidden partition in the first place, make sure you partition your system disk before installing Windows on it. If you try to install Windows on an unpartitioned disk it will always create this hidden partition. If you partition the disk before running Windows setup, then the hidden partition will not be created.
     
    Last edited: Feb 19, 2013
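    A pre-flight script for the merge procedure above, added here as an example and not taken from the thread or from Shadow Defender itself. It assumes the Windows 8+ Storage cmdlets and an elevated PowerShell session, and it stops on UEFI/GPT layouts or when the active partition is far larger than the 100 MB System Reserved one (the OEM "RECOVERY" case raised later in the thread), so that only the expected partition is ever removed.

```powershell
# Added example (not from the thread): checks before merging the 100 MB
# "System Reserved" partition into C:. Assumes Windows 8+ Storage cmdlets
# (Get-Disk/Get-Partition/Set-Partition) and an elevated PowerShell session.

# 1. The bcdboot + "Mark Partition as Active" steps only apply to BIOS/MBR
#    installs. On UEFI/GPT systems the EFI System Partition and any
#    recovery partitions must stay in place.
if ($env:firmware_type -ne 'Legacy') {
    throw "Firmware type is '$($env:firmware_type)'; only Legacy BIOS/MBR layouts are covered."
}
$sysDisk = Get-Partition -DriveLetter C | Get-Disk
if ($sysDisk.PartitionStyle -ne 'MBR') {
    throw "Disk $($sysDisk.Number) is $($sysDisk.PartitionStyle), not MBR."
}

# 2. Locate the reserved partition: the active partition that is not C:.
$parts    = Get-Partition -DiskNumber $sysDisk.Number
$cPart    = $parts | Where-Object { $_.DriveLetter -eq 'C' }
$reserved = $parts | Where-Object { $_.IsActive -and $_.PartitionNumber -ne $cPart.PartitionNumber } |
            Select-Object -First 1
if (-not $reserved) {
    Write-Host 'No separate active partition found; nothing to merge.'
    return
}
# Refuse to touch anything that is clearly not the 100 MB reserved partition,
# e.g. an OEM recovery partition holding a factory image.
$reservedMB = [math]::Round($reserved.Size / 1MB)
if ($reserved.Size -gt 1GB) {
    throw "Active partition $($reserved.PartitionNumber) is $reservedMB MB; not the 100 MB System Reserved partition, check before deleting."
}

# 3. Copy the boot files to C: and make C: the active partition.
bcdboot C:\Windows /s C:
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
Set-Partition -DiskNumber $sysDisk.Number -PartitionNumber $cPart.PartitionNumber -IsActive $true

# 4. Verify the boot manager really landed on C: before the reserved partition
#    is deleted after the reboot (bootmgr is a hidden system file).
if (-not [System.IO.File]::Exists('C:\bootmgr')) {
    throw 'bootmgr not found on C:; do not delete the reserved partition.'
}
Write-Host "C: is active and holds the boot files. Reboot, then remove partition $($reserved.PartitionNumber) ($reservedMB MB) in Disk Management or with Remove-Partition."
```

    Run it before entering Shadow Mode again; the deletion itself is left to Disk Management after the reboot, exactly as the post describes.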
  4. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    i was about to say that....
     
  5. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    ...which I already stated in post 2050. ;)

    TS
     
    Last edited: Feb 19, 2013
  6. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I missed that one Shadow :)
     
  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Two comments:

    1. On certain Windows 7 computers, the SRP hidden partition contains additional information. If it is deleted, this information is lost. For example, on Dell computers, this partition, called "RECOVERY", contains the image to restore the factory configuration.

    2. What about UEFI computers? A brand-new UEFI computer can contain six or seven partitions. All of them, except the system partition C:, may be hidden. Obviously, not all of them can be deleted or changed. It may even be difficult to know what they are for.
     
  8. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Cool, I have one more question before installing this software; I would greatly appreciate it if anyone could answer. If I want to use Shadow Defender for one particular user account in Windows, can it be done, or is it activated for all accounts?
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Shadow mode is not limited to an account, but is active on a partition-by-partition basis.
     
  10. cloudstr

    cloudstr Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    30
    I still use the .325 because it's safe, but it looks like it's time to change. Any speed improvement of .370 over .325? Please compare the two versions.

    Best regards,
     
  11. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    The 3 significant enhancements since build 325 are:
    1. RAM Cache option - supposedly faster performance, but frankly that's not apparent (to me).
    2. Win 8 compatibility
    3. SSD compatibility
    Build 370 is running very smoothly here, but I would say that if 325 is working for you without issues, 'don't fix what's not broken'. ;)

    TS
     
    Last edited: Feb 21, 2013
  12. BruzZzler

    BruzZzler Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    30
    Good morning,

    I have a question.

    Which file does SD write to, is this pagefile.sys?
    What happens if we exclude this file from SD mode?
    Also, what is the effect of excluding the hibernate file?

    I hope you understand me ;)
     
  13. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Are you referring to the SD virtualization cache? The buffer?

    SD uses RAM for the cache (if this option is enabled by the user). When the RAM cache fills-up the program automatically switches to disk caching.

    When no RAM option has been defined or when the RAM buffer is full SD works at sector level and uses each protected disk's free space for its cache; you won't see an actual buffer file.

    Why would you exclude the hibernate file? I don't see a point in that.
     
  14. BruzZzler

    BruzZzler Registered Member

    Joined:
    Jun 1, 2012
    Posts:
    30
    Thanks for the answer. No, I don't use RAM cache, my system only has 4GB, so it's not so good for me to use RAM for SD.

    My system takes a long, long time to go into hibernate mode, so I thought if I exclude this file it would be a little quicker to go into hibernation.
     
  15. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    There are a few hinky things that I've noticed with Shadow Defender's ability to restore a system at restart. For one, when I restart a system that was in shadow mode before the restart, after it boots up little things are not as they were before, such as my LooknStop ruleset or product registration. When I restart my system, LnS then says I'm using a different saved ruleset than I was using before. Also, GOM video encoder is no longer registered like it was prior. I have no exclusions that would explain this.

    Weird....
     
  16. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    It seems to be the same type of problem related to configuration changes that has been reported here before. What version are you using?
     
  17. homeless_sapient

    homeless_sapient Registered Member

    Joined:
    Apr 11, 2012
    Posts:
    34
    FEATURE REQUEST:
    It would be nice if Shadow Defender had an option to write/store the temporary shadow file (diskpt0.sys) on a custom drive/partition, to protect our SSDs from a lot of write events during software testing through SD. Perhaps it is not too difficult to implement this feature since "RAM used as write cache" is already implemented.
     
  18. homeless_sapient

    homeless_sapient Registered Member

    Joined:
    Apr 11, 2012
    Posts:
    34
    SD creates a file named diskpt0.sys. It's a hidden system file.
     
  19. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Tony reported a while back that write caching on a different disk may not be feasible for the time being. Get yourself more RAM. With current RAM prices it's never been cheaper to fill her up with as much RAM as she can take.
     
  20. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Yes, but... see post #1808.
     
  21. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    So the link shown for 370 is, I presume, now safe to use. I am glad this issue seems to be settled finally, as I am now running into malware all over the place on so-called safe downloads.
     
  22. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    Nate,

    I am using SD build 370 (I see you are still on build 325). I have tried a few experiments re SD and my firewall settings and I do not find any unexpected results. If I make any firewall setting changes while in Shadow Mode they are gone after restart (as expected). On the other hand, I have not seen any settings which were in place before entering Shadow Mode changed after doing a restart.

    TS
     
  23. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    I've used many versions over the years: .275, .278, .315, .325, .333, .370. They all seemed to have the same issue. I've set it up to cache in RAM in .370 but it has made no difference. It's not too big of a deal, but it's enough of a nuisance to make me start looking at replacements.
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I've had to switch to Returnil because of this problem. I've been in touch with Tony a few times about it, but so far he's not managed to resolve the problem.
     
  25. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,162
    This problem has been going on for a long time (years); I think I was one of the first people to ever mention it. I haven't really personally noticed any problems of significance in 1.1.0.325. I've mentioned the problem many times on the forums and contacted Tony on numerous occasions. He acknowledges the problem (sort of begrudgingly) (no offence meant) to some degree, but because there is no consistent consensus of complaint (people seem to mention it here and there) I don't think it has been addressed formally.
    I think getting to the root of this problem is made more difficult because we are all using different systems with different configurations, different antivirus, with rollbacks, system monitors and different kernel level stuff; maybe one fix can't suit all. I still think this is a kernel level driver conflict or shootout issue, where one ends up being boss and dictates the way the other will run (or not run). That's my layman's take on it anyway :)

    Patrick
