How does Rollback RX manage Windows Bootup?

Discussion in 'backup, imaging & disk mgmt' started by Flexigav, Sep 26, 2012.

Thread Status:
Not open for further replies.
  1. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    My understanding of the bootup process is that:
    1. Firmware locates the boot program media, i.e. an HDD.
    2. Firmware invokes the code in the MBR (1st track on the physical medium/HDD). At this point default MBR code can be modified or substituted by a BOOT MANAGER program (or rootkit malware).
    3. The default MBR boot code will invoke the active partition VBR code in a chain loading fashion. I assume custom boot manager programs or rootkit malware would have to run the standard VBR code as well, but might modify its output as part of their own program agenda before handing control over to the OS boot manager! To do so they must communicate directly with the system BIOS, as no OS is running yet.
    4. VBR code normally invokes the Windows Boot Manager program (it knows where to find it, else you will get a missing file error and no OS bootup!). In Win2k-XP this would be the NTLDR file. In Vista & Win 7/8 this would be Winload.exe and Bootmgr files.
    5. Win Boot Manager consults the BCD (Boot.ini in Win 2K-XP) to determine which OS kernel to invoke.
    6. An OS kernel is invoked and the OS boots.

    So my assumption is that RollBack RX intercepts and substitutes the process between the VBR and OS Boot Manager stages. It probably modifies the MBR code to bypass the default VBR code in the 1st sector of the active partition, substituting its own information from the user selectable snapshot prior to handing the next stage of the boot process over to the OS boot manager (NTLDR - Win 2k/XP, or Bootmgr & Winload.exe - Vista/7/8).

    Any confirmation or correction of this process is most welcome!
     
  2. Flexigav

    Flexigav Registered Member

    For anyone interested, :eek: Rollback RX modifies the boot process in the MBR to hand over the boot process to its own small kernel (not in the MBR) that manages the drive sector mapping information under its control, then hands over the remaining boot process to the OS kernel (Windows Vista/7/8). As part of the Windows OS boot process, Windows reads disk sector mapping, only Rollback RX has modified the process and Windows is none the wiser! So Rollback RX establishes itself before the Windows kernel is called in the boot up process.

    see http://www.horizondatasys.com/196928.ihtml
     
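Worked example added to this thread (it is not code from the posts above, nor from Horizon DataSys or Rollback RX): a Python script that walks the MBR -> active partition -> VBR chain from the first post the way the firmware/MBR code does, and hashes the 446-byte MBR code region against a known-good value so that an MBR whose entry point has been redirected to a loader outside the MBR, the pattern the second post describes for Rollback RX (and that a boot manager or bootkit uses too), shows up as "modified". The disk image, the "stock" and "hooked" boot-code bytes, the partition layout and the baseline hash are all constructed inside the script; on a real system you would record the hash of your own MBR before installing anything and read sector 0 with `\\.\PhysicalDrive0` or `/dev/sda`.

```python
"""Walk MBR -> active partition -> VBR on a raw disk image and flag a
changed MBR boot-code region.  Everything here is a constructed example:
the 'disk' is built in memory, not read from real hardware."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445 of the MBR are the executable stub
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xAA"    # bytes 510..511 of both the MBR and a VBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary partition entries of a 512-byte MBR."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def active_partition(mbr: bytes) -> dict:
    """Stock MBR code chain-loads the single entry flagged 0x80."""
    act = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(act) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(act)}")
    return act[0]


def read_sector(disk: bytes, lba: int) -> bytes:
    start = lba * SECTOR
    if start + SECTOR > len(disk):
        raise ValueError(f"LBA {lba} is beyond the end of the image")
    return disk[start:start + SECTOR]


def walk_boot_chain(disk: bytes, baseline_bootcode_sha256: str) -> dict:
    """Steps 2-3 of the boot sequence in the thread, plus an integrity check:
    read the MBR, verify its signature, hash its code region, find the active
    partition and read that partition's VBR."""
    mbr = read_sector(disk, 0)
    if mbr[510:512] != SIGNATURE:
        raise ValueError("MBR signature 55AA missing")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    part = active_partition(mbr)
    vbr = read_sector(disk, part["lba_start"])
    if vbr[510:512] != SIGNATURE:
        raise ValueError("VBR signature 55AA missing")
    oem = vbr[3:11].decode("ascii", "replace").strip()   # OEM ID, e.g. "NTFS"
    return {"mbr_code_modified": code_hash != baseline_bootcode_sha256,
            "active_partition": part["index"],
            "partition_type": part["type"],
            "vbr_lba": part["lba_start"],
            "vbr_oem": oem}


def build_image(bootcode: bytes, vbr_lba: int = 2048) -> bytes:
    """Constructed disk image: one active NTFS-typed (0x07) partition whose
    first sector (the VBR) sits at vbr_lba."""
    if len(bootcode) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the MBR code region")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", vbr_lba, 4096)
    mbr[510:512] = SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"       # jmp short + nop, as an NTFS VBR starts
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = SIGNATURE
    disk = bytearray((vbr_lba + 1) * SECTOR)
    disk[0:SECTOR] = mbr
    disk[vbr_lba * SECTOR:(vbr_lba + 1) * SECTOR] = vbr
    return bytes(disk)


# Constructed stand-ins (not real boot code): a 'stock' stub that begins with
# the usual xor ax,ax / mov ss,ax / mov sp,7C00h prologue, and a 'hooked' copy
# whose first bytes are replaced by a far jump, i.e. the entry point now leaves
# the MBR for a loader stored elsewhere on disk before the VBR is ever reached.
STOCK_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 30
HOOKED_BOOTCODE = b"\xEA\x00\x7E\x00\x00" + STOCK_BOOTCODE[5:]
# Baseline recorded from the stock MBR (code region padded to 446 bytes).
STOCK_HASH = hashlib.sha256(STOCK_BOOTCODE.ljust(BOOT_CODE_LEN, b"\0")).hexdigest()


def check_clean() -> dict:
    return walk_boot_chain(build_image(STOCK_BOOTCODE), STOCK_HASH)


def check_hooked() -> dict:
    return walk_boot_chain(build_image(HOOKED_BOOTCODE), STOCK_HASH)


if __name__ == "__main__":
    print("clean image :", check_clean())
    print("hooked image:", check_hooked())
```

Note that the partition table and both 55AA signatures are identical in the clean and hooked images, which is why a tool that only checks the table or the signature will report a hooked MBR as fine; only the code-region hash (or a disassembly of the first instructions) tells them apart, and the same idea extends to the VBR if you also baseline bytes 0..509 of the active partition's first sector.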