How Information Survived Image Restore?

I made an entire disk Macrium Image earlier today. Aftrewards I decided to download FreeBSD and put it on a USB flash drive to try it out. I had never used FreeBSD before but have created bootable USB's for Linux many times.

While making the flash drive my computer blue screened. I pulled the flash drive and did a hard shut down. When I rebooted Windows said it had recovered from an improper shut down or something to that effect but then proceeded to operate normally.

I attached the same USB again and immediately got a blue screen. This time I did the hard shutdown and rebooted with the Macrium Windows PE Recovery disc. I restored the image made earlier which was stored on an external drive that was not attached to the computer during any of this (except during the image creation of course). When I rebooted after the successful image restore, I was greeted with the message about the improper shutdown again.

How is it possible that the information about the improper shutdown was retained after restoring the image created before it happened?

* edited to correct typo

 

Was the image you used made LIVE under a running Windows System or from a Recovery Media?

 

Made from a running Windows system earlier today. A hot image I believe it's called?

 

If you did a restore using the Recovery Media DEFAULTs, it used Rapid Delta Restore. If the System inconsistency FLAG is left in a non-FileStructure area, it may not get changed during the restore. If you unticked the RDR restore option prior to the restoration, that forces Reflect to restore every bit/block of DATA in the image... that surely would have overwritten any inconsistency flag. This is just a guess, though...

 

I use Macrium Free and I don't believe Rapid Delta Restore is even available in the free version.

 

Did you restore the whole disk, or only the OS partition? If the information about the improper shudown appears before Windows loads (I think it does), it may be saved in other area of the disk, not in the OS partition.

 

I restored the whole disk.

 

Well... ya got me

 

Well, thanks for trying to help. This has kinda dented my faith in imaging.

 

Firebytes, Windows uses a typical "dirty bit" semiphore to determine the status of a drive. It's a multibyte semiphone and appears at different places on every volume. The interesting thing is that the bit is set dirty once the System is BOOTed up and remains that way until the System is shut down properly at which point its "cleaned" for checking at the next BOOT. If that's the case, the bit should be dirty when VSS locks the system for an imaging operation... I'm guessing. You would think that following an image restore, the bit would be dirty and Windows would detect an improper shutdown.

I have no idea what it does along the way. The semiphore is definitely located within the partition space being imaged.

Here's a nice li'l DISCUSSION on the Windows dirty bit...

 

That's why I'm confused as to how it survived the complete disk restore, especially since the image even restores the MBR and Ring 0 to my understanding.

 

According to this, the "dirty bit" would be present in every hot image, and the improper shutdown screen would appear always after such an image is restored. This is not the case.

 

I'm sure there's more (in the Windows OS) to the processing of that FLAG then just a yes or no...