Instant Recover not working as expected

Discussion in 'FirstDefense-ISR Forum' started by beethoven, Jan 25, 2014.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    using Win 7 -64 bit and just installed Instant Recovery

    Installation was smooth and as a previous user of FdISR the Gui was very familiar :D . I intend to use IR in the same way as Peter with a stripped down secondary snapshot and archives on a separate drive. Main reason is that in 7 64 bit, my drive is already quite big and I don't want to add another 60 gb to every image I do, doubling backup times. Last time with FdISR I created my stripped down snapshot during the build of the pc but this time with a new fully set-up pc I need to go backwards. Being a bit paranoid on messing too much without suitable safety nets (and yes , I do have an image), I wanted to test the new IR first before stripping almost everything from the pc.
    So I created of course my first snapshot (called secondary) and an archive of the prime snapshot. At this stage primary and secondary were exact copies.
    In order to test and to keep it simple, I changed the desktop wallpaper and removed two files and added another txt file, then updated the secondary form primary. At this stage I should have identical primary and secondary with an archive reflecting the original set-up before the desktop changes.
    Then I rebooted to secondary.

    To my surprise while the files had been changed as expected (removed and added), the desktop wallpaper did not work. The new wallpaper appeared very briefly to be replaced by my original slide show desktop background.

    Not believing my own eyes I took a screenshot based on Control Panel - Personalisation and rebooted to primary to confirm. The config is different - took another screenshot from primary desktop personalisation. I then repeated the copy / update primary to secondary. Again the copy action was done and while I was surprised to see the time necessary to do this (in fact I had nothing changed) -these were the details
    Scanned: 57.5 gb, Added 41.6 mb = 336 files, Removed 58 mb - 120 files, replaced 689 mb - I assume these changes are all system changes of log files etc that windows generates ?

    After finishing the copy/paste I once again rebooted into secondary - same result - the desktop config is not identical to primary snapshot.

    Is there any good reason why this should happen? Are changes like these config settings not part of the copying/backup?

    I have had nothing but good experiences with the original FdISR and was looking forward to adding the new version back to my safety net.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Hi Beethoven

    I also am on W7x64 and haven'e seen that type of problem. Only thing I can think of is your security programs might be a problem.

    Also you might take a look at the log file and see if it shows anything.

    Pete
     
  3. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Thanks Peter,

    I was hoping you might pop-up here as the resident expert on all things FdISR and similar :D

    I checked the log files within IR and filtering by errors shows absolutely nothing, showing all I can see what has changed - mainly log files, indexed files and system files. I noticed frequent File Time mismatch and File Size mismatch but you already explained this in the other thread as to be expected.
    I even found an entry as copied relating to the custom theme, so according to the log it should be identical.

    I am wondering if the issue is related to me not understanding how the wallpaper works. In both snapshots (see attached) under My themes the default is called unsaved theme though the pics shown are different as is the picture shown at the bottom under Desktop Background - in primary it's called Au-wp2 and in secondary Slide Show. Do I need to save the theme with a name in order for this to "stick"?
     

    Attached Files:

  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    I have saved both the theme and after chosing the pic I wanted for wall paper saved thought. I wonder if the slide show running could cause a problem.

    Pete
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I will try to modify this a bit later and do another test and then report back
     
  6. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,564
    This is a problem that FD-ISR had too.
    If a file is replaced with another one with the exact same size and the exact same creation+modification time FD-ISR considers them equal and do not update them.

    Panagiotis
     
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Hi Pandlouk,
    sorry, but I don't quite understand - looking at the log it would appear to me that a replacement is happening:

    Here is one example:

    26/01/2014 09:36:49 Replacing "Users\Thomas\AppData\Roaming\XYplorer\lastini.dat" in "Secondary Snapshot"
    26/01/2014 09:36:49 DoCopyFile: \\?\0:\Users\Thomas\AppData\Roaming\XYplorer\lastini.dat
    26/01/2014 09:36:49 CFX::FileSize: 4776 0 4248 0
    26/01/2014 09:36:49 File Time mismatch
    26/01/2014 09:36:49 File Size mismatch

    are you saying that for all those that have either time mismatch or file size mismatch no replacement is being done?

    Below are the logs for the wallpaper and screen saver where I noticed the issue:

    26/01/2014 09:36:47 Replacing "Users\Thomas\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini" in "Secondary Snapshot"
    26/01/2014 09:36:47 DoCopyFile: \\?\0:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
    26/01/2014 09:36:47 DCF::Shortname: SLIDES~1.INI
    26/01/2014 09:36:47 CFX::FileSize: 693989 0 82172 0
    26/01/2014 09:36:47 File Time mismatch
    26/01/2014 09:36:47 File Size mismatch
    26/01/2014 09:36:47 Replacing "Users\Thomas\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg" in "Secondary Snapshot"
    26/01/2014 09:36:47 DoCopyFile: \\?\0:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    26/01/2014 09:36:48 DCF::Shortname: TRANSC~1.JPG
    26/01/2014 09:36:48 CFX::FileSize: 14621 0 14621 0
    26/01/2014 09:36:48 File Time mismatch
     
  8. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,564
    No, I say that if two files that do not have a mismatch of time or size even if they are not identical (e.g. different hashes) they will not be replaced/updated.

    As for the image of your desktop it probably has to do with the prefetched/cached image file that does not get updated.

    Panagiotis
     
  9. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    thanks Pandlouk,

    in that case does that mean that in the log file I can each file and how it was handled and the file or size mismatch lines are just additional info as to why a file was replaced?

    If the desktop image issue is only related to this prefetched issue, I don't have a problem with that. Is there any way I can check or test this. Are there are files that are not replaced that I should be aware of?

    I remember in the old days I sometimes got error messages when my firewall stopped FdISR, so I needed to create special rules. At the moment I am using NOD 7 AV and MBAM - do I need to put IR into exclusions and if so, which files?
     
  10. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Indeed, I had the same problem with FD-ISR and still with IR. Whenever I do a recovery and find my desktop changed, I simply put back the one that I want and it stays. Does not happen very often and a very minor thing, just startles you the first time that you see it.

    Acadia
     
  11. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Acadia, you are quite right - I did not expect that and that's why I was concerned. The desktop picture is not relevant as long as I am sure that this is the only item (file/setting/config) that was not "saved", otherwise I am starting to wonder what other surprises may be lurking somewhere.
     
  12. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I have noticed this behaivour in AX64 (not yet in IR though) and I believe even in Macrium Reflect. I am not sure really coz I´ve done so many with both programs so my mind can play tricks on me not remembering which one I used to restore. But I do have some sort of memory of that. Maybe someone can confirm this?
     
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    The desktop is the only thing that I have ever noticed this happening to, and even that not very often, but I never read through those very long logs to check for other things.

    Acadia
     
  14. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,564
    You are welcome :)
    Correct
    To check if it was related with the prefetch just delete all files from "c:\windows\prefetch\" directory before updating the other snapshot.

    Yes, there is a problem with some rootkits, that replace/modify/patch some drivers without changing their size or their date.
    Unless InstantRecovery gives a warning there is no need to create special rules.

    Panagiotis
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Interesting. I always save the template and the image on the desktop. Going back and forth in the same snapshot, but by restoring images I've never seen this problem.

    One I've build my second snapshot and have it the way I want, I never do a copy/update to change it. At that point if a make a few changes to the secondary, I do it in the secondary, and refresh my archive.

    Pete
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Okay ran a little test of of curiosity.

    At start I had my two snapshot Primary and Secondary with Archives of each.

    I booted to my secondary.

    First I checked, had my theme set to a saved theme Pete, with the desktop picture saved. Also the screen saver was set to desired settings wait time where I wanted it.

    Next I refreshed the archive, and then created a new snapshot Copy of Secondary.

    Booted to the new snapshot and indeed it was identical with all the display settings. I then changed the theme saved it, changed the wallpaper picture saved it, and changed the screen save settings.

    Then I did a copy refresh from snapshot Copy of Secondary to Secondary.

    Booted into secondary, and the wallpaper was the same, but the theme wasn't saved and the screen saver was off.

    Booted back to copy of secondary and lo the theme wasn't saved and the screen saver was off.

    Then the light bulb went off. Running Appguard in Lockdown as I do prevents some of those changes from sticking. So I turned off Appguard, created a new theme Test, and set the screen saver with some obviously different settings. Turned Appguard back on and did another copy/update from Copy of Secondary to Secondary.

    Then booted to Secondary, and this time everything was the same as it was in Copy of Secondary. Excellent.

    Booted back to Copy of Secondary, and turned off Appguard and restored the Archive of secondary to the secondary snapshot.

    Booted back to secondary, and it was restored as it should. Even the theme test was gone.

    Conclusion, when I did the first "failed" copy/update, the desktop setup wasn't really as I thought it was, because the changes hadn't really stuck to due Appguard. IR did indeed work as advertised.

    Beware of the effects of security software.

    Pete
     
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Interesting Peter BUT (and I will now need to re-read your post to make sure I understand what you're saying) I do not even have Appguard installed in my secondary/recovery snapshot. If I understand the composer correctly (and maybe I need to re-read his posts), doing a normal recovery from an Archive using the Secondary, gives the desktop problem.

    IN MY CASE: Again, my recovery/secondary snapshot does not even have AppGuard installed but I still end up with this problem on rare occasion when recovering my Primary using an Archive. Extremely minor, just change it back to whatever desktop I want. My icons, folders, shortcuts, and gadgets are always intact, only the desktop theme itself has changed.

    Like I said, I need to re-read this stuff but in my case there is no Appguard in my Secondary and again, this is such a minor thing that in the real sense does not affect anything important. But as I said to the composer, the very first time that you see it you say, "What?!"

    Acadia
     
    Last edited: Jan 26, 2014
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    AAAAAAHHHHHH, ok. I see that I read thru Beethoven's initial post too quickly, assuming that his problem was the same as mine, BUT I do believe that they are very related. His secondary changed. In my case the Primary because of a recovery. Same problem: desktops had changed, all other things were as they were supposed to be.

    My guess, and if I am wrong then pandlouk PLEASE correct me, exact same issue that he described but we three (the Composer, Peter, and myself) were approaching it from three different directions.

    Acadia
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Okay, I may have put to much emphasis on Appguard. Point was I set what I thought were my them settings, but they hadn't really set.

    Try this. Set up your desktop them, your wallpaper,and your screen saver if any. Then save it all as a new theme.

    Then exit Personalize, even maybe reboot, and the check Personalize again and see if your settings are correct. If so then test IR and see what happens.

    Pete
     
  20. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Ok, for anyone wanting to test this. Change any of your default Sounds. Just change them to anything, does not matter. See if eventually they go back to the default. Again, this is nothing important. Any bad software program install, or bad Windows updates install, always seem to work COMPLETELY in recovery. It is the unimportant stuff, for me desktop themes and sounds that seem to keep reverting back (but not every time).

    Acadia
     
  21. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,564
    Guys maybe this should be reported to raxco.
    Now, that I think of it, it could be related with the NTFS junction points and I do not remember how FD-ISR/InstantRecovery treats them.

    Panagiotis
     
  22. controler

    controler Guest

    R U guys going to use both A64 and TR or delete one or the other?

    If you are going to use both, why?

    Thanks.
     
  23. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,564
    No, on my critical machine I'll use InstantRecovery and IFW.
    I love AX64 but the hot restores, even if I never encountered a major problem, frighten me a bit. For getting full confidence, I would have to perform (several times) an md5 or SHA1 hash to compare the files of the snapshot and the system right after a hot restore and I am too lazy these last months to do it.

    On my test/play machine I have FD-ISR and AX64 installed together; there FD-ISR works as a multiboot manager and AX64 for backup/recovery.

    Panagiotis
     
  24. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I have NEVER used AX64 and IR (or FD) together. I am sticking with Raxco because of their history and reputation. I still have AX64 on my wife's machine but I don't mess with her pc like I do mine.

    Acadia
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Okay I did the "sound" test. Beat on it a bit. IR did everything the way it should.

    Pete

    PS I am running AX64 with IR, but primarily as an imaging program. I also am wary of the hot restore as I've seen some funny things.

    Pete
     
Thread Status:
Not open for further replies.