Ok now problem has JUMPED to different snapshots

I now have my other snapshot exhibiting the same problem as the one that i installed the hp software into. That means that this HP software has now trashed through both powershadow AND FDISR. IMPOSSIBLE I thought! What in the heck is going on here? Someone like Peter should check this to see if what I'm experiencing is unique to just me. My system was totally virgin and newly rebuilt and ran perfect before installing this hp software. I think I'm screwed. Luckily I have some offline snaps to fall back on on an external usb hard drive. THink I'll have to secure erase my hard drive. I might try to find a free partition manager and see what it says about any hidden partition. Stupid hp....Funny thing is that hp says in order to get rid of their hidden partition you must install the software then run it and select remove hidden partion. Was hoping to avoid that. You'd think a Darik's nuke boot disc would be enough. Guess not. And NO I don't have data anchoring on and never did.

 

Well I am surprised this happened and all I wanted to do was look at the gui of the software. I never even executed the software to make a backup. All that is required is to install the software and it automatically created a hidden partition during install. I installed then uninstall the product before rebooting even once and still I'm having this problem. Thats one for the record books. This software I don't think is trying to auto update. It's trying to assign a new drive letter to a hidden recovery partition. Well there you have it. Best to run an anti executable and ssm or similar in addition to powershadow and FDISR since those have now been taken down. I had to have my security software off to install the product in the firt place so all I had was powershadow running inside an FDISR snapshot thinking if something went wrong I could just copy update over it. No such luck now. Darik nuke boot disc and partition magic here I come.

 

I would think this is some kind of ultimate test for even an imaging program. In about 3 hours I'll tell you if an image works or not. I'm betting that only the hp disk partition removal utility is the only thing that will get rid of it. People have complained over on hp related forums that even a restored image leaves the partition intact so they are forced to use only the proprietary uninstall utility provided by hp. Interesting don't you think? Another thing that can survive an image restore.

 

You are very wise to have planned ahead with that. It's just way too risky anymore to not have images/snapshots/archives to turn back to again because when you least expect it something CAN go haywire.

I was messing (researching) with a virus last night w/ no PS or SSM and fired it up completely in a snapshot and what did it do? Upon reboot a quick flash of a bluescreen and then immediately reset the computer back to BIOS screen over and over again repeatedly. Could not even access ANY snapshots and almost went to my backup Archives on another internal disc but decided as a last resort to try Paragon's CD Recovery and it saved the day. The virus fudged the MBR but the Recovery CD set things right again. Couldn't even get to safe mode. Next time i examine that junk will be on my test computer. WHEW! I highly sympathize with your HP situation, doesn't look good at all.

 

Yes time to break out the external archives. Interestingly I have some old FDISR DVD archives I copied over the bad hp snapshot and even with that accomplished without errors from a copy/update I still get the dreaded popup messages that state that new hardware was found and system settings have been changed and that I need to reboot. This appears as the first thing that happens when I boot up no matter what snapshot I use, and where it's from and even if I copy over it with known good archives. So that confirms it. HP %$@# it up for everyone. Glad I found out that something can breach powershadow. I'll never use it again to test software alone. I'll have to see if VMware can contain it. Anyone want to test it in a VM to see if it an also breach vmware?

 

@Horus.

Not quite sure why you are surprised at what has happened. You are saying that HP partitioned your C drive into "a resized C drive" and an HP "Hidden partition" Then you wonder why FDR cant operate properly.

Surely the point is that FDR just cant see or recognise the drive that it works on...namely "C" When your snapshots or archives last saw that drive, it was a lot bigger, and now when it comes to copy/update it looks to be a different drive altogether and is probably totally confused.

HP is known for taking control of peoples systems with their installation software, but that is very bad.

It is asking a lot of FDR to recognise an unknown C drive though.

 

Well this isn't malware but a very well known and used program from HP. However the real surprise is it leaked out of a powershadow mode. So partitioning is the achiles heel of these types of software then I guess. I don't remember FDISr stating in it's manual not to partion the hard drive or else FdISR won't work. There should be a list of known issues with using FDISR that can break it if attempting to copy update from another partition. Removing a hidden partition is one thing that will fail.

 

My actual image backup software is ATI and I'm trialing ShadowProtect.
When I restore an image of ShadowProtect, I also get messages of new hardware in both FDISR-snapshots, but those messages disappear when I keep on using ShadowProtect.
Also my ATI-schedules didn't work anymore due to testing ShadowProtect, because ATI didn't recognize the source anymore.

 

Problem still persists after a fresh secure wipe of the drive, creation of a partion, formatting and reinstall of windows then installing an FDISR archive. I still get these new popups and such stating windows has found new hardware and system settings have changed and I need to reboot.

 

I obtained powerquest partition table editor and I ran it in native xp without going into dos and the GUI shows only 1 partition. Supposedly this application can detect another hidden partition while in xp on the fly. I see only 1 partition. Since you have a legit true hidden partition on your ibm thinkpad why don't you download powerquest partition table editor and run it and see if it can detect yours while running inside xppro? http://mirror.href.com/thestarman/tool/FreeTools.html#PARTINFO No it doesn't need a reboot once you install it.

 

The GHOST programs called GDISK.EXE and GDISK32.EXE can see/delete HPA

http://www.forensicexams.org/content/view/678/

Mike

P.S. GDISK is intended to be a replacement for FDISK.

 

I can't answer that question due to lack of knowledge, but I'm not surprised that this happened and in a normal situation, I wouldn't use two image backup softwares at the same time, because of possible conflicts.

My actual problem is that I ordered ShadowProtect on 2007.06.08 and Storecraft doesn't want me to give a serial number until I have paid, which I did with my visa card.
Any other company gave me a serial number on the SAME day, I bought it with my visa card, except StorageCraft. I guess they don't trust visa.

 

I think I know an answer. Newer HP machines place the MBR on the HP recovery partition. I had to delete the recovery partition in order to get some of my proggies to work properly. Not a very good idea unless you have a good backup system

SourMilk out

 

Well if new hp's have the MBR inside the hidden partition that sounds like trouble. I'll have to ask if that's what happens when you install this software. Perhaps it SHIFTS the mbr inside the hidden partition during install. I'll have to ask them if that's the case. Either way i'd like to know if during an image creation with imaging software, you'd have to image this hidden area for your computer to work right.

 

It's now official that ver 2.6 of powershadow does NOT protect the MBR as per powershadow website admin.

Told you I broke it.