Power Shadow

Discussion in 'sandboxing & virtualization' started by Chuck57, Jan 15, 2007.

Thread Status:
Not open for further replies.
  1. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I know what you mean by being puzzled. It's amazing that this happened. I didn't do anything prior to installing the software like load new drives or new hardware or even new software. I went into full shadow mode from the bootup prompt and things loaded normally into full shadowmode and then I went online and downloaded the software with comodo and avast av running. Then I disconnected from the internet, turned off comodo and then avast av then proceeded with an install of the new software with powershadow still in full shadow mode. The hp install went fine and smooth. It wanted me to reboot to finish the install. I of course DID NOT reboot. Instead I just opened the newly installed software just to look at the gui. No errors just an HP menu popped up stating 5 different things to choose from about creating a full backup or just files, etc... normal stuff. I didn't choose anything just clicked off the program then even uninstalled it from the add/remove menu in microsoft which went fine without errors. Then I just normally turned off powershadow and proceeded to reboot. I booted back into powershadow mode from the boot menu and I get a popup stating that microsoft has installed new hardware and needs to reboot then another message that system changes have been made and asks if I want to reboot now. Scary stuff.
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I wonder how version 2.8.2 would fare?

    Does anyone know if PS writes to unallocated disk space like the Microsoft Shared Computer Toolkit?

    edit: spelling
     
  3. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    I've never uninstalled anything while in powershadow, so don't know if other programs would reappear or not if I rebooted back into powershadow. Gone, as in uninstalled, should mean gone.

    Have you rebooted out of powershadow to see if it's still there? I'm thinking it'll be gone outside shadow mode, and that might get rid of it IN shadow mode.
     
  4. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69

    Any alteration in shadow mode will be invalid after reboot or shut down, so the software uninstalled in shadow mode surely remains in your system.
     
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    Aaaahhh, so by Horus37 rebooting into shadow mode after uninstalling, the software would remain. Rebooting OUT of shadow mode ought to get rid of it, which means PS is working as it should.
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks; In theory, rebooting from shadow mode, whether to normal or back to shadow mode again, should remove all changes (of course including any prog installation), at least that is how DeepFreeze is designed to function. Perhaps PS works differently?
     
  7. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328

    I don't think so because I've now booted out of full shadow mode to see what happens. Same thing happens, I get a prompt saying that new hardware is installed and system settings have changed and I need to reboot. That should have been gone from even a reboot into normal unshadowed mode. I'm hoping that someone with a VM will test this out. I am convinced now that my system got breached through powershadow. I was also running FDISR and had 2 snapshots to boot into. I booted into another snapshot and got the same message and also it was unshadowed. Then I proceeded to try to copy over the snapshot with a known good snapshot and even that has failed. Same exact problem occurs during normal bootup. New hardware found blah blah.... system settings have changed.....need reboot. We just need others now to confirm this.

    Someone with a VM needs to download HP backup and recovery manager and install it in a VM and see if they can get rid of it. Powershadow couldn't. FDISR couldn't.
     
  8. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    I'd never heard of the product before, and think I'll stay clear of it, although I'd like to find a good free disk imaging software to make a snapshot, just in case. So this HP stuff even beat FDISR. From what I read, that software goes on all their machines now, rather than providing a restore disk.
     
  9. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    VM, as I suppose, may handle the problem. ( Virtual PC )
    Anyhow, Powershadow is not a real VM software, totally different.

    Although that HP stuff might not be a malware, this kind of software is quite a big threat to PS users. :rolleyes:
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Can you see if a new partition has actually been created?

    Could the HP backup have started to make a new partition sorta at the end of the drive making a shadowed partition smaller and creating the new partition in the real system?

    Something like saving a file from shadow to another unshadowed partition.

    If this is the case then it seems to have happened without user input.
     
  11. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I'm going to use a hex editor and a partition manager and see if I can't unhide this thing. Otherwise I have backup offline snapshots I can fall back to if I want to Darik nuke boot cd this thing and start over. I'm thinking someone with a VM should do this install and see if it can get rid of the hidden partition after a reboot. Recovery for me takes about one hour without any disc imaging program. I just do a fresh install of windows, install FDISR then copy an offline snapshot stored on a USB hard drive back onto the main drive and use that. Takes a bit longer but it works as I've done it before. No biggie.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's stop the discussion of the PowerShadow breach here and continue it in the thread about it. No point in having the same discussion in two threads.

    Pete
     
  13. KevinN206

    KevinN206 Registered Member

    Joined:
    Jun 6, 2007
    Posts:
    13
    I am unable to register the Chinese version 2.8.2. I installed the program, restarted and ran the file ShadowSetting.exe in the system32 directory. A dialog popped up in Chinese (can't read Chinese) so I clicked okay. But when I install the English files, it said the program is still unregistered. Did the company discontinue the free registration for v2.8.2?

    EDIT:

    It seems they've stopped the online activation. This is what I get running through a website translator (babel.altavista.com): "2.8.2 edition on-line activations stopped, activated the user may continue the free use, the activation user has not been possible free to test 30 day. "

    A bit too late for my laptop. I'll install the 2.6 then and see what happens.
     
    Last edited: Jun 15, 2007
  14. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Did you try entering a name and email address in version 2.8.2? That is all that is required. It doesn't even have to be a legitimate address. To be honest with you, I'm not even sure if it is sent out.

    edit:
    It's still worth trying to see if they work.
     
  15. EASTER.2010

    EASTER.2010 Guest

    Apparently, how long Power Shadow Master's usefulness will last is a matter of what other virtual alternatives will prove out to offer more in the way of FULLY preventing Low-Level Disc access even where concerns disc tools because some fairly valid suspicions have been raised recently over this very matter.

    But, even as-is in its current state it continues to hold its own in the face of nearly if not all malware/rootkits which I assume most regard as security prevention priority #1, then there's also the trial of new programs which PS can dispatch off with the reboot from shadow-mode and dismiss, and then we have the shared machine aspect if a user foregoes against exercising the prerogative of Limited User Accounts for them.

    All in all, it's still an extremely useful program and has held its own pretty well. The extreme scrutiny PS is being TASKED with proves it's more than worth its weight in usefulness & protection for everyone from the common surfer all the way to the applications analyst to the malware hunters like myself which it's proven to have been a really great benefit so far.

    EASTER
     
  16. KevinN206

    KevinN206 Registered Member

    Joined:
    Jun 6, 2007
    Posts:
    13
    How do we test software that requires restarting the computer and will not work unless the computer is restarted? Wouldn't whatever was gets deleted afterward? The help file doesn't mention anything about this other than restarting will remove whatever was changed in shadow mode.
     
  17. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    If you restart with PS in shadow mode, everything changed gets deleted. Installing an application such as an Anti-virus program (while shadowed) that needs a restart to complete installation will fail and be gone when you reboot. There are other options for installs that require a reboot. I think a virtual machine can do this and I know you can set up Microsoft Shared Computer Toolkit to do this and FDISR can do this too. Others can specify more information than I can.
     
  18. KevinN206

    KevinN206 Registered Member

    Joined:
    Jun 6, 2007
    Posts:
    13
    I just downloaded Microsoft Shared Computer Toolkit (MSCT). Suppose I want to install Program A that requires a restart for testing, how would I tell MSCT to remain in the "protection" mode even after restarting so that whatever that needs updated can be updated? Program A would then run as normal, but will I still be able to revert to the time before the installation of Program A like it was never installed?
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    It basically 'snapshots' your system like FDISR does too and you have to have different 'snapshots' of your old and new setups. I hope you have Windows XP, because I think it's the only version that MSCT works on. It's probably not the best solution for testing either. I just mentioned it because I read a little about it and was considering installing it. http://www.dslreports.com/forum/remark,15352689

    Many users here use virtual machines to test software. Like I said, they can provide better advice than I can. Set-up on all these types of programs can take a little time and learning is necessary. I also am interested in trying a VM, but I'm not sure I'm ready to attempt it. http://wiki.castlecops.com/Different_classes_of_security_software#Virtualisation:-
     
  20. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    I have looked through the thread looking for more information on what is meant by this statement made by Espresso about not defragging when running Powershadow. I even saw where another member had asked basically the same questions I am about to ask but could not find the answer to those questions in the thread...so here are my questions:

    Does this mean not to defrag while in Shadowmode (which I don't know why you would want to do that anyway unless you ran in Shadowmode 24/7) or does it mean not to defrag whenever Powershadow is installed on a system? If it is the latter then what are you to do after leaving Shadowmode and installing new programs or making other "permanent" changes to the system. Eventually making enough changes will require defragmenting the drive. I don't run in Shadowmode all the time so the drive does become more fragmented each day. If a huge temp file will be built up by PS even if the defrag was done while not actually in Shadowmode then is there a way to clear the temp file after defragging and allow PS to start fresh so to speak?

    Thanks
     
  21. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I speak for myself and my current configuration XPproS2 Nlitened fully patched, I have run my Diskeeper and other defragmenters while in shadow mode and never had a problem, PS version 2.82.
    Side note: I do not have FDISR or RollbackRX installed on my box. Why would I want to defrag while in shadow mode? I don't know but I know that I can without messing anything up. I could be a Defragaholic since most of my defrags take but a split second to accomplish. It's habit for me when I log on and when I log off. Side note: my hard drive is about 3 years old and going strong according to the tests and tools my read and write errors are very low no weird noises coming from the drive.
     
    Last edited: Jul 1, 2007
  22. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    The reason one shouldn't use a defragger under PS is that PS uses a temp file to store all hard drive changes, including sector rearrangement. A large defragging operation could cause this temp file to become significantly large and use up all free space on the drive, forcing you to end your session. This was stated on the PS website. You can probably get away with it, as YankinNCrankin has testified, but it would serve no purpose and isn't worth the risk.
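
A simplified model of the behaviour described in the post above, as an added example that is not part of the original thread and not PowerShadow's actual implementation. The class and function names, sector counts and capacity are assumptions chosen for illustration; it shows that relocating sectors consumes change-store space even though no file content changes, and that a reboot discards it all.

```python
class OverlayFull(Exception):
    """Raised when the change store has no free space left."""

class ShadowedDisk:
    """Toy model: base sectors are never modified; writes go to an overlay."""
    def __init__(self, base, overlay_capacity):
        self.base = list(base)            # protected sectors (constructed data)
        self.capacity = overlay_capacity  # free space available to the temp file
        self.overlay = {}                 # sector number -> redirected contents

    def read(self, n):
        return self.overlay.get(n, self.base[n])

    def write(self, n, data):
        if n not in self.overlay and len(self.overlay) >= self.capacity:
            raise OverlayFull(f"no room to redirect sector {n}")
        self.overlay[n] = data

    def reboot(self):
        self.overlay.clear()              # leaving shadow mode discards changes

def defragment(disk, fragments, start):
    """Move a file's scattered sectors to a contiguous run beginning at start."""
    data = [disk.read(s) for s in fragments]   # read first so moves cannot clobber
    layout = []
    for offset, (src, chunk) in enumerate(zip(fragments, data)):
        dst = start + offset
        if dst != src:
            disk.write(dst, chunk)             # every relocation is a sector write
        layout.append(dst)
    return layout

def demo():
    base = [b"free"] * 16
    fragments = [3, 9, 5, 14]                  # constructed fragmented file
    for i, s in enumerate(fragments):
        base[s] = b"part%d" % i
    disk = ShadowedDisk(base, overlay_capacity=8)
    before = [disk.read(s) for s in fragments]
    layout = defragment(disk, fragments, start=0)
    same_content = before == [disk.read(s) for s in layout]
    grown = len(disk.overlay)                  # sectors consumed by the temp file
    disk.reboot()
    return same_content, grown, disk.base == base, len(disk.overlay)

def demo_exhaustion():
    disk = ShadowedDisk([b"x"] * 16, overlay_capacity=2)
    try:
        defragment(disk, [3, 9, 5, 14], start=0)
    except OverlayFull:
        return True                            # session cannot continue
    return False
```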
     
  23. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    So what is a person to do? Should I just continue to let my hard drive become more and more fragmented? As I said I don't run in Shadowmode all the time and I do install/remove programs from my system when not in Shadowmode. Maybe this is a reason to switch to Returnil? I have never tried it but it does get good reviews here at Wilders it seems. I believe it is OK to defragment the drive when using that program if I am not mistaken.
     
  24. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Firebytes, it's ok to defrag when NOT running in shadowmode.
     
  25. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    Ahhh, see that's what I have been trying to determine all along. I hope you are right. The way I understood it from the other posts even defragmenting when not in Shadowmode would cause PS to build a large temp file when it was started.

    Thanks Riverrun :D
     