Rollback91 and Hot Imaging

Hi there Rollback Frog, welcome to Wilders. It's good to have some fresh meat here, especially frog-legs!

Although I'm an IFW noob, I am a long-time Rollback Rx and Drive Snapshot user. Like other RB users, I'm enthusiastic about being able to reliably hot-image a system partition with RB and all of its snapshots, so I've been following this thread with interest and now (with your participation) even more so!

Again, welcome aboard.

Aaron

 

Thanks, Aaron!

To make things clear... our effort has been mostly in the HOT imaging area. Most any decent imager that offers a RAW or "All sectors" or "sector-by-sector" option in their backup operation, OUTSIDE OF WINDOWS (CD/USB-based DOS/LINUX/PE), will provide the needed off-line backup for RBRX enabled systems.

Some other summary items that may be of general use in your thread. After much testing (haven't done 'em all yet... and may not ), it's clear that any product that uses the Windows VSS (Volume Shadow Service) to do its imaging is doomed on a RBRX protected system. The disk i/o calls made by the VSS wind up going through the Rollback disk pre-driver and, as a result, get distorted as far as the baseline and the MBR-Track0 are concerned.. it's just unavoidable. I messed with Acronis TI, Macrium and DS and found them all to be of the restoration failure type.

"Image For Windows" is unique in its use of PhyLock. Not that PhyLock is that technically unique (it's a good base system locker as is VSS), but as a pre-driver it talks DIRECTLY to "disk.sys," Windows' basic hard disk driver... nothing in between. That's why IFW can be successful at imaging an RBRX system... but only if its pre-driver is called first when talking to the disk sub-system. If RBRX's "Shield" pre-driver is called first, even by IFW, the result is the distorted baseline file system along with a false MBR (for RBRX purposes) and a "tweaked" Track0" (would be disasterous for any system/app that used Track0 for its management).

When I first discovered this it was by accident, when I was led to an unrelated TeraByte Unlimited Forum post that gave me the hint I needed at getting to the bottom of what was going on.

At the moment I have switched to IFW for my HOT imaging requirements and am in what I would call a "production test mode." Although I've proven the above mentioned IFW/RBRX concept in a test environment (Basic XPsp3, 2-partition, single disk system with RBRX protecting the active BOOT partition only), I need to test it further in a multi-disk, multi-partition environment (Win7 also). The feeling at this point is that it will carry through without problem.

My goal is to keep pressure on HDS (RBRX's author) to make sure that the upcoming major release of their imaging product, Drive Cloner, is indeed Rollback aware (none to date have been). It should be able to backup up in "used sector" mode (not ALL SECTOR image), and the used sectors need to include the real baseline image as wel as all snapshot redirected sectors as well... this would be the ultimate, I think.

Thanks again for having me!

 

Right. That's been my modus operandi over the past few years. Quite reliable, but of course, a bit of a nuissance.

That certainly would be ideal, but RB's developers have been very sloooow to respond to user requests. Even with HDS' latest commitment to a true RB-compatible disk-imaging capability they seem to be going down an avenue of marrying two separate products to accomplish the end-result rather than a more desirable integrated 'RB with disk-imaging' product.

Thank you for joining us here at Wilders!

Aaron

 

@TheRollbackFrog,

welcome at the Wilders. You are right the upperfilters; I did the testing in a virtual machine and I installed first RBRx and then IFW.

I checked your guide, nice work. The only thing that you should modify is that the setting "Use Disk Storage" should be disabled otherwise it can overwrite sectors of the hidden snapshots, more info https://www.wilderssecurity.com/showpost.php?p=1832472&postcount=106
https://www.wilderssecurity.com/showpost.php?p=1832764&postcount=110


Panagiotis

 

I am not a user of Rollback.I never did much testing and have no time for testing either, my ways or yours. I just had a interest. The below is tested.

I will divulge now, how I managed to backup all snapshots from within Windows and restore all snapshots without having to backup and restore any MBR seperately.

What I did was patch the protected first track, into the first baseline image, overwriting the standard one. Every snapshot taken there after from this base image will also have the protected MBR in it.

This means when taking a full sector image backup from within windows, you backup the all important protected MBR. /smile

When you come to restore, you will have all your snapshots back fully working! Ensure to restore first track back as well.

This maybe a cheat but it works and only has to be done once.

 

Greetings Panagiotis! I will be happy to make the document change but am leary about the action of that setting, I probably need TU to explain it further. The reason for my bit of doubt is the following... it makes absolutely no sense at all to be modifying the partition that is being imaged in a sector-by-sector mode by writing the PhyLock swap file in that very same image space. In a non-RAW mode (used sectors only, no RBRX) it makes perfect sense to be adding an additional file after the lockdown of a given structure... the file will never be in that image. But think about locking down an entire disk (for a full sector RAW image)... where's the phylock.swp file gonna go?

I guess I think there's more to this option, especially when using the "All sector" option of IFW, than meets the eye.

Your thoughts?

 

A cheat for the bogus MBR... yes, but not a Rollback snapshot solution. Although the RBRX MBR will return, offering the usual sub-CONSOLE if desired, but the image returned from the save will not contain the proper INSTALLATION baseline. The INSTALLATION baseline following the restoration will be the machine state at the time of the backup, not the INSTALLATION baseline.

 

I have a direct question into TU concerning the option above. While scrounging around on the TU website I found the following...

Taking that statement at face value, when the ENTIRE (Option="Backup Unused Sectors") partition (or disk) is locked, it appears that only a RAM cache will be used for PhyLock.swp.

Hopefully I'll get a complete answer from TU...

 

Check here http://www.terabyteunlimited.com/kb/article.php?id=285 about PHYLOCK.SWP
PHYLOCK.SWP is not created after the lock but is created before the lock takes place, so it does make sense.
The problem is that the phylock driver creates it and since it "talks" directly to "disk.sys" bypasses the RBRX protection and it will overwrite the sectors of a hidden snapshot.
If you disable it, PHYLock will use only the ram cache.

Panagiotis

 

But it can be written and in fact it does. Just start an imaging process and you'll see that phylock.swap is created in the c:\ directory.

Panagiotis

 

Thanks for the pointer, Panagiotis... that really suprises me. Now I'm back to CAUTION mode

I will update the document...

 

I have tested this. I can restore back to the installation baseline and everything is at it was. All exact data at the time the baseline was taken is back.

Incidentally, when RBRX is installed, just before it asks you to restart. The protected MBR is in a unprotected state. You can view it within Windows. This allows RB to enter debug mode.

 

I'm confused about the posts above. I have both Rollback and IFW. Just purchased IFW yesterday. If I make a image do I need to uninstall Rollback first. Then reinstall after the image has been taken?
Thanks
zach

 

Hi Zach! There are some quirks with IFW as far as HOT imaging of an RBRX protected partition/disk. Imaging from the RECOVERY MEDIA will not be a problem if you use the "Backup Unused sectors" option on the Backup options page. This will return you a fully functional Rollback protected volume.

If you'd like to HOT image a Rollback protected partition (say scheduled under Windows), it's best you give a read to the following thread over at the Rollback RX forum...

http://horizondatasys-forum.com/rollback-rx/2491-rollback-rx-image-windows-perfect-together.html

Either of the above methods work well without removing Rollback RX. Good luck!

 

RollBackFrog Thanks for the info. I'm not sure if I want to go that route. If something goes wrong I'll be up the creek. I'll play it safe and uninstall rollback before doing an image.

 

zach,

If you don't want to use the 'raw hot-image' method being discussed and would be content with just backing up your most current operational state, you should consider simply making a standard hot-image (without having to uninstall-reinstall RB). It's a lot less work than uninstalling RB, then creating disk-image, then reinstalling RB everytime you want to backup.

Restoring a standard disk-image backup (made with RB installed and running) will recover your current snapshot. Yes, you will have to reinstall RB after restoring this image, but you won't have to uninstall-reinstall RB in order to make backups (which should be done frequently) and since, in all likelihood, you are not restoring very often you won't have to reinstall RB very often!!!

Aaron

 

Any ideas on how to hot-image using Drive Snapshot? Do I need to backup the MBR with, say, MBRWizard first?

 

Nate,

Afaik, the only way to hot-image an RB partition using Drive Snaphot is to make a standard (normal) backup, as I suggested to zach (post 166). As long as you are content with only backing-up your current RB snapshot that method works just fine.

Imho, there's no need to make a separate backup of your MBR because upon restoring the image you will have to reinstall RB anyway and in the event that you encounter an MBR problem you can just run FIXMBR (before reinstalling RB). That said, I should really defer to Panagiotis' opinion on your MBR question.

Aaron

 

Maybe I'll try what you suggest Aaron. It is a pain to uninstall then reinstall Rollback. Thanks

 

Aaron I think I read where I need to have rollback installed first then install IFW is this correct?

 

Is impossible.
-If drive snapshot offered the option to include the pagefile and the hibernation file in the image maybe it could be done in two steps (a normal snapshot from outside windows and a raw snapshot from RBRX enviroment; during the restore you would restore first the raw and then the normal+mbr).

Panagiotis

 

I'm not very IFW-literate, so it's best to pass this on to Panagiotis or TheRollbackFrog.

Aaron

 

Panagiotis,

Afaik, DS does not include those files in its image-backup, nor is there any option to do so.

Using DS to run a standard image-backup from within Windows works perfectly for me, but (of course) Nate will have to be content with just capturing his current RB snapshot...

Aaron

 

Hopefully someone can shed some light on this.

 

Zach in the pm you wrote that you installed IFW after RBRx and then took a normal image (probably with the default settings of IFW). This means that you used PHYLock; IFW in your case captured the baseline shield with the RBRx mbr without the RBRx subsystem and PHYLOCK.SWAP overwritten your current snapshot. After the restore, RBRx found the subsystem (it was not overwritten) and tried to load the current snapshot but since a part of it was deleted during the backup it caused the BSOD. You are victim of the combination of the following
https://www.wilderssecurity.com/showpost.php?p=1805063&postcount=18
https://www.wilderssecurity.com/showpost.php?p=1832472&postcount=106

With IFW and RBRX combinations:
- if IFW is installed after RBRx (PHYLock driver is loaded before shield driver), you can take a full raw backup, not the current snapshot.
- if IFW is installed before RBRx (PHYLock driver is loaded after shield driver), you can take a normal backup of the current snapshot.
- if IFW is configured to use VSS instead of PHYLock (as displayed at the image below) you can take a normal backup of the current snapshot; it does not matter if you install IFW before or after RBRx. Just use this setting and don't worry about the order of the drivers.

Panagiotis