The unofficial Shadow Defender Support Thread.

Discussion in 'sandboxing & virtualization' started by Cutting_Edgetech, Feb 14, 2011.

  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think the problem that TheMozart faces is that the system partition he is referring to isn't visible within SD so it can't be put into Shadow Mode. I agree that any part of the disk could in principle be written to by malware but how likely that is in this case, I really don't know.
     
  2. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    This is a Windows recovery partition that contains your boot files. It does the same job as a Win7 recovery CD, and it's best for it to be left alone. In the Ultimate and Enterprise editions of Win7 it also contains Microsoft's BitLocker encryption software that comes bundled with those versions of Win7. When you put C: on shadow mode that partition is being protected as well.
     
  3. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    No, I definitely wasn't suggesting that you try to remove it. You would corrupt your partition table which would probably result in critical data loss if you did.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Have you tested this to confirm it or is it an assumption? I plan to move to Windows 7 at some point in the near future and it would be helpful to know the answer.
     
  5. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I don't use this bitlocker partition (I pre-formatted my disk before installing Windows), so no, I haven't tested it. But let's not forget that this partition is not a 'regular' partition. It's an essential part of Windows since it contains the Win7 boot manager and boot files. I am pretty confident that SD can see the hidden partition and protect it as part of Windows. In fact I'd bet my house on it.

    Seriously, I can't imagine Tony leaving such a huge backdoor open for malware to exploit. It would be naive to think otherwise, considering the effectiveness of SD against malware that exploits the boot sector, like TDSS rootkits...
     
  6. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    This partition is useless and only for Windows Anytime Upgrade. The greed of Microsoft.

    Microsoft gives you BitLocker only with Ultimate/Enterprise Editions. Basically, if you have either of these two Ultimate/Enterprise Editions and want to use BitLocker and encrypt your "system drive partition", then you have a small partition, which contains the bootmgr and is not encrypted, thus allowing you to boot from it and then decrypt the "system drive partition".

    One should get rid of it for the following reasons:

    1. It is useless and not required.
    2. Each MBR allows four partitions and it takes one of the partitions.
    3. And, more importantly each hard disk allows for four primary partitions, and it takes up one of the primary partitions.
    4. Which forces one into logical partitions and more MBRs.

    I have gotten rid of this on more than 20 computers with no ill effect.

    Best regards,

    KOR!
     
  7. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dear TheMozart,

    Here is a screen shot of my daughter's hard disk again:
     


  8. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    See how her hard disk is. She has WIN7 x64 on her laptop.

    1. Four Primary Partitions, that is the maximum allowed.
    2. No Logical Partitions.
    3. One MBR and not two MBR.
    4. Her "System Drive Partition" is very small for making quick and efficient imaging.
    5. Her "SIMs Partition" is again very small and separate with "GameData" in it.
    6. Her "DataDisk Partition" is again very small and separate from the "System Drive Partition".
    7. The "Master Partition" is the biggest for her Music and Videos.

    Now compare this with your partitions: you have both Primary and Logical Partitions. And, your "System Drive Partition" is very, very big and 91% free.

    Best regards,

    KOR!

    P.S. TrueCrypt is not a Real Partition, but a Virtual Partition.
     
    Last edited: Jun 6, 2012
  9. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Hi KOR, I agree with almost everything you said. As I mentioned earlier I don't use it myself, however one can enter the Windows recovery environment with that partition without having to use a recovery disc. This is good especially for novice users who normally would not create a Windows recovery disc. It simplifies recovery via phone tech support when the end user at the other side of the line has very limited Windows knowledge. This is the reason I recommend for people to leave it alone - unless of course they're experienced users.
     
  10. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    This is the first I've heard of this; can you substantiate the above?

    I have done more than 20 computers, never seen the WINRE, Recovery Environment, disappear.

    The size of this partition is about 100-200 MB at the most. There is no way on earth that it can contain the massive amount of WINRE, Recovery Environment.

    Are you sure?
     
  11. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    The above partition only contains the bootmgr, which you will be moving to the "System Partition C" properly, and then you will delete this partition. If it is not properly done then one cannot boot.

    Then, it is easy. Just put in your WIN7 Disk and do "Start Up Repair" twice, and then one will be able to properly boot from "System Partition C".

    No Rocket Science involved!
     
  12. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    That sounds great, but how do you know that SD places the SYSTEM Partition into Shadow Mode when I select C:? Testing or Documentation? Or are you guessing?
     
  13. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I want to get rid of it, but I'm worried that my W7 won't boot and then I need to reinstall W7 from scratch and start all over again. :'(

    Is there a way to remove SYSTEM with 100% reliability?
     
  14. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I only have a W7 HP Install DVD. Where do I get the WIN7 Disk that can do REPAIR?:blink:
     
  15. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
  16. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
  17. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Yes, I gave you the link and it is very easy, but looking at the link it seems complicated!
     
  18. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Added a second link from Microsoft. I have used it myself. Press F8 on a system that has the 200MB size hidden partition, and the recovery environment option will be available. No point talking about this any longer, King.
     
  19. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Same one! But hopefully you won't need it!

    Also, I have downloaded all flavors of WIN7 (Home, Home Premium, Professional, Enterprise, Ultimate ...) and put them on USB.

    If you are afraid, make an image first of both "System Reserved Partition" and "C". Like that you can fall back to the image, but you won't need it.

    Also, after that make an image of your "C" only.

    Best regards,

    KOR!
     
  20. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    See from your link from Microsoft, you can get rid of it without any ill effect, and still get into WINRE, Windows Recovery Environment, by pressing [F8].
     
  21. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    If the 200MB partition is not there then you won't get the option to repair your computer when you hit F8. This is definite. Microsoft's Andre Da Costa post says so, and I have done it myself. I simply don't understand where you're going with this, King. o_O
     
  22. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Where are you getting the above information from?

    Where is the link for the above information?

    Basically, you will be moving the data from the 200 MB partition to the C partition and then deleting the 200 MB partition.

    You can still hit F8 and get into the option to repair your computer.

    I simply don't understand where you're going with this. o_O

    Give a link to prove what you are claiming?
     
  23. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Ok now I am happy. I got rid of SYSTEM and no longer need to worry about it being infected or tampered with during Shadow Mode. So now when I place C: into Shadow Mode, I can know EVERYTHING, system etc., is in Shadow Mode because it's now all on C: :) :thumb:

    KOR, removing the SYSTEM Partition won't affect system updates to W7, will it? I can still install future service packs and updates?
     
  24. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I think I understand where the confusion lies, on my part as well. I was thinking about TheMozart considering deletion of the hidden partition, and hoped he'd use the bcdboot c:\windows /s c: command first to transfer the boot files; then mark C: as active before rebooting and safely deleting the hidden partition afterwards. In this case I'm under the impression that WinRE won't be copied over, so the user won't be able to access it by using F8. Is this what you did, Mozart?

    If on the other hand you are installing Windows on a pre-formatted drive without using the Windows setup tools to modify the already created partition, then the hidden one will not be created but WinRE will still be available from C:. I assume this is what you mean, King, and it is of course true.

    Good thing you removed it anyway, Mozart; like King, I find no good use for it myself. And yes, you can update everything just fine after removing the thing. I know it's only a tiny bit of space taken by it, but since the Vista days it has always bugged me just by being there. Anyway, I think it's logical for users who are not comfortable with Windows troubleshooting to leave it alone. Had quite a few calls from people who had deleted that hidden partition using bootable third party partition managers, not realizing they had to copy over the boot files and mark C: as active first.

    Regarding the test I promised, I will definitely do it as soon as I have some downtime - hard the next few weeks, too much work. I have some scheduled downtime for end of June/mid July so I'll most probably try it then and share it with you guys. I think King is correct saying that once I uninstall RX I'll have problems with SD and my SSDs, given the times he has tested this setup. And I'll definitely check my bro's computer when I see him next, maybe his UEFI is set to RAID after all, and I'm just suffering the early stages of Alzheimer's. Last time I was there I left his machine with SD on and tested it a few times to see if it works. It worked and it rebooted rejecting the changes without problem, and I'm sure it was on AHCI mode. As far as I know he doesn't use it all the time, mostly manually when he is not sure about certain sites.

    Regarding the Luck vs Science thing, King, what I meant was the fact that your individual hardware and software configuration can make or break a program for you, especially if it is a buggy thing like Comodo Time Machine v2.8. That thing worked perfectly for me on two PCs with hard disks - and served me well for a long time - whereas it had terrible incompatibility problems with many different configurations. I was lucky that my individual hardware/software combo could 'handle' it. Of course it is all science, but luck plays a role in that respect. Luck to have chosen the right mix of gear that a buggy software agrees with.
     
    Last edited: Jun 6, 2012
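    The procedure CyberMan969 describes above (bcdboot to C:, mark C: active, reboot, only then delete the hidden partition) is where the phone calls he mentions come from: people delete the partition first and lose bootmgr. The script below is an added example written for this thread, not code from Shadow Defender, Microsoft or any poster. It runs the bcdboot step, verifies the BCD store bcdboot wrote on C: actually points at C:, reports whether C: already carries the MBR active flag, and deletes nothing; the diskpart commands are printed for the administrator to run by hand after imaging both partitions, as aladdin suggests. It assumes a BIOS/MBR Windows 7 install where bcdboot places the store at C:\Boot\BCD, and it assumes diskpart's 1-based partition number equals the WMI Win32_DiskPartition Index plus one, which should be confirmed against diskpart's own "list partition" output before typing "active".

```powershell
# Added example, not code from the thread. Pre-flight for retiring the Windows 7
# "System Reserved" partition on a BIOS/MBR machine. Run from an elevated prompt
# AFTER imaging both the hidden partition and C:. Nothing here deletes a partition.
param(
    [string]$WindowsDir = 'C:\Windows',   # Windows installation that must keep booting
    [string]$Target     = 'C:'            # volume that will become the system partition
)

function Assert-Admin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
}

# Step 1: copy bootmgr and a fresh BCD store onto the target volume.
function Copy-BootFiles {
    & bcdboot.exe $WindowsDir /s $Target
    if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
}

# Step 2: inspect the store bcdboot just wrote. Plain "bcdedit /enum" would still
# read the live store on the hidden partition, so /store is used explicitly.
function Test-BootStore {
    $store = Join-Path $Target 'Boot\BCD'          # assumption: BIOS/MBR layout
    if (-not (Test-Path $store)) { throw "No BCD store found at $store" }
    $lines  = & bcdedit.exe /store $store /enum '{bootmgr}'
    $device = ($lines | Where-Object { $_ -match '^\s*device\s+' }) -replace '^\s*device\s+', ''
    # bcdedit prints e.g. "device                  partition=C:"
    if ($device -notmatch ('partition=' + [regex]::Escape($Target))) {
        throw "bootmgr device in $store is '$device', expected partition=$Target"
    }
    return $device.Trim()
}

# Step 3: map the drive letter to its disk/partition and read the MBR active
# flag (Win32_DiskPartition.BootPartition). Nothing is changed here.
function Get-TargetPartition {
    $query = "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$Target'} " +
             "WHERE AssocClass=Win32_LogicalDiskToPartition ResultClass=Win32_DiskPartition"
    $part = Get-WmiObject -Query $query
    if (-not $part) { throw "Cannot map $Target to a partition" }
    return $part
}

Assert-Admin
Copy-BootFiles
$device = Test-BootStore
$part   = Get-TargetPartition
Write-Host ("bootmgr on {0} points at {1}" -f $Target, $device)
Write-Host ("{0} is disk {1}, WMI partition index {2}; active flag: {3}" -f
            $Target, $part.DiskIndex, $part.Index, $part.BootPartition)

if (-not $part.BootPartition) {
    Write-Host "Next, in diskpart (confirm the partition number with 'list partition' first):"
    Write-Host ("  select disk {0}" -f $part.DiskIndex)
    Write-Host ("  select partition {0}" -f ($part.Index + 1))   # assumption: diskpart = WMI index + 1
    Write-Host "  active"
}
Write-Host "Reboot with the hidden partition still in place and confirm Windows starts."
Write-Host "Only after a successful boot from $Target remove the old partition in Disk Management."
```

    The order matters for the reason the post gives: until C: holds a boot manager and is the active partition, the hidden partition is the only thing the BIOS can boot from, so the check in Test-BootStore runs before the script even prints the diskpart steps, and the delete is left to a separate, later action.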
  25. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Great post, pegr. Since I'm unable to send you a PM I'll just thank you here for your consistently informative and thought provoking posts throughout the site. :thumb:

    (This is in no way meant to denigrate the great contributions made by the other members who have posted in this thread. :cool: )
     