VHD Sandboxing - boom or bust?

Discussion in 'sandboxing & virtualization' started by Sully, May 8, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been learning about what is called "Native Boot" and VHDs. For those of you who may not know, a VHD is a virtual hard drive that Windows 7 can use natively. Pretty simple. You create the virtual drive, which is just a file. You mount it and activate it. It becomes another drive letter, much like a mapped drive.

    A VHD can hold an OS. You can use them in different virtual machine software. You can use them as image backups and restore from them. You can extract the contents. And, you can boot into them.

    I am messing with the ability to make my OS on drive c: into a VHD, and then boot that VHD from the boot menu. It seems to be difficult to do.

    To use native booting, what many are doing is to create a virtual drive, then install the OS onto that drive, then boot into it. That seems to work from all I have read, or at least there are lots of success stories.

    I don't really want to do that, although I know that I could. Instead, I am seeking to take my already installed and configured OS, make a VHD of it, then boot into that. In this manner, I could have a "sandbox" environment to test in or whatever, and it does not affect my normal OS drive.

    Does anyone have any info to share on this topic? I think it would be a marvelous way to go about things - make a VHD of your drive, fix it so it can be booted, then use it and throw it away after you are done.

    Sul.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Would using something like Paragon Virtualization Manager maybe help?
     
  3. boyans

    boyans Registered Member

    Joined:
    Apr 22, 2011
    Posts:
    6
    A backup and restore tool would do.

    1. Make a full backup (including hidden+system files) of C:
    2. Create a VHD file with suitable size (single partition+NTFS).
    3. Attach the VHD.
    4. Restore from backup to 'VHD drive'.
    5. Make bootable (bootsect.exe).
    6. Add entry for VHD in the BCD.
    7. Reboot - select VHD entry.

    I have not tested this but a VHD when mounted behaves like a real disk.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't know. I will check that out. Ideally getting it to work should involve as few 3rd party tools as possible, but that may not be possible. Thanks for the idea.

    Sul.
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It doesn't quite work like that for me. First, you cannot attach the VHD in the same drive you made the image from - there is an ID collision. This I can understand and have no issues with, although it would be nice to find a fix for it other than using Sysprep.

    I already have an entry in my BCD, and have messed with what few options there are for it. Thus far nothing has worked.

    Regarding bootsect, that is a good idea, but I am unsure really what I would be doing. I had expected that since the VHD is made from a complete installation, and since a native boot from VHD runs on bare metal, that it would work easily as all drivers etc are existing. I know in a VM you can have issues with VM drivers vs. bare metal drivers. I guess I don't know what to do from this point regarding the boot sequence, but it surely seems this is where the problem lies.

    I had thought to just replace the HAL, but I have not messed with hals in win7 at all yet, and in fact don't even know if it works the same as it did in 2k/XP or not.

    If I could figure out the trick to make this boot, the process is really simple. You use a Sysinternals tool called Disk2VHD to make your VHD, then a couple commands to add the BCD entry, and then the missing piece - bootsect or HAL or whatever the answer may be. That is a pretty easy process IMO.

    Thanks for the input.

    Sul.
     
  6. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    To use Windows 7 VHD booting you need Win 7 Ultimate or Enterprise. I was very disappointed Win7 Professional did not offer this feature. There are ways around this, but they are pretty complicated.

    I've VHD booted before, and it's pretty simple to do with the right instructions. I'm pretty sure you can use an image tool to clone your drive and then apply it on to a VHD. Here is what I would do:

    Make a bare metal image of your drive. I use ghost 11.5 (from Ghost solution suite), but there are plenty of others that do the same thing.

    Once you have the backup, you can create a VHD. In windows 7, open an elevated command prompt. Run DISKPART and type the following

    create vdisk file=C:\win7.vhd maximum=60000 type=expandable

    **NOTE: if you need more than 60GB, increase the "maximum=" entry.
    ** If your disk is more than 3/8 full, I would not recommend copying your
    ** entire HD over. Now, lets continue with the diskpart commands:

    attach vdisk
    create partition primary
    format fs=ntfs quick
    assign letter v

    Now you have a VHD, mounted and assigned drive letter V. Restore your image to letter V now.

    You can use the built in Windows tool "bcdboot" to boot to your VHD, but I prefer to use EasyBCD which has a nice GUI that lets me customize the boot options much faster.

    Once you've finished this, you can just reboot and then boot to your VHD. The only difficulty I see now is keeping your VHD synchronized. I guess you can perform incremental backups of your original OS, and then apply them?
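
    The steps above, as an added example that is not hpmnick's script: the diskpart commands plus the bcdedit entry that the thread keeps circling around, in one elevated PowerShell run on Windows 7. The VHD path (C:\win7.vhd), the drive letter V: and the 60 GB size are assumptions of the example, and restoring the image into V: is still a separate manual step (Ghost, Macrium, imagex /apply, whatever you use).

```powershell
# Added example (not from the thread): create an expandable VHD, partition it,
# and register it for native boot. Assumptions: Windows 7, elevated PowerShell,
# VHD at C:\win7.vhd mounted as V:, 60 GB expandable.
$VhdPath  = 'C:\win7.vhd'
$SizeMB   = 60000
$Letter   = 'V'
$BootName = 'Windows 7 (native VHD boot)'

if (Test-Path $VhdPath) { throw "$VhdPath already exists; refusing to overwrite it" }

# diskpart on Windows 7 has no cmdlet front end, so drive it with a script file.
$dpScript = @"
create vdisk file=$VhdPath maximum=$SizeMB type=expandable
select vdisk file=$VhdPath
attach vdisk
create partition primary
format fs=ntfs label=Win7VHD quick
assign letter=$Letter
exit
"@
$dpFile = Join-Path $env:TEMP 'mkvhd.txt'
Set-Content -Path $dpFile -Value $dpScript -Encoding ASCII
diskpart /s $dpFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
if (-not (Test-Path "${Letter}:\")) { throw "volume ${Letter}: did not appear" }

Write-Host "VHD attached as ${Letter}:. Restore the OS image into it now, then press Enter."
Read-Host | Out-Null

# Register the VHD with the boot manager. Cloning {current} inherits the running
# system's loader settings; only device/osdevice (and detecthal) have to change.
$copyOut = bcdedit /copy '{current}' /d $BootName
# bcdedit prints "The entry was successfully copied to {GUID}."
$guid = [regex]::Match(($copyOut -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "bcdedit /copy did not return an entry GUID: $copyOut" }

# BCD syntax for a VHD device is vhd=[<drive>]<path on that drive>
$vhdRef = 'vhd=[{0}]{1}' -f $VhdPath.Substring(0, 2), $VhdPath.Substring(2)
bcdedit /set $guid device   $vhdRef
bcdedit /set $guid osdevice $vhdRef
bcdedit /set $guid detecthal on
bcdedit /displayorder $guid /addlast

# Show the finished entry: both device and osdevice must read vhd=[C:]\win7.vhd
bcdedit /enum $guid
```

    The last line is the check worth doing before you reboot: if either device or osdevice still says partition=C: instead of vhd=[C:]\win7.vhd, the entry will load the physical C: with the VHD merely attached, which is the symptom described later in this thread.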
     
  7. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Ok, now on to a topic that is a little more advanced.. snapshotting your VHD. Unfortunately, VHD snapshots are space consuming. They are at a block level, so even useless changes like temp files and defragmenting will cause them to balloon. So, in order to prevent this from becoming a problem, here is what you do first:

    Inside your VHD
    1) Turn off disk defragmenter.
    2) Move the pagefile to a different disk. The VHD will be disk C, and your original windows install will be disk D:. I recommend moving the Pagefile to disk D.
    3) turn off the hibernation file (powercfg -h off)
    4) Make a D:\temp and a D:\temp\yourusername\ folder. Go into system properties -> advanced -> environment variables ... Change the userprofile's temp folder (temp and tmp) to D:\temp\yourusername and the system's temp folders to D:\temp.
    5) Turn off System Restore
    6) Turn off the recycle bin
    7) Optionally, move the cache/temp folders of any browser to D:\

    Ok, after all that, we are ready to add snapshotting. Here is what you do, inside of your original windows 7.

    1) Go back into Diskpart from an elevated command prompt:
    create vdisk file=C:\temp7.vhd parent=C:\win7.vhd
    exit diskpart

    2) Now, make a copy of temp7.vhd, and name it temp7.vhd.empty. Now, in your root of C:\ you should have win7.vhd, temp7.vhd, and temp7.vhd.empty

    3) For a quick rollback, make a batch file called discard.bat (or whatever name you want). This will erase the changes made. Mine looks like this:

    copy /y temp7.vhd.empty temp7.vhd
    REM - we overwrite the active VHD with the empty copy of the original.

    4) You may want to commit the changes at some point, and here is the procedure:

    Enter Diskpart and type:
    select vdisk file=c:\temp7.vhd
    merge vdisk depth=1

    This will commit the changes. I believe you can script this, but I always do it manually. IF YOU COMMIT THE CHANGES, you should then run the discard.bat in step 3.

    5) Now, in order to use the snapshot properly, you must stop the system from booting to Win7.vhd. Instead, you need to tell the system to boot from the snapshot. Open up EasyBCD and delete the previous entry you made for C:\win7.vhd. Make a new entry for C:\temp7.vhd . Boot to that and you are set.

    Theoretically, you can make quite a few snapshots. I only use one, but you can easily make a new VHD (temp7B.vhd) and set the parent as C:\temp7.vhd. If you wanted another snapshot, you could make another new VHD (temp7C.vhd) and set the parent as temp7b.vhd. You can go on and on chaining them together..
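
    The snapshot lifecycle above (create the child, discard it, commit it, point the boot entry at it), as an added example rather than hpmnick's batch file. Paths C:\win7.vhd and C:\temp7.vhd and the BCD entry GUID are assumptions; the script is meant to run elevated from the host OS, never from inside the child it is resetting. One design choice differs from the post: instead of keeping a saved blank copy of the child, it deletes and recreates the child with diskpart, so the parent link is always current. It also sets the parent file read-only, as Sully does later in the thread.

```powershell
# Added example (not from the thread): differencing ("snapshot") VHD in front of
# a native-boot parent. Assumptions: parent C:\win7.vhd, child C:\temp7.vhd,
# BCD entry GUID supplied by the caller, elevated PowerShell on the host OS.
param(
    [string]$Parent = 'C:\win7.vhd',
    [string]$Child  = 'C:\temp7.vhd',
    [Parameter(Mandatory=$true)][string]$BcdGuid   # e.g. '{a1b2c3d4-....}', from bcdedit /enum
)

function Invoke-Diskpart([string[]]$Commands) {
    $f = Join-Path $env:TEMP ('dp-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $f -Value $Commands -Encoding ASCII   # one diskpart command per line
    diskpart /s $f | Out-Null
    $rc = $LASTEXITCODE
    Remove-Item $f
    if ($rc -ne 0) { throw "diskpart failed ($rc): $($Commands -join '; ')" }
}

# A differencing child is only valid while its parent is untouched, so freeze the parent.
function Lock-Parent   { (Get-Item $Parent).IsReadOnly = $true }
function Unlock-Parent { (Get-Item $Parent).IsReadOnly = $false }

# Start from a fresh, empty child (this is also the "discard all changes" operation).
function New-Snapshot {
    if (Test-Path $Child) { Remove-Item $Child -Force }
    Invoke-Diskpart @("create vdisk file=$Child parent=$Parent")
    Lock-Parent
}
function Reset-Snapshot { New-Snapshot }

# Fold the child's changes into the parent, then open a new empty child.
# Merging writes to the parent, so any *other* child of that parent is invalidated.
function Merge-Snapshot {
    Unlock-Parent
    Invoke-Diskpart @("select vdisk file=$Child", "merge vdisk depth=1")
    New-Snapshot
}

# Point the existing boot entry at a VHD (the child, so the parent stays pristine).
function Set-BootTarget([string]$VhdPath) {
    $ref = 'vhd=[{0}]{1}' -f $VhdPath.Substring(0, 2), $VhdPath.Substring(2)
    bcdedit /set $BcdGuid device   $ref | Out-Null
    bcdedit /set $BcdGuid osdevice $ref | Out-Null
}

# First run: take the snapshot and boot the child from now on.
New-Snapshot
Set-BootTarget $Child
bcdedit /enum $BcdGuid
```

    Two caveats a practitioner would want here. First, if you chain children (temp7B on temp7, and so on), a merge at any level invalidates every sibling and descendant that is not on the merged path; keep the chain linear or merge from the leaf. Second, the space-saving steps in the post move the pagefile and temp folders onto the host's D: volume, which means whatever the sandboxed OS pages out or unpacks into %TEMP% lands on the host disk and survives the rollback; that is fine for saving space, but it is not a sandbox boundary.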
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Very nice. I had not thought about creating a vdisk, then restoring an image of my OS drive to the vdisk. That sounds like a great way to make the VHD, much faster than using Disk2VHD. My images now using Macrium take about 5 minutes to create and 3 to restore. I will be interested to see how quick it is.

    As for the rest, thanks for that info. I will dig into it and see what develops. I understand most of it already, so it should not be too confusing.

    Sul.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    How does the snapshot features or synchronizing features fit into a sandbox type situation? I mean, what I want to do is create (as quickly and easily as possible) a VHD that is essentially a duplicate of my installed OS. I will try the imaging restoration to vdisk for that.

    Then, assuming the VHD is now native booting on bare metal, I can see perhaps changing the cache and temp and %profile% directories. But aside from that, what I am wanting to play with is the ability to do whatever I please within the VHD, and not having to worry about breaking my real OS. If the VHD gets borked, simple restore my image to the vdisk again and start over.

    Supposing then that I get this accomplished, how much of what has been mentioned would apply? I can assume that turning something like system restore off would be beneficial, but what is to be considered important (for whatever reason) and what is considered perhaps just "for best performance" type thing?

    As well, what about the different vdisk types? Fixed sounds like the best bet from what I have read, but having not done much at all with this, perhaps the dynamic is better? And what about the tools I have seen that will resize a VHD? I have an 80gb SSD drive now as my primary, and I will make a copy of this to VHD, but I will house the VHD on another drive that is 300+ gb free. But I see no reason to create a fixed VHD size of 80gb if I only want to test/experiment. So I was thinking to resize the VHD to maybe like 30gb, which should be ample room for what I plan to use it for.

    I use vmWare a lot, but sometimes I want to test things on the real machine instead of the VM. As well, once in a blue moon I attend LAN parties, and this would be ideal for making a VHD, then playing games etc, then booting into my real OS when I get home and deleting the VHD. This brings home no unwanted transients (not that I ever have that problem, just a scenario). It could also be used if I took my laptop on a trip and needed to connect to other networks. So many usages I could see for it, maybe a bit specialized, but still sounds interesting.

    Sul.
     
  10. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Sorry if I misunderstood. The second post, with the snapshot information is basically a way to make the VHD easily restorable in case something goes wrong. If you plan to just re-image your original OS if something goes wrong, then those steps were unnecessary. If you don't want or need a recovery option for screwing up the VHD, you can just skip the second post.

    Basically, the snapshotting would allow you to use the VHD as your primary OS, with the ability to rollback to a known good snapshot. It has the benefits of a VM (like an OS within Hyper-V), except it can see all of your hardware. The original OS would only be needed to restore the snapshot, make new snapshots or commit changes... and technically you don't even need the original OS for that. You could just use a WinPE VHD for that, and ditch the original OS if you wanted to.

    It's not so much a performance thing as a space thing. The VHD snapshots record every single change to the disk, at a block level. All the things I listed equate to a lot of writes to the disk, and will quickly balloon the size of the snapshot VHD. The same exact thing happens in VMs when you take a snapshot. Ideally, you want to keep the snapshots small, so moving all the things I listed off the VHD will greatly reduce the size. Defragmenting is probably the worst offender..


    Well, fixed VHDs have the best performance, but I almost never use them. They take a long time to set up, and immediately seize all of the disk space even though you aren't using it. Expandable VHDs aren't noticeably worse in performance for me, so I tend to stick with them.

    That would work fine.. It should be noted though that it's not a 100% security barrier. The other volumes are easily accessible when booting from the VHD, so if malware was smart enough, it could technically infect your other volumes... I don't think I've ever heard of any malware doing this, so the situation is obscure enough to keep you safe.

    I currently use my VHD boot (with snapshotting) to USB boot to infected machines for data recovery and virus removal. Some times I have to install software, copy over their files, etc. When I'm done, I revert the snapshot to its original state, and I don't have to worry about anything I did during the time I was working.

    I currently use Shadow Defender (software that erases all changes you make during a session), but I've been seriously considering using the same snapshotting technique described in this thread for my main OS. If I can boot to a VHD, and make a few snapshots here and there, it would be a lot more convenient than shadow defender.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. Strange results.

    I created the vdisk as noted in the above thread. No problem. Made sure it was a little bit larger than my image (74gb).

    I then used macrium to restore my image to that drive letter (the VHD). This made the VHD swell to roughly 10gb (the size of my OS I imaged without swap file etc).

    I used EasyBCD to create the VHD entry rather than doing it manually. I examined the BCD and found it to be formatted like it should be according to other instructions.

    I rebooted, chose the VHD entry, and am now at desktop, and see that the VHD has now expanded to its full size (81gb). However, the environment is still my normal system drive, not the image. My image is missing some tools that I have been working with lately.

    So, any ideas as to what might have gone wrong?

    Perhaps a little more info is needed though. I use a modified grldr, which has a few entries in it for starting up a Win7PE from .iso on a partition. It also has the option to load a menu.lst that is on the root of c. When I installed this OS, I placed grldr on the root, and then ran bootinst /nt60 on it. I got rid of the boot partition that the OS makes so my boot directory resides on my c drive.

    When I restored the image, I chose to also restore the MBR, which is what I usually do. So, I don't know what exactly is happening, but it seems like I am pointing to the first physical disc even though BCD is set with the VHD entry.

    Sul.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Even stranger still. I rebooted a couple more times into the VHD and the normal drive. When choosing my normal install, it is fast like normal (SSD). When choosing the VHD, I can hear the SATA drive it resides on doing a lot of activity (expanding?), and things are noticeably slower. All startup items take a few seconds longer to finish loading (gadgets etc). When I browse the box, I can hear the SATA drive working, yet my environment is most definitely not that of the image, but of what I have been using on my c drive.

    I am confused then why the SATA activity and slower boot times. It is definitely not normal to hear that, but it is definitely only happening when I boot with the VHD option. Strange.

    Sul.
     
  13. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    How many drives do you see mounted in "my computer"? You should have double the number of partitions...

    I've never personally done what you are doing, so hypothetically, this could have problems attached with it. I've put VHD's on different systems, but I've never put an image of the system into a VHD and booted on that same system.

    I'm guessing what could be happening is that the original OS volume is being loaded during the boot process at some point... but I can't think of why that would happen.

    A test might be in order. Put a text file on the C:\ drive and see if its there when you boot into the original OS.

    Also, inside the original OS, I would try recreating the mbr and bootsector. Your image restore utility may have done something funky.

    Mount the vhd as drive letter v (you can use the disk management tool for this). Then:
    bootsect /nt60 V: /mbr /force

    Also, when you made the VHD did you check the box "force portable entry"? I'm thinking that could cause this problem...
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have 3 disks. (5 partitions). I do see the VHD as local disk using d: letter, but only when choosing the VHD as the boot option.

    same here.

    Yes, I put files on both drives, and they are kept. The VHD drive is there when I choose it as the boot option, but it is not the active partition, my main SSD drive still is.

    I will try that bootsect and see. I think once I get the boot issue resolved, I can then mount the VHD in my main OS, and delete the contents, and make a "master" image of this VHD. Then, as I need to native boot, I can mount the VHD, mount my macrium image, copy the contents of the macrium image to the VHD, create the BCD entry, and reboot into the VHD. This VHD is then deleteable because I have a "master' VHD which is empty, and thus does not take up much room. I already have the macrium image which sits at about 4gb, so I would not tie up undue space.

    I have been in the habit for some time now of installing all large applications to a data drive so the size of my OS drive is pretty small. This might prove effective with native booting if I get creative.

    Thanks for the help. I sure like the prospects of this little experiment.

    Sul.

    EDIT: No, I did not use "force portable entry" but I did use DetectHal.
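
    The "which OS am I actually in?" question from the last few posts, answered from inside the running Windows instead of from disk noise. This is an added example, not something from the thread. It assumes an elevated PowerShell on Windows 7; the check that the system drive's physical disk model contains "Virtual" is my assumption about how an attached VHD presents itself, so treat the bcdedit result as the authoritative half.

```powershell
# Added example (not from the thread): confirm that the running OS was booted from
# the VHD rather than from the physical C: with the VHD merely attached.
# Assumptions: Windows 7, elevated PowerShell; the 'Virtual' model-name test is a guess.
function Get-BackingDisk([string]$DriveLetter) {
    # logical disk -> partition -> physical drive, via the WMI association classes
    $part = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$DriveLetter'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    if (-not $part) { return $null }
    Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
}

function Test-NativeVhdBoot {
    # 1. What the boot manager thinks it loaded: {current} is the entry we came in through.
    $device = $null; $osdevice = $null
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*device\s+(\S.*)$')   { $device   = $Matches[1].Trim() }
        if ($line -match '^\s*osdevice\s+(\S.*)$') { $osdevice = $Matches[1].Trim() }
    }
    $bcdSaysVhd = ($device -like 'vhd=*') -and ($osdevice -like 'vhd=*')

    # 2. What the kernel is actually running from.
    $sysDrive = $env:SystemDrive                    # C: on a normal boot, often D: from a VHD
    $disk     = Get-BackingDisk $sysDrive
    $model    = '<unknown>'
    if ($disk) { $model = $disk.Model }

    New-Object PSObject -Property @{
        BcdDevice       = $device
        BcdOsDevice     = $osdevice
        SystemDrive     = $sysDrive
        SystemRoot      = $env:SystemRoot
        SystemDiskModel = $model
        BootedFromVhd   = ($bcdSaysVhd -and ($model -match 'Virtual'))
    }
}

# Every fixed volume visible right now and the physical disk behind it. Booted from
# the VHD, the host's own volumes are still in this list (see the security posts below).
function Get-VisibleVolumes {
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        $d = Get-BackingDisk $_.DeviceID
        $diskId = '?'; $model = '?'
        if ($d) { $diskId = $d.DeviceID; $model = $d.Model }   # \\.\PHYSICALDRIVEn
        New-Object PSObject -Property @{ Drive = $_.DeviceID; Label = $_.VolumeName; Disk = $diskId; Model = $model }
    }
}

Test-NativeVhdBoot | Format-List
Get-VisibleVolumes | Format-Table Drive, Label, Disk, Model -AutoSize
```

    If BcdDevice shows vhd=[...] but SystemDrive is still the physical C: with a non-virtual disk model, the loader took the VHD entry and the OS inside it then mounted and ran from the physical volume, which matches the mixed c:/d: path variables reported later in the thread. The disk-ID collision is the usual cause, so compare "detail vdisk" output for the VHD against "detail disk" for the SSD in diskpart.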
     
  15. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    How efficient and reliable is this technique for malware testing? Is it as secure as running a full blown VM?

    (Just confirm if thats the case) Things that might not be insulated:
    - MBR
    - BIOS
    - Native hardware drivers
     
  16. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    It is only secure by obscurity. Almost all malware touches the regular file system of the system partition... and that would be on the VHD. Everything else is easily accessible. The MBR, the BIOS, your boot drive, and any other drives are all writable from a native boot VHD..
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah, I am not so sure I want to test malware in this sandbox so much as mess with applications and configurations/settings. It would be nice to test on real hardware rather than virtualized at times.

    How many malicious attacks will focus on other drives than the primary active? How many will know to find your pictures or music or whatever it is you store on other drives? I don't think that is the top priority, so I have never worried about it myself. I would be more concerned about the bios than anything else. but, then again, I don't test malwares/virii much and don't get them either, so I am only cleaning up others computers who do get them. Maybe they lost things I did not know about :doubt:

    I guess this sort of sandbox is meant for (as described) developing in, which is somewhat what I want to use it for.

    Sul.
     
  18. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    yeah, it's really nothing to worry about. It's unlikely that any malware will even attempt to write to your other partitions... The only real vulnerability would be something like TDSS, where it writes to the MBR and has a separate little file system all to itself...

    In most cases though, you'd have nothing to worry about...
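
    A check that follows from the last few posts, as an added example that is not from the thread: hash the first sector of every physical disk from the host OS before a session in the VHD and compare afterwards, so an MBR overwrite of the TDSS kind does not go unnoticed. It doubles as a demonstration of hpmnick's point, because it opens the host's raw disks from whatever OS it runs in; a write with FileAccess.ReadWrite would succeed just as easily. It assumes an elevated PowerShell; the baseline file path is mine.

```powershell
# Added example (not from the thread): baseline and compare the MBR (sector 0) of
# every physical disk. Assumptions: elevated PowerShell, Windows 7 or later, the
# baseline CSV path is chosen by the caller.
function Get-MbrHash([int]$DiskIndex) {
    $path = "\\.\PhysicalDrive$DiskIndex"
    # Open the disk itself, not a volume: the same access a bootkit needs, minus write.
    $fs = New-Object System.IO.FileStream($path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        if ($fs.Read($sector, 0, 512) -ne 512) { throw "short read from $path" }
    } finally { $fs.Dispose() }

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = ($sha.ComputeHash($sector) | ForEach-Object { $_.ToString('x2') }) -join ''
    New-Object PSObject -Property @{
        Disk      = $DiskIndex
        Path      = $path
        BootSigOk = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)   # 0x55AA boot signature
        Sha256    = $hex
    }
}

# Record one line per physical disk. Run this from the host OS with the VHD detached,
# so the disk indexes are stable between baseline and comparison.
function Save-MbrBaseline([string]$File) {
    Get-WmiObject Win32_DiskDrive | Sort-Object Index | ForEach-Object { Get-MbrHash $_.Index } |
        Export-Csv -Path $File -NoTypeInformation
}

function Compare-MbrBaseline([string]$File) {
    foreach ($old in (Import-Csv $File)) {
        $now   = Get-MbrHash ([int]$old.Disk)
        $state = 'CHANGED'
        if ($now.Sha256 -eq $old.Sha256) { $state = 'unchanged' }
        New-Object PSObject -Property @{ Path = $now.Path; State = $state; BootSigOk = $now.BootSigOk; Sha256 = $now.Sha256 }
    }
}

# Before the session, from the host OS:  Save-MbrBaseline 'D:\mbr-baseline.csv'
# After the session, again from the host: Compare-MbrBaseline 'D:\mbr-baseline.csv' | Format-Table Path, State, BootSigOk, Sha256 -AutoSize
```

    Run the comparison from the known-good host OS or a WinPE boot, not from inside the VHD that was just used: an MBR bootkit that is already running can filter raw disk reads and hand back the original sector, so a clean result from the suspect OS proves nothing. Sector 0 alone also does not cover the hidden sectors after it that such malware uses for its own file system; widen the read (for example the whole first track) if that is the threat you care about.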
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have still had the itch for native booting..

    I finally found a few things out. It seems that there are some easy and hard ways to get native booting of a VHD. It seems there are lots of conflicting reports as to whether you can have a VHD of your live OS.

    I have installed win7 to a VHD and native booted into it. Actually it's pretty easy. I tried copy/pasting the contents of my latest image when it was mounted to the VHD, but it's a no go without more info.

    I tried restoring a macrium image to the mounted VHD both in win7 and in win7PE. No go. I also tried macriums beta ImgToVhd, no go.

    I saw mention of changing the disk id of the VHD after using Disk2Vhd, and this is supposed to get around the DiscID collision. That seems a likely solution but not easy to find the answer for. It seems that if you mount/attach a VHD made with Disk2Vhd, that is when the things happen that keep it from booting. If you try this, when you boot from the VHD entry, you end up booting into the C drive with the VHD sort of auto-mounted.

    Either way, after getting a native boot to work, and seeing how to make children of it, it is something to pursue IF one can make a working native boot of their current OS. Unlike vmWare, it is hard to tell it is not the real OS in terms of speed/performance.

    I have thought about how it might be easier just to use ShadowDefender, but that offers no reboot capacity. I thought about "time machine" and "rollback" type apps, but I don't really favor them myself after using a few of them. But this method, if one can figure out how to manipulate it in a productive way, seems to have a lot of promise.

    I will surely post how I get it to work, if I do, back here... for any other techno-geeks :D

    Sul.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Last edited: Jun 18, 2011
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have a few more tricks to try. I have about 1/2 of what I wanted to do accomplished. If it works out correctly, it should be fairly easy to implement. I really dig the child VHDs and how that works. I doubt I will ever stop using vmWare, but this is a different tool for different purposes, especially since it works on the real hardware and does not seem to take a performance hit like VMs often do.

    I will check out the Paragon thing to see what it is about. Thanks for the tip!

    Sul.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    After a lot of fiddling with this, the results are mixed.

    It is pretty easy to create a VHD of say 20gb fixed, then apply the install.wim from the DVD to this VHD. It is trivial to add the VHD to the BCD to boot from. On first boot, the VHD goes through a familiar win7 setup sequence. The end result is that you have a fresh install of win7 on a VHD.

    Next it is easy enough to create a child of the parent VHD. Make the parent VHD read only so that the child cannot commit changes to it. If you get tired of using the child, you make another and delete the first one.

    I find this to be easy to do. I have as my primary boot drive an Intel 80gb SSD, and I have a WD 750gb and WD 1tb drive for storage, so for me I put the VHD files on my 500gb partition of my 1tb drive. Not worried about space there at the moment.

    What I was trying to do, and have been unable to thus far, is to create a VHD based off of my current install on the SSD drive, then boot this cloned VHD up. I have gotten it to work, but it is not quite right. My SSD drive is still listed as the c: drive, and the d: drive is the VHD. However, the d: drive is the boot drive, not the SSD. Further, the path variables are mixed - some point to d: some to c:. For example, %sysdir% points to d: but profile variables point to c:.

    It is really different. As was noted up above, to set the VHD to use the normal c: drive for certain things like profile directories and pagefile etc, it has done this somehow. In fact, it seems like I somehow created a child of the real OS, so that the VHD, even though it was not created as a child, is acting as a child to the normal c: drive.

    At this point it seems that the problem lies with the disk ID. I note when using diskpart (or was it bcdedit) that there is always a "collision" of disk IDs. I have used diskpart to assign a different disk ID to the VHD, but nothing seems to work.

    I tried using Wim2Vhd, after creating a .wim of my c: drive, but that did not work either.

    While I would like to get it to work because I would not have to configure the newly created win7 VHD I have made, I can't seem to find the magic touches. I think at this point that I might just go ahead and work up the win7 VHD that boots properly, adding most of my tweaks/settings, installing a few of my basic applications, then freezing that and working with child VHDs. It would be neat to have a copy of that win7 VHD that I could boot to if I ever thought my normal c: drive was compromised, then I could install MBAM or an AV into it and scan my c: drive. Lots of neat possibilities.

    Any other tips?

    Sul.
     
  23. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    hrrmm...

    Instead of using an image, why not do a straight up file copy?

    Mount the vhd you already made, and then make a new blank one. It should have a different GUID. Then just copy the files over. Use bootsect.exe to make it bootable, and give it an mbr.

    This would look like a different disk according to Windows.

    edit: exclude the Boot directories and bootmgr file.
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I tried that, but cannot do so when the OS is loaded. I tried copying a mounted macrium image, but did not work. Also tried booting into PE and copying c: drive to mounted vhd (used diskpart to mount it from cmd in the PE), not working either.

    Maybe I don't understand how the boot files/bcd are needed on the VHD. I am assuming that the real bcd (on c: drive) is what boots the VHD.

    Sul.
     
  25. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Try a piece of software called unlocker if you are getting permission errors. Like I said, load a vhd of the image and a new VHD. Format the new VHD. Use unlocker to copy files from one VHD to another. This *should* let you copy the files when Windows is running. Copy it over without the boot files and bootmgr.

    mount the vhd to V:
    run these commands:
    bootsect /nt60 V: /mbr
    bcdboot V:\windows /s V:
    bcdboot V:\windows /s C:

    The first step creates the boot sector & mbr on the VHD
    The second step adds BCD files on the VHD
    The third step creates the entry that lets you boot to the VHD from the C: drive. (make sure you have removed previous entries in the BCD store of your C drive).

    If you boot to the VHD with the normal (imaged) /boot/ files, and you don't remove them, it might load the GUID of the physical drive... so you will boot to vhd, then that would load your real OS... maybe.. I think.. I don't really know since I never tried what you are doing...
     