Startup BSOD has me dead in the water!

[Froggie]

Quote:

Originally Posted by 35mm

Froggie, restoring the first track of my most recent image did not resolve the problem, so perhaps it is corrupted/damaged. To make sure I understand the portion snipped above from your advice, can I restore just the first track from an older image, overwriting the first track of my most current restored image? And if doing that precludes the BSOD problem, will my most recent Rollback snapshots be available, corrupted, or what?

Morning! To my knowledge, IFW WILL NOT allow you to restore just the MBR/Track 0 (like Acronis TI does). BUT... with a li'l patience and time, it can be done. Since you have a recent backup containing your important snapshots/database (and possibly a corrupted MBR/Track 0), and you have an older backup that probably contains an unaffected MBR/Track 0 and some old data, I would do the following...

Restore the older backup and insure you're using the "Restore First Track (AUTO)" option... this will get that MBR/Track 0 back in place. Then do a complete restore of your most recent backup and DON'T use the "Restore First Track" option. This should restore just the data and leave to previous MBR/Track 0 info alone. At this point you should have you "older" MBR/Track 0 and the most recent data. If the system still BSODs at this point, it's time to try another hard disk.

Good luck!

[Froggie]

Quote:

Originally Posted by 35mm

Froggie,

{Do you think malware caused this problem?

I have personally come across MalWare that can wreck Rollback RX by wrecking the MBR structure of the system... but this has always been repairable by restoring a good MBR via a backup mechanism. If your system is BOOTing correctly (Rollback CONSOLE) following a successful image, then you have a good MBR in your backup. There is no virus, to my knowledge, that can wreck a good MBR immediately after restoration, since the restored MBR code is the first piece of computer code executed during the startup process.

There are known BiOS virii but I've never come across one during my travels "in the wild" (the reason I adopetd Rollback to begin with)

[35mm]

Quote:

Originally Posted by Froggie

Restore the older backup and insure you're using the "Restore First Track (AUTO)" option... this will get that MBR/Track 0 back in place. Then do a complete restore of your most recent backup and DON'T use the "Restore First Track" option. This should restore just the data and leave to previous MBR/Track 0 info alone. At this point you should have you "older" MBR/Track 0 and the most recent data. If the system still BSODs at this point, it's time to try another hard disk.

Froggie, I restored my older image including its first track (just as you prescribed). My system booted (no BSOD!), Rollback's sub-console appeared, and other than being 10-days old, everything (including snapshots) was functional. I then restored my 3-day old image (but not its first track) and guess what, I again got the dreaded BSOD!!!

It seems to me that my hdd is not damaged - what's your take now?

35mm

[Froggie]

Quote:

Originally Posted by 35mm

Froggie, I restored my older image including its first track (just as you prescribed). My system booted (no BSOD!), Rollback's sub-console appeared, and other than being 10-days old, everything (including snapshots) was functional. I then restored my 3-day old image (but not its first track) and guess what, I again got the dreaded BSOD!!!

It seems to me that my hdd is not damaged - what's your take now?

Morning! Indeed your HDD appears just fine, but apparently your latest image appears to be corrupted. I would ask first, do you VALIDATE or "VALIDATE Byte for BYTE" your images when you create them? One or both of these functions are pretty important (VALIDATE uses a block checksum where Byte-for-Byte does as described and usually takes much longer). But please remember, if your running system is corrupted when the image is made... since the imaging tool is just a sector copier/compressor (it doesn't validate system structures of any kind), there's an excellent chance that the image will VALIDATE just fine (indeed the corrupted data in the image will be the same as the corrupted data on the system). The only way to get an additional "feel good" about this situation is to schedule a system RESTART as soon as possible after the backup. And even that won't give you the best possible "feel good" as there may be some sort of timer tied to a piece of malware in the BOOT stream that won't go off 'til later. If there is, the system will fail to RESTART properly "later" AND a restored recent backup image may (probably) have the same timed malware saved in it. This is pretty far reaching, though... just a possibility.

If you installed IFW after Rollback (or made the REGISTRY mod described in the group's "RBRX luvs IFW" manual), you will not be able to use the TBmount function of IFW to gain access to the most recent image as that image, if mountable, will only present the original BASELINE that Rollback made. If the above conditions didn't exist (i.e., Rollback installed AFTER IFW and no REGISTRY mod) you just may be able to mount that bad image and scrape out any files created in the last 10-days that are important to you. Since you describe a successful RESTORE of the 10-day old image, including its snapshots, it sounds like those mods have been made and the recent files won't be available via TBmount.

At that point you'll just have to start all over from 10-days ago (not too bad, though). I'd keep an eye on any further backups by using at least the VALIDATE function when the image is created... the disk block checksum feature used in validation is usually more than adequate to determine the legitimacy of the backup image.

Based on your input... no other thoughts at this time.

[35mm]

Froggie, good afternoon to you! I've just been checking the 'Validate' box as I found that 'Validate Byte for Byte' adds way too much time to an already long Raw backup!

Yesterday, I tried using a WinPE Boot Disk to recover Outlook's pst-file and some other data-files from my 3-day old C-partition, but then I realized that the PE disk only sees that image's baseline snapshot which is 10-days old (it's the most recent snapshot on that image that's 3-days old), so nothing was to be gained there. So I resigned myself to using my 10-day old image which boots perfectly (along with Rollback's sub-console) and chalking-up the more recent lost files as unrecoverable.

While I definitely appreciate your advice, in the end none of the suggestions I received here circumvented the BSOD when I booted up from my recovered 3-day old image. At this point I would just like to know what happened to corrupt that image, but I guess I'll never know.

Thanks again,
35mm

[Owl]

It's like insurance - you never know how good it is until you have to use it.

[35mm]

Quote:

Originally Posted by Owl

It's like insurance - you never know how good it is until you have to use it.

Owl, if you are referring to my most recent backup image (which also resulted in a Startup BSOD) I suspect that whatever messed up my system did so just before I created that image. So IFW did its job by backing up and verifying whatever was on the sectors at that time.

35mm

[VoipDude]

I use Acronis True Image Home to make a COLD image of my drive with Rollback RX installed on it. I do not need to do a "sector by sector" or "all unused sector" image. I just do a normal image which takes only 7 minutes, and all of my Rollback RX snapshots are preserved. When I restore from the Acronis image, I just check to also restore the MBR, and the image is restored with all of the snapshots intact. All of the snapshots are perfectly restored, and I can switch back & forth between them as normal. This is the easiest method I have found, and Acronis True Image has never let me down.

[nexstar]

Quote:

Originally Posted by VoipDude

I use Acronis True Image Home to make a COLD image of my drive with Rollback RX installed on it. I do not need to do a "sector by sector" or "all unused sector" image. I just do a normal image which takes only 7 minutes, and all of my Rollback RX snapshots are preserved. When I restore from the Acronis image, I just check to also restore the MBR, and the image is restored with all of the snapshots intact. All of the snapshots are perfectly restored, and I can switch back & forth between them as normal. This is the easiest method I have found, and Acronis True Image has never let me down.

Hi VoipDude and welcome to the forum .

The thing is, what you have described here is not just cold imaging, it is the RollBack equivalent of cold fusion . I don't want to be a party-pooper but, the snapshot data is located in the 'unused' sectors on the drive and so would need an all sectors backup by most imaging apps to ensure they were preserved correctly.

I'd really like you to be right about this but we have huge threads on this site based on the premise of this just not being possible. Could it be that the restores you have done have been straight after making the image? If that were the case then the unused sectors would still be intact unless you actually wiped the disk before the restore. This would give the impression that everything was restored correctly.

To test it out, you would need to make the image, wipe the disk and then restore the image. If that restores with working snapshots then I will be first in the queue for my copy of ATI! You may want to be prepared for the possibility that you just get the baseline scenario though and so it would be prudent to make an all sector backup first, just in case.

Graham

[pvsurfer]

@VoipDude, no way is that possible - what are you smoking dude?

@35mm, I'm sorry to read of your misfortune. Based on your description of the events I'd bet that your MBR and other areas were infected with a nasty rootkit during the PC session preceding your 3 day old backup. RBRx has no mechanism to prevent infections - it can only restore a prior (and hopefully clean) snapshot (if the system will boot)!!! Btw, I am curious as to whether or not you use a real-time AV and if so, which one?

pv