


System/Disk Backup in Vista using command line script

Microsoft has implemented a really neat feature in Vista Business, Enterprise and Ultimate, allowing you to perform a full disk or even system backup, while the system is running.

This backup tool uses block-level backup and relies on Volume Shadow Copy to back up open files. It is still advisable to close your applications while the backup runs: this speeds up the process a little and ensures that your backup is more accurate.

  

Before looking at the details of performing a disk or system backup, there are a number of things you need to know:

  

1. You can only back up a disk or the entire system (all disks). You cannot back up a folder or a set of files.

2. You can only perform a full system backup onto another local disk. You cannot back up to the same disk that you are backing up (for obvious reasons), and you cannot back up to network shares or USB drives. You can back up to DVD, but be prepared to swap a lot of DVDs (depending on the amount of data that needs to be backed up). Also, pray that the DVDs remain intact; they may cause you a lot of problems when you're restoring...

3. The drive containing the system files is automatically included in the backup job.

  

Nevertheless, these limitations are easily outweighed by the benefits.

The result of a backup is a .vhd file (and a number of XML-based configuration files).

This vhd file can be:

– mounted by a system running in Microsoft Virtual PC, allowing you to access the files on the disk

– mounted by Microsoft Virtual PC, allowing you to run the computer within a virtualized environment. (Microsoft doesn’t really support this, but this is a good way to P2V your system in a Microsoft environment)

– used to recover your system in a Bare Metal restore fashion. Yes, that’s right. You can take other hardware, boot with the Vista DVD, and restore the vhd file onto other hardware, without problems.

  

While file restore (as we know from older versions of Windows Operating Systems) is useful in cases of file loss and data corruption, Windows Complete PC Backup and Restore is most useful for disaster recovery when your PC malfunctions. This feature helps you create complete PC backups, and then in the event of a serious system issue or data loss, Windows Complete PC Backup and Restore can restore your entire PC environment, including the operating system, installed programs, user settings, and data files.

You can restore your PC back to its original state or onto another PC. Windows Complete PC Backup and Restore can be initiated from within Windows Vista or from the Windows Vista installation CD, if the PC is not able to start up normally from the hard disk.

Either way, when restoring the backup (whether onto the same hardware or other hardware), keep in mind that you cannot restore onto a disk that is smaller than the original disk. Even though Vista supports "shrinking" a partition, and you may only be using a small part of the entire disk, the restore process will not allow you to restore onto a disk that is smaller than the original disk.

  

Let's assume that we will back up drive C: to a local disk identified by drive letter D:.

You could use the GUI to handle the backup sequence, but since we are all command line geeks, I have good news for you: wbadmin allows you to script the entire process, and it's not even that hard.

  

C:\>wbadmin -help
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

---- Commands Supported ----

START BACKUP        -- Run a backup immediately
STOP JOB            -- Stop currently running backup or recovery
GET VERSIONS        -- List details backups recoverable from
GET ITEMS           -- Lists items backed up for a backup
GET STATUS          -- Lists status of currently running job

  

C:\>wbadmin start backup -help
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.
Usage: WBADMIN START BACKUP
        -backupTarget:{TargetVolume | TargetNetworkShare} -include:VolumesToInclude
        [-noVerify]
        [-quiet]
Runs a backup immediately using the specified options.
-backupTarget   Storage location for this backup. Requires drive letter or UNC
path to shared network folder.
-include        Comma delimited list of volume drive letters, volume mount
                points or GUID based volume names to include in backup. Should
                be used when -backupTarget is specified.
-noVerify       If specified, backups written to removable media such as DVD
                will not be verified. By default, backups written to such media
                will be verified for errors.
-quiet          Runs the command with no user prompts.
Example: WBADMIN START BACKUP -backupTarget:e: -include:e:,d:\mountpoint,\\?\Volume{cc566d14-44a0-11d9-9d93-806e6f6e6963}\

  

In our example, we want to back up drive C: onto drive D:.

This is the corresponding wbadmin syntax:

  

wbadmin start backup -quiet -include:c: -backupTarget:d:

  

wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Retrieving volume information…

This would backup volume Local Disk(C:) to d:.

Backup to D: is starting.

Running shadow copy of volumes requested for backup.
Running shadow copy of volumes requested for backup.
Running shadow copy of volumes requested for backup.
Running backup of volume Local Disk(C:), copied (0%).
Running backup of volume Local Disk(C:), copied (0%).
Running backup of volume Local Disk(C:), copied (1%).
Running backup of volume Local Disk(C:), copied (2%).
Running backup of volume Local Disk(C:), copied (2%).
Running backup of volume Local Disk(C:), copied (3%).
Running backup of volume Local Disk(C:), copied (3%).
Running backup of volume Local Disk(C:), copied (4%).
Running backup of volume Local Disk(C:), copied (4%).
Running backup of volume Local Disk(C:), copied (4%).
Running backup of volume Local Disk(C:), copied (5%).
Running backup of volume Local Disk(C:), copied (5%).
Running backup of volume Local Disk(C:), copied (6%).
Running backup of volume Local Disk(C:), copied (6%).
Running backup of volume Local Disk(C:), copied (7%).
Running backup of volume Local Disk(C:), copied (7%).
Running backup of volume Local Disk(C:), copied (8%).
 

  

This will launch the Volume Shadow Copy service, and then start to perform the backup.

The entire process may take a while, so sit back and enjoy this new feature that may save you a lot of work afterwards.
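The following PowerShell script is an added example (not from the original post) that wraps the wbadmin command shown above so it can run unattended: it first checks that the target is a different, local, non-removable volume with enough free space for the used blocks on the source, then runs wbadmin with -quiet, logs its output, and, if wbadmin fails, appends the most recent VSS events from the Application log to the same file. The drive letters, the log folder and the function names are assumptions; it expects an elevated prompt on an edition that ships wbadmin.exe.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# prompt on Vista Business/Enterprise/Ultimate with wbadmin.exe on the PATH.
# $Source, $Target and $LogDir below are example values.

function Test-BackupTarget {
    param([string]$Source, [string]$Target)
    $src = $Source.TrimEnd(':', '\').ToUpper()
    $tgt = $Target.TrimEnd(':', '\').ToUpper()
    # wbadmin refuses to back a volume up onto itself; catch it before the job starts
    if ($src -eq $tgt) { throw "Target $($tgt): is the volume being backed up." }

    $tgtDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($tgt):'"
    if ($tgtDisk -eq $null) { throw "Target volume $($tgt): was not found." }
    # DriveType 2 = removable, 4 = network share; the post notes that Complete PC
    # Backup only writes to another local disk (or DVD)
    if ($tgtDisk.DriveType -eq 2 -or $tgtDisk.DriveType -eq 4) {
        throw "Target $($tgt): is removable or a network share (DriveType=$($tgtDisk.DriveType))."
    }

    $srcDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($src):'"
    $used = $srcDisk.Size - $srcDisk.FreeSpace
    # the image only stores used blocks, so used space on the source is the lower bound
    if ($tgtDisk.FreeSpace -lt $used) {
        throw ("Target has {0:N0} MB free but the source uses {1:N0} MB." -f ($tgtDisk.FreeSpace / 1MB), ($used / 1MB))
    }
    return $true
}

function Start-VolumeBackup {
    param(
        [string]$Source = 'C:',
        [string]$Target = 'D:',
        [string]$LogDir = 'D:\BackupLogs'
    )
    Test-BackupTarget -Source $Source -Target $Target | Out-Null
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $log = Join-Path $LogDir ("wbadmin-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

    # -quiet suppresses the confirmation prompt so the job runs unattended;
    # 2>&1 keeps wbadmin's error text in the same log as its progress lines
    & wbadmin.exe start backup -quiet "-include:$Source" "-backupTarget:$Target" 2>&1 |
        Tee-Object -FilePath $log | Out-Null

    if ($LASTEXITCODE -ne 0) {
        # a VSS/ASR writer failure like the one described later in the post is
        # logged under source VSS in the Application log; keep it with the job log
        Get-EventLog -LogName Application -Newest 20 -Source VSS -ErrorAction SilentlyContinue |
            Format-List TimeGenerated, EntryType, Message | Out-File -FilePath $log -Append
        throw "wbadmin exited with code $LASTEXITCODE; details in $log"
    }
    return $log
}

# Usage (example values):
# Start-VolumeBackup -Source 'C:' -Target 'D:' -LogDir 'D:\BackupLogs'
```

The pre-checks only reject what the post says cannot work; they do not replace the verification wbadmin performs itself. Keeping the job log and the VSS events together is what makes a failed overnight run diagnosable the next morning.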

  

In the end, when you look at the backup destination drive, you'll find the following folder layout:

In the root of the drive, you'll find the "WindowsImageBackup" folder.

This folder contains a folder named after the machine that was backed up.

Under that folder, you'll find a folder whose name starts with "Backup – " followed by the date and time of the backup,

a folder called "Catalog" and a file called "MediaID".

The vhd file is stored under the "Backup – " folder. At the end of the backup task, a couple of XML configuration files are generated and stored in that same folder.
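As an added example (not from the original post), the PowerShell below walks the layout just described: it locates the newest "Backup" folder under WindowsImageBackup\<machine>, checks that the .vhd and the XML configuration files are present (an interrupted job leaves the XML files missing), confirms the Catalog folder and MediaID file exist, and writes a SHA-256 digest of the .vhd next to it so corruption of the image (on DVD media in particular) can be detected before a restore depends on it. The drive letter, the folder-name prefix and the function names are assumptions.

```powershell
# Added example, not part of the original post. $Target and $ComputerName are
# example values; the 'Backup' prefix follows the folder layout described in the post.

function Get-FileSha256 {
    param([string]$Path)
    # stream the file instead of loading it: a .vhd can be tens of gigabytes
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

function Get-LatestImageBackup {
    param(
        [string]$Target = 'D:',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $root = Join-Path $Target ("WindowsImageBackup\" + $ComputerName)
    if (-not (Test-Path $root)) { throw "No WindowsImageBackup folder for $ComputerName on $Target" }

    # one 'Backup ...' folder per run, with Catalog and MediaID next to them
    $sets = Get-ChildItem -Path $root |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'Backup*' } |
        Sort-Object LastWriteTime
    if (-not $sets) { throw "No 'Backup' folder found under $root" }
    $latest = $sets | Select-Object -Last 1

    $vhd = @(Get-ChildItem -Path $latest.FullName -Filter '*.vhd')
    $xml = @(Get-ChildItem -Path $latest.FullName -Filter '*.xml')
    if ($vhd.Count -eq 0) { throw "No .vhd in $($latest.FullName); the backup did not complete" }
    if ($xml.Count -eq 0) { throw "No XML configuration files in $($latest.FullName); the backup was interrupted" }

    # record the digest; recompute with Get-FileSha256 and compare before relying on the image
    $digest = Get-FileSha256 -Path $vhd[0].FullName
    $digestFile = Join-Path $latest.FullName 'vhd.sha256'
    "$digest  $($vhd[0].Name)" | Out-File -FilePath $digestFile -Encoding ASCII

    New-Object PSObject -Property @{
        BackupFolder  = $latest.FullName
        Vhd           = $vhd[0].Name
        VhdSizeMB     = [math]::Round($vhd[0].Length / 1MB)
        XmlFiles      = $xml.Count
        CatalogExists = Test-Path (Join-Path $root 'Catalog')
        MediaIDExists = Test-Path (Join-Path $root 'MediaID')
        Sha256        = $digest
    }
}

# Usage (example values):
# Get-LatestImageBackup -Target 'D:' | Format-List
```

A digest stored beside the image only catches accidental damage; keep a copy of the vhd.sha256 line somewhere the backup target cannot overwrite if you also want to notice deliberate modification of the image.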

  

  

The first time I ran the backup, I encountered problems. Volume Shadow Copy didn't kick off, and the event log started complaining about the ASR writer.

The wbadmin tool stopped, and I noticed the following errors:

  

Event viewer (Application Log):

  

Volume Shadow Copy Service warning: ASR writer Error 0x8000ffff. hr = 0x00000000.

Operation:
PrepareForBackup event
PrepareForBackup event

Context:
Execution Context: ASR Writer
Execution Context: Writer
Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
Writer Name: ASR Writer
Writer Instance ID: {22275b8b-bd54-4eef-a2e2-f15db8c58ba0}

  

followed by

  

Backup started at '21/06/2007 6:20:40' failed as Volume Shadow copy operation failed for backup volumes with following error code '2147754996'. Please rerun backup once issue is resolved.

  

When I turned on ASR logging, there wasn't anything useful I could find, except for the fact that Volume Shadow Copy was trying to connect to disk 0, because it assumes drive C: = disk 0.

  

When looking at the Disk Management console, I noticed that there was another partition, sitting in front of my C: drive… the EISA partition.

  

And that brings us to the root cause of the problem. Volume Shadow Copy and Disk Management don't appear to be perfectly aligned, so you had better make sure that the drives in Vista are aligned with the drive letters; otherwise you won't be able to use Volume Shadow Copy (or Windows Backup).

  

Solution: remove the EISA partition

By default, a lot of computers have a so-called utility partition, often referred to as the "EISA" partition.

This partition is the first partition on the disk and does not get a drive letter assigned in the OS.

Although this partition is not very big, there may be reasons to remove it.

One of those reasons is that Windows Backup looks at partitions and disks: even though the EISA partition did not get a drive letter, Windows Backup still thinks that C: is actually that EISA partition, which can lead to unwanted behaviour/results when performing a full disk or full system backup.

  

If you want to remove the partition after you've installed Vista, then you must take into account that you're going to remove the first active partition, the partition that holds the Master Boot Record. So in short: if you remove the EISA partition, you're going to wipe out the MBR and the first active partition.

  

These are the steps required to properly remove the EISA partition:

  

1. Get a copy of gparted-live (from http://sourceforge.net/project/showfiles.php?group_id=115843&package_id=173828)

(Main website : http://gparted.sourceforge.net)

2. Burn the ISO to a CD and boot the computer from the CD.

3. During the boot process, set the keyboard and wait until X boots. GParted is launched automatically, showing the disks and partitions found on the system.

4. Select the EISA partition, right click and Delete the partition

5. Shut down GParted and double-click on the EXIT icon in the upper left corner. The CD will be ejected automatically.

6. Wait until the machine has shut down, remove the GParted CD, and put the Vista installation DVD in the drive

7. Boot from the Vista installation DVD

8. The installation process should detect that the boot files are missing and will prompt you to repair the Boot Record. Don't do it (yet). If you're not prompted to repair, that's fine too.

9. At the graphical installation screen "Install Vista Now", you will find a link to "Repair Your Computer"

10. The System Recovery Options dialog box displays a number of options. Choose "Command Prompt"

11. At the command prompt, type "diskpart" and follow these instructions:

  

First, select the disk that contains the partition holding Vista (this should be disk 0 in most cases). If you're not sure, run "list disk" to show all disks, and select the correct disk using the "select disk" command:

  

Microsoft DiskPart version 6.0.6000
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: LAPTOP1

  

DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online       112 GB   103 MB

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            112 GB    94 MB

DISKPART>

  

As shown above, the "list partition" command shows all partitions on the selected disk.

Select the Vista partition using the "select partition 1" command (where '1' is the number of the Vista partition in that listing).

Next, use the "active" command to mark this partition as the active partition.

  

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
* Partition 1    Primary            112 GB    94 MB

DISKPART> active

DiskPart marked the current partition as active.

DISKPART>

  

use "Exit" to leave diskpart. This completes part one of the repair.

If the computer reboots, make sure to boot from DVD again and wait until you’re back at the "Repair Your Computer" option.

Then go to the next step.

If the computer has not rebooted, then go straight to the "Startup Repair" option.

Have Vista Recovery repair the Master Boot Record (which can take a couple of minutes) and reboot again, but this time don't boot from the Vista DVD. Your system should be operational again.

  

By the way: diskpart.exe is available for Windows XP as well:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0FD9788A-5D64-4F57-949F-EF62DE7AB1AE&displaylang=en

  

  

Note: enabling ASR logging:

  • Go into Regedit
  • Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
        Create the key: Asr
  • Under Asr create the key LogFileSetting
  • Under LogFileSetting create the dword EnableLogging with the value 1
  • Under LogFileSetting create the string LogPathName (string) with a value such as d:\Asr.log
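The same registry change as a PowerShell function is given below as an added example (not from the original post): it creates the Asr\LogFileSetting key, sets EnableLogging and LogPathName, and then reads the values back so a write that silently failed (for instance from a non-elevated prompt) is reported rather than assumed. The function names are assumptions; D:\Asr.log is the example path from the note.

```powershell
# Added example, not part of the original post. Requires an elevated prompt
# because the values live under HKLM. 'D:\Asr.log' is the note's example path.

function Enable-AsrLogging {
    param([string]$LogPathName = 'D:\Asr.log')
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\LogFileSetting'
    # -Force creates the missing Asr and LogFileSetting keys in one go
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableLogging' -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LogPathName'   -PropertyType String -Value $LogPathName -Force | Out-Null

    # read back and verify instead of trusting that the writes succeeded
    $v = Get-ItemProperty -Path $key
    if ($v.EnableLogging -ne 1 -or $v.LogPathName -ne $LogPathName) {
        throw "ASR logging settings were not applied under $key"
    }
    return $v | Select-Object EnableLogging, LogPathName
}

function Disable-AsrLogging {
    # turn the logging off again once the troubleshooting is done; the path stays in place
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\LogFileSetting'
    if (Test-Path $key) { Set-ItemProperty -Path $key -Name 'EnableLogging' -Value 0 }
}

# Usage:
# Enable-AsrLogging -LogPathName 'D:\Asr.log'
# ... run the backup, inspect D:\Asr.log ...
# Disable-AsrLogging
```

Point LogPathName at a volume that is not part of the backup you are troubleshooting, as the note's D:\Asr.log does, so the log is not itself inside the snapshot being taken.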

  

  

  

  

 

© 2008, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
