Author: Mike Boesen
Last updated: 11 October 2005
1. Introduction
2. Causes of problems and their prevention
2.1 Viruses, trojans, worms and spyware
2.2 Hard drive physical faults
2.3 Hard drive file structures
2.4 Missing or corrupt system files
2.5 Unintentional deletion of important files
3.1 Backing up the registry
3.2 Backing up Email stuff
3.3 Backing up selected files from the master drive
3.4 Backing up the whole master drive as a compressed image
3.5 Backing up a compressed image of a partition or partitions from the master drive
3.6 Backing up the whole master drive as a Clone on another drive
3.7 Backing up a partition from the master drive as a Clone on another drive
4. Where to backup
5. Recovery
5.1 Recovery of deleted files
5.2 Recovery when the PC is functioning slowly or erratically
5.3 Recovery when you can't boot into Windows normal mode
5.4 Recovery when you can't boot into Windows safe mode
5.5 Recovery when you can't boot into normal mode or safe mode and UBCD4WIN and Recovery Console are of no use
6. Closing comments and recommendations
Appendix 1 - Running Microsoft SFC
(System File Checker)
Appendix 3 - Notes on Table 1 (Backup
device options)
Appendix 4 - Using the Windows Recovery
Console
Appendix 5 - Running the utility
CHKDSK
Appendix 6 - Reinstating the master
drive from a compressed image or a clone on a backup
drive
Appendix 7 - The Ultimate Boot CD for Windows (UBCD4WIN)
This article is based on my experience with PCs that have Windows operating systems. If you have a different type of operating system, some of the principles will apply, but the software referred to in the article will not be applicable.
I have tried to cover a lot of aspects relating to backup and recovery strategies. There are bound to be some errors and omissions. Part of the reason for that is that the operating system I am most familiar with is Windows XP. My recollection of the details of older operating systems is imperfect and I am not using these older systems on any PC. Please notify me of any errors and make suggestions for improvement of the article. I will amend the contents in the light of any feedback that I receive. As I make corrections I will post an up to date version on this web page.
Sooner or later most PC users will experience problems in accessing data or applications on their PC or booting their PC. These problems can range from minor ones (e.g. the unintentional deletion of important files) to major ones (e.g. the PC will not boot at all). Therefore it is prudent to have a robust and failsafe backup strategy in place so you can recover from a problem situation easily and with minimal or no loss of information. This takes some amount of forethought and it is best to do that thinking now rather than wait until you are experiencing problems.
Many of the lesser problems could be solved easily by restoring files or a healthy registry from a backup (that is, IF it exists). Major problems can be overcome by reinstating an image or clone of the master drive (again, IF such backups exist). However, without backups some types of severe problems may require the user to reinstall the operating system and applications. In that event there would be loss of documents, pictures, emails and other important files. Reinstalling operating systems and applications takes time, but the loss of important information can sometimes be disastrous.
The risk of experiencing problems varies considerably between users. The risk of problems is low if all these conditions apply:
However, there will be many users for whom the risk of problems will be moderate to high. I am one such user. I keep my registry clean by using a number of registry cleaners. I have good software that provides protection against malware. I use a software firewall. However, I know that sooner or later I am going to put my PC in a state that means that either the registry is klutzed and/or the hard drive will not boot normally. Fortunately I implement a backup strategy that will guarantee that I can recover easily in the event of trouble. In spite of all the fiddling that I do with software I have never yet got to the stage of having to do the dreaded "Format C:" thing. If I had to do that it would take me at least a week to reinstall all the applications that I have installed.
The type of backup strategy that is appropriate for you will depend on your particular circumstances: your risk exposure, what hardware you have or are able to afford, what software you have for PC maintenance, what operating system is installed and so on. While there is no single backup strategy that is ideal for all PC users, the following suggestions may be useful to you when you are developing and implementing a backup strategy that meets your particular circumstances.
Before looking at possible elements of a backup strategy, let's look at some common problems and how they might be prevented from being problems in the first place.
To reduce the likelihood of having a need for recovery from a problem condition you must have adequate protection against viruses, trojans, worms and spyware (collectively referred to in this article as "malware"). The importance of having such protection cannot be overstated. Such protection is also important if you are to implement an effective backup and recovery plan. For example, restoring your PC using a backup that contains applications that were infected with malware before the backup was made is not a good outcome.
To prevent infection by malware you need appropriate anti-malware software, a hardware or software firewall, and to implement any security updates when they become available for your operating system, Email application, web browser application and other applications that are targeted by malware (e.g. word-processing).
2.1.1 Anti-virus, anti-trojans, anti-worm software
There are many applications that provide protection against viruses, trojans and worms. Some are freeware and others costware. Of the freeware applications Avast 4 Home is excellent and widely used. It provides protection against viruses, trojans and worms. It is also available in the "Pro" version - this is not freeware, but provides additional protection against malicious scripts and has a more complex set of configuration options. Another good widely used freeware product is AVG - it also provides protection against viruses, trojans and worms. Other freeware applications are available. There are some freeware applications designed for prevention of only certain types of malware. For example, Emisoft's a-squared is designed for detection of trojans only. However, a single application that provides protection against viruses, trojans and worms would be more practical for most users and probably does as good a job as having separate applications.
There are many good costware applications that provide protection against all three of these problems including those marketed by Trend Micro, ESET (Nod32), Zone Labs, Kaspersky and McAfee. Norton Anti-virus is also quite widely used and well-regarded by many, but I prefer not to use it.
Whatever the application you use, it should be one that loads automatically when you boot your PC and resides in memory so that all applications are scanned just prior to them running. It should also be one that automatically scans incoming Emails and their attachments and internet downloads. Ideally it should also scan outgoing Emails and attachments so that in the event that you do have a nasty on your PC, you do not pass it on to other folk.
Whatever application you use, it is essential that its database of "signatures" or "definitions" that enable it to detect virus, trojans and worms is updated regularly - ideally every day - and that you install updates of the application itself when they become available. Good quality applications can be configured for automatic updating.
For people who have Windows XP, 2000 or Server 2003, Microsoft releases regularly an updated version of its Malicious Software Removal Tool. You can also run the tool from this Web page or download it to your computer. This tool detects certain viruses.
2.1.2 Anti-spyware software
Certain types of spyware can make undesirable changes to settings within your registry, system settings, operating system, Email application and internet browser. There are many applications which can provide protection against spyware. Microsoft Antispyware, Spybot Search and Destroy, Spyware Blaster and Ad-Aware are examples of widely used freeware products.
While it is not free, Sunbelt's Counterspy gets consistently high ratings in reviews. It is an even better-performing product than Microsoft Antispyware because it uses all the Microsoft Antispyware definitions (at least till 2007) plus Sunbelt's own definitions. Other non-free products include those of Trend Micro, Symantec , McAfee and Zone Labs.
Whatever anti-spyware application you use it is essential that it prevents both benign and malicious applications from making changes to your system without your consent. The anti-spyware product should of a type that is is loaded automatically at boot time and is memory resident. Such anti-spyware then operates all the time so that you will be notified when any application tries to make questionable changes to your PC. You can then allow or prevent the change being made.
2.1.3 Firewalls
"Firewalls" operate all the time that you are on the internet so as to isolate your your PC or network from uninvited intrusions from internet hackers. There are a number of good free software firewalls, including Microsoft's XP Firewall and Zone Lab's Zone Alarm free version.
There are also many costware software firewall products including Zone Lab's Zone Alarm Pro, McAfee's Personal Firewall Plus, AVG's Anti-virus plus firewall and Symantec's Personal Firewall.
Another type of firewall is one implemented in hardware. These are integral components of most (if not all) ADSL routers or router/modem devices that are used to connect to the internet. I don't have a hardware firewall as I believe that my software firewall (Zone Alarm Pro Version 5) gives me quite adequate protection. The Whirlpool article on ADSL modems and routers gives comprehensive information about hardware firewalls in such devices.
2.1.4 Regular security updates for your operating system, Email client and web browser
From time to time the makers of your operating system, Email application (e.g. Outlook Express) or web browser (e.g. Internet Explorer) may issue security updates. These are intended to enhance the ability of the applications to resist attacks by internet hackers. They should be installed after they become available, although some PC users prefer to wait for a while to make sure that an update does not have any unintended negative outcomes (and so requiring a rollback or update of the update).
On my stand-alone PC system I use Zone Alarm Pro as a software firewall, Avast Pro for protection against viruses, trojans worms and malicious scripts, and Sunbelt Software's Counterspy for protection against spyware (with an occasional double-check for spyware using Spybot Search and Destroy). This set of applications seems to provide adequate protection against malware. With a broadband connection, updates for Avast and Counterspy are installed automatically without me needing to do anything. The updates are sent to me just about every day and sometimes twice a day.
If you don't want to have the bother of managing a number of different anti-malware applications there are also a number of "security suites" available. These products claim to provide protection against all types of malware. Examples are suites sold by Zone Labs, Trend Micro, Symantec and McAfee. If you are prepared to pay the cost involved, you may find that installing one of those suites is the easiest way to get comprehensive protection. I prefer the approach of selecting the "best of class" for each type of ant-malware product.
While the best anti-malware applications can be configured to run all the time as memory resident applications, I have found that it is also worthwhile running a full ad-hoc scan for malware prior to making a backup of a complete hard drive or a clone of it. For some applications (e.g. Avast) the most comprehensive checking can be achieved through a "boot-time" scan. For Avast that can be done through scheduling a boot-time scan, with the option of "Archive checking" ticked. Archive checking ensures that all archives such as those created with XP's System Restore are also checked.
If you have any doubts about the extent to which your current protection against malware is adequate, there are some web sites that offer an on-line check of your system. For instance, Symantec offers a free on-line "security check " as does Trend Micro. It is worthwhile using on-line checking by such reputable developers from time to time because the malware signatures and definitions they apply are fully up to date. However, it is possible that some of the lesser known products will detect potential "problems" on your system that are insignificant (e.g. some types of "cookies") in order to promote the virtues of their costware products..
Some problems with hard drives that lead to loss of data or inability to boot are caused by physical faults. No backup strategy will be completely effective if either the hard drive from which you are backing up stuff or the hard drive (or other device) to which you are writing the backups is physically defective. Such defects are infrequent, but can be within the device's mechanical components, on its circuit board, or in the connecting plugs, sockets and data cables. The faults may be intermittent and some can be associated with very cold weather and very hot weather, or overheating of a hard drive due to inadequate ventilation.
Most modern drives have SMART ( "Self-Monitoring Analysis And Reporting Technology") implemented in the drive's firmware. SMART monitors the temperature and other health attributes of your hard drives. If your drive/s have SMART you can implement a small freeware application such as HDD Health so that it runs all the time in the background. HDD Health can be configured so that it will notify you if it detects problems or based on past performance of the drive, predicts that there will be problems in the future.
Inside your PC, connecting plugs, sockets and data cables for hard drives and optical drives can sometimes be a source of problems. However, if such gear was problem-free when first installed, it is unlikely that problems will develop later, so it is probably a good idea to leave things alone. The probability of problems developing is increased the more that such gear is unconnected and reconnected. If you have reason to believe that there are problems with such gear and you are confident about opening up your PC, at least check that the cables connecting the motherboard to your hard drive/s, floppy drive and CD or DVD drives are correctly seated, power cables are fully inserted, and there is no erratic behaviour of a device when the power plug connected to it is gently wiggled. On some occasions in the past when I had been swapping a hard drive in and out a lot, I experienced particular problems with the cylindrical sleeves inside the power plugs that are inserted into the hard drive power socket (the plugs with four wires: two black, one red and one yellow). The problem was that a couple of the sleeves had become expanded through rough handling and were making poor contact. This was quickly fixed through judicious levering of the sleeves with a jeweller's screwdriver to close them up a tad so that they gripped the prongs in the socket better.
If you have a backup drive connected by a USB or Firewire cable make sure that the cable is in good condition and inserted correctly. If the device is connected via USB cable and it is capable of "High Speed" USB 2.0 data transmission (sometimes referred to as "Enhanced" USB 2) make sure to use a USB socket on your PC and a USB cable which meets the specifications for USB 2.0 High Speed data transfer. Not all sockets and cables are capable of doing that (see details in my article here).
If you are backing up to a device on a wired or wireless network, make sure that the cabling and wireless system are fully functional.
Some problems with hard drives are caused by faults in partition tables, file and folder structures, indexes and security descriptors. So if you backup your hard drive or selected parts having such faults, you risk carrying over the faults to your backup.
If you are having problems with your hard drive, it's worth running the Windows utility CHKDSK. This utility checks the integrity of a hard drive's file system and if the /R option is used, it will attempt to fix any errors. See Appendix 5 for more about this.
Another type of problem that would be carried over to a backup drive if it were to exist on the master drive is corrupt system files. Therefore, if you are having any problems with your PC, then before making a backup of a whole drive or making a clone of it there is value in checking the integrity of your system files first.
In Windows 98, XP and 2000 and this can be done using the Microsoft's System File Checker (SFC) utility. Details about how to run SFC are provided in Appendix 1. I'm not aware of an equivalent utility for Windows Me or 95.
In some cases the corrupt or missing files are the NTLDR and/or NTDETECT.COM files, preventing the PC from booting. Fixing this problem is discussed later.
Another type of problem is loss of files of data through inadvertent deletion. If you are aware of this in time then such files may possibly be recovered through the recycle bin. If the bin has been emptied, there is a real possibility of irreparable loss. However, in some circumstances, even files that have been deleted and that are no longer in the recycle bin can be recovered. Fixing this problem is discussed later.
Having given consideration to the things that could limit the effectiveness of backing up, the next issue is what things you might backup. Depending on your particular circumstances, you may want to backup one or more of these things:
In my view making frequent backups of the registry is the most important element in any backup strategy. The desirable frequency will vary from user to user.
3.1.1 Windows 95 registry backups
When Windows 95 boots normally, it backs up the registry files USER.DAT and SYSTEM.DAT automatically. If the registry becomes corrupt, these files might be used to reinstate the registry to the last good boot condition. The files could be copied manually to a backup folder somewhere. This is not a straightforward matter. This article and this article provides details.
3.1.2 Windows 98 and Me automatic backups
For Windows 98 and Me, when you boot your computer successfully, the Windows application SCANREG creates a backup of system files and registry configuration information (including user account information, protocol bindings, software program settings, and user preferences), keeping five back versions. To save such files to a backup folder you could do that manually. SCANREG can be used to restore any of the backed up versions. Details about how to restore back versions are provided here and here.
3.1.3 Windows 2000 registry backups
Windows 2000 includes functionality for creating and restoring registry backups. This can be accessed through Start/Programs/Accessories/System Tools/Backup tab - check the "System state" option. Details are given here.
3.1.4 Backups of the registry using Windows System Restore and similar applications
Windows System Restore is a free utility within XP and Me. It can be used to create "Restore Points" which contain a snapshot of the registry and copies of certain dynamic system files.
There are other costware applications that can be used to create similar types of restore points. An example is Symantec's (used to be Roxio's) GoBack. This can be used for Windows 98, Me, 2000 and XP systems.
If System Restore or a similar application is available for your operating system it can be used to restore the registry (plus some of the system files) to an earlier condition. However, it's interesting to note what Lars Hederer, author of the ERUNT application says about the System Restore functionality in respect of the XP operating system:
"In Windows NT and 2000, the registry is never backed up automatically, and in XP it is backed up only as part of the bloated and resource hogging System Restore program which cannot even be used for a "restore" should a corrupted registry prevent Windows from booting. It has also become impossible to copy the necessary files, now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM in the SYSTEM32\CONFIG folder, to another location because they are all in use by the OS. And though the registry in an NT-based Windows is less likely to become corrupted than in other versions, it can still happen, and for these cases NT is simply missing an option for easy registry backup and restore as there is in Windows 9x/Me, to get the system up and running again in no time."
The effectiveness of using System Restore to reinstate a registry depends on the existence of a restore point that is recent enough and appropriate to your needs. System Restore reinstates more than just the registry and that may not be what you want to have happen. I have found that on occasions, System Restore has not been able to restore the points that I attempted to reinstate. This is possibly due to my inappropriate use of this application. However, I feel that I cannot rely on System Restore as a guaranteed way of reinstating an earlier version of the registry and so I have disabled it (and in so doing, incidentally reclaimed a significant amount of hard drive space).
My view is that for just backing up the registry these freeware applications are a better choice than System Restore or similar applications:
3.1.5 Using ERU or ERUNT to backup and restore registries
For Windows 95, 98 and Me operating systems, a better approach than manually saving registry backups is to use the Windows utility named ERU (Emergency Recovery Utility). This freeware utility backs up the relevant files into a folder and on a drive that you specify. You can then use the associated utility ERD to reinstate backups to your hard drive. This article provides a good description of the functioning of ERU and ERD.
For Windows NT, 2000 and XP an excellent freeware application that can be used to create backups of the registry automatically or on an ad-hoc basis is ERUNT (Emergency Recovery Utility NT). This invaluable utility is the creation of Lars Hederer. This article of mine provides details about how to install and use ERUNT and to how to recover backed up registries using the associated utility ERDNT. The installation of ERUNT also installs ERDNT, copies of which are included automatically in the backup folders that ERUNT creates. For making backups of the registry I would use ERU in preference to System Restore on an XP system.
I run XP Pro on my PC. I have configured ERUNT so that it makes a registry backup each day at the time of the first boot. This requires absolutely no action on my part - it all happens automatically during the boot process. My article explains how to set this up. In addition, prior to installing any application that has any chance of making changes to my PC that I might regret later, I make an ad-hoc backup of my registry manually using ERUNT. Making such ad-hoc backups is a matter of making a few mouse clicks and typing in the name of the backup folder to be created; that all takes about 20 seconds.
Backups of registries created using ERU and ERUNT are normally written to the master hard drive in a folder located under the C:\WINDOWS\ folder, but they could be written to another device if you prefer. However, there are important benefits in putting the backups under the C:\WINDOWS\ folder because those folders would be accessible if you ever need to use the Windows Recovery Console (this is all explained below).
If you ever need to reinstate a registry saved with ERUNT, there are four ways of doing that. The ways are listed in Appendix 2.
Some users like to backup their Email address book and emails to make sure that they are not lost in the event of a problem with their PC. If you are using Outlook Express as your Email application, there is a very easy way to do all that and to reinstate saved backups. This is done using the freeware application Outlook Express Freebie Backup. This application works with all versions of Windows (I think). The backups are sent to a folder of your choice.
Of course the application can be used later to restore any backup that it created.
I do not have experience and knowledge relating to backing up stuff created by other Email applications.
One approach to backing up is to make copies of only selected folders of files or individual files that are the outputs from applications (e.g. word processing documents, spreadsheets, databases, pictures, music files, tax returns (!) and so on), but not the actual applications themselves, and not the PC's registry and other system files.
Their rationale is that if a hard drive becomes corrupt or unusable, the operating system and/or applications can be reinstalled, and then the files that comprise the products of the applications can then be reinstated from the backup. In some circumstances this can be a relatively quick and easy operation and can be an effective approach for people who use few PC applications.
However, there are disadvantages with this approach:
Copies of folders of files and individual files could be made if and when the user remembers using Windows Explorer or a substitute (and much better) freeware explorer such as Xplorer2 or PowerDesk. However, an easier method is to automate the backing up process using an application such as SyncBack (freeware), or EZback-it-up (freeware) or Second Copy (costware). SyncBack, for example has very comprehensive functionality but can be used in either "Expert" or "Easy" mode. The way it works is this:
It is very easy to make backups by "running" the profile or profiles. This is a matter of a few mouse clicks. Even simpler, you can set up a schedule for each profile so that it runs every N minutes, or runs at boot time, or once a day or once a week or at a particular time or whatever. This overcomes the problem of forgetting to make backups.
While this type of application may meet many requirements, it has some limitations and drawbacks:
There are backup approaches that overcome all the limitations and drawbacks relating to backing up only selected files or folders.
It is possible, for instance, to back up the whole master drive as a compressed "image". The image is in a format that means that the complete master drive can be recreated later from that image. The image can consist of a single large file or can be generated as a set of somewhat smaller files. I'll assume it will be saved as a single file. This file (or set of files) can be copied to another device just like any other file/s. It occupies somewhat less space that the files from which it was generated. For example, 90 Gb of files on my master drive take up only 70 Gb as a compressed image (using the Normal compression rate within Acronis True Image).
If there is space on the master drive for the image file it could be written to the master drive. However, that would mean that the image may not be accessible in the event that the master drive becomes corrupt or damaged. So it makes sense to write the image of the master drive directly to another internal or external drive or to a networked drive, or to move or copy it to another drive after creating it. If that is done you will need to have such a second drive.
Of course you also need an application that will create the backup image and (if and when required), to restore the image as a bootable drive.
If you have neither a backup drive nor an appropriate backup application, those requirements can be implemented for less than $250 (AUS). For instance, Acronis True Image costs about $80 and a big, fast, good quality hard drive (e.g. 160 Gb Maxtor "Diamond Max 10") would cost less than $110. However, unless you have a backup drive on a network, it is also desirable (but not essential) that the backup drive be detachable from the PC. If the backup drive is in a removable caddy (see below), the caddy would cost about $25. Or if the drive is in a good quality, powered and ventilated external enclosure the cost would be between $60 (USB enclosure) and $100 (Firewire enclosure).
There are a number of applications that can be used to create backup images and to reinstate the images when required. Examples are Acronis True Image and Symantec Ghost (which incorporates what used to be called Powerquest's Drive Image). Both these applications allow you to view the contents of a saved image as if it were another drive. This would be useful in the event that you have deleted some files from you master drive or they have become corrupt after the compressed image was created. The application that was used to create the compressed image can be used to access all the files in the image in an Explorer type user interface, and you can then copy any of them back to the master drive. Note that at the time of writing this article, Acronis had just released Version 9 of True Image. While the latest build of Version 8 appears to be a very stable product, I have had reports that the initial release of Version 9 may have a few bugs to be sorted out.
Creating an image of the master drive is very easy - run the application, identify what drive is to be imaged, indicate what folder on what device (hard drive, CD or DVD) the image is to be written to, select a compression ratio then hit Go. Go and have tea or a walk or join the couch potatoes for a while. True Image also allows you to choose between making a whole new image or making incremental changes to an existing image (that is, adding information that updates what was saved as a prior image).
Creating an image can usually be done in the Windows environment. It is important to close any applications that could affect the creation of the image (e.g. incoming Emails, scheduled malware scans). To ensure that does not occur I run the freeware application EndItAll2 prior to starting the creation of an image. I leave my software firewall (Zone Alarm) running because I have a permanent broadband connection.
When you first start making backup images, it is sound practice to "verify" the integrity of a few images created. This is particularly important if your backup device is in an external enclosure. I suggest that you undertake a verify operation on the first two or so images that you create so that you have complete confidence that the images created will be recoverable if/when you need to use them in the future. Applications like True Image and Drive Image include verification functionality. In addition, after creating an image, you should check to see if its contents can be accessed through the backup application's "Explore Image" functionality. This check should involve copying some of the files in the image back onto you hard drive just to make sure that the contents of the image are accessible.
Depending on the space you have for storing backup images, the frequency and magnitude of changes that you make to your applications, and the extent to which you are paranoid, there could be value in keeping more than one image. For example, you might create one image, then an additional new image say three weeks later. Then after a further three weeks delete the first image and create a new one, so that only two images are ever kept - the rolling image approach. The advantage of having two rolling images is that if the most recent image does not contain exactly what you want to recover, or if it has corruption in it of some sort, having an image made prior to that could be of some benefit. However most users would only ever keep a single image, with the prior image either being deleted or else updated using the incremental Imaging approach (if the imaging application supports that approach).
If the image is created onto CDs or DVDs, the incremental backup method is particularly useful, because the existing CDs or DVDs are maintained and only the incremental stuff is written to an additional CD or DVD.
If your master drive were ever to becomes unbootable and less radical fixes fail to correct the problem, then a saved image can be used to recreate the whole master drive with all of its contents exactly as they were at the time the image was created. Backup applications such as True Image and Drive Image/Ghost also have functionality for creating a bootable CD "rescue" of "emergency" boot CD. Using the CD you can then boot your PC into the backup application's interface and reinstate the image onto your master drive or onto another drive.
Imaging a drive can be quite fast. Using Acronis True Image on my 2.8 GHz Pentium 4 PC with two Maxtor "Diamond Max 10" drives connected to the ATA/IDE bus (ATA-100) , I can create a full backup comprising 90 Gb of files in about 35 minutes. Creating the same backup on the same drive in an external USB 2.0 High Speed enclosure takes twice as long.
The frequency with which an image is created depends on the user's needs and the frequency and magnitude of changes made to applications and data on their master drive. In view of the fact that creating a full image or an increment to an existing image only takes a short time, it is not an onerous task to do that. However, it is also possible to add uncompressed copies of selected folders and files onto the backup drive on which was written the compressed image of the whole master drive. These added folders and files would not be written into the image; they would simply be additional folders and files that are visible to any explorer application. That could be done daily or more frequently if required using an application such as Syncback. This is the process described above. This would mean that in the event of a problem with the master drive, the backup drive would contain an up to date version of just about everything of importance to the user, either in the image file or in the additional uncompressed files. This could be done on a set schedule (Syncback has scheduling functionality), or less regularly. You could, for instance, ensure that your whole My Documents folder was kept up to date on the backup drive. However, if you decide to keep copies of selected folders or files using an application such as Syncback, keep in mind that malware acquired since the clone was made might then be transferred in files that are written to the backup drive.
Most users have only one partition on their master drive. If that is your situation, skip this section.
It is possible to make a compressed image of a selected partition of the master hard drive rather than the whole drive. This is done in the same way as creating a backup of the whole drive. The contents of such images can be viewed in the same way as can the contents of whole drives.
Again, make sure to do enough verifications of any images made to give you confidence that images are being created OK.
In the event of there being a major problem with the master drive, having a compressed image of your whole master drive enables you to recreate it. For instance:
Those processes are a tad involved. There is a simpler way to achieve an outcome of a bootable drive that contains the full contents that were on the backed-up drive at the time it was backed up. This approach involves creating a "clone" of the whole master drive on a second drive, rather than making a compressed image of it. This cloning can be done through applications such as True Image, Drive Image/ Ghost, Drive2Drive (for Windows 95, 98 or Me only) or CasperXP (for XP and 2000; also includes Drive2Drive). Drive Image/Ghost uses the term "copy" rather than a "clone".
A clone is what the name suggests: after cloning, the backup drive's contents will be exactly the same as the contents on the master drive, including its boot system. Therefore your PC could be booted using the backup (clone) drive. The clone drive will have ALL the functionality of the master drive from which it was cloned (at the time of the cloning).
The master drive and the cloned drive do not need to have identical capacities. However, the backup drive needs to be at least large enough to contain all the contents of the master drive. It can also be a larger drive than the master drive. Being a clone, the space taken up by files will be the same as on the source drive - that is, there is no compression
The benefit of the cloning approach is that if the master drive becomes unbootable and simpler fixes have not been successful, the backup drive can be used to boot the PC and it can be used immediately in place of the old master drive. There is no need to unpack anything. You will need to ensure that the backup drive is seen by the PC as the primary drive that will be used to boot the PC. This may require some fiddling with jumpers on the hard drive to ensure that either "cable select" is selected (and the right drive is connected to the right cable connector) or the "master" and "slave" jumpers are set appropriately. In some PCs (e.g. ones that have a mix of parallel ATA drives and serial ATA drives), the PC's BIOS configuration may need to be set so that the backup drive is given boot precedence over any other drive in the PC. However such changes are reasonably easy to implement.
After booting into Windows, what used to be the backup drive will then be the new master drive. Once that you are CERTAIN that your new master drive is functioning perfectly, you could then run whatever diagnostic applications you might have on the drive that used to be your master drive to see if it can be fixed without the need for reformatting. If appropriate, and as a final resort, you could repartition and/or reformat that old drive. If the old drive is healthy in a mechanical sense and you wanted to use it again as the master drive, you could clone the backup drive back onto it, change the cables and/or jumpers and/or BIOS settings, and reboot using the old master drive.
As with compressed images, a limitation of the approach of cloning the whole master drive is that its contents will become out of date. However, it is possible to use an application such as Syncback to keep the contents of selected files and folders on the master drive up to date also on the backup drive. You could, for instance, ensure that your whole My Documents folder was kept up to date on the backup drive. This is similar to the process described above except that the backed up files will overwrite the equivalent files that are on the backup drive. This backing up could be done on a set schedule (Syncback has scheduling functionality), or less regularly.
However, if you decide to update selected folders or files using an application such as Syncback, keep in mind that malware acquired since the clone was made might then be transferred in files that are updated onto the cloned backup drive. Because I have a large capacity backup drive, I avoid that type of possible (albeit remote) problem by adding a full compressed image to it about every week, keeping two rolling images. That way if I ever need to, I could revert to either the original non-updated clone, or to either of two more recent images. However, this approach is really not required for most PC users.
Having created a clone of your master drive for the first time, it is worth doing a "fire drill" to make sure that the backup application works OK on your PC. So see if you can actually boot using it. Run a few applications so that you have confidence that the cloned drive has all the functionality of the parent it was cloned from. This is something that could be done the first time you create a clone - if that works OK, I would not worry about repeating it every time a clone was created.
Most users have only one partition on their master drive. If that is your situation, skip this section.
A variant of the cloning approach is to clone a partition or partitions from the master drive onto a backup drive, rather than cloning the WHOLE drive.
This approach might be useful in this type of situation:
The approach may also be useful in the event that the user has a backup drive that is not large enough to hold a clone of all the contents of the master drive.
There may be variants to this approach that suit some user's particular circumstances. However, while this approach may save time in creating the compressed images, it is not one that appeals to me because of its complexity, and because I would have to do a major reorganisation of my single-partition master drive into a multi-partition master drive.
However, if this approach or a variant appeals to you, some
of the backup applications mentioned above will facilitate
it: Drive Image/Ghost and Casper are examples of such
applications. True Image V8 does not have that
functionality.
So much for what to backup. Let's now have a look at where to put the backup/s.
Backup devices onto which backups could be written shown in Table 1, together with an assessment of their advantages and disadvantages. Explanatory notes about content with a number in parenthesis (e.g. (1) ) after it are in Appendix 3.
Target backup device
|
Advantages
|
Disadvantages
|
---|---|---|
Master hard drive (e.g. put the backed up stuff from
Drive C onto Drive C)
|
Easy Very fast No additional hardware required |
Files may be inaccessible if the master drive crashes or becomes unbootable. Backup is not totally isolated from possibility of infection by malware (1) |
Thumb Drive (aka Flash Drive, Pen Drive) |
Easy Very fast Files not lost if master drive crashes or becomes unbootable Drive can be unplugged easily so that it is then completely isolated from possibility of infection by malware |
Additional cost if drive does not already exist Small capacity Ties up an expensive device (in terms of $ per Mb) which is much more applicable for other purposes. |
Network drive |
Easy Reasonably fast if not wireless Files not lost if master drive crashes or becomes unbootable |
Backup is not completely isolated from possibility of infection by malware (1) Wireless network may be slow |
Other internal drive in stand-alone PC |
Easy Very fast Files not lost if master drive crashes or becomes unbootable. |
Backup not completely isolated from possibility of infection by malware (1) Additional cost if drive does not already exist (2) |
Drive in removeable caddy (aka "mobile rack") (9) |
Easy Very fast Files not lost if master drive crashes or becomes unbootable Drive containing backup can be removed easily so that it is then completely isolated from possibility of infection by malware Drive can be stored in a safe location or off-site If the backup is a clone of the master drive or an active primary bootable partition from the master drive, the PC can be booted directly from the drive in the caddy. (10) |
|
Drive in an external enclosure that has a Firewire interface to the PC |
Easy Reasonably fast (6) Files not lost if master drive crashes or becomes unbootable Drive containing backup can be disconnected easily so that it is then completely isolated from possibility of infection by malware Drive can be stored in a safe location or off-site If the backup is a clone of the master drive or a bootable partition from the master drive, and the PC's BIOS supports booting from a Firewire device (very few seem to be able to do that), it may be possible to boot the PC directly from the drive in the enclosure. (11) |
Cost of hardware If there is a fan in the enclosure, it could be a tad noisy (7) Most PCs are unable to boot from a backup drive in a Firewire enclosure. If the enclosure has both Firewire and USB interfaces it is possible that this disadvantage can be avoided if the PC can be booted using the drive connected as a USB device.(11), (12) |
Drive in an external enclosure that has a USB interface to the PC |
Easy Reasonably fast (6) if operating at USB 2.0 "High speed" rate Files not lost if master drive crashes or becomes unbootable Drive containing backup can be disconnected easily so that it is then completely isolated from possibility of infection by malware Drive can be stored in a safe location or off-site If the backup is a clone of the master drive or a bootable partition from the master drive, and the PC's BIOS supports booting from a USB device, it may be possible to boot the PC directly from the drive in the USB enclosure. (11) |
Cost of hardware If there is a fan in the enclosure, it could be a tad noisy (7) Slow if the drive is only working at the USB versions 1 or 1.1 rate (8) Slow if USB 2.0 sockets or cables not to USB 2.0 standard (8) Not all PCs are able to boot from a backup drive in a USB enclosure (12) |
CD, DVD
|
Fairly easy Files not lost if master drive crashes or becomes unbootable CDs/DVDs can be stored so that they are isolated from possibility of infection by malware Can be stored in a safe location or off-site |
Slow. Slow. Slow. |
The notes in Appendix 3 explain some aspects of the table.
In the best-case scenario, recovery of a corrupt or deleted data file is simply a matter of copying an earlier version of the file back onto the master drive. Hopefully, all that is involved is extraction of that file from wherever and in whatever form it was backed up. It may also be possible to recover the file from your Recycle bin.
If the Recycle bin has been emptied, then it may still be possible to recover the file by using an application such as PC Inspector File Recovery This is a freeware application which can be used to identify any files that are still recoverable even after they were deleted and erased from the recovery bin. The operation of the File Recovery application relies on the fact that when a file is deleted it remains on the hard drive and a flag is set indicating it has been deleted. When other files are saved to the hard drive, they may or may not over-write the space that had been occupied by the deleted file. Whether or not such a deleted file can be recovered depends on the extent to which the space it occupied has been over-written by files saved subsequent to its deletion.
A less welcome scenario is where you are still able to boot into Windows normal mode, but your PC is functioning slowly or erratically or closing slowly or doing other undesirable things. One or more of these steps might be tried in an attempt to recover from this situation, probably in the order shown:
An even less welcome scenario is where your PC will not boot at all into normal Windows mode, or none of the fixes listed above have worked. In that case:
The worst scenario is being unable to boot in either Windows normal mode or in Windows Safe Mode, or the fixes tried in Safe Mode have not worked. In that case you could try these fixes:
In some circumstances use of the utilities available the
through the UBCD4WIN CD or the
Windows Recovery Console environments will not lead to a
successful outcome. Some users may feel that the
processes involved in using those utilities are too
complex. If the user has created a compressed image or
a clone of the master drive onto another drive, then the
problem of not being able to boot the master drive in normal
Windows mode or Safe mode can be remedied in a relatively
straightforward way. This involves reinstating the
image or clone from the backup drive back onto the master
drive. A brief overview of how this might be done is
given in Appendix 6.
The approach that meets my needs and for which I have the right hardware and software is this:
That way, if required, I could recover any or all of the master drive's contents knowing that at worst, I will have lost a week's information. If required, I could also boot using the backup drive as the boot drive. This approach required a little expenditure for a backup drive and backup software. However it is just sooo easy to implement. Moreover, I don't have to remember what I have and have not backed up and I don't have to remember to modify any backup schedule when I add applications to my PC - I simply backup the whole master drive.
If I had been unable to implement the caddy approach (e.g. if I did not have a spare bay in my PC into which the caddy's cradle (rack) has to be installed) I would have implemented the same strategy with the backup drive being in an external USB 2 High Speed enclosure containing a fan.
In addition:
My approach may be unsuitable in terms of your needs and circumstances. However, whatever your situation, give consideration to these recommendations :
The final suggestion about making backups: as they say about voting "do it early and often".
Mike Boesen
9 October 2005
The Windows SFC (System File Checker) will run on Windows 98, XP Home, XP Pro.
To run SFC on a Windows 98 system:
If SFC determines that a Windows 98 system file needs to be replaced you will be asked to insert your Windows 98 installation CD. If you are running Windows 98 SP1, use the SP1 installation CD.
Instructions for running SFC on an XP system are provided in this article. If SFC determines that an XP system file needs to be replaced, it will ask you to insert the XP installation CD. If you have updated your XP system to an SP2 level but do not have an installation CD that incorporates the SP2 version of XP (i.e. you have separate SP1 and SP2 CDs), you will need your original XP CD plus the SP2 update CD. Some people have had problems with SFC not being able to find the SP2 CD. The article suggests workarounds for such problems.
I have used SFC in two ways without any problems at all on my XP Pro system:
In running SFC on my XP Pro system I use a procedure that runs much faster than running SFC and accessing the XP CD or CDs. You may wish to try it:
1. If you have an installation CD for XP with SP2 incorporated, go to step 4.
2. If you have an XP SP1 CD and an SP2 update CD, create a slipstreamed ISO format file using using Autostreamer. The version of Autostreamer that I used was 1.0.33. It combines the stuff from the two CDs into one ISO file. (An ISO file is an image of a CD.)
3. Use you favourite CD/DVD writing application to create a CD from the ISO file. This CD is equivalent to the CD for XP with SP2 incorporated. You can now put your your XP SP1 CD and the SP2 update CD in a safe place - in future simply use the slipstreamed CD whenever you need to use an XP installation CD.
4. The files that SFC accesses on the CD or CDs when it is running its checking process are located in a folder named \i386\ Therefore copy the folder \i386\ from the CD referred to in step 1 or step 3 onto your C: drive as C:\i386\
5. Using your favourite registry editor (e.g. Reg Edit), find these registry entries:
HK_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HK_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
6. Write down the values shown for these entries in case you want to revert back to them later (I did not need to do that). You will probably find that the present values indicate the drive letter of your CD or DVD drive. If you leave the stuff in the C:\i386\ folder (see step 4) on your drive (recommended), there will be no need to revert. This is because after you make the changes in step 7, when XP looks for files that it knows are in a \i386\ folder somewhere, it will now look in the folder C:\i386\ and therefore will not try to find it on a CD.
7. Change the values for BOTH registry entries to to "C:\ " (without the quotes, and DO NOT type in C:\i386\)
8. Save the changes to the registry and reboot
9. After you PC has booted, hit Start, Run, and in the "Open:" panel type "SFC /SCANNOW" (without quotes) and then hit return.
The SFC utility should now run without requesting the insertion of any CD. It will run MUCH faster than it would it it had to access files from an \i386\ folder on a CD. At the end of its run, you will not get any report - the SFC dialog box simply disappears. If any changes are required, SFC will make them without telling you. This lack of feedback is not nice.
There are four options for using ERDNT to reinstate a backed up registry that was created by ERUNT:
These four options are explained in Lars Hederer's README.TXT file that is installed on your PC when you install ERUNT. In my article I also explain the options and describe how to limit the number of automatically created Registry backups to a number of your choice.
The use of ERUNT has saved my bacon on quite a number of occasions. On some of those occasions, I have been unable to get into Windows normally or in Safe mode, and the UBCD4Win CD has been of tremendous value on those occasions.
Backing up stuff from the master drive onto the master drive is not the best strategy because in the event that the master drive is unbootable, you may not be able to get access to the backup image. In addition, the backup could possible be accessible by malware. A better option is to backup to another drive installed in the PC, or on a drive in another PC that is networked. However, backups on such other drives that are permanently running in a PC or on a network might possibly be also accessible by malware. While this may have a very low probability, an alternative approach that guarantees isolation from malware is to backup to a device that can be unattached from the PC after the backup is made. Such devices are thumb drives, drives in USB and Firewire enclosures, drives in removable caddies, and CDs or DVDs.
2. Cost of an additional drive
The cost of hard drives continues to fall. Currently (October 2005) a good quality 160 Gb 7,200 rpm parallel IDE/Ultra ATA 133 drive would be about $110 (AUS).
3. Cost for a drive in a removable caddy
In addition to the cost for a drive to put in a removable caddy, a caddy and the cradle (aka "rack") into which the caddy is inserted would cost about $25 (AUS). The cradle needs to be mounted in a bay of the same type as the bay that holds your CD or DVD drive. This is as easy as installing a CD or DVD drive. These caddy and cradle setups are referred to by different names, such as "mobile rack". The mobile component is the caddy that contains the hard drive. The caddy can be slid in and out of the cradle or rack which is permanently mounted in the PC.
4. Fan in caddy's cradle could be noisy
To ensure that there is a cooling airflow over a drive inside a caddy, the caddy or the cradle (aka "rack")should have at least one fan. This is particularly important for modern, fast (7,200 rpm) drives because they get very warm in enclosed spaces. In some caddy setups, because the fan/s have to be small, it/they may be a tad noisy, especially if the PC is on the desk close to your ear.
Some caddy setups have three small fans - two in the cradle and one in the caddy. I don't like those at all because of the noise. In any case, I think that one fan in the cradle is quite sufficient, providing that:
- The PC case has an adequate hot air exhaust system. Ideally this should be accomplished through a good exhaust case fan as a supplement to the fan in the power supply unit. PCs that have a lot of heat producing components may also require a good intake case fan which sucks air into the PC's innards.
- The structure of the cradle and caddy is such that air is forced to flow from the outside the front of the PC case, into the front of the caddy, across the drive and out the back of the cradle into the PCs case's innards. Some caddy units are not designed properly to ensure that happens. "Laser" brand caddies are very well designed in terms of maximising the effectiveness of airflow.
The cradle fan will be on all the time even if the caddy is not inserted. In my cradles I have added a micro switch so that the cradle fan only comes on when the caddy is fully inserted. Hence, there is no fan noise at all when the caddy is not inserted. This article provides details.
3. Mating of caddy socket and cradle plug
In some caddy arrangements I have seen, the caddy seemed to slip into the cradle with very little insertion force being applied and that was of concern to me. The caddy has a 50-land Centronics style socket that mates with a 50-land Centronics style plug in the cradle. My preference is for the caddy's socket to mate with the cradle's plug only after a bit of pressure plus a nice "thunk" indicating that the mating has been effected and the lands in the plug and socket are in firm contact. Therefore, for the sockets on all my (3) caddies, I raise the profile of the lands (flat bent springy metal strips) very slightly (about 0.3 mm). The high-tech instrument I use to do that is a number 9 darning needle carefully inserted under each land in turn. Takes about 5 minutes for this operation. This article provides details.
6. Speed of Firewire and USB 2 drives
Making backups or clones to a drive in a Firewire or USB enclosure will take considerably more time than it takes for the same drive mounted internally or in a caddy. In my experience, backing up to a drive in an external High Speed rated USB 2.0 enclosure takes about twice as long as a backup made to an internal drive or a drive in a caddy. I understand that Firewire enclosures are a tad faster than High Speed USB 2.0 enclosures, although not by much.
You can buy an enclosure that has both USB and Firewire interfaces. However, the cost is higher for this dual interface. It MAY be possible for your PC to boot from a drive attached via USB - check the BIOS options. However, I'm not aware of motherboards with a BIOS that facilitates booting using a Firewire-connected drive.
Modern fast drives get quite warm in enclosed spaces. Therefore if the drive is in a USB or Firewire enclosure it is advisable that the enclosure has an exhaust fan. The temperature of a drive in an external enclosure cannot be monitored via SMART, so it might be cooking without you ever knowing. Once you finish a backup operation, you can disconnect the external enclosure and turn it off - all the fan noise then miraculously disappears!
8. Speed problems with USB drives
A drive in an external USB enclosure will operate VERY slowly if any of the following conditions apply:
- the USB enclosure does not have USB 2.0 "high speed" firmware, or
- the USB cables and sockets used to connect with the PC are not to USB 2.0 "high speed" specifications, or
- the PC's BIOS is not configured for USB 2.0 "high speed" operation, or
- there is no "high speed" or "enhanced" USB device driver visible in Device Manager
More details about these matters can be found in this article which I wrote about USB sockets and cables.
The term "hard drive caddy" refers to a hardware device that has two components: (a) a cradle (or "rack") that is installed in one of the PC's CD or DVD drive bays, and (b) a caddy that can be inserted into and extracted from the cradle.
The cradle is connected inside the PC case to power and to either the parallel IDE/ATA (PATA) interface in the same way as a CD drive or DVD drive, or to the serial ATA (SATA) interface. Most caddy arrangements are of the parallel variety.
A hard drive is placed in the caddy. The caddy has a Centronics style socket at its rear that mates with a Centronics style plug at the rear of the cradle. This socket/plug connection provides power and the PATA or SATA interface lines to the hard drive. The PATA version is available with 80-pin Ultra ATA cabling.
10. Booting from a backup drive in a caddyIf the backup drive is in a removable caddy and contains a clone of the whole master drive or has an active primary bootable partition cloned from the master drive, then that drive can be used to boot the PC if it is inserted into the cradle before switching on the PC. However, you will need to ensure that the drive will be recognised as the boot drive.
This may require some fiddling with jumpers on the hard drive to ensure that either "cable select" is selected (and the right drive is connected to the right cable connector) or the "master" and "slave" jumpers are set appropriately.
In some PCs (e.g. ones that have a mix of parallel ATA drives and serial ATA drives), the PC's BIOS configuration may need to be set set so that the drive in the caddy is given boot precedence over any other drive in the PC. Having a mix of parallel and serial ATA drives can be a pain. The speed gains for serial ATA drive is marginal at best and my advice is to stick with parallel ATA drives.
11. Booting from a drive in an external enclosureIf the backup drive is in an external enclosure (USB or Firewire or dual USB/Firewire) and contains a clone of the whole master drive or has an active primary bootable partition cloned from the master drive, it may be possible to boot your PC from that drive in its enclosure instead of booting using the master drive. Note that:
- If the backup drive is in an external Firewire-only enclosure, and the PC's BIOS does not support booting from a Firewire-connected device, the drive would need to be removed from the enclosure and connected to an internal power cable and drive cable in your PC. Most PCs will NOT support booting from a Firewire device.
- If the backup drive is in an external USB-only enclosure, or an external enclosure that has dual USB and Firewire interfaces, and the PC's BIOS can be configured to boot using a USB-connected device, then the PC could be booted from the drive as a USB device without removing it from the enclosure. If the PC's BIOS can NOT be so configured then the drive will need to be removed from the enclosure and connected to an internal power cable and drive cable in your PC. Many PCs will NOT support booting from a USB device.
12. Booting from a drive on the USB interface
The fact that a PC's BIOS indicates that it will boot from a bootable drive in a USB device may not be totally dependable. My ASUS PC's BIOS indicates that it can boot from a USB device. While my USB enclosure functions perfectly as a read/write USB device, I cannot get it to boot as a hard drive - it gets to the Windows splash screen then reboots. The same hard drive can be used to boot the PC when it is in a caddy or if it is connected directly to the ATA (aka IDE) cabling.
This failure as a boot drive when in the enclosure may be a problem with the particular USB chipset that is in my Shintaro enclosure: Genesys Logic GL811E. I have noted complaints about particular makes of USB chipsets on some forums (but not for the GL811E). However, the information about what are good and what are inadequate chipsets is sparse and scrappy, so knowing what USB chipset is used in an enclosure is not helpful. It's a matter of trying after buying. The fallback procedure is to remove the drive from the USB enclosure and connect it to the ATA cabling inside the PC or swap it for your master drive.
When you are in Windows normal mode or safe mode, to run CHKDSK say, for your C drive:
The "/R" option will repair any errors automatically. If you don't want errors repaired but only reported, leave out the "/R" bit.
CHKDSK will undertake a faster but less comprehensive check if you replace "/R" with "/F"
CHKDSK can also be run within the UBCD4WIN environment and in the Windows Recovery Console.
If the backup was saved as a compressed image, then:
If the backup was created as clone of the master drive:
An image or clone that has been reinstated in one of those ways may be a bit out of date. If you had saved up to date copies of say, recent documents or databases or data files onto the backup drive or onto CD or DVD, they could then be reinstated on your refreshed master drive.
The Ultimate Boot CD for Windows (UBCD4WIN) is a bootable CD that can be used to boot your computer into a Windows type environment. It is incorporates functionality of another boot CD - the Bart PE CD. However it has more open source applications available to the user.
Once made, the CD can be used to boot your computer into a Windows type environment. All the functionality of the environment and its utilities are contained on the CD - no functionality is drawn from the operating system or applications that are on the hard drive. While the CD has to be made on a PC that has a Windows XP operating system, once made it appears to be able to boot any Windows PC, irrespective of what operating system is installed on that PC.
This CD is created in much the same way as the Bart PE CD, but with the Bart PE applications ("plugins" - that is, utilities) being replaced by another larger set. There are utilities on the CD that would enable these and other processes to be undertaken:
UBCD4WIN will handle network drives. Unlike the Windows Recovery Console, the UBCD4WIN environment provides full access to all files and folders on all the hard drives in a PC or on a network.
A very complete set of step by step instructions for making
the UBCD4WIN CD are here.