System Image and MBR

[mjf]

I've looked and cannot find an answer.
When restoring a Windows system image:

(1) Does the MBR (first 512 bytes) get saved when the image is made and restored?

(2) Do partitions get replaced in exactly the same position when restored to a new disk?

 

[gregrocker]

Yes the System MBR is copied with the image, which is why if the System drive is another one besides Win7 it will require you to include that drive in image. In that case the placement on the disk(s) is the same.

If only the WIn7 partition amongst others is selected for reimaging, it may provide you with options to place it where you want, otherwise you can do so after reimaging using free Partition Wizard bootable CD which can Resize, Move and Copy partitions wherever you want, although this sometimes requires repairing the MBR with Startup Repair from DVD.

Some users prefer using free Macrium Reflect or Paragon Backup 10 because they offer more reimaging options. The paid choices like Acronis and Norton offer even more but not enough that I'd spend the money.

 

[mjf]

But the MBR is not part of the system reserved active partition (the little 100MB partition when seperate from the OS boot partition). The MBR is fixed in place on the first 512 bytes of the boot device (1st sector of HDD).
It contains the tiny IPL (Initial Program loader) that the Bios uses as well as the partition tables. The active partition location is pulled from the partition table in the MBR and control is passed over to the boot manager in the system reserved active partition which uses the BCD (Boot configuration data) to locate the final boot partition.

At least this is my understanding. So the MBR and correct locations of the system reserved partition (if you have the little separate 100M one) and boot partition all have to be correct for things to work.
Hence my question.

 

[gregrocker]

Yes, that boot sector of the HD is known as the El Torito sector because it's concept was sketched on a napkin over lunch by engineers at a Silicon Valley El Torito restaurant.

You are right that we fall too deeply into shorthand about "rewriting" and "moving" the MBR when we are only updating code to the boot sector. The only thing that might move is the System flag.

But most who come here for help are looking for easy answers and automated solutions, so we try to keep it simple but not stupid.

 

[mjf]

Greg G,
No offence intended - I'm just trying to figure it out.
And you certainly do provide an enormous amount of helpfull advice.

 

[gregrocker]

There are numerous methods on the web to copy the MBR and some imaging programs offer that option while others have it built in. I assume Win7 does because it starts up when reimaged.

I haven't had to deal with copying MBR because what we do here a lot is help fix MBR's to start Win7. The standard methods using bootrec, bootsect commands are all automated in Win7 Startup Repair.

So we just make sure the correct partition is marked Active and then advise to to run Startup Repair up to 3 separate times, which is often how many times it takes to run its many tests and then decide to repair or rewrite the MBR.

 

[Bare Foot Kid]

Hello guys.



I'm not sure this is exactaly what you are talking about but the "System Reserved" partition can be created anywhere and it will work as intended.

I had all this sorted when I was writing this tutorial at the link below but over-all it's too involved a process to include in the tutorial so I left it out.

Dual Boot : Create Partitions Using PWBD

click to enlarge

​

 

[mjf]

I've looked and cannot find an answer.
When restoring a Windows system image:

(1) Does the MBR (first 512 bytes) get saved when the image is made and restored?

(2) Do partitions get replaced in exactly the same position when restored to a new disk?

For any subsequent searches on the topic and the benefit of others. I believe the answers are
(1) Yes
(2) Yes

I just went through the exercise.
New 1TB HDD out of the bag;
Old HDD out new HDD plugged in;
Boot from repair disk and image restored (Windows imaging) and system automatically booted.
MBR (including disk signature) same as when imaged. Partitions in the same place.
All third party applications appear to running as before.
That's it. (Hopefully).

 

[Bare Foot Kid]

Hello again.





Glad it seems you have it sorted and thanks for the info.

 

[Scoop]

Hi all,

From reading this thread (great info as always here ) I think this is answered but I had this post ready before finding this thread so I'll post it to see if I have the right idea about this:

------------------------------------------------------------------------------------------------------------------------

I'm a routine cloner and I also run periodic full-disk images. I've been reading about this subject recently:

1) Will a removal of the partitions completely remove all previous malware/virus objects on a HDD?

I've been affected a couple of times the past couple of years with malware/virus but recovered fast with my cloned HDD that I keep on the shelf. After I was running on my replacement HDD for a while, I deleted the partitions on the infected HDD, reformatted, and re-cloned back to it. The newly-cloned HDD tested ok, booted up, etc. I returned the HDD to the shelf for my next spare. In both instances, a removal of the partitions and a reformat removed the malicious objects.

The question I have is regarding to the MBR and its location on a standard (no customized install options) Windows 7 HDD.

I'm running Windows 7 x64 Home Premium with a standard install with the 2 common partitions, the "System Reserved" partition and the main partition.

The question that I have is, where does the MBR reside on a Windows 7 standard-install HDD? Until recently, I had thought that all boot objects, MBR, Boot Mgr, etc, were located within the 100Mb "System Reservd" partition.

I've since read articles that seem to indicate that the MBR isn't located in any partition. It's located in the first sector of the HDD, "sector 0", whereas the first partition in a standard Windows 7 HDD starts at Sector 2048.

If I have this part right, that means that if the user removes all partitions on the HDD, the original MBR is still present on the HDD, and, if infected with a rootkit in the MBR sector, that also remains on the HDD.

Is that right?

If so, I'm assuming that a complete disk wipe, using "DBAN" or another HDD wipe tool, would remove all traces of any remaining malicious objects residing in the MBR, which would then allow the user to reformat and use the HDD for a cloned spare, restoring it into one's backup use.



2) From reading this thread and a couple others at this forum, my understanding is that cloning and full-disk imaging (where any "include the MBR", etc box is ticked during the imaging setup process) will include the MBR.

That would seem so, since I've test-recovered several full-disk images with Macruim (free) and Acronis 2011 and they've all booted into Windows without problems.