Category Archives: Backup/Restore

Windows Resiliency Initiative Includes Quick Machine Recovery

It’s that time of year again, when MS meetings and conferences — Ignite 2024, in this case — heat things up with future promises and new idea campaigns. Yesterday’s Windows Experience Blog from David Weston (MS VP Enterprise & OS Security) is a case in point. Entitled Windows security and resiliency: Protecting your business, it asserts that a new Windows Resiliency Initiative includes Quick Machine Recovery as a key capability. Very interesting!

Explaining Windows Resiliency Initiative Includes Quick Machine Recovery

This new initiative “takes four areas of focus” as its goal — namely (all bullet points quoted verbatim from the afore-linked blog post, except for my [bracketed] commentary):

  • Strengthen reliability based on learnings from the incident we saw in July. [Crowdstrike kernel mode error took down 8.5M Windows PCs.]
  • Enabling more apps and users to run without admin privileges.
  • Stronger controls for what apps and drivers are allowed to run.
  • Improved identity protection to prevent phishing attacks.

The first and arguably most impactful preceding item is what led MS to its announcement of Quick Machine Recovery. Here’s how Weston explains it:

This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC. This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past. Quick Machine Recovery will be available to the Windows Insider Program community in early 2025.

In other words, this new feature should enable what savvy administrators had to do using OOB access to affected machines via KVMs smart enough to bootstrap machines otherwise unable to boot.

Great Addition: How’s the Execution?

IMO this is something MS should’ve built into Windows long ago. I’m curious to see how (and how well) it works. I’m also curious to see if it will be available for Windows 10 as well as 11. Only time will tell, but I’ll be all over this when it hits Insider Builds early next year. Good stuff — I hope!!


Macrium X Next Migration Step: P360 Ultra

As I manage my small fleet of desktops and laptops lately, I’ve been slowly but surely updating Macrium Reflect. I’m transitioning from version 8 to version X (as in Roman Numeral 10). At this point, I’ve allocated 5 of my 8 licenses for X. Today’s effort for my Macrium X next migration step: P360 Ultra switches a temporary 8 preview version out for the “real thing.”

Taking Macrium X Next Migration Step: P360 Ultra

“What is involved in upgrading” one might ask? I just did one. Now, I can say it requires getting the configuration and schedule right. On the P360 Ultra that meant:

  • switching from a no-longer-attached USB4 NVMe enclosure to an older mSATA NVMe that stays constantly plugged in.
  • Defining a daily backup task, to see how that works out in this situation.

Total time and effort required: about 8 minutes, most of which went to accessing my Macrium Reflect login to grab a 5th license to take the upgrade/install process to completion.

Here’s where things get interesting: Macrium X is a LOT faster than Macrium 8. Even on a 10-year-old Samsung EVO 500GB mSATA SSD, X reported whopping I/O performance of: 25.7 Gb/s read and 2.7 Gb/s write. Total elapsed time for the backup was 2:13. And that backup image occupies about 32.8 GB on the EVO500 (D:) drive, as you can see in the lead-in graphic. It’s at least 2:00 faster than version 8.

This has been my experience on all the PCs I’ve upgraded so far. It’s also been blazing fast on new installs on a trio of Copilot+ PCs (two ARM Snapdragons and one Intel Aura model). That provides a sweet reward for the time and effort involved in moving on up to that new version. Good job, Macrium Reflect developer team!!


Macrium Reflect X Rocks

I’ve known about this for a couple of months, but until last week I was under embargo, as they say in trade press lingo. Macrium Reflect X (version 10, so it’s a Roman numeral) went public on October 8, so now I can talk. Reflect X not only backs up ARM PCs — the lead-in graphic comes from my Lenovo ThinkPad T14s Gen 6 Copilot+ PC — it does so swiftly and surely. As you can see it created a 47.24GB full disk image backup in under two minutes (1:51). But there’s more…

Why Say: Macrium Reflect X Rocks

It’s not just way speedy (it would be two to four minutes faster than version 8 for the same setup on a Wintel PC), it’s also got other things going in its favor as well. ARM support is a big deal (it’s one of a very few tools that offers scalable backup for ARM CPUs). But Macrium Reflect X also offers:

  • Resumable imaging: Even after interruptions, image backup can pick up where it left off, with no data or time losses.
  • Open-source file formats: Reflect has published specifications for its .mrimgx and .mrbakx file formats so other programs can use them.
  • Enhanced filtering: Reflect X can ignore files (e.g. contents of the Temp directory, caches, and other transient items that don’t need backing up) to reduce backup size and speed image capture time.
  • Improved compression and backup optimization techniques (see this video for a backup that goes from over 8 minutes for version 8 to under 2 minutes for version X).

Reflect X Does Come at a Cost

With this latest release, Paramount Software (the company behind Macrium Reflect) has changed its licensing approach. It’s moved over from perpetual licenses plus annual maintenance fees to a pure annual subscription model. Because I had 8 licenses (4 from a 4-pack perpetual license, 4 more from a version 8 subscription purchased last year) my upgrade costs to get into Version X were right around US$200 (approximately US$25 per license per year).

I think that’s a reasonable price, but understand that new buyers won’t get as good a deal. That said, the company runs occasional specials wherein they drop list prices anywhere from 25 to 50%. Best to keep an eye out for such, if you’re planning on getting into the latest Macrium Reflect X version. IMO, it’s completely worth it, and very much the best backup/restore/repair option available for Windows PCs. You can check out a free trial for 30 days.


Considering USB4 External Media

It’s a classic trade-off in more ways than one: cost versus speed. I’m prepping for an AskWoody story about external media on Windows PCs. For me, the big trade-off when considering USB4 external media is higher prices for higher performance. “How much higher?” you ask: that’s what I’m in the process of figuring out right now.

Whole Device Chain Counts When Considering USB4 External Media

Every step in the device chain counts when going for the speediest external Windows media. The starting point from the PC end is the USB port itself. Ideally, it should be USB4 or Thunderbolt 3/4, and support 40 Gbps throughput. Next comes the cable: it should be labeled USB4, Thunderbolt 3 or 4, or 40 Gbps. Next comes the storage device. For me, that mostly means an enclosure housing an NVMe SSD. That enclosure should be USB4 or Thunderbolt 3/4, and the NVMe should be Gen 3 (PCIe x3) or higher.

At every step you pay more to attain the current pinnacle of performance. (I’ve not yet seen any 80 Gbps devices, but they’re coming. Copilot tells me Intel’s 14th Gen HX-series mobile CPUs “are starting to support this technology.”) A quick search at Amazon tells me you can’t buy USB5 cables, docks, and so forth yet. My best guess: we’re looking well into 2025 before it goes mainstream.

Right now, the jump from USB 3.2 Gen 2 (10 Gbps) to USB4 (and TB 3/4 equivalents) is getting cheaper, but still costs. You’ll pay US$46 for the cheapest USB4 M.2 enclosures right now (more like US$75 and up for other options). That’s double the cost — or more — of USB 3.2 Gen 1 devices (UASP: see below). Cables cost US$2 to $10 more for faster varieties, which isn’t too punitive. You can’t take advantage of anything faster than Gen 3 NVMes. Thus, you can buy 1 TB for US$55-80, and 2 TB for US$93-130 or so.

The “big spring” comes from the cost of either buying (for laptops and so forth) or installing (for desktops with open PCIe slots, and ASUS is the only vendor I can find who makes one for US$126) to gain a USB4 40 Gbps port to plug into. My testing so far shows this DOES make a difference, and often offers better performance than older and rarer Thunderbolt 3 or 4 capable USB-C ports.

For Me, Backup Is the Killer App

I’m always messing with PCs, so I need to back up frequently in case I shoot myself in the foot and have to replace a mangled installation. It happens to me at least 1-2 times a week in my testing and research, so this is no joke. I find the cost of USB4 external storage worthwhile because it drops the time to make a complete image backup into the 2-4 minute range. It takes anywhere from 7-24 minutes to back up to UASP-capable external storage. This equates to USB 3.2 Gen 2 10 Gbps capability. It shows up with max read/write speeds in CrystalDiskMark in a range from 1000-1100 MBps.

If you look at the lead-in graphic, which comes from NirSoft’s USBdeview, you can see it references the UASPStore.sys driver and service. I’ve actually found this to be a clearer way to recognize when a USB 3.x port can provide somewhat higher speeds. If your USB 3.x ports are older (and slower) they’ll usually show a USBstor.sys driver instead (and max speeds in CrystalDiskMark in the 400-500 MBps range).

You pays your money, and you takes your chances. That’s how things go with external USB-attached Windows storage — and much else in life!

 


Restored P16 Needs PowerShell Catch-up

Here’s something I’d never noticed before. If you’ve read yesterday’s blog post, you already know I ended up restoring the ThinkPad P16 yesterday after ascertaining Windows 11 backup fails to deposit a list of removed applications following “Reset this PC.” What I didn’t know then, but I know now, is that the restored P16 needs PowerShell catch-up to finish the job. Let me explain…

Why Say: Restored P16 Needs PowerShell Catch-up?

Imagine my surprise when running PowerShell on the restored P16 this morning, to see version 5.1 come up as the default. Then, imagine my further surprise to observe:

  • No version 7.4.5 present on the install
  • Windows Terminal NOT selected as default terminal app
  • No OhMyPosh present to gussy up the WinTerm UI
  • No other PS customizations present: e.g. WinFetch (as shown in the lead-in graphic to give PS something to display)

All this is, of course, easily fixed. And it took me less than 5 minutes to take care of all this stuff. But I learned a valuable lesson, one that I’ll take to heart going forward. It is: even an incredibly fast and convenient image restore using Macrium Reflect doesn’t completely restore absolutely everything. When invoked as a cure-all or a way to recover from a (failed) experiment, there’s still some clean-up needed.

Plus ça Change

I have to observe in this context that the same is true for an in-place repair install (aka IPRI). Once it’s done, one must re-set File Explorer Options and a few other odds’n’ends that the Windows Installer resets during its OS replacement operations. The more things change, the more they stay the same!

Here in Windows-World, it’s always something. Today, it’s understanding that an image restore may not completely put PowerShell back where it came from. I wonder: what will it be tomorrow?


Windows 11 Backup Request

I have a modest request to make of Microsoft, where Windows 11 is concerned. Its new-to-11 Windows Backup facility uses Reset this PC as the basis for a new Windows image. It then rejiggers the Start Menu to show you which apps and applications need to be reinstalled. Hence my Windows 11 backup request. I see no file on the desktop or in the User’s folder hierarchy somewhere that lists “missing” stuff.

What About My Windows 11 Backup Request?

According to Answers.Microsoft.com, something like this may be available in a file named removedapps.html. Or perhaps “Removed apps.html” (with an internal space). If so, one could parse this data in PowerShell. Then, WinGet could reinstall most such things. (WinGet says it knows about 6,575 packages as I write this blog via (winget search --source winget "").count.)
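One way the parse-then-WinGet idea above could look in PowerShell, as an added example that is not code from this post or from Microsoft. It assumes the file, if it exists, is an HTML table whose first cell in each row is the app name; that layout, the function names and the sample rows are assumptions. It only searches WinGet instead of installing, because a loose name match can resolve to the wrong package.

```powershell
# Added example. File names come from the post; the table layout is an assumption.

function Get-RemovedAppName {
    param([Parameter(Mandatory)][string]$Html)
    foreach ($row in [regex]::Matches($Html, '(?is)<tr\b[^>]*>(.*?)</tr>')) {
        # Assumption: the first <td> of each row holds the app's display name.
        $cell = [regex]::Match($row.Groups[1].Value, '(?is)<td\b[^>]*>(.*?)</td>')
        if (-not $cell.Success) { continue }        # header rows built from <th> are skipped
        $text = $cell.Groups[1].Value -replace '<[^>]+>', ''   # drop nested tags such as <a>
        $text = [System.Net.WebUtility]::HtmlDecode($text).Trim()
        if ($text) { $text }
    }
}

function Find-WinGetCandidate {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        # Search only. Review the hits by hand, then install by exact package ID.
        $out = winget search --name $n --source winget --accept-source-agreements 2>&1
        [pscustomobject]@{
            App    = $n
            Found  = ($LASTEXITCODE -eq 0)          # non-zero exit: no package matched
            Output = ($out | Out-String).Trim()
        }
    }
}

# Constructed sample, used only when neither candidate file is on the desktop.
$sample = @'
<html><body><table>
<tr><th>Application name</th><th>Publisher</th><th>Version</th></tr>
<tr><td><a href="https://example.invalid/">7-Zip</a></td><td>Igor Pavlov</td><td>24.08</td></tr>
<tr><td>Notepad++</td><td>Notepad++ Team</td><td>8.6.9</td></tr>
<tr><td>Example Backup &amp; Restore Tool</td><td>Example Corp</td><td>1.0</td></tr>
</table></body></html>
'@

$desktop = [Environment]::GetFolderPath('Desktop')
$file = 'removedapps.html', 'Removed apps.html' |
    ForEach-Object { Join-Path $desktop $_ } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1

$html = if ($file) { Get-Content -LiteralPath $file -Raw } else { $sample }
$apps = @(Get-RemovedAppName -Html $html | Sort-Object -Unique)
'{0} app name(s) parsed from {1}' -f $apps.Count, $(if ($file) { $file } else { 'constructed sample' })

if ($apps.Count -and (Get-Command winget -ErrorAction SilentlyContinue)) {
    Find-WinGetCandidate -Name $apps | Format-List App, Found, Output
}
```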

I’ve just made a Macrium Reflect image backup of a test PC, and I’m now going to restore that PC using Windows Backup. I’ll see if an html file shows up in the desktop (or somewhere else: e.g. windows.old) afterward. Let’s see…

Further Ruminations on Removed Apps

Turns out that when you go into this process, Reset this PC shows you the list of apps that need to be reinstalled. It also states “This list of apps will be saved to the desktop after reset.” That should do it.

List shows first 11 of 26 items, but does NOT allow text copy.

Just for safety’s sake, I screen-grabbed all items since this window doesn’t support text grab of the list contents. Good thing I did: when the machine booted, I could not find a file anywhere on the system that matched the string search “remo*app*.html” anywhere. Just for grins I also searched on *.html to look for all files dated today (September 9). Nothing relevant to removed apps there, either.

When in Doubt, Restore the Macrium Image

I eventually got back to where I started by disabling secure boot, booting into the Macrium Rescue media, then restoring the backup I made just before starting down this path. Note: my PC wouldn’t boot from Macrium Rescue media unless I undid secure boot. Hey MS! Please fix this apps list issue: it makes Windows 11 Backup much less attractive or workable the way things currently stand.

The eventual part came from having to figure out I needed to turn off Device Guard before Secure Boot could itself be turned off. Then I had to steer around BitLocker stuff (a key is necessary before you can read an encrypted drive like the P16’s: I didn’t care because I was going to rewrite the whole shebang anyway). Then I had to wait for the backup to complete, go back and turn Secure Boot and Device Guard back on, enter the recovery key, and resume. Sheesh! A lot of time and effort to find out if Windows 11 Backup writes an app list to the desktop (or elsewhere). Too bad it does not…as far as I can tell.


CVE-2024-6768 Exposes Scary Windows Vulnerability

In reading through my usual Windows news and info sources this morning I came across a scary notification at MS Power User. The named item is from the National Vulnerability Database. CVE-2024-6768 — which makes it item 6,768 for 2024 — comes with scary implications. It’s been reported in some form since last February. It attacks by altering meta-data for Windows base log files (BLFs) and can cause doom loops like those recently experienced from a Crowdstrike update last month. Thus, CVE-2024-6768 exposes scary Windows vulnerability that is hard to fend off and tricky to repair.

BLF Alteration in CVE-2024-6768 Exposes Scary Windows Vulnerability

A base log file (BLF) sits at the heart of the Windows Common Log File System (aka CLFS). As MS Learn’s “Creating a Log File” article begins, it says:

Before you can use CLFS, you must create a log file using the CreateLogFile function. A log file is made up of a base log file that contains metadata, and a number of containers that hold the actual data. On any local file system, containers can be in one or more separate files; on NTFS, containers can be in one or more streams within a file.

The BLF contains key information that describes the associated containers for log data. If the BLF is wrong, the log won’t make sense and cannot be read. This doesn’t sound like a big deal, but it is. Let me explain further…

Several Interesting Copilot Responses…

When asked to describe BLF files, Copilot notes how they’re used:

Usage: These files are crucial for maintaining system stability and integrity. They help manage user-level registry information and other system-level data. For example, the Windows component that writes user-level registry information to the NTUSER.DAT file uses CLFS logging, which involves BLF files.

Indeed it seems that CVE-2024-6768 wreaks havoc by breaking the base log handler with a bogus “size of data field” value. This kind of error triggers a BugCheck error, and in turn provokes a BSOD.

Further investigation shows that any time a registry change occurs BLF files get updated. They are also essential to system boot-up, application installation and update, as well as system update. To get more details ask Copilot: “When do Windows base log files get written, and when do they get read?” You’ll see what I mean right away.

What Does the Future Hold?

The Fortra release note for this vulnerability shows its history, while a companion research note shows more details. So far, MS has yet to respond. Other than research work, I see no evidence of successful exploits in the wild. That said, this kind of attack is nearly impossible to fix without knowing the exact details of the registry values changed to mung some (or more) specific .BLF file(s).

IMO, this means the only real protection is a recent image backup that will replace the altered Windows image with a known, good working copy. Stuff like this is why I keep such things handy, and make one at least daily. This could get interesting…stay tuned!


Macrium Reflect Update Ructions

I’m feeling a bit out of sorts this morning. I’ve just finished updating the mostly excellent Macrium Reflect backup/restore software on my production PC. Because I use Reflect on numerous PCs here at Chez Tittel, I sometimes get bollixed keeping track of what’s what. Reflect got an update on May 14 (release notes). I’ve been catching up here since returning from vakay last Monday. Along the way, I’ve encountered what I have to call Macrium Reflect update ructions. Let me explain…

What’s Causing Macrium Reflect Update Ructions?

Macrium Reflect (which I’ll abbreviate as MR going forward) is good about announcing updates, and warning users to install them. Every now and then, though, one of its updates requires users to reboot the PC after it’s done. I understand perfectly well this means they’ve made changes in code that hooks into the OS. A reboot lets those hooks get detached from old running stuff and re-plumbed into its new replacements. Perfectly sensible.

But what irks me is that their release notes and update notifications say nothing about “reboot required” or “no reboot required.” I don’t like it that I get to the end of an update process and then get informed the PC needs an update before it can take full effect. Sigh.

Why Reboot Timing Matters…

Here’s the thing: If they warned me a reboot would be needed, I’d say “OK. I’ll do this later when I’m getting ready to step away from the PC for a while.” But when I’m working full-bore with two or three browsers, Outlook, Word, and Explorer all open in multiple tabs or windows, password managers enabled, and so forth, I don’t want to “Hold everything!” to reboot right away. It takes a good 5 minutes to shut everything down, reboot, then wind everything back up to return to the status quo. But if I don’t reboot, I sometimes notice laggy performance. Damned if you do, damned if you don’t.

Please, MR developers (Paramount Software): provide a “reboot after install” warning as part of the notification and/or release notes info. It’s much more convenient to know what’s coming, and to be able to plan accordingly. ‘Nuff said, I hope!


Restore Point Pros & Cons

By default, Windows 10 and 11 both turn on restore points (RPs). These may be used to return an OS environment back to a prior state. The OS typically shoots one RP daily, and takes one as it starts the WU process. In addition, app developers may include taking an RP snapshot early on during their own install processes. All this said, there are plenty of Restore Point pros & cons.

What Are Restore Point Pros & Cons?

These days you reach Restore Points through the System Protection tab in the System Properties window in Control Panel. Interestingly enough, you have to navigate through Settings > System to get there. Once you find what you’re looking for (see lead-in screencaps) you can enable or disable RPs, and also allocate a maximum percentage of the system/boot disk which these system snapshots can occupy.

RP Pros

RP’s positives include the following:

  • Convenience and ease of use: you can create an RP manually with a few mouse clicks, and it takes little time to complete one. It’s also fairly easy to revert to a Restore Point using either Windows built-in tools or one of my faves (it’s an oldie, but a goodie): System Restore Explorer. It took 33 seconds to create one on my i7Skylake desktop, and 1:05 to restore same on that PC.
  • Provides a simple layer of system protection: can easily revert Windows to undo update, app or application, and driver changes. This is faster — but more limited in scope — than even the fastest image backup restore. As a knock-on effect: this can also undo software or library conflicts (after adding an app or application, or a new .NET version, or something else that’s similar).
  • Some cleanup when removing new software: This might be somewhere between a pro and a con. Restoring an RP does result in removal of executable files and dlls added when installing apps. But shortcuts, preferences, and other files (including home folders — e.g. inside C:\Program Files or C:\Program Files (x86)) remain intact.

RP Cons

By contrast, RP’s negatives include:

  • No antivirus protection: restoring an RP won’t necessarily eliminate triggers for or stealth executables that cause malware infections. Thus malware can return even after using an RP.
  • No data file backup: RP copies the contents of the system volume shadow using the Volume Shadow Service (aka VSS). This does not include data files by intention. So RP provides no data restore capability (see the note at the end of this story for a 3rd-party tool that does provide such capability, however).
  • New user accounts are not protected by RP: if you define a new user account after the point in time at which an RP snapshot is created, those accounts will no longer exist when that RP is restored. That said, the User files for that account will persist. IMO, this is a kind of “worst of both worlds” situation. Sigh.

My Net-Net Is: Don’t Rely Solely on RPs

Reading through the previous plusses and minuses, it’s pretty easy to see that RPs can have value in a limited set of circumstances. But they’re no substitute for a recent image backup, and they’re no panacea for solving non-trivial Windows issues or problems.

I don’t use RPs much myself anymore (though I did in the Vista and Windows 7 eras). These days I rely mostly on in-place upgrade repair install for semi-serious to serious troubleshooting, and a clean install (or image restore) for outright system failures and boot problems. It’s also my repair of last resort when nothing else will produce a working Windows instance. Go figure!

Note Added March 19: More Madness

I got a comment from TenForums.com and ElevenForum.com regular “Old Navy Guy” (ONG) this morning reminding me that the NirSoft ShadowCopyView tool does allow users to view and copy certain data files from a VSS snapshot. This *does* allow access to user files and folders and adds to what you can recover from such a snapshot.

I totally forgot about this tool, and am glad to be reminded of same. More important, I’m grateful to have the chance to point this out to you, dear reader — and to make that tool known and possibly useful for you. AFAIK, this capability applies only to files and folders in the Users folder hierarchy, so if you keep stuff on a data drive — as I do — it won’t help much, or at all. But it could still be helpful nevertheless. Cheers!

Note Added March 21: Including Other Drives

Another Homer Simpson moment has come and gone for me. ONG commented again to remind me that ShadowCopyView does data drives, too. I initially wondered how VSS could accommodate drives other than the C: (boot/system) drive where the OS and other key stuff lives. Then it hit me: you must enable RP protection on those drives, too. Here’s an illustrative screencap:


Turn on Protection for the D: drive so it gets VSS snapshots, too.

Maybe there’s more to this protection scheme than I originally gave it credit for. It took 12 seconds to capture an RP for my C: drive and 13-14 seconds for my D: (Data) drive on a Lenovo ThinkPad X380 Yoga. WizTree says C: contains ~80GB of data, while D: contains ~400GB. So it is indeed remarkably fast. And with VolumeShadowCopy providing access to contents, it provides workable file and folder level access to bring back items one-at-a-time or as portions of a target drive’s file hierarchy. Good stuff!
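A way to check which drives actually carry VSS snapshots, and how old the newest one is, as an added example that is not from the original post. It assumes an elevated Windows PowerShell 5.1 session (the restore-point cmdlets are not available in PowerShell 7); the function name and the `MaxAgeDays` threshold are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of restore point / VSS coverage per fixed drive.

function Get-SnapshotCoverage {
    param([int]$MaxAgeDays = 2)   # hypothetical threshold; tune to your RP schedule

    # All shadow copies on the machine; VolumeName is the \\?\Volume{GUID}\ path.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    # DriveType 3 = local fixed disk. Skip volumes without a letter (EFI, WinRE, ...).
    Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3' |
        Where-Object DriveLetter |
        ForEach-Object {
            $vol    = $_
            $mine   = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
            $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
            $age    = if ($newest) { (New-TimeSpan -Start $newest.InstallDate).TotalDays }

            [pscustomobject]@{
                Drive     = $vol.DriveLetter
                Snapshots = $mine.Count
                Newest    = $newest.InstallDate
                AgeDays   = if ($newest) { [math]::Round($age, 1) }
                # Flag drives with no snapshot at all, or only old ones.
                Stale     = (-not $newest) -or ($age -gt $MaxAgeDays)
            }
        }
}

Get-SnapshotCoverage | Format-Table -AutoSize

# Restore points as Windows itself lists them (Windows PowerShell 5.1 only).
if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Sort-Object Created -Descending |
        Select-Object -First 5
}

# To act on a drive reported as Stale (shown commented out; both change system state):
#   Enable-ComputerRestore -Drive 'D:\'
#   Checkpoint-Computer -Description 'Manual RP' -RestorePointType MODIFY_SETTINGS
# Checkpoint-Computer creates at most one restore point per 24 hours by default,
# so a second call the same day may not produce a new one.
```

A drive that shows zero snapshots here is one where protection is off, which is the situation described above for D: before it was enabled.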


Toughbook System Disk Explored

Examination of the disk layout and structure for the Panasonic Toughbook proved both interesting and informative. I used the free version of DiskGenius. With the Toughbook System Disk explored — it appears as Disk 0 (HD0:) — I observed an interesting and useful disk layout, as you can see for yourself in the lead-in graphic above.

Reporting on Toughbook System Disk Explored

There are five (5) partitions on this disk, as follows:

1. EFI Partition (260 MB)
2. Microsoft Reserved (MSR: 16 MB)
3. Windows BitLocker Encrypted (NTFS: 450.7 GB)
4. Recovery (WinRE: 990 MB)
5. OEM Recovery (OEMRCV: 25.0 GB)

What makes this disk layout interesting is that Partition 5 is basically a map and a replacement for all partitions. It includes a complete version of Windows 11 (Media.1). It also uses SWM files (partial WIM files, and something new to me) to offer a variety of install and image files from which to build appropriate replacement images.

This feeds into a BIOS level repair utility from Panasonic that can rebuild the disk from scratch, in much the same way that the WinRE utility typically supports a “Factory reset” capability. This one, however, will work even in the absence of a working Windows image. Indeed, Panasonic also offers Recovery Media to perform the same function without reading anything from Disk 0 (via download, as explained below, or for purchase through the website).

Partitions 1-4 are basically a standard Windows 11 disk layout. Partition 5 adds Panasonic’s own twist to this scheme, and provides an alternate means to reset a Toughbook to factory defaults that include this OEM partition. WinRE will rebuild the disk, but will leave this ultimate partition (5) alone.

Insights from Manuals and More

In a section entitled “About the Partition Structure” the Operating Instructions manual says:

Do not add or delete partitions in Windows 11, as the Windows area and recovery partition must be adjacent to each other in Windows 11.

I also found a link to Panasonic Japan for a Recovery Image Download Service. There I found links to an instruction manual and a recovery disk creation utility. Note: access to a valid model and serial number for a Toughbook PC is required to download and use this tool. Section 3.2 explains the recovery process which drives Panasonic recovery from a BIOS selection “Recovery” that rebuilds all partitions on the system disk.

Good to know!
