Sunday, 16 January 2011

Hindsight...




Had a dreadful week this week; I'll explain the series of events.
In summary - don't ever depend on Microsoft XP Files and Settings Transfer Wizard.



The plan was... The laptop had Utimaco Safeguard Enterprise installed at some point by a finance company. But it kept giving a secure sign in screen at boot up and failed installation messages in Windows. Both were a nuisance but a bigger concern for me was that the disk partitions, ie, all of the data, were encrypted by old software. So if there was a computer failure, then it would have been impossible to retrieve any data. 

I tried accessing the partitions with an Ubuntu Live CD but even that wouldn't allow access, so I couldn't make a backup of windows with Ubuntu.

I tried downloading and reinstalling SafeGuard (now owned by Sophos) to disable the encryption but this wouldn't work either. Presumably because the installed version was much older and unrecognised - further cause for concern.

We contacted the support desk at the finance company - they said it was difficult to remove and 50/50 whether the data would still be there. Their suggestion was to backup, format the hard drive and restore the backup.

So I took a backup using the XP Files and Settings Transfer Wizard (FAST) onto an external hard drive and planned to use the recovery partition on the laptop to reinstall the operating system. To be fair to Microsoft, FAST is useful because it restores the user settings, rather than just a file copy. I had used it a hundred times before...
The first problem was that the recovery partition installed Vista instead of XP. (Vista is a more recent version) The disk was also still encrypted. So I used Ubuntu to remove the encrypted partitions and set them back to NTFS. The SafeGuard secure sign in screen still came on on boot up though, rather bizarre. But Ubuntu eventually removed it, presumably it was part of the Master Boot Record (MBR).

At this point I was able to use the recovery partition to again install Vista but this time on an unencrypted partition.

But to my utter dismay, it wouldn't restore the FAST backup because Vista, which is very typical of Microsoft, doesn't support FAST backups from XP. Unbelievable.

So I removed Vista and installed XP SP3 – of course XP wouldn't install at first because Vista was there, but Ubuntu came to the rescue by removing Vista from the partition.

After XP was installed, I again tried to restore the FAST backup... and got a similar message that FAST does not support previous versions of the backup... again unbelievable... XP doesn't support previous versions of XP...

So I tried to install XP SP2 and SP1 but these gave me the blue screen of death... I couldn't figure this one out until I noticed in the BIOS setup that there was a choice of IDE or AHCI. XP SP3 supports AHCI (SATA) previous versions of XP don't...

So at this stage, rather than messing around with the BIOS, a techy colleague suggested I installed Microsoft Virtual PC on my Vista PC. This allowed me to install several versions of XP, I tried them all; XP home and professional versions with SP1, SP2 and SP3, none of them would restore the backup. Each install taking an eternity....

I looked for alternative ways of restoring the data and found a dos program called fastconv written by a Microsoft employee and used to restore corrupt FAST backups - This wouldn't accept the backup either - I can't remember all the error messages. Something like invalid store.

On the same website there is a windows program advertised called FastImgWiz - this would open the backup if the SP3 checkbox was ticked. It was basically a GUI interface to fastconv. After checking the SP3 checkbox, I noticed that it created a file called "statu_" in the backup folder. So I renamed "statu_" to "status". Re-ran fastconv.exe and it carried on, creating temporary extract files of the form nnnnnnnn.dat. It failed when it got to transdb.dat... but I still had the temporary files. Fastconv was supposed to rename them all in the relevant folders. I tried several combinations of the parameters, double checking the files were not read-only, but it kept failing at the same point.

After several hours of Googling I discovered that Vista Windows Easy Transfer (WET) CAN restore files from FAST. So again, I reinstalled Vista and followed these steps:
  1. Start Windows Easy Transfer on Vista
  2. Select "Continue a transfer in progress"
  3. Choose where the files were stored by FAST and browse to the folder USMT2.UNC
  4. In the file name input box, delete what is there and enter IMG00001.DAT
  5. Click okay, then WET will say it's an older system or something, keep going and the files will be restored to a folder called OldFiles on Vista.

After an hour or so, this was successful... I had a result.... Until I noticed that most of the files were missing.....

In the meantime I had found a little dos program called Trid which adds a file extension based on the type of file it thinks it is. It does this by checking the binary header against a database of files. So I ran this against the temporary files extracted by fastconv above. It was helpful, at least I had all of the files, but they still had the nnnnnn.ext names and weren't in any folders.

I still needed to get the names and put them into folders somehow. So got Googling again. Mainly concentrating on the status file. I had opened the 2 versions of the status file with a hex editor – the one that didn't work contained “5MSU” plus some extra null characters (hex: “35 4D 53 55 01 00 00 00 02 00 00 00 00 00 00 00”) the one that did work contained “4MSU” and fewer characters (hex : “34 4D 53 55 01 00 00 00 02 00 00 00”)

Looking for these I stumbled across a very long thread, from a lot of angry people about Microsoft and FAST

I tried most of the suggestions but the one that worked for me was
  • install XP SP3 (yet again)
  • create a FAST backup - this will be temporary
  • Open the new USMT2.UNC backup folder, delete the *.dat files and keep the status file
  • Copy the backup *.dat files from the original USMT2.UNC into the folder
  • then restore using FAST.
  • Finally... this worked....

For the Vista WET backup to work, you need to run it on the new computer first. 
  • So I used my Vista PC to start a WET backup
  • copied the necessary files across to XP
  • ran WET on the XP PC
  • copied the files onto my Vista PC
  • Continued with WET and restored them successfully... 
So I assumed it was safe to, yet again, install Vista on the laptop. After which I restored the WET backup which went smoothly – although it takes an eternity....

It was at this point that my heart sank.... Everything except the email files had been restored... I had been working on this solidly for 2 1/2 days and through the night to get to this stage, so I was pretty exhausted now and couldn't think any more.

I later went through the FAST files with a hex editor looking for P(null)S(null)T(null) upper and lower case – pst is the extension used by Microsoft for email files. None of the files extracted by fastconv and renamed by trid had a pst extension. I also tried an Ubuntu program called photorec against the FAST files. This extracted all files but no pst. 
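The two manual checks described above (comparing the status file headers and hunting for a wide-character "pst" in the store) can be scripted. The following is an added example, not part of the original post or of any Microsoft tool; reading the bytes after the 4-byte tag as little-endian 32-bit words, and the store keeping file names as uncompressed UTF-16 strings, are assumptions.

```python
import mmap
import re
import struct
from pathlib import Path

# Tags seen in the two status-file hex dumps quoted in the post.
KNOWN_TAGS = {b"4MSU": "worked for the author", b"5MSU": "did not work for the author"}

def read_status(data):
    """Split a status file into its 4-byte tag and the 32-bit words after it.

    Treating the trailing bytes as little-endian uint32 values is an assumption
    drawn from the two dumps in the post, not a documented format.
    """
    if len(data) < 4 or (len(data) - 4) % 4:
        raise ValueError("unexpected status file length: %d" % len(data))
    tag, rest = data[:4], data[4:]
    words = struct.unpack("<%dI" % (len(rest) // 4), rest)
    return tag, words, KNOWN_TAGS.get(tag, "unknown tag")

# ".pst" as a Windows wide string: each character followed by a null byte,
# upper or lower case, i.e. the P(null)S(null)T(null) pattern from the post.
PST_NAME = re.compile(rb"\.\x00[pP]\x00[sS]\x00[tT]\x00")

def find_pst_names(blob, context=40):
    """Return (offset, decoded text ending at the hit) for every '.pst' name."""
    hits = []
    for m in PST_NAME.finditer(blob):
        start = max(0, m.start() - context)
        start += (m.start() - start) % 2  # stay 2-byte aligned with the hit
        text = blob[start:m.end()].decode("utf-16-le", errors="replace")
        hits.append((m.start(), text))
    return hits

def scan_store(folder):
    """Check the status file and every *.dat file in a USMT2.UNC folder."""
    folder = Path(folder)
    report = {"status": read_status((folder / "status").read_bytes()), "pst": {}}
    for dat in sorted(p for p in folder.iterdir() if p.suffix.lower() == ".dat"):
        if dat.stat().st_size == 0:
            continue  # mmap cannot map an empty file
        # Map the file instead of reading it, since store files can be large.
        with open(dat, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            hits = find_pst_names(mm)
        if hits:
            report["pst"][dat.name] = hits
    return report
```

Run `scan_store` on a copy of the USMT2.UNC folder; an empty "pst" entry only means no such name was found under the stated assumptions.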

So I'm at a loss. It's either: the files are there but not being recognised or FAST didn't back up the email. Thank you Microsoft.

This is the only thing I didn't try from the Bleeping Computer forum. But I doubt if this will make a difference because the WET restore worked.

1. Download Microsoft User State Migration version 2.60
2. Install the program using the defaults.
3. Open a Command prompt: "Start -> Run -> cmd.exe"
4. Navigate to the loadstate directory: "cd \usmt\bin"
5. Run "loadstate" with the store path as the parent directory of your "USMT2.UNC" directory. (For example, if your data is in C:\USMT2.UNC then the store path will be C:\)

If the EXACT same user profile does not exist on the new PC then include the "/lac" switch (local account create) and "/lae" (local account enable).

As an example, if you backed up the data belonging to "Fred B" from the old machine but have not created a user with that name on the new machine, and you have copied the USMT2.UNC directory to the root of the C drive, your command will be:

loadstate c:\ /lac /lae

Hindsight is a wonderful thing....
  • There are a lot of angry people on the internet and the general consensus is never use FAST. But it had never caused me a problem before so I didn't have a reason not to use it. I will be sure never to use it again.
  • The encryption software should have been removed by the finance company that installed it or at least provide a method of removing it.
  • Try to keep all of your data away from your computer - anything can happen, dropped on the floor, stolen, virus, cup of tea on the keyboard....
    • use online backup for files, something like Dropbox - it creates a folder on your computer so it's simple to use.
    • use web email and calendar, Google apps is great for this. You can still use a client email program but set it up as IMAP rather than POP.
    • use something like Picasa to backup your photos and videos - the client software has a synchronise to web feature.
    • And with free programs like spotify and last.fm, there is really no need to download music.
    • I was planning to install all of the above after the restore....
    • And for belt and braces, get a portable external hard drive, or if your budget allows, an off site network drive  - and use scheduled or synchronised backup software so you don't forget to backup.
  • And my final word of advice is : don't use Microsoft - use Ubuntu or any other version of Linux
I've avoided using derogatory terms like Microshaft, Microshite and Windoze in case they offended anyone. Installed XP 8 times and Vista 4 times.
