WS "A" - Complete C: Drive Restore using WS "A" (and not using the Restore CD) REMOTELY

  • Question

  • WS "A" - Win XP SP2. Successfully backed up by WHS V1 daily for months. WS "A"'s C: drive is functional. Can boot, can run apps, etc. I have remote access to WS "A" via third-party RADMIN. WS "A" got hit by Trojans which were quarantined by an industrial-strength malware scanner (VIPRE) but WS "A" isn't running quite right; every now and then it will BSOD. 

    My recovery tactic:

    1. Run F.A.S.T declaring that WS "A" is the old computer
    2. Do WHS restore of C: using the daily backup just prior to the first Trojan detection
    3. Run F.A.S.T declaring that WS "A" is the new computer

    I'd like to do all of this via the remote connection, which obviously precludes using the Recovery CD. I know I can do steps 1. and 3. remotely. It's step 2. I'm unsure about.

    While connected to WS "A" remotely, I can log into the WHS Console and select Backup and point to the backup archive I want, and indicate that I want to do a restore. What I get at WS "A" is a drive (Z:) showing me all folders and files of the C: drive as they existed at the time of the backup. This is how things are supposed to work, and this allows for individual restoration of folders/files via Copy/Paste. This I understand.

    My uncertainty is attempting to Copy/Paste the entire content of Z: to C:. Something tells me this won't fly. 

    Who would care to comment, and tell me NO, don't try it... My intuition needs to be confirmed from an outside source.

    Thanks

    Friday, October 22, 2010 7:45 AM

Answers

  • What do you mean with F.A.S.T???

    Your strategy will definitely not work for obvious reasons (you cannot delete/replace files which are in use by the OS or any other program). The only thing you could initiate remotely is to revert the machine to a restore point; however, not sure if you regain remote access after this process has finished (the machine may be stuck at a message from System Restore).

    If you have another partition or drive with sufficient space, you could initiate a restore of the C drive to that partition by running C:\Program Files\Windows Home Server\ClientRestoreWizard.exe; after the restore, edit boot.ini to have the system boot from the restored partition.

     

    Friday, October 22, 2010 9:10 AM
    Moderator
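
The boot.ini edit mentioned in the reply above, as an added example that is not part of the original post. It assumes the restore went to the second partition of the same physical disk; the menu descriptions and switches are constructed sample values.

```ini
; Annotation lines starting with ';' are for this example only; omit them from the real file.
; BEFORE: single XP install on disk 0, partition 1 (constructed sample)
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

; AFTER: default points at the restored copy on partition 2 (assumed location);
; the original entry is kept as a second menu choice
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (restored from WHS backup)" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (original, suspect)" /fastdetect
```

In the ARC path, `rdisk(n)` is the physical disk counted from 0 and `partition(n)` is the partition counted from 1, so a restore to the first partition of a second disk would use `rdisk(1)partition(1)`.
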
  • The idea with F.A.S.T. is to capture user data and settings at "current time" and then, after the WHS restore (which puts user data and settings back to the time of the backup), to run F.A.S.T again to update user data and settings to "current time".

    As to step 2., I didn't think that would work. Thanks for the confirmation.

    FYI, after posting my original question to the forum, I remotely initiated a restore point revert to an earlier point in time, and was able to re-establish the remote connection.

     

    Friday, October 22, 2010 10:58 AM
  • You can't use single file restore to restore a running operating system, no, for the obvious reason: Windows locks certain files while it's running, and you can't write to those files.

    You need physical access to WS A. With that you can use the Home Computer Restore CD or, if you have network driver issues, you can physically shift the system disk to another workstation that's also a client of your server and run C:\Program Files\Windows Home Server\clientrestorewizard.exe to restore WS A's system partition.

    You shouldn't, in any case, trust anything that happens while a compromised OS is running. That would include a restore using single file copy to some other partition, a restore using the client restore wizard hosted in the corrupt OS, or any sort of system/settings backup taken post-breach.

    One final note: some malware writes itself into the boot sector. You may want to wipe the drive entirely.


    I'm not on the WHS team, I just post a lot. :)
    Friday, October 22, 2010 12:21 PM
    Moderator
  • Thanks for your feedback, much appreciated.
    Friday, October 22, 2010 1:05 PM
