Burp 2.2.18 on Windows, Registry defective after Recovery #895

Open
Dpunkt opened this issue Dec 2, 2021 · 2 comments

Dpunkt commented Dec 2, 2021

Hello,

I was forced to run a restore of a failed system disk.
I used a Windows PE installation of Burp 2.2.18 to restore the system and manually repaired the EFI partition to make the system bootable again.

Unfortunately the system did not boot successfully. Error messages indicated a defective system registry. After replacing it with files from Windows' own "regback" folder it worked again.

I tried to open the restored registry files with Windows regedit, but it failed to open.
It seems that the Backup/Restore of the (opened/busy) registry file failed.

In previous test recoveries (older burp version, almost a year ago) the recovery succeeded.

Is there any way to debug this issue? (e.g. VSS backup or recovery failed)
Are there conditions which prevent the VSS from working correctly (e.g. config settings)?

Also, I read in the docs that the Windows repair function was used after recovery. Is this required to bring VSS data to a usable state, or is this just done to make the system bootable (which was my assumption)?

I also observed a crash of burp during recovery (after complaining that it could not set utime on many files), so I restarted recovery again.

I have restored many files and folders in the past, and full Linux systems, but was never required to restore a Windows system partition yet...

Owner

grke commented Dec 6, 2021

Hello,

The Windows repair function, as I understand it, is to bring the partition to a bootable state.

I don't think that the utime messages on a PE recovery are a problem. I may have got rid of them on a newer burp version than 2.2.18, but I'm not 100% sure.

There are no burp config settings that will do anything that will prevent the VSS stuff working correctly, unless you turn off reading the VSS data, but that will mean that the result will be even more broken than what you are seeing.

In my experience, the Windows full restore has always been quite hit-and-miss and also depends upon Windows versions.

There's not much that I know that you can do to debug it, which appears to be the nature of Windows in general.

Maybe your problem is that there was a crash and then you tried restoring over the top of the half-restored disk?
Maybe that would make Windows inconsistent?

Author

Dpunkt commented Dec 7, 2021

To test the crash theory, I test-restored only the registry folder on a "normal" Windows to a different folder. Restore completed successfully, but the file is still broken and cannot be opened by regedit.
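
One way to sanity-check a restored hive file like the one described in this thread, as an added example that is not part of the issue or of burp's own code: it inspects the `regf` base block (signature, sequence numbers, checksum, declared size) and the first hive bin. The function names and the sample hive are constructed for illustration.

```python
import struct

BASE_BLOCK_SIZE = 4096  # regf base block; the first hive bin follows it

def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0..507)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:  # the two special cases of the regf checksum
        return 0xFFFFFFFE
    return csum or 1

def check_hive(data: bytes) -> list:
    """Return a list of structural problems found in a hive image."""
    if len(data) < BASE_BLOCK_SIZE:
        return ["file shorter than the 4096-byte base block"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)    # primary, secondary
    bins_size = struct.unpack_from("<I", data, 40)[0]  # hive bins data size
    stored = struct.unpack_from("<I", data, 508)[0]    # stored checksum
    if seq1 != seq2:
        problems.append("sequence numbers differ: hive is dirty, needs its .LOG files")
    if stored != regf_checksum(data):
        problems.append("base block checksum mismatch")
    if len(data) < BASE_BLOCK_SIZE + bins_size:
        problems.append("file truncated relative to declared hive bins size")
    elif data[4096:4100] != b"hbin":
        problems.append("first hive bin lacks 'hbin' signature")
    return problems

def make_sample_hive(seq1=7, seq2=7, bins=4096) -> bytes:
    """Constructed minimal hive image for demonstration (not a real hive)."""
    base = bytearray(BASE_BLOCK_SIZE)
    base[:4] = b"regf"
    struct.pack_into("<II", base, 4, seq1, seq2)
    struct.pack_into("<I", base, 40, bins)
    struct.pack_into("<I", base, 508, regf_checksum(bytes(base)))
    return bytes(base) + b"hbin" + bytes(bins - 4)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the restored SYSTEM or SOFTWARE file
        with open(path, "rb") as fh:
            print(path, check_hive(fh.read()) or "header looks consistent")
```

Comparing the output for the restored file against the same file from the "regback" folder shows whether the restore produced a truncated, dirty or otherwise damaged base block.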
