
How to run chkdsk on Acronis Secure Zone (to check integrity)?


I have 3 hard disks, each with one partition: C: = Windows & apps (NTFS), 1st hard disk; Data (NTFS), 2nd hard disk; Acronis Secure Zone, 3rd hard disk. Everything mechanical wears out. Magnetic retentivity wanes (due to dipole stress). So I'm wondering how to perform diagnostics on the hard disk where the Secure Zone resides, like running "chkdsk /r", to ensure problems don't develop over time that would render my backups worthless.

The Secure Zone is a hidden partition so it doesn't show up in Windows Explorer. As I recall, it uses FAT32 but uses a value for its partition type in the partition table in the MBR that would probably void any normal Windows utilities from diagnosing and repairing the partition on the hard disk. So just how does one go about maintaining the hard disk on which the Secure Zone partition resides?


Hi there,

I was reading your post and wondering why you use the Secure Zone. Originally, the ASZ was designed for folks who have a single disk and cannot easily attach an external disk, so the only option is to back up on the disk you want to back up...
In your case, you have a disk dedicated to backups, it looks like. So, why did you choose to have an ASZ? Nothing wrong, just wondering...

I use the Secure Zone because its partition is not assigned a drive letter which makes it hidden thus less likely that malware will be wandering around to find files there to delete or corrupt to make me lose my backups. Yes, there is malware that will scan for device types but I don't think that's common yet. While the Secure Zone is a partial security layer against malware, it is a very good safety layer against data loss as users can't just roam into their backups using Windows Explorer or another app to start deleting stuff intentionally or accidentally.

Why would I save my backups on the same physical disk as what I am backing up? If the OS partition on disk 1 becomes unusable because disk 1 dies, I replace that disk and restore from backups on disk 2. If disk 2 dies, I still have my functional OS in the interim before I get disk 2 replaced. It would be stupid to put the Secure Zone on the same physical disk as the partitions that I am backing up UNLESS there was no other option (i.e., I only had 1 disk). Having 2 disks, especially one dedicated for backups, means that is the logical place to store my backups whether they be available within the file system for the OS (and any other program that wanted to find those files) or saved under a hidden partition (for obvious security concerns).

I don't know where you thought the use of the Secure Zone was only for 1-disk hardware setups. You obviously don't need to use the Secure Zone if you have only 1 disk. You could save your backups in the same partition as your OS and exclude the backup folder. You could create another partition on the same disk as the OS partition to keep your backups separate. That the Secure Zone requires its own partition merely means those backups aren't saved in the same partition that is getting backed up. It doesn't mandate 1 disk for its use. That partition for Secure Zone can be on any disk.

I've never considered that the use of Secure Zone was intended or targeted 1-disk setups. It just uses its own partition to save the backups. That partition can be on any disk. If all you have is 1 disk then you risk losing your backups when the OS partition dies because of a disk failure. Moving the Secure Zone partition to a different disk adds more security and safety to your backups. The Secure Zone adds its own software security layer. Putting that partition on a different disk adds a hardware security layer.

The Secure Zone is for security and safety. It requires its own partition. There's no restriction as to WHERE is that partition so I put it on a different disk than where the OS resides. That partition doesn't have to occupy all of disk's available free space. It does in my case only because I dedicated a separate disk to my backups.

Removing the Secure Zone's partition from the 2nd hard disk and putting the backups in the Windows file system means it is easily available to even boob-level malware, like scripts, along with being exposed to the user. I want to secure my backups from both malware and users hence the use of the Acronis Secure Zone. This isn't perfect protection since, as I recall, FAT32 is still used for formatting the ASZ partition so raw utilities could still read files from there, but it is *some* additional protection. I'll take what I can get. However, it dawned on me after reading how other users are posting in newsgroups about hard disk problems and having to run chkdsk to cure the problem (for now but they may have to replace a failing disk) that there is no means to ensure the integrity of the backups. One, there is no means to ensure the sectors can be reliably read. Two, after time and due to a wane in magnetic retentivity over time due to bipolar stress, the data may need to get refreshed by moving it, clearing the old sectors, and rewriting the data back to those sectors (or just leave it in the new sectors). There are utilities to do both: chkdsk as a basic tool to ensure sector readability and SpinRite to "refresh" the sectors on a disk. Those may not be usable for a partition that uses a proprietary partition table entry (partition type) in the MBR.

The Secure Zone affords me more security and safety of my backups. My concern is about their integrity over time.

VanguardLH:

To run chkdsk on an Acronis Secure Zone partition you simply change the Type byte in the partition table from 0xBC (Acronis Secure Zone) to 0x0B (FAT32 LBA). The partition will then be visible in Windows as a standard FAT32 partition and you can do what you want to check it. When done checking, change the Type byte back to 0xBC.

You can change the Type byte with partition management software like Acronis Disk Director, or you can download PTEDIT32 from Symantec for a simple utility that runs in Windows and allows partition table editing. The illustration below shows how to do it with the Symantec Partition Table Editor.

[Attached image: 55454-93781.png, 53.49 KB]

@VanguardLH
Good points. Thank you for sharing.

Hello Vanguard LH,

I agree with the extra security arguments for using a secure zone. I have used a secure zone for many years. Mine is on a second separate internal hard drive. My current OS is Windows 7 and backups are TI 2011.
It is possible to "unhide" the secure zone and run CHKDSK on it. In version 2011 the file system used has been changed to NTFS so a different "unhide" process may be needed.
I ensure the integrity of my backup HDD by two methods. A separate partition on this HDD is used solely for the Windows page file. It follows that Windows would complain if there were any major problems with the HDD. A much more certain method is to actually prove a proportion of the backup images by restoring them on a regular basis. Full backup images are scheduled to happen automatically on a daily basis. At any one time the secure zone contains about ten full main drive images. Once a week my only backup chore is to exchange the current main HDD with the one from a previous week and restore the latest image to this replacement HDD. I have a trayless drive swap bay which makes the whole process child's play.
I have never felt the need to run any other checks on the backup drive for as long as the restores are successful. Should there ever be a failed restore, actual recovery from this situation is really a non-event: I just replace the swapped HDD with the still current HDD and can carry on working or take time to investigate and solve the problem.

A further advantage of a secure zone is that it uses the FIFO method of managing backup images with no user input being necessary once it is up and running.

@xpilot,

About the FIFO, does it mean that it will delete older backup chains when it runs out of space? Assuming you have only one backup and you are OK with this backup filling out the ASZ, do you set the backup up without any autocleanup at all?

I only use a single schedule for full HDD backups. Because large drives are relatively cheap my secure zone is big enough to store ten full backup images. I do not use any compression nor do I have any need for validations because my backups are proved by running regular restores.
When I last looked my backup images were created at between 6 to 8 GB a minute. Restores, which are obviously run from the recovery CD, run a bit faster.
To answer your question about FIFO, it certainly was possible to schedule full and incremental images in much earlier TI versions and FIFO kicked in without problems. However, as I much prefer to have only full images for speed and security reasons, I have not tried using backup chains in V 2011.

OK. I am tempted to switch to your config with full backups. Then, in this case, did you set it up to keep only the 10 most recent versions or do you let the space limitation of your ASZ force the deletion of your oldest backup automatically?
Thanks!

I just let the secure zone manage the space on its own. So when it fills up the oldest image is automatically deleted. It just happens that there is room for 10 full images at the present time. As long as I have at least seven I am content. There is thus room for expansion in the source drive and when this gets much larger I could introduce some compression or get a bigger backup HDD.

Getting back to my question, I really don't want to get into manually editing the partition table in the MBR to change the partition type just so normal disk test utilities can access that partition. I suspect even something like SpinRite would rely on the partition type to know how to correctly test it. Most of the partition table or MBR editors that I've seen use a GUI or console to do selections and edits. Anyone know of an MBR or partition table editor that uses scripts? Then I could write a batch file that changes the partition type, runs the disk diag utility, and afterward resets the partition type back to the one used for ATI's secure zone.

I was thinking that maybe I would have to abandon the use of the secure zone so the backups aren't secure anymore. The image backup files would be in a known partition type in the file system recognized by the operating system. I would be saving files to the 2nd hard disk in an NTFS partition and could then run chkdsk or other disk diagnostic tools against that partition. Yet those files would easily be seen by users and malware. Users could accidentally delete or corrupt the files and malware could easily delete the files. So then I started thinking of using a TrueCrypt container wherein the image backup files would get stored. I'd have to schedule a command that has TrueCrypt load the container (which creates a new drive letter) and follow with a scheduled run of the image backup into the TrueCrypt drive. If the TrueCrypt monitor is loaded, it has an option to automatically close the container if it hasn't been accessed in the time specified by the user. Of course, if I had a means of calling the ATI task from a command line then I could run commands that load the TrueCrypt container, run the image backup, and then close the TrueCrypt container to avoid the window of opportunity after the backup completed before the TrueCrypt monitor got around to closing the container after a period of inactivity.

With the secure zone, I could configure it to require a password to access its contents. When defining a task, you have to specify the password to allow that task to access the secure zone. So not only are the image backups unseen by normal file system commands (by the user and most malware), it is also protected with a password to grant access. Can backup jobs that do not use the secure zone also be password protected? If so, is this effective protection to secure the contents of the backup file against tampering? Some schemes merely place a header on the container to require the password but the contents can be drilled out using hex editors or stripping off a header or corrupting it where the password is stored. If non-SecureZone backups (i.e., in the normal file system) can be password protected, are the contents hashed up using that password?

Alas, going to saving image backups in the normal file system (i.e., not in the secure zone) and possibly of securing them inside a TrueCrypt container or just using password protected backups ends up losing the automatic management of backup files within the partition. The Secure Zone would automatically delete older backups to make room for new backups. I didn't have to remember to do any management to ensure the disk didn't get consumed with backups. The OS and apps don't like when there is almost no free space in their partition. Although I'd still be saving the backups on the 2nd hard disk with its own partition used only for backups, I can see that eventually that partition would get consumed and backups would begin to fail. I like automatic space management over me having to do it manually and probably only after I happened to notice errors in the backups.

I like the Secure Zone for its protection (hidden partition & password protect) and its automatic space management. I would like to keep using it; however, a decent means of maintaining a healthy partition through the periodic use of disk diagnostic utilities seems a must if this were truly a *secure* backup location. Having users edit the partition table is more dangerous than them editing the registry (since they could restore from a registry screwup with a system restore or image restore). I shouldn't have to do heart surgery to treat a scrape.

Hi VanguardLH,
It would be useful to know which version of TI Home you are using because there have been some radical changes recently, particularly to the Secure Zone file system. This is now NTFS in the 2011 version.

Apart from running a HDD utility on your backup drive there are other preferable methods that can be used to give a high level of confidence in the integrity of your stored backups over time. The traditional method would be to run a True Image Validation on the content of your secure zone at a time and frequency of your choice.
There has been a long-standing oddity with secure zone validations in that a run would validate all the stored images, it not being possible to make a selection. However, a complete bill of health for your secure zone in a single pass may be just what you need.
Another check you could make would be to "mount" images one at a time and examine these drives individually. Mounting is required because secure zone images are not seen by Explorer by design.

My approach is somewhat different in that I regard backup images as a convenient step to making an actual restoration to an earlier time should this become necessary. I never run validations, actual restorations are the only real proof that the backup images are good. Using a rotation of two or more main hard drives ensures that restorations are fireproof.

Forgot to include the following specs in my opening post, which are:

Acronis True Image Home 11
Windows XP Pro SP-3

This version of Acronis has, so far, done pretty much what I wanted. Because of the verification errors when the tasks are scheduled (something that isn't rare as seen here in other complaints), I now have the tasks send me an e-mail. While the task's verification may fail, a following manual verification has always passed. Just makes more work for me to get the alerts and have to do manual verifies because they're flaky when part of a scheduled backup task.

In the meantime, I have lowered the disk bandwidth threshold to reduce how much traffic ATI shoves over the data bus for the backup. From what I've read, it seems part of the problem is I/O choking (too much traffic). I also reduced compression from High to Normal figuring there would be less CPU demand with less compression. Backup priority has to remain at Low since I may be using the computer at the time the backup is running and I need a responsive host. It would be preferable if priority were adaptive in using Normal when the host was idle but switch to Low when other processes needed more CPU cycles or there was user input (keyboard or mouse) but that isn't an option in this version of ATI (don't know if any version has this). Something like Process Lasso might let me configure the task at Normal priority but Process Lasso would alter it when CPU usage got over 80% for more than a few seconds. Until a few more backups have been performed, I won't know if lowering the disk I/O maximum and lowering compression will help eliminate the verification errors.

I can't verify all the backups in one Validate job as there are too many of them extending back to mid-October (and there's still more freespace left on the backup disk so the list will get even longer before the old backups get expired and deleted from the Secure Zone). I'm hoping the e-mail alerts will work to let me know when a particular backup job failed its validation step and then I'll just run Validate on that one backup.

When I started this thread, it had dawned on me after getting nuisanced a couple times with manual validates that there wasn't a good means of verifying the hard disk itself was okay. If it was a truly secure backup location then it's not just about security or safety but also reliability of the storage medium. While some suggestions might work, they're on the fringe of how much work that I'd bother putting into implementing them. I may just give up on using the Secure Zone and go to saving the backups with password protection on them (hopefully that actually is good privacy protection). Since the partition (on the 2nd hard disk) would solely be for use by ATI for backups, I might not even have to clean out the old backups. I'd just wait until one day when ATI puked with some "insufficient space" error and then do some cleanup. Of course, all the backup files would be standing outside exposed to the cold (user or malware deletions) rather than warm inside under the Secure Zone blanket.

I once used TIH V11.0. I only kept it on my XP machine for 36 hours before restoring back to the tried and trusted TIH V10.0. I am therefore not very competent to talk about V11.0 in any great detail. I am surprised that V11.0 allows for verification of individual backups in a secure zone. All previous versions only allowed post verification of the full contents of the zone.

From a speed point of view the whole backup process can be expedited by not using any compression at all. From what you say you probably have more than enough space for your backup images.
If I used verifications and had failures notified, whether they were real or not, I would make sure they were eliminated entirely. Maybe by updating or even upgrading.
I believe that backup priorities are adaptive in the sense that where the computer is not being used for other work the image process runs at full tilt whatever the TI setting. It is only when resources are required for other purposes that they are given up according to the priority settings. I have never changed the priority settings on my computer from the defaults because my scheduled backups are set to run when I am away from the machine having my lunch. On the rare occasion when I am still using the computer when the backup has started normal computer operations continue with little impact and the imaging slows down a bit.

When setting up my backup and restore system I decided that the main hard drive was my priority as it contained everything that I need to continue my computing experience. To cater for all sorts of disaster that could occur I set a week as the minimum retrograde time. In reality I can go back 10 days.
I wonder if by revisiting your backup strategy you might gainfully reduce the number of your backup images and improve efficiency.
Note this is not intended as a criticism, merely a suggestion.

xpilot wrote:
I am surprised that V11.0 allows for verification of individual backups in a secure zone. All previous versions only allowed post verification of the full contents of the zone.

File -> Validate Backup Archive, and selecting the Acronis Secure Zone, shows me a tree list of image backups there. They are all checked (selected) by default; however, I can deselect all but the one that I want to test. It is a nuisancesome and tediousome task since Acronis did not provide a means of deselecting all the backups so I could easily just pick one or two of them. Instead I have to go deselecting each one at a time until the only one left selected is the one that I want to validate.

From a speed point of view the whole backup process can be expedited by not using any compression at all. From what you say you probably have more than enough space for your backup images.

That would reduce how many backups that can be saved. Currently my backups go back about 3 months but remember that is based on the current consumption of my C: drive. As more files are put on my C: drive then the larger the size of the backup file. Should C: get close to filling up, I'd only be able to keep about 2 full backups or 1 full backup and several differentials. When I need a data file restored, it could be from a ways back. If I'm infected, the effects may not be exhibited or discovered for quite awhile so I may need to step back through several backups.

I believe that backup priorities are adaptive in the sense that where the computer is not being used for other work the image process runs at full tilt whatever the TI setting. It is only when resources are required for other purposes that they are given up according to the priority settings.

Not what I have experienced. If I configure the backup task to run at Normal priority, responsiveness of my host is severely impacted during the backup. I have to set priority to Low so I have reasonable use of my computer during the backup. If I am not at the computer then priority is irrelevant as a Low priority task will get run as fast as a Normal or High priority task (excluding the case where some other process runs that has a higher priority).

I wonder if by revisiting your backup strategy you might gainfully reduce the number of your backup images and improve efficiency.

I prefer a larger selection of backup choices that also extend further back than do you. That's my strategy - to have backups extending far enough back that I have a greater chance of recovering not only a recently deleted file but an old file, too, along with being able to step back through several backups to eliminate a pest which neither I nor anyone else knows how to eliminate. I'm not looking to mirror my OS disk for a single backup (besides mirroring means the mirrored copy gets just as infected as the source disk). I don't want just one or two image backups. I used to have a smaller hard disk for saving the image backups and that got me to only 4 full backups along with all the incrementals between them. In a couple of cases, that was not far back enough to eliminate a major problem. To me, it isn't just about recovering to a workable image. It's about recovering to a desirable image.

It was mentioned that I could change the Acronis Secure Zone (ASZ) to a FAT32 recognized partition by editing the partition table. As Wharton said, I would change the partition type from BC to 0B. The partition already has a partition type of 0B and is listed as FAT32 by both Windows Disk Management (diskmgmt.msc) and Easeus Partition Manager. Unlike my other partitions on the other hard disks (1 primary partition encompassing the entire hard disk), the ASZ partition is a logical partition. That means there is an extended partition under which the logical drives are defined.

Although the ASZ is shown as a FAT32 partition, I cannot use the Disk Management applet (diskmgmt.msc) to assign a drive letter to it. I've also used the Easeus Partition Manager which shows:

Disk 3 (SATA)

| Drive letter | Volume label | Partition Type Number | Primary/Logical | File System | Size |
|---|---|---|---|---|---|
| * | (unallocated) | 00 | logical | (unknown) | 8MB |
| * | Acronis SZ | 0B | logical | FAT32 | 466GB |

I grabbed the partition editor that Wharton mentioned (it's actually Powerquest's PTEDIT renamed to Symantec after Symantec acquired Powerquest). Got it from ftp://ftp.symantec.com/public/english_us_canada/tools/pq/utilities/PTEDIT32.zip.  Below is what it showed.

Well, this is confusing as hell.  One partition manager says the partition type is 0B (FAT32).  Another says it is 05 (which doesn't match the BC that Wharton showed for the ASZ partition).  According to http://en.wikipedia.org/wiki/Partition_type, 05 is for the extended partition.  So what PTEDIT is showing me is the extended partition under which the ASZ exists as a logical partition.  Okay, that makes sense since the 2nd entry in PTEDIT encompasses the entire hard disk (except cylinder 0 where is the MBR for that disk) but it also means that I cannot use it to edit the partition type for the ASZ logical partition (and which already is a FAT32 partition).

I was thinking of seeing if I could clone the logical partition for ASZ to somewhere else but nowhere else has the room. Currently the ASZ partition is filled with 274GB of backup files. That's bigger than my other two hard disks, especially since they already contain files for the OS, apps, and data. The space consumed by the backup files in ASZ exceeds the combined free space on both my other 2 hard disks. So I need a means of exposing the backup files to Windows but it doesn't look like changing the partition type is going to work. The logical drive is already a 0B (FAT32) partition. The extended partition (under which the ASZ logical partition is defined) is of partition type 05 (extended partition).

I've only created the ASZ partition using the options within Acronis True Image Home 11 so I don't know why it created an extended partition and then a logical partition underneath. At this point, I'm not sure what to do. It's not like I can just take a logical partition and make it a primary partition. Deleting the logical partition (to then delete the extended partition and create a primary partition) would mean losing the content of that logical partition. The only way that I can think of now to get the backups out of the ASZ is to do a restore of its files into the free space available on my other 2 hard disks. That means I have files, not images, for the recovered content from the ASZ partition. It also probably means that I'll have to discard the oldest image backups since there isn't enough free space on the other disks to hold all those files.

Looks like I really got screwed using the Acronis Secure Zone.

VanguardLH:

If the ASZ is in a logical partition then the PTEDIT display is correct. It shows the extended partition container in the partition table. To see the logical partition inside the container you should click on the container and then click the button "Go To EPBR". This jumps to the "partition table" at the beginning of the extended partition. This table should list the logical partition and its type.

Some Disk Management software can change a partition from logical to primary, if that's what you want to do. Acronis Disk Director can do this. You should check to see if Easus can do likewise.

Does the ASZ show up in Windows Disk Management console? If it does, can you assign a drive letter to it?
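
The layout described in the posts above (the MBR lists only an extended container of type 05, while the logical partition's own Type byte sits in the EPBR at the start of that container) can be inspected read-only with a short script. This is an added example, not part of any poster's message and not Acronis or Symantec code; the sample disk image, its LBA values and all function names are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446             # partition table offset inside an MBR or EPBR sector
EXTENDED_TYPES = {0x05, 0x0F}  # container entries; logical types live in the EPBR
TYPE_NAMES = {
    0x05: "Extended", 0x0F: "Extended (LBA)", 0x07: "NTFS",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0xBC: "Acronis Secure Zone",
}


def read_table(sector):
    """Return the four (type, start_lba, sector_count) entries of one sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR/EPBR sector (bad size or signature)")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", raw, 8)
        entries.append((raw[4], start, count))  # byte 4 of an entry is the Type byte
    return entries


def walk_epbr_chain(image, ext_start):
    """Follow the EPBR chain inside an extended partition and list its logicals."""
    logicals, seen, epbr_lba = [], set(), ext_start
    while epbr_lba not in seen:               # guard against a looping chain
        seen.add(epbr_lba)
        table = read_table(image[epbr_lba * SECTOR:(epbr_lba + 1) * SECTOR])
        ptype, rel_start, count = table[0]    # entry 0: the logical partition,
        if ptype:                             # start is relative to this EPBR
            logicals.append(("logical", ptype, epbr_lba + rel_start, count))
        link_type, link_rel, _ = table[1]     # entry 1: link to the next EPBR,
        if link_type not in EXTENDED_TYPES:   # relative to the container start
            break
        epbr_lba = ext_start + link_rel
    return logicals


def list_partitions(image):
    """Return (kind, type_byte, absolute_start_lba, sectors) for every partition."""
    found = []
    for ptype, start, count in read_table(image[:SECTOR]):
        if ptype == 0x00:
            continue                          # unused table slot
        if ptype in EXTENDED_TYPES:
            found.append(("extended", ptype, start, count))
            found.extend(walk_epbr_chain(image, start))
        else:
            found.append(("primary", ptype, start, count))
    return found


def describe(image):
    """Human-readable lines, one per partition."""
    return [
        f"{kind:<8} type 0x{ptype:02X} ({TYPE_NAMES.get(ptype, 'unknown')}) "
        f"at LBA {start}, {count} sectors"
        for kind, ptype, start, count in list_partitions(image)
    ]


# --- constructed sample data: a tiny fake disk, not a dump of a real drive ---
def _sector(entries):
    packed = b"".join(
        struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for ptype, start, count in entries
    )
    return bytes(TABLE_OFFSET) + packed.ljust(64, b"\0") + b"\x55\xaa"


def build_sample_image(logical_type):
    """MBR with one type-05 container at LBA 63 holding one logical partition."""
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = _sector([(0x05, 63, 2000)])
    image[63 * SECTOR:64 * SECTOR] = _sector([(logical_type, 63, 1937)])
    return bytes(image)


if __name__ == "__main__":
    for logical_type in (0x0B, 0xBC):
        print("\n".join(describe(build_sample_image(logical_type))), end="\n\n")
```

The MBR pass alone reports only the 05 container; the logical partition's Type byte appears only once the EPBR at the container's first sector is read.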

@ Vanguard,

Thank you for sharing your adventures! I tried to use the ASZ on my side as well, and I stopped rapidly and backtracked. I realized I lost the flexibility of a regular folder to copy some archives easily, move them around etc. Also, I am worried to see that the ASZ is linked to the installation of ATI.
While you convinced me of the security aspects, the lack of flexibility just outweighs the benefits for me. I ended up using another USB disk I had available to copy some archives offline for safekeeping in case the "exposed" archives get compromised.

I gave up on the secure zone and went back to using a pre-defined backup location with quotas. From what I've read, most of the problem with the quotas stems from not providing enough working space for the consolidation of old backups to make more room after finishing a new backup (which exceed the quotas to trigger their actions). I spent a few hours trying to research on how to extract the tib backup files from the secure zone and tried some but they didn't work. I loaded the images as volumes so I could wander around using Windows Explorer to grab any old data files that I wanted. Then I got rid of the secure zone and created 1 primary partition that encompassed the entire hard disk used to store my backups.

One of the features of the secure zone was that it wasn't assigned a drive letter which made it harder for users to accidentally delete or corrupt files in the secure zone and, to some degree, hid the backups from malware. I came up with an alternate scheme that also does not leave a drive letter assigned to the partition (for the backup location). When the backup task executes, whether run manually or scheduled, you can define pre- and post-processing commands. So I'm thinking the diskpart.exe command can be used to assign a drive letter before the backup (so the backup location can be found), do the backup, and then release the drive letter. This will keep that partition hidden. See my other thread started at:

http://forum.acronis.com/forum/18401

Part of the reason (what initiated all this investigation) was the ever so popular "archive is corrupted" error when verification option was enabled for a task. So I started ignoring that and would run a manual verification. That would show that the archive was okay (the verification job completed okay); however, even that started to fail lately. Well, I had no way to run any OS-level disk diags on the secure zone and started wondering how I might ensure the disk was okay.

I've read the articles and posts saying that it might be a hardware problem. I ran memtest86 for 6 passes over 6 hours. I ran Windows Memory Diagnostics for 5 passes. No errors in either of them. I ran Western Digital's drive diagnostics and no errors.

Since I ran into all the difficulties in trying to get image backup files out of the secure zone, eventually I just mounted the images and grabbed the old files and then got rid of the secure zone. I then ran "chkdsk /r" to make sure both the file system was okay (which would've been brand new, anyway, since I just repartitioned and formatted) and check the sectors on the disk were reliably readable. No errors. I then defined a backup location so quotas would ensure the backups didn't consume the whole partition and end up causing errors. Well, then I ran some image backups that stored into the backup location and got the "archive is corrupted" errors again. So the hardware is okay but the software (True Image) has problems. I've been through Avast, Avira, and Comodo (firewall+AV) and get archive corruption errors from True Image. No, I'm not running without security software which means it will be running at the time the scheduled backups occur. I'm just guessing that TI has problems with security software that interrogates its processes and file accesses. Could be some other software conflict but the only program manifesting problems is True Image.

So, at this point, I'll be removing True Image (which is an old and probably unsupported version) and trying out some free backup alternatives. Macrium Reflect is one choice, is faster than Paragon, but only does full image backups. Paragon's Backup & Recovery 2011 is slower but does differential backups so I'm starting with that. So I'll see how that goes for reliable and verifiable backups in my host. I've thrown in the towel for True Image for now. Might be back, might not, depends on what happens when using other backup software.