What did Windows 7 leave behind?

[BillW50]

I installed Windows 7 on three machines. And I promised myself I would
use them for a year. Two machines I had dualbooting XP/7. Well after the
year I still didn't like it.

Deleted the W7 partition, fixed XP boot by FIXMBR and FIXBOOT. Deleted
BOOTMGR, BOOTSECTOR, and the BOOT folder. I am thinking that all signs
of Windows 7 should be gone.

I used to make backups, but now I am cloning drives instead. Much, much,
better. Anyway Paragon Drive Copy v11 can copy live which is also very
nice. Although Paragon thinks it is doing me a favor by making the copy
bootable by Windows 7. So some part of Windows 7 is still on my XP
system which is tipping Paragon off that Windows 7 is still there.

Anybody know what it can be?

 

[Big Steel]

It ain't Linux ;-)

You are as sharp as a tac.

 

[Paul]

I installed Windows 7 on three machines. And I promised myself I would
use them for a year. Two machines I had dualbooting XP/7. Well after the
year I still didn't like it.

Deleted the W7 partition, fixed XP boot by FIXMBR and FIXBOOT. Deleted
BOOTMGR, BOOTSECTOR, and the BOOT folder. I am thinking that all signs
of Windows 7 should be gone.

I used to make backups, but now I am cloning drives instead. Much, much,
better. Anyway Paragon Drive Copy v11 can copy live which is also very
nice. Although Paragon thinks it is doing me a favor by making the copy
bootable by Windows 7. So some part of Windows 7 is still on my XP
system which is tipping Paragon off that Windows 7 is still there.

Anybody know what it can be?

You'd need to look at a description of a Vista/Win7 boot sequence, to
understand what hidden areas might be used.

Sector 0 is your MBR. So that will always be busy. Sometimes things are
stored in sectors 2-63, such as part of Grub. Maybe Windows 7 is hiding
something in there ? Normally, no partition starts in there.

By "deleting the w7 partition", are you overwriting the partition with
zeros ? A partition consists of two pieces. There is a small section,
before the proper NTFS section begins, and that is where the partition
boot sectors are located. If a utility can spot a specific flavor of
partition boot sectors, that would be a giveaway. If you zeroed the
partition (not the same thing as just deleting the files), then that
would be one less signature to leave behind.

PBS NTFS
^
+---- Deleting files, only cleans part of this. The Partition
Boot Sectors are untouched.

Zeroing a partition, with "dd", cleans both. As would reformatting with
NTFS again. That probably wipes the PBS. But to be sure, I use "dd",
then reformat as required.

Putting something between partitions doesn't make sense, but perhaps you
could check there.

Up near the very end of the disk, can also be a busy place. Dynamic disk
stores it's data structure up there. And RAID metadata can also be up towards
that end. (Rootkits may store copies of themselves up there too.)

So you have a few places to look.

Zero the disk, install Windows 7, and look for non-zero sectors. This is
an example of zeroing a whole disk.

dd if=/dev/zero of=/dev/hda

To speed the search, after installing Windows 7 (to trick it into showing
its hand), you can zero the boot partition and C: partition, then start
your search looking for non-zero data. These would be examples of zeroing
out particular partitions, and scrubbing the partition boot sectors as well
as the NTFS that fills the majority of the space to the right.

dd if=/dev/zero of=/dev/hda1
dd if=/dev/zero of=/dev/hda2

How do you find non-zero sectors ? I did it once, but don't remember what
I used. It could be, I took samples with dd seek and skip, then used "sum".
"sum" takes simple arithmetic sums. If sectors are all zero, the sum will
be zero too. (This is unlike MD5sum, fciv, or SHA1SUM, which compute a CRC,
and have non-zero output on zeroed data input.) You'd want the simple "sum"
program that just adds bytes together, tossing the overflow.

Using dd with seek and skip parameters, and a length count, allows taking
small enough samples of a disk, to pop them into a hex editor. I think my
hex editor will only handle a file under 2GB, so to examine a disk in the
areas I'm interested in, I take 2GB sized chunks and transfer
them, as a file, to another disk.

You can also write a C program to look for non-zero data. I'd use Linux
for that, because gcc is already "in the box".

Have fun,
Paul

 

[Yousuf Khan]

I installed Windows 7 on three machines. And I promised myself I would
use them for a year. Two machines I had dualbooting XP/7. Well after the
year I still didn't like it.

Deleted the W7 partition, fixed XP boot by FIXMBR and FIXBOOT. Deleted
BOOTMGR, BOOTSECTOR, and the BOOT folder. I am thinking that all signs
of Windows 7 should be gone.

I used to make backups, but now I am cloning drives instead. Much, much,
better. Anyway Paragon Drive Copy v11 can copy live which is also very
nice. Although Paragon thinks it is doing me a favor by making the copy
bootable by Windows 7. So some part of Windows 7 is still on my XP
system which is tipping Paragon off that Windows 7 is still there.

Anybody know what it can be?

Windows XP uses the boot.ini file, while Windows Vista/7 use the BCD
database in the \boot folder for storing configuration information. The
XP and earlier used the NTLDR to boot up, while the Vista and later use
BootMgr.

Windows no longer starts after you install an earlier version of the
Windows operating system in a dual-boot configuration
http://support.microsoft.com/kb/919529

Yousuf Khan

 

[GlowingBlueMist]

I installed Windows 7 on three machines. And I promised myself I would
use them for a year. Two machines I had dualbooting XP/7. Well after the
year I still didn't like it.

Deleted the W7 partition, fixed XP boot by FIXMBR and FIXBOOT. Deleted
BOOTMGR, BOOTSECTOR, and the BOOT folder. I am thinking that all signs
of Windows 7 should be gone.

I used to make backups, but now I am cloning drives instead. Much, much,
better. Anyway Paragon Drive Copy v11 can copy live which is also very
nice. Although Paragon thinks it is doing me a favor by making the copy
bootable by Windows 7. So some part of Windows 7 is still on my XP
system which is tipping Paragon off that Windows 7 is still there.

Anybody know what it can be?

Run a copy of Partition Master or similar program and verify if there is
not a partition left over from the windows install. It usually creates
a small partition to boot from (no drive letter assigned) and then the
regular partition (with drive letter assigned) where the actual Windows
7 files exist.

A drive image copy would include the previously created Windows 7 hidden
partition which is what Paragon most likely is referring to.

 

[BillW50]

In

Run a copy of Partition Master or similar program and verify if there
is not a partition left over from the windows install. It usually
creates a small partition to boot from (no drive letter assigned) and
then the regular partition (with drive letter assigned) where the
actual Windows 7 files exist.

A drive image copy would include the previously created Windows 7
hidden partition which is what Paragon most likely is referring to.

The whole drive is using all of the space as one single partition. No
hidden or unused space anywhere.

 

[BillW50]

In

Windows XP uses the boot.ini file, while Windows Vista/7 use the BCD
database in the \boot folder for storing configuration information.
The XP and earlier used the NTLDR to boot up, while the Vista and
later use BootMgr.

Windows no longer starts after you install an earlier version of the
Windows operating system in a dual-boot configuration
http://support.microsoft.com/kb/919529

Yousuf Khan

Yes I know. If Paragon Drive Copy v11 just cloned the drive, I wouldn't
have this problem. Although it clones and then insures the drive is
bootable. And for some dumb reason, it still thinks Windows 7 is still
there and it makes it bootable by the non-existing Windows 7. Running
FIXMBR and FIXBOOT corrects it. But this is getting old.

 

[Paul]

In

The whole drive is using all of the space as one single partition. No
hidden or unused space anywhere.

Can you post a picture of the partition table contents (PTEDIT32) ?

If we look at this one, the first partition starts at sector 63, leaving
2-62 as storage space for things like the GRUB boot loader. And who knows
what else.

http://www.vistax64.com/attachments...n-partiton-recovery-dell-xps-420-dell-tbl.gif

Now, one claim is, that Windows 7 doesn't to it that way. If you post a
picture of PTEDIT32 output, then we'll know (what potential spaces exist).

Paul

 

[BillW50]

In

Can you post a picture of the partition table contents (PTEDIT32) ?

If we look at this one, the first partition starts at sector 63,
leaving 2-62 as storage space for things like the GRUB boot loader.
And who knows what else.

http://www.vistax64.com/attachments...n-partiton-recovery-dell-xps-420-dell-tbl.gif

Now, one claim is, that Windows 7 doesn't to it that way. If you post
a picture of PTEDIT32 output, then we'll know (what potential spaces
exist).
Paul

I don't see the point, since there are no other partitions. But ok here
it is.

http://img263.imageshack.us/img263/2792/20110329063918.jpg

 

[Paul]

In

I don't see the point, since there are no other partitions. But ok here
it is.

http://img263.imageshack.us/img263/2792/20110329063918.jpg

OK, so the partition starts at sector 2048. That means sectors 2 through 2047
are available for storage. (Sector 1 might be reserved, if some software was
using a scheme to swap out the MBR at boot or something.) 2048*512= 1MB.

So, could they store something in there ? That's where I'd start my search.

dd if=\\?\Device\Harddisk0\Partition0 of=C:\mysearch.dd bs=512 count=2048

and then use a hex editor on the one megabyte C:\mysearch.dd file and see what
is stored in there. If Windows 7 didn't need that area, you could even zero it,
being careful not to hit the MBR. dd has options like "seek" and "skip", to
allow it to copy or carpet bomb any arbitrary contiguous set of sectors. With
the right set of parameters attached, you can zero areas of the disk with

dd if=/dev/zero of=\\?\Device\Harddisk0\Partition0 ...

I'd try this on my Windows 7 laptop (the copy of the first bits), but there
is no guarantee my laptop has exactly the same setup. I don't have a standalone
installer CD, as Windows was preinstalled on the laptop.

Have fun,
Paul

 

[BillW50]

In

OK, so the partition starts at sector 2048. That means sectors 2
through 2047 are available for storage. (Sector 1 might be reserved,
if some software was using a scheme to swap out the MBR at boot or
something.) 2048*512= 1MB.
So, could they store something in there ? That's where I'd start my
search.
dd if=\\?\Device\Harddisk0\Partition0 of=C:\mysearch.dd bs=512
count=2048
and then use a hex editor on the one megabyte C:\mysearch.dd file and
see what is stored in there. If Windows 7 didn't need that area, you
could even zero it, being careful not to hit the MBR. dd has options
like "seek" and "skip", to allow it to copy or carpet bomb any
arbitrary contiguous set of sectors. With the right set of parameters
attached, you can zero areas of the disk with
dd if=/dev/zero of=\\?\Device\Harddisk0\Partition0 ...

I'd try this on my Windows 7 laptop (the copy of the first bits), but
there is no guarantee my laptop has exactly the same setup. I don't
have a
standalone installer CD, as Windows was preinstalled on the laptop.

Have fun,
Paul

Might be something that Paragon is creating. As I can clone with other
software just fine like Acronis True Image 2009 (although you have to
shutdown Windows and can't do it live like Paragon). I am using the
clone copy right now and the partition starts at sector 63. Tried to
clone this copy with Paragon Drive Copy v11 and it still wants to boot
Windows 7 which doesn't exists.

I will have Acronis True Image 2011 here in a day or two. So maybe I
will wait until I see what Acronis True Image 2011 can do. Although I
have endless problems of Acronis True Image not seeing USB drives
sometimes. Yet everything else has no problems with them.

 

[Bill Blanton]

In

Yes I know. If Paragon Drive Copy v11 just cloned the drive, I wouldn't
have this problem. Although it clones and then insures the drive is
bootable. And for some dumb reason, it still thinks Windows 7 is still
there and it makes it bootable by the non-existing Windows 7. Running
FIXMBR and FIXBOOT corrects it. But this is getting old.

Not sure what you mean by making it bootable by 7... Is it creating the
System Reserved partition and/or the 7 boot folders and data?

Could it be something simple as Paragon checking the date of ntldr and
deciding that you are cloning 7. Ntldr isn't rewritten by a fixboot.

 

[BillW50]

In

Not sure what you mean by making it bootable by 7... Is it creating
the System Reserved partition and/or the 7 boot folders and data?

Could it be something simple as Paragon checking the date of ntldr and
deciding that you are cloning 7. Ntldr isn't rewritten by a fixboot.

No I installed Windows 7 along time ago and deleted the partition that
Windows 7 was on and expanded the original Windows XP partition. Of
course Windows XP won't boot in this state because the BCD is still
there. But FIXMBR and FIXBOOT got Windows XP booting and working
normally.

Problem reoccurs when running Paragon Drive Copy v11. Either copying the
one partition or the whole drive, Paragon thinks it is doing me a favor
by also correcting to make sure it will be bootable too (and you can't
turn this off). And it thinks Windows 7 is still there and instead of
booting ntldr, it boots bootmgr (part of Windows 7) instead. Deleted
bootmgr and the boot folder and it still tries to boot the missing
bootmgr.

So something is making Paragon to believe Windows 7 is still there. So
far, nobody knows. The date stamp on ntldr you say? This one says date
modified on 1/6/2010 12:26PM. You think?

 

[Bill Blanton]

In

No I installed Windows 7 along time ago and deleted the partition that
Windows 7 was on and expanded the original Windows XP partition. Of
course Windows XP won't boot in this state because the BCD is still
there. But FIXMBR and FIXBOOT got Windows XP booting and working
normally.

Problem reoccurs when running Paragon Drive Copy v11. Either copying the
one partition or the whole drive, Paragon thinks it is doing me a favor
by also correcting to make sure it will be bootable too (and you can't
turn this off). And it thinks Windows 7 is still there and instead of
booting ntldr, it boots bootmgr (part of Windows 7) instead. Deleted
bootmgr and the boot folder and it still tries to boot the missing
bootmgr.

Perhaps some configuration data in Paragon? Have you tried
uninstalling/reinstalling?

So something is making Paragon to believe Windows 7 is still there. So
far, nobody knows. The date stamp on ntldr you say? This one says date
modified on 1/6/2010 12:26PM. You think?

Or the size. Just a WAG though. I don't hold much hope for that being
the reason, but it's easy enough to check.

 

[Paul]

In

Might be something that Paragon is creating. As I can clone with other
software just fine like Acronis True Image 2009 (although you have to
shutdown Windows and can't do it live like Paragon). I am using the
clone copy right now and the partition starts at sector 63. Tried to
clone this copy with Paragon Drive Copy v11 and it still wants to boot
Windows 7 which doesn't exists.

I will have Acronis True Image 2011 here in a day or two. So maybe I
will wait until I see what Acronis True Image 2011 can do. Although I
have endless problems of Acronis True Image not seeing USB drives
sometimes. Yet everything else has no problems with them.

OK, I fired up my Windows 7 laptop, and I think I can see one contextual
piece of information Paragon could be using.

My first partition, starts at sector 63 (just like every other computer
in the house). That's how this Acer laptop arrived - I haven't modified
the partition structure, except to shrink C: a bit (leaving a large
unallocated chunk near the end).

Your first partition, starts at 2048. This is what a modern Windows OS
does, in the name of SSD support. My laptop doesn't have an SSD, so it
apparently still starts at 63. Starting at 2048 (which is not a multiple
of 63), helps align the SSD to the natural page size of the flash. If
you install WinXP on an SSD, then WinXP starts the first partition at 63,
and performance on the SSD will suffer for it, a bit.

Now, if Paragon sees a "violation" of the "divisible by 63" rule of yore,
it "knows" what OS has done it.

I skimmed through the sectors 1-63 with hexedit, and it's pretty clean. There
are only a couple strings in there, which may have come from something
Acer did. The rest of it is still zeroed. So it doesn't seem there is some
structure in there, on this machine.

Sector 64, where NTFS nominally begins on my machine, has

"A disk read error occurred
BOOTMGR is missing
BOOTMGR is compressed"

which are presumably error messages as part of a partition boot sector or
the like. Now, if you reformatted the Windows 7 partition, I presume such
a partition boot sector would be overwritten. In your case, that would be
at sector 2048.

Just a guess,
Paul

 

[BillW50]

Perhaps some configuration data in Paragon? Have you tried
uninstalling/reinstalling?

Nope, I haven't tried that one yet. Just might work though. As the logs
that Paragon creates states the OS is Windows 7. And it never mentions XP.

Or the size. Just a WAG though. I don't hold much hope for that being
the reason, but it's easy enough to check.

I am sure I have backups of this XP before when Windows 7 was ever
installed. I hate to go back that far. I could pull off an older ntldr
though without problems.

Acronis True Image 2009 works okay. Sometimes it can't find some USB
drives (this problem only pops up with Acronis True Image). Although
with Acronis True Image 2009, you have to shutdown Windows to do it.
Under Paragon it does it live. And I am waiting for Acronis True Image
2011 to get here any day to see what happen with that one.

 

[R. C. White]

Hi, Paul.

Now, if Paragon sees a "violation" of the "divisible by 63" rule of yore,
it "knows" what OS has done it.

I've been using PCs since 1977, before IBM invented the name, and I've
rebuilt more partition tables, FATs and directories than most users, but I
don't think I ever heard of the "'divisible by 63' rule of yore". ;<}

Sectors 1-63 are 63 sectors, as you said. But Sectors 0-63 are 64 sectors -
and 2048 IS evenly divisible by 64. And Sector 63 IS the 64th sector on the
disk.

The MBR - and the partition table - are on physical sector zero on every HDD
I've ever inspected. And the boot sector for each partition is the first
physical sector of that partition, for which the sector number will always
be evenly divisible by 64. (I've not seen an SSD, so I don't know about
those - or GUID Partition Table disks.)

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP (2002-2010)
Windows Live Mail 2011 (Build 15.4.3508.1109) in Win7 Ultimate x64 SP1


"Paul" wrote in message

In

Might be something that Paragon is creating. As I can clone with other
software just fine like Acronis True Image 2009 (although you have to
shutdown Windows and can't do it live like Paragon). I am using the clone
copy right now and the partition starts at sector 63. Tried to clone this
copy with Paragon Drive Copy v11 and it still wants to boot Windows 7
which doesn't exists.

I will have Acronis True Image 2011 here in a day or two. So maybe I will
wait until I see what Acronis True Image 2011 can do. Although I have
endless problems of Acronis True Image not seeing USB drives sometimes.
Yet everything else has no problems with them.

OK, I fired up my Windows 7 laptop, and I think I can see one contextual
piece of information Paragon could be using.

My first partition, starts at sector 63 (just like every other computer
in the house). That's how this Acer laptop arrived - I haven't modified
the partition structure, except to shrink C: a bit (leaving a large
unallocated chunk near the end).

Your first partition, starts at 2048. This is what a modern Windows OS
does, in the name of SSD support. My laptop doesn't have an SSD, so it
apparently still starts at 63. Starting at 2048 (which is not a multiple
of 63), helps align the SSD to the natural page size of the flash. If
you install WinXP on an SSD, then WinXP starts the first partition at 63,
and performance on the SSD will suffer for it, a bit.

Now, if Paragon sees a "violation" of the "divisible by 63" rule of yore,
it "knows" what OS has done it.

I skimmed through the sectors 1-63 with hexedit, and it's pretty clean.
There
are only a couple strings in there, which may have come from something
Acer did. The rest of it is still zeroed. So it doesn't seem there is some
structure in there, on this machine.

Sector 64, where NTFS nominally begins on my machine, has

"A disk read error occurred
BOOTMGR is missing
BOOTMGR is compressed"

which are presumably error messages as part of a partition boot sector or
the like. Now, if you reformatted the Windows 7 partition, I presume such
a partition boot sector would be overwritten. In your case, that would be
at sector 2048.

Just a guess,
Paul

 

[BillW50]

OK, I fired up my Windows 7 laptop, and I think I can see one contextual
piece of information Paragon could be using.

My first partition, starts at sector 63 (just like every other computer
in the house). That's how this Acer laptop arrived - I haven't modified
the partition structure, except to shrink C: a bit (leaving a large
unallocated chunk near the end).

Your first partition, starts at 2048. This is what a modern Windows OS
does, in the name of SSD support. My laptop doesn't have an SSD, so it
apparently still starts at 63. Starting at 2048 (which is not a multiple
of 63), helps align the SSD to the natural page size of the flash. If
you install WinXP on an SSD, then WinXP starts the first partition at 63,
and performance on the SSD will suffer for it, a bit.

Now, if Paragon sees a "violation" of the "divisible by 63" rule of yore,
it "knows" what OS has done it.

I skimmed through the sectors 1-63 with hexedit, and it's pretty clean.
There
are only a couple strings in there, which may have come from something
Acer did. The rest of it is still zeroed. So it doesn't seem there is some
structure in there, on this machine.

Sector 64, where NTFS nominally begins on my machine, has

"A disk read error occurred
BOOTMGR is missing
BOOTMGR is compressed"

which are presumably error messages as part of a partition boot sector or
the like. Now, if you reformatted the Windows 7 partition, I presume such
a partition boot sector would be overwritten. In your case, that would be
at sector 2048.

Just a guess,
Paul

I don't think Windows 7 had anything to do with starting the partition
at sector 2048. Although I could check that on earlier clone drive
copies. As I was trying to get Paragon Drive Copy v11 to do this right,
since so far it is only Paragon can do a live drive copy. Also Paragon
Drive Copy v11 is also the first Paragon version that aligns the drive
(especially useful for SSD).

And it is only these newer Paragon versions that are starting the
partition at 2048. Acronis True Image 2009 starts the clone at sector
63. But this version of ATI doesn't align either.

Tried cloning this ATI clone with Paragon to see if it makes a
difference? And that Paragon clone started at sector 1024. But XP still
won't boot since Paragon still thinks Windows 7 is still here. And it
would work fine if Windows 7 was here, but it has been deleted.

Fired up Paragon Partition Manager 2009 on CD which has a disk editor.
Looked at this one that starts at sector 63.

Sector 0
Looks like a perfectly normal MBR
Sector 1
AF 00 04 -> then all 00's
Sector 2 to 31
Filled with all 00's
Sector 32 and 33
Hit ESC For Boot (doing this at POST will allow you to chose
which device will boot on this machine) <-- Don't know if
this is what that is?
Sector 34 to 62
Filled with all FF's
Sector 63
Disk Read Error, NTLDR is missing, etc
Sector 64
Looks like the NTLDR file to me

 

[Paul]

Hi, Paul.


I've been using PCs since 1977, before IBM invented the name, and I've
rebuilt more partition tables, FATs and directories than most users, but
I don't think I ever heard of the "'divisible by 63' rule of yore". ;<}

Sectors 1-63 are 63 sectors, as you said. But Sectors 0-63 are 64
sectors - and 2048 IS evenly divisible by 64. And Sector 63 IS the 64th
sector on the disk.

The MBR - and the partition table - are on physical sector zero on every
HDD I've ever inspected. And the boot sector for each partition is the
first physical sector of that partition, for which the sector number
will always be evenly divisible by 64. (I've not seen an SSD, so I
don't know about those - or GUID Partition Table disks.)

RC

63 is related to the fake CHS value. When disks surpassed the values that
could be represented by CHS, they used a fake value to signal large
disk operation. 63 comes from that, and alignment is to the fake
CHS. (In other words, they're using CHS for alignment decisions,
when it is meaningless with today's large disks. This doesn't stop
partition management tools from continuing to do that, or from
bitching if the rule is violated.) And 63 is a perfectly horrid value...
precisely because it isn't a multiple of two. A disaster.

http://en.wikipedia.org/wiki/Cylinder-head-sector

"The 16-byte entries within an MBR or EBR Partition Table have CHS-tuples
which are limited to only (1023,254,63) for a total of 1024 cylinders,
255 heads and 63 sectors"

Modern disks use zoned recording, so even "sectors per track" is a silly notion.
The number of sectors per track, could vary across the surface of the disk.

http://www.dewassoc.com/kbase/hard_drives/hard_disk_sector_structures.htm

In the column "Sectors Before" here, all the values are divisible by 63.

http://img26.imageshack.us/img26/1381/sixtythree.gif

Physically, we know there aren't 255 heads or 254 heads on a disk drive. On
a modern drive, there might be four platters and eight heads. So the geometry
doesn't bear any resemblance to reality. Neither sectors per track, or head
count, makes any sense. It's just a flag value.

But try and set up an SSD, to start on a comfortable multiple of the
flash page size (128KB, 256KB, whatever), and watch what happens when
you open some of your older disk management tools. I imagine there'd
be a bit of humor there, although I've not had an SSD here yet to try it.
Virtually every time you touch that SSD, you're going to be seeing warnings
of impending doom I bet Windows 7 is the only thing that won't be
treating you like a leper.

HTH,
Paul

 

[Gene E. Bloch]

In the column "Sectors Before" here, all the values are divisible by 63.

http://img26.imageshack.us/img26/1381/sixtythree.gif

I didn't believe you - I thought it would be that all values, taken mod
64, would equal 63.

So I checked. Looks like I will need a new superstition