Disk cloning has become common as IT professionals virtualize physical servers using tools like Sysinternals Disk2vhd
and use a master virtual hard disk image as the base for copies created
for virtual machine clones. In most cases, you can operate with cloned
disk images unaware that they have duplicate disk signatures. However,
on the off chance you attach a cloned disk to a Windows system that has a
disk with the same signature, you will suffer the consequences of disk
signature collision, which renders unbootable any of the disk’s
installations of Windows Vista and newer. Reasons for attaching a disk
include offline injection of files, offline malware scanning , and -
somewhat ironically - repairing a system that won’t boot. This risk of
corruption is the reason that I warn in Disk2vhd’s documentation not to
attach a VHD produced by Disk2vhd to the system that generated the VHD
using the native VHD support added in Windows 7 and Windows Server 2008
R2.
I’ve gotten emails from people that have run into the disk
signature collision problem and see from a Web search that there’s
little clear help for fixing it. So in this post, I’ll give you easy
repair steps you can follow if you’ve got a system that won’t boot
because of a disk signature collision. I’ll also explain where disk
signatures are stored, how Windows uses them, and why a collision makes a
Windows installation unbootable.
Disk Signatures
A disk signature is four-byte identifier offset 0x1B8 in a disk’s Master Boot Record,
which is written to the first sector of a disk. This screenshot of a
disk editor shows that the signature of my development system’s disk is
0xE9EB3AA5 (the value is stored in little-endian format, so the bytes
are stored in reverse order):
Windows
uses disk signatures internally to map objects like volumes to their
underlying disks and starting with Windows Vista, Windows uses disk
signatures in its Boot Configuration Database (BCD), which is where it
stores the information the boot process uses to find boot files and
settings. When you look at a BCD’s contents using the built-in Bcdedit
utility, you can see the three places that reference the disk signature:
The
BCD actually has additional references to the disk signature in
alternate boot configurations, like the Windows Recovery Environment,
resume from hibernate, and the Windows Memory Diagnostic boot, that
don’t show up in the basic Bcdedit output. Fixing a collision requires
knowing a little about the BCD structure, which is actually a registry
hive file that Windows loads under HKEY_LOCAL_MACHINE\BCD00000:
Disk signatures show up at offset 0x38 in registry values called Element under keys named 0x11000001 (Windows boot device) and 0x2100001 (OS load device):
Here’s
the element corresponding to one of the entries seen in the Bcdedit
output, where you can see the same disk signature that’s stored in my
disk’s MBR:
Disk Signature Collisions
Windows
requires the signatures to be unique, so when you attach a disk that
has a signature equal to one already attached, Windows keeps the disk in
“offline” mode and doesn’t read its partition table or mount its
volumes. This screenshot shows how the Windows Disk Management
administrative utility presents an offline disk that I caused when I
attached the VHD Disk2vhd created for my development system to that
system:
If
you right-click on the disk, the utility offers an “Online” command
that will cause Windows to analyze the disk’s partition table and mount
its volumes:
When
you chose the Online menu option, Windows will without warning generate
a new random disk signature and assign it to the disk by writing it to
the MBR. It will then be able to process the MBR and mount the volumes
present, but when Windows updates the disk signature, the BCD entries
become orphaned, linked with the previous disk signature, not the new
one. The boot loader will fail to locate the specified disk and boot
files when booting from the disk and give up, reporting the following
error:
Restoring a Disk Signature
One
way to repair a disk signature corruption is to determine the new disk
signature Windows assigned to the disk, load the disk’s BCD hive, and
manually edit all the registry values that store the old disk signature.
That’s laborious and error-prone, however. In some cases, you can use
Bcdedit commands to point the device elements at the new disk signature,
but that method doesn’t work on attached VHDs and so is unreliable.
Fortunately, there’s an easier way. Instead of updating the BCD, you can
give the disk its original disk signature back.
First, you
have to determine the original signature, which is where knowing a
little about the BCD becomes useful. Attach the disk you want to fix to a
running Windows system. It will be online and Windows will assign drive
letters to the volumes on the disk, since there’s no disk signature
collision. Load the BCD off the disk by launching Regedit, selecting
HKEY_LOCAL_MACHINE, and choosing Load Hive from the File menu:
Navigate
to the disk’s hidden \Boot directory in the file dialog, which resides
in the root directory of one of the disk’s volumes, and select the file
named “BCD”. If the disk has multiple volumes, find the Boot directory
by just entering x:\boot\bcd, replacing the “x:” with each of the
volume’s drive letters in turn. When you’ve found the BCD, pick a name
for the key into which it loads, select that key, and search for
“Windows Boot Manager”. You’ll find a match under a key named 12000004,
like this:
Select
the key named 11000001 under the same Elements parent key and note the
four-byte disk signature located at offset 0x38 (remember to reverse the
order of the bytes).
With the disk signature in hand, open an
administrative command prompt window and run Diskpart, the command-line
disk management utility. Enter “select disk 2”, replacing “2” with the
disk ID that the Disk Management utility shows for the disk. Now you’re
ready for the final step, setting the disk signature to its original
value with the command “uniqueid disk id=e9eb3aa5”, substituting the ID
with the one you saw in the BCD:
When
you execute this command, Windows will immediately force the disk and
its corresponding volumes offline to avoid a signature collision. Avoid
bringing the disk online again or you’ll undo your work. You can now
detach the disk and because the disk signature matches the BCD again,
Windows installations on the disk will boot successfully. You might find
yourself in a situation where you have no choice but to cause a
collision and have Windows update a disk signature, but at least now you
know how to repair it when you do.
No comments:
Post a Comment