“Ghost” Your Windows System for Free Using Open-Source Tools

Create the System Image

If you made it this far, congratulations. Most of the hard work is behind you. All that is left now is understanding how the ntfsclone tool works. ntfsclone does exactly what it sounds like: it clones the data on an NTFS partition. Unlike a tool such as the venerable dd command, ntfsclone only copies the used data on a partition, whereas dd copies every sector bit by bit. The result is that ntfsclone will create a much smaller image than dd.

Image compression is handled by an independent tool, such as gzip or bzip2. Unless you are absolutely pressed for space, I recommend using gzip for compression as it will work much faster. The beauty of Linux is that we can easily chain these commands together. Here we go.

Image creation, compression, and saving to the spare partition can all be accomplished in one fell swoop. Assuming that the Windows partition is /dev/hda1, and /mnt/hda2 is our previously-designated save location, here is an example:

# ntfsclone -s -o - /dev/hda1 | gzip -c > /mnt/hda2/name-of-image.img.gz

Here is the anatomy of the above command:

  • (-s) essentially means “save to an image”
  • (-o) means “output to a file”
  • (-) means “clone to the standard output,” which is then passed to gzip
    through a pipe (the vertical character “|”)
  • (-c) an option passed to gzip telling it to write the compressed data to
    standard output and keep the incoming file unchanged
  • (>) sends all of the incoming information to the path and file that you
    specify

That’s it. Let ntfsclone work its magic. Depending on the size of your Windows image, the process may take anywhere from a few minutes to a half hour or more. For me, imaging a roughly 6 GB Windows installation took about 12 minutes.

Note: for maximal gzip compression, pass the -9 option to gzip in the above command (… gzip -c -9…). This will take a little longer, but should result in a slightly smaller image.

Restore the System Image

No backup solution is complete without verifying that the restoration process works. To restore the image that you created, simply reverse the tasks. First we need to “unzip” the compressed archive, then use ntfsclone to restore the data.
Can we do all of this in one command? Of course! Here is an example:

# gunzip -c /mnt/hda2/name-of-image.img.gz | ntfsclone -r -O /dev/hda1 -

The above command un-archives the image that you created and passes the data directly to ntfsclone, which then restores (-r) and overwrites (-O) the data on hda1. Don’t forget the trailing hyphen (-) in the above command.

I found that restoring the image took significantly less time than creating it. Easy as pie, huh? Reboot, and as long as the Master Boot Record (MBR) and partition table are undamaged, Windows should come to life.

Remote Storage Over SSH

If you have access to a remote server over SSH (if you do not know what this means, then you don’t have it), you can send your Windows image directly to the remote server during the creation process. There is no need to mount any partitions when you boot the Linux live CD. Please test your SSH connection before you proceed.

Assuming that Windows is installed on the first partition of the first hard disk, this is an example command:

# ntfsclone -s -o - /dev/hda1 | gzip -c | ssh username@server 'cat > name-of-image.img.gz'

Notice the two “pipes” in the above command? We use ntfsclone to clone hda1, pass the data directly to gzip for compression, then pass the compressed data directly to the remote server, writing it to the name of the file that you specify. Neat, huh?

To restore the image from the remote server, simply reverse the procedures. First we will SSH into the server to retrieve the image, unzip it, and pass the resulting data to ntfsclone, all in one fell swoop.

# ssh username@server 'cat name-of-image.img.gz' | gunzip -c | ntfsclone -r -O /dev/hda1 -

Once again, don’t forget the trailing hyphen (-) at the end of the above command.

A note about SSH passwords: unless you are using SSH keys, the above commands will hang right after you issue them, as they will be waiting for your SSH password. Type your password, press Enter, and they should proceed as normal.
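
The restore commands above overwrite /dev/hda1 with whatever the image contains, so it pays to check the image first, especially after it has travelled over SSH. The following is an added example, not part of the original article: save_image and verify_image are hypothetical helper names, sha256sum is assumed to be available on the live CD, and a constructed data stream stands in for the ntfsclone output.

```sh
#!/bin/sh
# Added example, not the article's code. Function names are hypothetical.

# save_image IMAGE: gzip stdin into IMAGE, then record its SHA-256 beside it.
# Real use: ntfsclone -s -o - /dev/hda1 | save_image /mnt/hda2/name-of-image.img.gz
save_image() {
    img=$1
    gzip -c > "$img" || return 1    # e.g. the save partition filled up
    # Bare file name in the .sha256 file keeps it valid if both files are moved.
    ( cd "$(dirname "$img")" && f=$(basename "$img") && sha256sum "$f" > "$f.sha256" )
}

# verify_image IMAGE: 0 = intact, 1 = hash missing or mismatched,
# 2 = gzip stream damaged or cut short.
# Real use: verify_image IMG && gunzip -c IMG | ntfsclone -r -O /dev/hda1 -
verify_image() {
    img=$1
    ( cd "$(dirname "$img")" &&
      sha256sum -c "$(basename "$img").sha256" >/dev/null 2>&1 ) || return 1
    gzip -t "$img" 2>/dev/null || return 2
    return 0
}

# Constructed stand-in for the ntfsclone stream, so the demo needs no disk.
sample_stream() {
    awk 'BEGIN { for (i = 0; i < 20000; i++) print "constructed sample sector", i }'
}

# demo: prints the verify_image result for an intact and a truncated image.
demo() {
    dir=$(mktemp -d) || return 1
    sample_stream | save_image "$dir/win.img.gz" || return 1
    ok=0; verify_image "$dir/win.img.gz" || ok=$?
    # Simulate an interrupted transfer: keep only the first 1 KiB.
    dd if="$dir/win.img.gz" of="$dir/cut" bs=512 count=2 2>/dev/null
    mv "$dir/cut" "$dir/win.img.gz"
    cut=0; verify_image "$dir/win.img.gz" || cut=$?
    rm -rf "$dir"
    echo "intact=$ok truncated=$cut"
}

demo
```

For the SSH variant, copy the .sha256 file to the server alongside the image and run the same check on whichever side holds the file before restoring.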

24 thoughts on “‘Ghost’ Your Windows System for Free Using Open-Source Tools”

  1. I’ve found that on most of the machines these days, the MBR is initially much too small. It was originally sized for earlier days when system storage was much smaller. That means you often have fragmented MBR records. Of course, nowadays, a couple of the defragmentors can put them back together.

    But, when setting up from scratch, there’s a command line to set up a larger MBR from the start. This usually results in much faster boot times and running for slower machines. It’s a two step process. Step 1 you create a new file of the desired size, and step 2, you format and specify on the command line to use this new file for the MBR. I’m not listing the commands simply because the reference to them isn’t on my computer at the moment. I have it on a backup drive. You can contact me if you need the specifics.

  2. Brian, thanks for this guide! Very instructive and easy to follow even for someone with almost no linux experience.

  3. Excellent tutorial, Brian. Although this technique is becoming pretty well-documented in “Hack” books, your presentation, along with mention of NTFSCLONE, is a valuable addition to the literature. Kudos for a valuable and freely available technique!

  4. I have been using NTFSTOOLS for about 2 years and share your opinion on the ease of use. I have tested ntfsclone on Vista–It works flawlessly. My suggestion if you are going to use this on Vista, use the latest version of ntfsclone that you can find. The resizing tools didn’t work too well, so I recommend that you use the disk manager in Vista to resize the partition and then use a Linux distro with ntfsclone.

  5. Really, kudos, Brian.
    I have just been setting up a new laptop for my aunt and want nothing more and nothing less than a comfortable way to archive the fresh XP installation and application setup. And I was almost going to bind a commercial solution because I did not want to spend time to learn tweaking/building BartPE with DriveImageXML.
    🙂

  6. What about if you have multiple OS on the hard drive and want to move all of them to a bigger hard drive?

    I currently have three OS on my 80GB hard drive and I want all three to a 250 GB HD. Right now I have the following:

    Windows 2003 Server
    Windows XP 64-Bit
    Ubuntu 6 (Feisty Fawn).

  7. In the article towards the end when talking about restoring the image you state:
    “as long as the Master Boot Record (MBR) and partition table are undamaged”.

    When you restore the image does it not restore the MBR and partition table?

  8. There’s a new livecd called clonezilla that is simple, easy to use, and combines drb, ntfsclone, udpcast, and partition image.

  9. I’ve been messing with this. I’m thinking about using some tools to get the partitions and mbr brought over to the clients via udpcast also.

    On Golden Boy
    ntfsclone -s -o - /dev/sda1 | udp-sender --max-bitrate=40M --pipe "gzip -c"

    On Clients
    udp-receiver --pipe "gzip -dc" | ntfsclone -r -O /dev/sda1 -

  10. All this is fine. But in my laptop, (HP Compaq presario AU 6000 series preloaded with Vista Home Basic) g-parted does not work. I get the first screen on boot-up from my flash drive. It offers different choices, but after that nothing works. The same thing happens with clonezilla and different other hard disk cloning and partitioning software. Can anyone tell me why this happens? Is it because the BIOS itself has been engineered to ignore any program not based on Windows?

  11. NO ! I am NOT afraid of the Command Line !

    I have done it. Using Puppy; “Ghosted” my working XP C Drive to a new partition in a harddisk connected via USB. I did not get the ultimate proof by overwriting my C Drive and seeing it re-boot. But I accepted the next best thing by checking that all the files in my C Drive are exactly showing in my ghosted partition.

    To get the final proof, I intend at a later date to open up my computer case, disconnect the cable and power of my C Drive and plug them into the ghosted harddisk. If it boots, then there is the proof.

    GParted treats every device the same, be it sda1 or sdb5 (this latter is on USB). As long as one has got the device numbers right, the imaging and restoring goes between partitions quite smoothly.

    Overall, I am well pleased.

  12. good
    Here I use <>
    I store the ghost of the C partition on DVD-RW.
    Restoring C (5 GB) = 25 minutes
    Thank you, Macrium Reflect Free

  13. Thanks for the great tutorial. I just ran it on my new Vista Business x64 box and it worked flawlessly. 65GB of OS, Apps and Files became a 25GB image file.

    Notice that I used the partitioning tool that comes with Vista to create a storage partition (not GParted). It’s actually an amazing tool. No reboot required!

    I booted Ubuntu 9.04 live CD, mounted the secondary partition and used Brian’s commands as is (just the names changed). Creating the image probably took about 60 to 90 minutes. Restoring it took about 20 minutes.

    I look forward to using this technique frequently.

  14. This all sounds good but I’m not sure where to start.
    I figure I have to download Puppy, but do I have to find ntfs-3g, GParted and ntfsclone also. Do I put them all on the one cd to be the live cd?
    The rest of your explanation sounds clear enough, but I’m just not understanding how to get started. Thanks for the good info.
