Windows Secure Boot is EXPIRING: Do This Before June 2026!
Windows Secure Boot certificates are reaching their "End of Life"
starting June 2026. If you haven't updated your UEFI CA certificates,
your PC's boot-level security is about to expire and you may have
serious problems booting up your machine.
On Tue, 3/10/2026 2:06 PM, Java Jive wrote:
On 2026-03-10 14:23, Paul wrote:
Turning off Fast Startup, is for if you are a multibooter. If you only
use the one OS on the laptop, then leaving Fast Startup enabled is fine.
Also you should disable it if you use imaging software to back up
your system disk.
You can back up the system hot. Not a problem.
(That's why it uses VSS, the Volume Shadow Service, it
freezes a "snapshot" of the OS files, and anything saved
after the ten second quiesce phase, will be backed up
on your *next* backup.)
Backing up from a Rescue CD, the X: OS partition there does not
have VSS, but the C: filesystem is at rest and so it is
easier to back up (compared to backing up hot).
Macrium can pretend to record the pagefile.sys while the
OS is running on C: , but the contents are all zero. There
is a good chance it is just faking it.
It would be nice if some utilities would agree as to what
files are on various representations of a partition like C:
(and the C: backup), but this hardly happens. There are
too many little differences to get an exact match out of anything.
Whereas a data partition like D: , it is more likely to have utilities
that see the same things on there.
On 2026-03-10 23:25, Paul wrote:
Macrium can pretend to record the pagefile.sys while the
OS is running on C: , but the contents are all zero. There
is a good chance it is just faking it.
Which is the sort of reason why I think the whole idea of imaging a
running system is dodgy, and always shut a system down before imaging it.
IIRC, another is that there are keys in the registry which flag whether
a system was shut down properly. If you restore the image of a running system, on first boot it will find that these flags are not in their
proper state, and a menu will be displayed asking for which version of Windows to load, even if there's only one, or whether to load safe mode, etc.
This might not matter much to a home user, but, speaking as a
former professional who used to create the OS images for thousands of corporate PCs, I'm pretty sure that I wouldn't have been allowed to
produce an image that did that, even supposing I had been sufficiently unembarrassed to try!
Java Jive <java@evij.com.invalid> wrote:
IIRC, another is that there are keys in the registry which flag whether
a system was shut down properly. If you restore the image of a running
system, on first boot it will find that these flags are not in their
proper state, and a menu will be displayed asking for which version of
Windows to load, even if there's only one, or whether to load safe mode,
etc.
I think it's extremely unlikely that this is actually a problem,
because if it was, Macrium Reflect would not offer online image backup
(of system partitions) or would at least warn for the consequences and
what precautions/ measures to take when restoring.
This might not matter much to a home user, but, speaking as a
former professional who used to create the OS images for thousands of
corporate PCs, I'm pretty sure that I wouldn't have been allowed to
produce an image that did that, even supposing I had been sufficiently
unembarrassed to try!
On 12/03/2026 15:41, Frank Slootweg wrote:
Java Jive <java@evij.com.invalid> wrote:
IIRC, another is that there are keys in the registry which flag whether
a system was shut down properly. If you restore the image of a running
system, on first boot it will find that these flags are not in their
proper state, and a menu will be displayed asking for which version of
Windows to load, even if there's only one, or whether to load safe mode,
etc.
I think it's extremely unlikely that this is actually a problem,
because if it was, Macrium Reflect would not offer online image backup
(of system partitions) or would at least warn for the consequences and
what precautions/ measures to take when restoring.
No, agreed, not an actual problem as such, it's just the result seems somewhat unprofessional. Fine for home use, but perhaps not good for your professional reputation at work :-), which is why I added ...
This might not matter much to a home user, but, speaking as a
former professional who used to create the OS images for thousands of
corporate PCs, I'm pretty sure that I wouldn't have been allowed to
produce an image that did that, even supposing I had been sufficiently
unembarrassed to try!
On Wed, 3/11/2026 2:08 PM, ...w¡ñ§±¤ñ wrote:
Some of the articles are missing the point and spreading fear beyond what will/does happen.
The fear is justified, given how stupid some of the motherboard
engineering can be. One company lost the curation chain for their
BIOS releases. In some cases, the only reason this stuff works,
is because the BIOS in an Award, AMI, Phoenix, InSyde and those
companies push out the code for that.
It is the lack of industry expertise in UEFI and Secure Boot that
strikes fear for the unlucky computer owners.
It would help greatly, if we had a tool to properly list the certs
and revokes.
Paul
That's why I said Macrium Reflect probably doesn't even backup (the sectors containing) the hiberfil.sys file, because there's just no
point. I/we could try to chase this down in the Macrium knowledge base
etc. or/and check the content of an image I/we made, but I won't try
such an exercise in futility.
Frank Slootweg wrote on 3/12/2026 8:26 AM:
That's why I said Macrium Reflect probably doesn't even backup (the
sectors containing) the hiberfil.sys file, because there's just no
point. I/we could try to chase this down in the Macrium knowledge base
etc. or/and check the content of an image I/we made, but I won't try
such an exercise in futility.
cf.
<https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>
Intelligent Sector Copy
Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.
***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.
Paul wrote on 3/11/2026 1:11 PM:
On Wed, 3/11/2026 2:08 PM, ...w¡ñ§±¤ñ wrote:
Some of the articles are missing the point and spreading fear beyond what will/does happen.
The fear is justified, given how stupid some of the motherboard
engineering can be. One company lost the curation chain for their
BIOS releases. In some cases, the only reason this stuff works,
is because the BIOS in an Award, AMI, Phoenix, InSyde and those
companies push out the code for that.
They lost the curation chain b/c of Secure Boot requirements?
On Fri, 3/13/2026 3:18 AM, ...w¡ñ§±¤ñ wrote:
Frank Slootweg wrote on 3/12/2026 8:26 AM:
That's why I said Macrium Reflect probably doesn't even backup (the
sectors containing) the hiberfil.sys file, because there's just no
point. I/we could try to chase this down in the Macrium knowledge base
etc. or/and check the content of an image I/we made, but I won't try
such an exercise in futility.
cf.
<https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>
Intelligent Sector Copy
Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.
***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.
I just tested this. I had a lot of trouble with the test subject, just getting hiberfil.sys turned on. There really is a minimum size it is happy with!
Who knew. I had to move partitions around on the test disk, it took a while to get set up for this.
The Online backup was 46,716,473 KB and the Hiberfil.sys (after having just used it to hibernate the session then wake up again) was all zeros. While it reads out as zeros, the zeros don't seem to be recorded as such. The same is true of the pagefile.sys, it's zeros and they might or might not be stored.
The Offline backup was 81,806,033 KB and the Hiberfil.sys is recorded.
The first four characters are "WAKE". The pagefile.sys is similarly recorded.
#HSTR:Trojan:MSIL/AgentTesla <=== a piece of some virus definitions, incoming.
Restoring an all-zeros pagefile.sys does not hurt anything. That is
because there is a GPEdit security policy that does exactly that.
It zeros the pagefile.sys at shutdown, so you "can't find those virus definitions" sitting there.
https://www.ninjaone.com/blog/virtual-memory-pagefile-encryption/
"To securely erase sensitive virtual memory data,
enable ClearPageFileAtShutdown via Group Policy...
This protects data remnants and enhances system security compliance."
The hiberfile has one header pattern for a valid head. And something different when it is invalidating the hiberfile content to prevent
accidental reuse (which might not align with file system state). So
while I can see the word "WAKE", I don't know which byte is the invalidate byte.
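Added example, not part of any post in this thread: a Python check for the test Paul describes, run against a hiberfil.sys or pagefile.sys copied out of a mounted image, reporting the four-byte header and whether the file holds anything other than zeros. The signature table is an assumption taken from public forensic tooling, and the two sample files are constructed stand-ins.

```python
import os
import tempfile

# Assumption: four-byte signatures that public forensic tools report at
# offset 0 of hiberfil.sys. The labels are descriptive, not Microsoft's.
KNOWN_SIGNATURES = {
    b"hibr": "hibernation image present", b"HIBR": "hibernation image present",
    b"wake": "image marked as already resumed", b"WAKE": "image marked as already resumed",
    b"RSTR": "resume was in progress",
}

def inspect_memory_file(path, chunk_size=1 << 20):
    """Report the signature and zero-fill statistics of one extracted file."""
    nonzero, first_nonzero, offset = 0, None, 0
    with open(path, "rb") as fh:
        head = fh.read(4)
        fh.seek(0)
        while chunk := fh.read(chunk_size):
            zeros = chunk.count(0)
            if zeros != len(chunk):
                nonzero += len(chunk) - zeros
                if first_nonzero is None:
                    first_nonzero = offset + len(chunk) - len(chunk.lstrip(b"\0"))
            offset += len(chunk)
    if nonzero == 0:
        state = "empty or all zeros"
    else:
        state = KNOWN_SIGNATURES.get(head, "unrecognised header")
    return {"size": offset, "signature": head, "state": state,
            "nonzero_bytes": nonzero, "first_nonzero_offset": first_nonzero,
            "holds_memory_remnants": nonzero > 0}

def demo():
    """Inspect two constructed stand-ins for files pulled from mounted images."""
    samples = {
        "online": b"\0" * 8192,                                    # constructed
        "offline": b"WAKE" + b"\0" * 4092 + b"constructed remnant",  # constructed
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name + "_hiberfil.sys")
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = inspect_memory_file(path, chunk_size=4096)
    return results

if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```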
On Fri, 3/13/2026 4:46 AM, Paul wrote:
On Fri, 3/13/2026 3:18 AM, ...w¡ñ§±¤ñ wrote:
Frank Slootweg wrote on 3/12/2026 8:26 AM:
That's why I said Macrium Reflect probably doesn't even backup (the
sectors containing) the hiberfil.sys file, because there's just no
point. I/we could try to chase this down in the Macrium knowledge base
etc. or/and check the content of an image I/we made, but I won't try
such an exercise in futility.
cf.
<https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>
Intelligent Sector Copy
Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.
***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.
I just tested this. I had a lot of trouble with the test subject, just
getting hiberfil.sys turned on. There really is a minimum size it is happy with!
Who knew. I had to move partitions around on the test disk, it took a while
to get set up for this.
Paul
On Fri, 3/13/2026 3:09 AM, ...w¡ñ§±¤ñ wrote:
Paul wrote on 3/11/2026 1:11 PM:
On Wed, 3/11/2026 2:08 PM, ...w¡ñ§±¤ñ wrote:
Some of the articles are missing the point and spreading fear beyond what will/does happen.
The fear is justified, given how stupid some of the motherboard
engineering can be. One company lost the curation chain for their
BIOS releases. In some cases, the only reason this stuff works,
is because the BIOS in an Award, AMI, Phoenix, InSyde and those
companies push out the code for that.
They lost the curation chain b/c of Secure Boot requirements?
The custody chain for BIOS updates is broken, and that injures
their ability to help customers have the best most secure
motherboards possible.
I don't use hibernation, routinely disabled (or verified as disabled) shortly after a Windows install of any type (clean, on-top, repair, feature update [now only H2])...except for testing (like you are doing).
I recall from an earlier on-MSFT-campus discussion that hiberfil.sys was intended (oobe) to have a minimum size, but as expected that's just a starting point and growth can occur even with the same identical footprint of programs, apps, services, etc. running and without any changes to Windows.
It's like a monster *It's alive* (Victor Frankenstein, after turning on/off the electricity or lightning strike - movie version; Shelley's version - no electricity or lightning) and for my use not needed.
I saw another behavior in there I couldn't believe,
but we'll save that for another time. Something
changed the hiberfil.sys size, from one OS boot
(not hibernated) to another OS boot (not hibernated).
I've not heard of that being a capability the OS
reserves for itself. There were no conditions that
would even remotely stress the hibernation scheme
(shouldn't have taken more than a gigabyte of storage
space while hibernating, no excuse for finding my
backup was backing up a 64GB hiberfil.sys). This increased
the size of the offline backup I was making (impact would
have been greatly reduced if I had switched on compression).
Paul <nospam@needed.invalid> wrote:
[...]
I saw another behavior in there I couldn't believe,
but we'll save that for another time. Something
changed the hiberfil.sys size, from one OS boot
(not hibernated) to another OS boot (not hibernated).
I've not heard of that being a capability the OS
reserves for itself. There were no conditions that
would even remotely stress the hibernation scheme
(shouldn't have taken more than a gigabyte of storage
space while hibernating, no excuse for finding my
backup was backing up a 64GB hiberfil.sys). This increased
the size of the offline backup I was making (impact would
have been greatly reduced if I had switched on compression).
Your findings seem to be an argument for NOT making offline (Macrium Reflect) image backups, because, as mentioned/documented before, an
online image backup does NOT backup the hiberfil.sys file.
On Sun, 3/15/2026 9:31 AM, Frank Slootweg wrote:
Paul <nospam@needed.invalid> wrote:
[...]
I saw another behavior in there I couldn't believe,
but we'll save that for another time. Something
changed the hiberfil.sys size, from one OS boot
(not hibernated) to another OS boot (not hibernated).
I've not heard of that being a capability the OS
reserves for itself. There were no conditions that
would even remotely stress the hibernation scheme
(shouldn't have taken more than a gigabyte of storage
space while hibernating, no excuse for finding my
backup was backing up a 64GB hiberfil.sys). This increased
the size of the offline backup I was making (impact would
have been greatly reduced if I had switched on compression).
Your findings seem to be an argument for NOT making offline (Macrium Reflect) image backups, because, as mentioned/documented before, an
online image backup does NOT backup the hiberfil.sys file.
Good point.
A better way to run a computer, is like a lot of us are
already doing (on *desktops* at least).
powercfg /h off
Now your backups are in no danger whatsoever :-)
You cannot do that on a laptop, due to battery management issues.
(Laptop resorts to hibernation, when sleep operation depletes
the battery sufficiently to cause alarm.)
My test of Macrium, was done on 7.2 or so. While on a lot of
softwares, it could be argued a newer version would "fix"
the lack of detection of a potential issue, that's not a
pattern I note in Macrium. If they're letting something slip
like that, that is design intent and not a bug.
That's why I would prefer to see a competing product flag this.
Just so we know someone cares about the topic.
*******
A percentage of users, will be attracted to online backup, as
the provided scheduler will manage their incremental or
incremental-forever pattern. I'm not sure the offline tool
is clever enough to find the backup pattern definition file,
but it might...