• Re: Windows Secure Boot Certificate

    From ...w¡ñ?±?ñ@3:633/10 to All on Friday, March 13, 2026 00:18:24
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and
    reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation
    (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows
    starts. These files will be visible in the imaged file system, but will
    take up zero space in the image file.


    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Friday, March 13, 2026 04:46:31
    On Fri, 3/13/2026 3:18 AM, ...w­¤?ñ?¤ wrote:
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the
    sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.



    I just tested this. I had a lot of trouble with the test subject, just
    getting hiberfil.sys turned on. There really is a minimum size it is happy with!
    Who knew. I had to move partitions around on the test disk, it took a while
    to get set up for this.

    The Online backup was 46,716,473 KB and the Hiberfil.sys (after having just used it to hibernate the session then wake up again) was all zeros. While it reads out as zeros, the zeros don't seem to be recorded as such. The same is true of the pagefile.sys, it's zeros and they might or might not be stored.

    The Offline backup was 81,806,033 KB and the Hiberfil.sys is recorded.
    The first four characters are "WAKE". The pagefile.sys is similarly recorded. #HSTR:Trojan:MSIL/AgentTesla <=== a piece of some virus definitions, incoming.

    Restoring an all-zeros pagefile.sys does not hurt anything. That is
    because there is a GPEdit security policy that does exactly that.
    It zeros the pagefile.sys at shutdown, so you "can't find those virus definitions" sitting there.

    https://www.ninjaone.com/blog/virtual-memory-pagefile-encryption/

    "To securely erase sensitive virtual memory data,
    enable ClearPageFileAtShutdown via Group Policy...

    This protects data remnants and enhances system security compliance."

    The hiberfile has one header pattern for a valid header. And something
    different when it is invalidating the hiberfile content to prevent
    accidental reuse (which might not align with file system state). So
    while I can see the word "WAKE", I don't know which byte is the invalidate byte.

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Friday, March 13, 2026 04:59:34
    On Fri, 3/13/2026 3:09 AM, ...w­¤?ñ?¤ wrote:
    Paul wrote on 3/11/2026 1:11 PM:
    On Wed, 3/11/2026 2:08 PM, ...w­¤?ñ?¤ wrote:
    Some of the articles are missing the point and spreading fear beyond what will/does happen.

    The fear is justified, given how stupid some of the motherboard
    engineering can be. One company lost the curation chain for their
    BIOS releases. In some cases, the only reason this stuff works,
    is because the BIOS in an Award, AMI, Phoenix, InSyde and those
    companies push out the code for that.

    They lost the curation chain b/c of Secure Boot requirements?

    When they now offer BIOS updates to users (like issuing
    a BlackLotus patch in a BIOS), the existing BIOS does not
    know whether the incoming BIOS about-to-be-flashed, is valid
    or not. It's possible some signing materials were lost.
    A bare minimum for a BIOS flash to happen, is for an eight
    character string near the end of the file, to match what is
    already on the motherboard. The version number may be involved
    too (some BIOS, there is a separate tool for taking versions
    backwards).

    This means, if they are asked for any more Security changes,
    they "aren't really secure". A Russian could have prepared the
    BIOS image and hacked into the web site and offered their file for usage.

    The custody chain for BIOS updates is broken, and that injures
    their ability to help customers have the best most secure
    motherboards possible.

    And the other companies are just stupid, and they don't
    care about anything. This is why Asus is on parole for
    some router firmware issues. Something about a lack of
    best practice. I don't remember all the details.

    https://www.zdnet.com/article/asus-hit-by-ftc-with-20-year-audit-for-bungled-router-security/

    There are some things the computer industry is good at,
    but there are also certain topics where they like
    to feint a certain incompetence. This could be based
    on the management considering "excess engineering work" to be
    a "reduction in profits". If Microsoft comes up with
    a scheme that costs more hours of engineering time
    per motherboard than before, then they have the option
    of showing their displeasure by doing a poor job
    on the maintenance of the scheme.

    Paul


    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Saturday, March 14, 2026 01:01:36
    On Fri, 3/13/2026 4:46 AM, Paul wrote:
    On Fri, 3/13/2026 3:18 AM, ...w­¤?ñ?¤ wrote:
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the
    sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.



    I just tested this. I had a lot of trouble with the test subject, just getting hiberfil.sys turned on. There really is a minimum size it is happy with!
    Who knew. I had to move partitions around on the test disk, it took a while to get set up for this.

    The Online backup was 46,716,473 KB and the Hiberfil.sys (after having just used it to hibernate the session then wake up again) was all zeros. While it reads out as zeros, the zeros don't seem to be recorded as such. The same is true of the pagefile.sys, it's zeros and they might or might not be stored.

    The Offline backup was 81,806,033 KB and the Hiberfil.sys is recorded.
    The first four characters are "WAKE". The pagefile.sys is similarly recorded. #HSTR:Trojan:MSIL/AgentTesla <=== a piece of some virus definitions, incoming.

    Restoring an all-zeros pagefile.sys does not hurt anything. That is
    because there is a GPEdit security policy that does exactly that.
    It zeros the pagefile.sys at shutdown, so you "can't find those virus definitions" sitting there.

    https://www.ninjaone.com/blog/virtual-memory-pagefile-encryption/

    "To securely erase sensitive virtual memory data,
    enable ClearPageFileAtShutdown via Group Policy...

    This protects data remnants and enhances system security compliance."

    The hiberfile has one header pattern for a valid header. And something different when it is invalidating the hiberfile content to prevent
    accidental reuse (which might not align with file system state). So
    while I can see the word "WAKE", I don't know which byte is the invalidate byte.


    https://knowledgebase.macrium.com/display/KNOW/Macrium+Reflect+default+settings

    Option Description

    Intelligent Sector Copy

    Only backup the sectors that are being used by data on the disk.
    Pagefile (pagefile.sys) and hibernation (hiberfil.sys) will also be excluded.

    This reduces the time it takes for the backup to complete.

    Forensic Copy

    Backup every sector.

    *******
    I've completed a bit more testing.

    This time, I hibernated Windows, then shut down the power at the back.
    On power up, my Macrium Rescue stick was then inserted, and the plan was to
    do a backup of C: to "see what would happen".

    Well, the result was "more interesting than I would have expected".

    There is in fact, no safety flag raised about backing up a Hibernated OS.

    I examine the backup image, and the Hiberfil.sys has the word "HIBR"
    as the first four characters. So this is how the invalidation mechanism
    works. "HIBR" indicating the file is awaiting a chance to boot, and
    "WAKE" indicating it was just used (WAKE == now invalid).

    After the backup was finished, I rebooted the computer. No complaint yet.
    I ran a CHKDSK from Properties. It tells me C: needs to be repaired. I
    look in Eventvwr and see this. This is caused by Macrium, writing to
    the C: it just backed up (you can't write to the file systems while
    they are dirty). The directory 0x5,0x5 is filenum 5, having parent 5
    and is the root of the filesystem, otherwise known as C: in this case.
    It was then, attempting to write C:\rescuepe.log indicating that the
    backup had just started.

    Stage 2: Examining file name linkage ...
    Found an unneeded link (SFILE_NAME: "rescuepe.log") in index "SI30" of directory "\ <0x5,0x5>"
    was not able to send command for self-healing due to lack of memory.

    *******

    CoPilot tells me:

    Why Backup Tools Don't Warn You

    Macrium Reflect (and similar tools):

    - operate at the **block level**, not the filesystem level
    - don't interpret NTFS metadata <=== wrongo!
    - don't inspect `hiberfil.sys`
    - don't check the NTFS hibernation flag
    - assume the user knows what state the OS is in

    Why This *Should* Trigger a Warning (but doesn't)

    You're correct:
    **Restoring a hibernated OS image is dangerous unless you intend to resume immediately.**

    A practical backup tool *should* warn:

    "This volume appears to be hibernated. Restoring it later may cause resume corruption.
    Consider shutting down Windows before imaging."

    I get a different answer this time, regarding "how to make it safe".

    How to Make This Safe

    Here's the reliable rule:

    ### If you restore a hibernated image, **you must delete `hiberfil.sys` before booting**.

    You can do this by:

    - Booting into WinPE or rescue media
    - Deleting C:\hiberfil.sys
    - Clearing the hibernation flag by running: powercfg /h off

    To me then, this implies a normal boot will happen, and
    any uncommitted files (with fragments) would be cleared
    via USN Journal playback.

    Summary: This is NOT what I was expecting. Caveat emptor.

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
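    A small check that follows from Paul's findings above and from the "delete hiberfil.sys before booting" rule quoted from CoPilot: before restoring an image, look at the first four bytes of the hiberfil.sys it contains. This is an added example, not code from the thread, from Macrium or from Microsoft; it assumes only the two signatures reported in the thread ("HIBR" for a hibernated volume awaiting resume, "WAKE" for one already resumed and so invalid) and the all-zero header Paul saw in the online backup, and it treats any other value as unknown. The file name, function names and the sample headers are constructed for the example.

```python
"""Classify the header of a hiberfil.sys found in a backup image.

Added example (not from the thread, Macrium or Microsoft). It reads the
first four bytes of a hiberfil.sys, e.g. from a mounted image, and maps
them to the states reported in the thread: "HIBR" means resume data is
present and the restored OS would try to resume from it; "WAKE" means the
file was invalidated after a resume. An all-zero header, as seen in the
online (Intelligent Sector Copy) backup, is reported separately.
"""
from __future__ import annotations

import os
import tempfile

HEADER_LEN = 4

# Signatures taken from the thread. Assumption: only the leading four
# bytes are examined; which later byte acts as the "invalidate byte" is
# not known, so nothing beyond the signature is interpreted.
STATUS_BY_SIGNATURE = {
    b"HIBR": "hibernated",   # resume pending: restoring and booting is risky
    b"WAKE": "invalidated",  # already resumed: file content will be ignored
}


def classify_hiberfil_header(header: bytes) -> str:
    """Map the first bytes of hiberfil.sys to a status string."""
    sig = header[:HEADER_LEN]
    if len(sig) < HEADER_LEN:
        return "truncated"
    if sig == b"\x00" * HEADER_LEN:
        return "zeroed"
    return STATUS_BY_SIGNATURE.get(sig, "unknown")


def check_hiberfil(path: str) -> str:
    """Read and classify the header of the hiberfil.sys at `path`."""
    with open(path, "rb") as fh:
        return classify_hiberfil_header(fh.read(HEADER_LEN))


def restore_is_safe(status: str) -> bool:
    """True when booting the restored image will not attempt a resume."""
    return status in ("invalidated", "zeroed")


def demo() -> dict[str, str]:
    """Write constructed sample headers to temp files and classify each."""
    samples = {  # constructed data, not captured from a real image
        "offline_hibernated": b"HIBR" + b"\x00" * 60,
        "offline_resumed": b"WAKE" + b"\x00" * 60,
        "online_excluded": b"\x00" * 64,
        "garbage": b"XYZW" + b"\x00" * 60,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name + ".hiberfil.sys")
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = check_hiberfil(path)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} {status:12s} safe_to_restore={restore_is_safe(status)}")
```

    Run it against the hiberfil.sys of a mounted image (`check_hiberfil(r"E:\hiberfil.sys")`, assuming the image is mounted as E:); a result of "hibernated" is the case where the thread's advice applies: delete the file from rescue media and run `powercfg /h off` before the first boot.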
  • From ...w¡ñ?±?ñ@3:633/10 to All on Saturday, March 14, 2026 14:12:27
    On 3/13/2026 10:01 PM, Paul wrote:
    On Fri, 3/13/2026 4:46 AM, Paul wrote:
    On Fri, 3/13/2026 3:18 AM, ...w­¤?ñ?¤ wrote:
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the
    sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.



    I just tested this. I had a lot of trouble with the test subject, just
    getting hiberfil.sys turned on. There really is a minimum size it is happy with!
    Who knew. I had to move partitions around on the test disk, it took a while
    to get set up for this.

    Paul

    I don't use hibernation, routinely disabled (or verified as disabled)
    shortly after a Windows install of any type (clean, on-top, repair,
    feature update [now only H2]...) except for testing (like you are doing).

    I recall from an earlier on-MSFT-campus discussion that hiberfil.sys
    that was intended(oobe) to have a minimum size, but as expected that's
    just a starting point and growth can occur even with the same identical footprint of programs, apps, services, etc. running and without any
    changes to Windows.

    It's like a monster *It's alive* (Victor Frankenstein, after turning
    on/off the electricity or lightning strike - movie version; Shelley's
    version - no electricity or lightning) and for my use not needed.

    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Saturday, March 14, 2026 14:16:26
    On 3/13/2026 1:59 AM, Paul wrote:
    On Fri, 3/13/2026 3:09 AM, ...w­¤?ñ?¤ wrote:
    Paul wrote on 3/11/2026 1:11 PM:
    On Wed, 3/11/2026 2:08 PM, ...w­¤?ñ?¤ wrote:
    Some of the articles are missing the point and spreading fear beyond what will/does happen.

    The fear is justified, given how stupid some of the motherboard
    engineering can be. One company lost the curation chain for their
    BIOS releases. In some cases, the only reason this stuff works,
    is because the BIOS in an Award, AMI, Phoenix, InSyde and those
    companies push out the code for that.

    They lost the curation chain b/c of Secure Boot requirements?

    The custody chain for BIOS updates is broken, and that injures
    their ability to help customers have the best most secure
    motherboards possible.

    May very well be broken, but doubtful it's because of Secure Boot.
    - which seems to indicate your answer to my earlier question would be 'No'

    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Saturday, March 14, 2026 20:59:22
    On Sat, 3/14/2026 5:12 PM, ...w­¤?ñ?¤ wrote:


    I don't use hibernation, routinely disabled (or verified as disabled) shortly after a Windows install of any type (clean, on-top, repair, feature update [now only H2]...) except for testing (like you are doing).

    I recall from an earlier on-MSFT-campus discussion that hiberfil.sys that was intended(oobe) to have a minimum size, but as expected that's just a starting point and growth can occur even with the same identical footprint of programs, apps, services, etc. running and without any changes to Windows.

    It's like a monster *It's alive* (Victor Frankenstein, after turning on/off the electricity or lightning strike - movie version; Shelley's version - no electricity or lightning) and for my use not needed.


    I saw another behavior in there I couldn't believe,
    but we'll save that for another time. Something
    changed the hiberfil.sys size, from one OS boot
    (not hibernated) to another OS boot (not hibernated).
    I've not heard of that being a capability the OS
    reserves for itself. There were no conditions that
    would even remotely stress the hibernation scheme
    (shouldn't have taken more than a gigabyte of storage
    space while hibernating, no excuse for finding my
    backup was backing up a 64GB hiberfil.sys). This increased
    the size of the offline backup I was making (impact would
    have been greatly reduced if I had switched on compression).

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Sunday, March 15, 2026 13:31:40
    Paul <nospam@needed.invalid> wrote:
    [...]

    I saw another behavior in there I couldn't believe,
    but we'll save that for another time. Something
    changed the hiberfil.sys size, from one OS boot
    (not hibernated) to another OS boot (not hibernated).
    I've not heard of that being a capability the OS
    reserves for itself. There were no conditions that
    would even remotely stress the hibernation scheme
    (shouldn't have taken more than a gigabyte of storage
    space while hibernating, no excuse for finding my
    backup was backing up a 64GB hiberfil.sys). This increased
    the size of the offline backup I was making (impact would
    have been greatly reduced if I had switched on compression).

    Your findings seem to be an argument for NOT making offline (Macrium
    Reflect) image backups, because, as mentioned/documented before, an
    online image backup does NOT backup the hiberfil.sys file.

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Sunday, March 15, 2026 13:37:19
    On Sun, 3/15/2026 9:31 AM, Frank Slootweg wrote:
    Paul <nospam@needed.invalid> wrote:
    [...]

    I saw another behavior in there I couldn't believe,
    but we'll save that for another time. Something
    changed the hiberfil.sys size, from one OS boot
    (not hibernated) to another OS boot (not hibernated).
    I've not heard of that being a capability the OS
    reserves for itself. There were no conditions that
    would even remotely stress the hibernation scheme
    (shouldn't have taken more than a gigabyte of storage
    space while hibernating, no excuse for finding my
    backup was backing up a 64GB hiberfil.sys). This increased
    the size of the offline backup I was making (impact would
    have been greatly reduced if I had switched on compression).

    Your findings seem to be an argument for NOT making offline (Macrium Reflect) image backups, because, as mentioned/documented before, an
    online image backup does NOT backup the hiberfil.sys file.


    Good point.

    A better way to run a computer, is like a lot of us are
    already doing (on *desktops* at least).

    powercfg /h off

    Now your backups are in no danger whatsoever :-)

    You cannot do that on a laptop, due to battery management issues.
    (Laptop resorts to hibernation, when sleep operation depletes
    the battery sufficiently to cause alarm.)

    My test of Macrium, was done on 7.2 or so. While on a lot of
    softwares, it could be argued a newer version would "fix"
    the lack of detection of a potential issue, that's not a
    pattern I note in Macrium. If they're letting something slip
    like that, that is design intent and not a bug.

    That's why I would prefer to see a competing product flag this.
    Just so we know someone cares about the topic.

    *******

    A percentage of users, will be attracted to online backup, as
    the provided scheduler will manage their incremental or
    incremental-forever pattern. I'm not sure the offline tool
    is clever enough to find the backup pattern definition file,
    but it might...

    Paul


    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Sunday, March 15, 2026 18:48:26
    Paul <nospam@needed.invalid> wrote:
    On Sun, 3/15/2026 9:31 AM, Frank Slootweg wrote:
    Paul <nospam@needed.invalid> wrote:
    [...]

    I saw another behavior in there I couldn't believe,
    but we'll save that for another time. Something
    changed the hiberfil.sys size, from one OS boot
    (not hibernated) to another OS boot (not hibernated).
    I've not heard of that being a capability the OS
    reserves for itself. There were no conditions that
    would even remotely stress the hibernation scheme
    (shouldn't have taken more than a gigabyte of storage
    space while hibernating, no excuse for finding my
    backup was backing up a 64GB hiberfil.sys). This increased
    the size of the offline backup I was making (impact would
    have been greatly reduced if I had switched on compression).

    Your findings seem to be an argument for NOT making offline (Macrium Reflect) image backups, because, as mentioned/documented before, an
    online image backup does NOT backup the hiberfil.sys file.


    Good point.

    A better way to run a computer, is like a lot of us are
    already doing (on *desktops* at least).

    powercfg /h off

    Now your backups are in no danger whatsoever :-)

    You cannot do that on a laptop, due to battery management issues.
    (Laptop resorts to hibernation, when sleep operation depletes
    the battery sufficiently to cause alarm.)

    Well, my laptop does indeed use hibernation, because that's the most natural/convenient, but one can set the 'Critical Battery Action' in the
    'Power Options' applet to 'Shut down' instead of 'Hibernate' and that
    would work with 'powercfg /h off'.

    But, as mentioned before, I just use online (Macrium Reflect) image
    backup. I might worry about a lot of things, but online image backup
    isn't one of them! :-)

    My test of Macrium, was done on 7.2 or so. While on a lot of
    softwares, it could be argued a newer version would "fix"
    the lack of detection of a potential issue, that's not a
    pattern I note in Macrium. If they're letting something slip
    like that, that is design intent and not a bug.

    That's why I would prefer to see a competing product flag this.
    Just so we know someone cares about the topic.

    *******

    A percentage of users, will be attracted to online backup, as
    the provided scheduler will manage their incremental or
    incremental-forever pattern. I'm not sure the offline tool
    is clever enough to find the backup pattern definition file,
    but it might...

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)