Now I’ve written the second tool of virt-bmap, which lets you boot a guest and observe what files it is reading from disk. (NB: if you want to try this out you will need a patched libguestfs.)
The second tool is an nbdkit plugin, so to use it you just run:
$ nbdkit -r bmaplogger file=/tmp/win7.img bmap=/tmp/win7.bmap \
    --run 'qemu-kvm -cpu host -m 2048 -hda $nbd'
and watch the output as the guest boots. The -r flag makes nbdkit export the image read-only, so the boot cannot modify the image that the block map describes. Note that the bmap file must have been prepared beforehand by the virt-bmap tool (see part 1).
The results are interesting. Here is Windows 7 booting (edited down for brevity):
read v /dev/sda
read p /dev/sda1
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/tr-TR/bootmgr.exe.mui
read f /dev/sda1 /Boot/zh-HK/bootmgr.exe.mui
read f /dev/sda1 /Boot/zh-TW/bootmgr.exe.mui
read f /dev/sda1 /bootmgr
read v /dev/sda
read p /dev/sda1
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/Fonts/kor_boot.ttf
read p /dev/sda1
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/de-DE/bootmgr.exe.mui
read p /dev/sda1
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda1 /Boot/da-DK/bootmgr.exe.mui
read f /dev/sda1 /Boot/BOOTSTAT.DAT
read f /dev/sda1 /bootmgr
read f /dev/sda1 /Boot/BOOTSTAT.DAT
read v /dev/sda
read p /dev/sda2
read d /dev/sda2 /
read f /dev/sda2 /Windows/System32/Msdtc/MSDTC.LOG
read d /dev/sda2 /
read f /dev/sda2 /ProgramData/Microsoft/Search/Data/Applications/Windows/MSSres00001.jrs
read d /dev/sda2 /
read d /dev/sda2 /Users
read p /dev/sda2
read d /dev/sda2 /Windows/assembly/NativeImages_v2.0.50727_64
read d /dev/sda2 /Windows
read p /dev/sda2
read d /dev/sda2 /Windows/servicing
read d /dev/sda2 /Windows
read f /dev/sda2 /Windows/System32/config/SAM.LOG1
read p /dev/sda2
read d /dev/sda2 /Windows/System32
read p /dev/sda2
read d /dev/sda2 /Windows/System32/en-US/Licenses/_Default
read d /dev/sda2 /Windows/System32
read p /dev/sda2
read d /dev/sda2 /Windows/System32
read d /dev/sda2 /Windows/System32/Tasks/Microsoft/Windows
read d /dev/sda2 /Windows/System32
read p /dev/sda2
read f /dev/sda2 /Windows/System32/CIRCoInst.dll
read d /dev/sda2 /Windows/System32
read f /dev/sda2 /Windows/System32/clb.dll
read d /dev/sda2 /Windows/System32
read f /dev/sda2 /Windows/System32/cmmon32.exe
read d /dev/sda2 /Windows/System32
read f /dev/sda2 /Windows/System32/cryptnet.dll
read d /dev/sda2 /Windows/System32
[...]
read f /dev/sda2 /Windows/System32/iscsilog.dll
read f /dev/sda2 /Windows/System32/ksetup.exe
read d /dev/sda2 /Windows/System32
read f /dev/sda2 /Windows/System32/ksproxy.ax
read f /dev/sda2 /Windows/System32/NcdProp.dll
read d /dev/sda2 /Windows/System32
read f /dev/sda2 /Windows/System32/nci.dll
read f /dev/sda2 /Windows/System32/profsvc.dll
read d /dev/sda2 /Windows/System32
read f /dev/sda2 /Windows/System32/propsys.dll
read d /dev/sda2 /Windows/System32
read p /dev/sda2
read f /dev/sda2 /Windows/System32/winload.exe
[...]
Here is a Windows server that had McAfee (a “virus scanner”) installed:
read v /dev/sda
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /bootmgr
read v /dev/sda
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log0.txt
read v /dev/sda
read p /dev/sda1
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/nl-NL/bootmgr.exe.mui
read f /dev/sda1 /Boot/pl-PL/bootmgr.exe.mui
read f /dev/sda1 /Boot/ru-RU/bootmgr.exe.mui
read f /dev/sda1 /Boot/zh-TW/bootmgr.exe.mui
read f /dev/sda1 /bootmgr
read f /dev/sda1 /Boot/BOOTSTAT.DAT
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/Fonts/kor_boot.ttf
read f /dev/sda1 /BOOTSECT.BAK
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /BOOTSECT.BAK
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /Boot/BOOTSTAT.DAT
read f /dev/sda1 /Boot/BCD
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log4.txt
read f /dev/sda1 /Boot/BCD
read p /dev/sda2
read f /dev/sda2 /Program Files (x86)/Common Files/microsoft shared/DAO/dao360.dll
read f /dev/sda1 /Boot/cs-CZ/bootmgr.exe.mui
read f /dev/sda2 /Program Files (x86)/Common Files/System/msadc/adcjavas.inc
read f /dev/sda2 /ProgramData/McAfee/Common Framework/Mesh/SvcMgr_WPLCLDWA170.log
read f /dev/sda2 /Program Files (x86)/McAfee/Policy Auditor Agent/auditmanager.log
read f /dev/sda2 /Program Files (x86)/Common Files/microsoft shared/DAO/dao360.dll
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log7.txt
read f /dev/sda2 /Program Files (x86)/MSBuild/Microsoft/Windows Workflow Foundation/v3.0/Workflow.Targets
read f /dev/sda2 /Windows/ServerEnterprise.xml
read f /dev/sda2 /Windows/inf/setupapi.dev.log
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log7.txt
read f /dev/sda2 /Program Files (x86)/Internet Explorer/en-US/jsprofilerui.dll.mui
read f /dev/sda2 /Users/tempadmin/AppData/Local/Microsoft/Internet Explorer/Recovery/High/Last Active/{7101D2F0-982F-11E0-A584-005056A7000F}.dat
read f /dev/sda2 /Program Files (x86)/McAfee/Policy Auditor Agent/Plugins/AuEngineUpdater.dll
read f /dev/sda2 /Windows/System32/clusapi.dll
read f /dev/sda2 /Windows/System32/cmcfg32.dll
read f /dev/sda2 /Windows/winsxs/Backup/amd64_microsoft-windows-com-base_31bf3856ad364e35_6.1.7600.16385_none_69e3281e403684ea_comcat.dll_8571d1d1
read f /dev/sda2 /Windows/System32/comdlg32.dll
read f /dev/sda2 /Windows/SysWOW64/comexp.msc
read f /dev/sda2 /Program Files (x86)/McAfee/Policy Auditor Agent/Schema/linux-definitions-schema.xsd
read f /dev/sda2 /ProgramData/McAfee/Common Framework/Mesh/SvcMgr_WPLCLDWA170.log
read f /dev/sda2 /Windows/SysWOW64/C_10003.NLS
read f /dev/sda2 /Windows/SysWOW64/C_10004.NLS
read f /dev/sda2 /Windows/SysWOW64/C_20005.NLS
read f /dev/sda2 /Windows/SysWOW64/C_21025.NLS
read f /dev/sda2 /Windows/CMAgent/Installer/Providers/ExecutionEngine/providers.catalog
read f /dev/sda2 /Windows/SysWOW64/dfsrHealthReport.xsl
read f /dev/sda2 /ProgramData/McAfee/Common Framework/Mesh/SvcMgr_WPLCLDWA170.log
read f /dev/sda2 /Windows/SysWOW64/C_10003.NLS
read f /dev/sda2 /Windows/SysWOW64/C_10004.NLS
read f /dev/sda2 /Windows/SysWOW64/C_20005.NLS
read f /dev/sda2 /Windows/SysWOW64/C_21025.NLS
read f /dev/sda2 /Windows/CMAgent/Installer/Providers/ExecutionEngine/providers.catalog
read f /dev/sda2 /Windows/SysWOW64/dfsrHealthReport.xsl
read f /dev/sda2 /ProgramData/McAfee/Common Framework/Mesh/SvcMgr_WPLCLDWA170.log
read f /dev/sda2 /Windows/System32/hhctrl.ocx
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log2.txt
read f /dev/sda2 /Windows/System32/KBDA1.DLL
read f /dev/sda2 /ProgramData/McAfee/Common Framework/Mesh/SvcMgr_WPLCLDWA170.log
read f /dev/sda2 /Windows/System32/Kswdmcap.ax
read f /dev/sda2 /Windows/SysWOW64/NOISE.CHS
read f /dev/sda2 /Windows/System32/NlsData0003.dll
read f /dev/sda2 /Windows/SysWOW64/RacRules.xml
read f /dev/sda2 /Windows/System32/ROUTE.EXE
read f /dev/sda2 /Windows/SysWOW64/en-US/tapimgmt.msc
read f /dev/sda2 /Windows/SysWOW64/en-US/tpm.msc
read f /dev/sda2 /Windows/System32/TpmInit.exe
read f /dev/sda2 /Program Files (x86)/McAfee/Policy Auditor Agent/oval.db
read f /dev/sda2 /Windows/Microsoft.NET/Framework64/v4.0.30319/ngen.log
read f /dev/sda2 /Program Files (x86)/McAfee/Policy Auditor Agent/Audit.db
read f /dev/sda2 /Windows/System32/winload.exe
I wouldn’t take any of these traces very literally right now. Our method of mapping files to disk blocks is a bit shaky, especially for ntfs-3g. However I did check the major points of the McAfee trace against the raw log and block map and it seems plausible.
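Reading a raw trace like the ones above by eye does not scale, so here is a small post-processor for the logger's text output. It is an added example, not part of virt-bmap or nbdkit: it parses the `read <kind> <device> [<path>]` lines, counts how often each file was read, lists files read from outside the locations a Windows boot is expected to touch (the McAfee logs and the user's Internet Explorer recovery file in the second trace are exactly what this surfaces), and shows what was read before the first read of winload.exe. The interpretation of the kind letters as v = whole disk, p = partition, d = directory, f = file is inferred from the shape of the traces, not taken from the tool's documentation; the `EXPECTED_PREFIXES` allowlist, the `bmap_summary.py` file name and the sample trace (an abridged excerpt of the McAfee trace with one log file read twice and a `[...]` marker left in) are all constructed for the example.

```python
"""Summarise a bmaplogger trace: what a guest read, how often, and which
reads fall outside the paths a Windows boot is expected to touch.

Added example, not code from virt-bmap or nbdkit. Kind letters are
interpreted as v = whole disk, p = partition, d = directory, f = file;
this is inferred from the trace shape (an assumption).
"""
import re
import sys
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Sequence, Tuple

LINE_RE = re.compile(r"^read\s+([vpdf])\s+(\S+)(?:\s+(.*\S))?\s*$")


class Read(NamedTuple):
    kind: str            # v, p, d or f (see module docstring)
    device: str          # /dev/sda, /dev/sda1, ...
    path: Optional[str]  # None for whole-disk and partition reads


def parse_trace(lines: Iterable[str]) -> List[Read]:
    """Parse trace lines in order. Blank lines, '[...]' elision markers and
    any commentary mixed into the output are skipped, not treated as errors."""
    reads = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            reads.append(Read(m.group(1), m.group(2), m.group(3)))
    return reads


def file_read_counts(reads: Sequence[Read]) -> List[Tuple[Tuple[str, str], int]]:
    """(device, path) of every file read, most frequently read first; ties
    keep first-seen order because Counter.most_common is a stable sort."""
    counts = Counter((r.device, r.path) for r in reads if r.kind == "f")
    return counts.most_common()


# Locations a Windows guest is expected to read during boot (assumed allowlist).
# A file read from anywhere else is third-party code or user data consulted at
# boot time, which is the first thing to inspect when auditing a guest image.
EXPECTED_PREFIXES = ("/Boot/", "/bootmgr", "/BOOTSECT.BAK", "/Windows/")


def unexpected_files(reads: Sequence[Read],
                     expected: Sequence[str] = EXPECTED_PREFIXES) -> List[Tuple[str, str]]:
    """Distinct files read outside the expected prefixes, in first-seen order.
    The comparison is case-insensitive because NTFS paths are."""
    seen: List[Tuple[str, str]] = []
    for r in reads:
        if r.kind != "f" or r.path is None or (r.device, r.path) in seen:
            continue
        if not any(r.path.lower().startswith(p.lower()) for p in expected):
            seen.append((r.device, r.path))
    return seen


def reads_before(reads: Sequence[Read], marker_path: str) -> List[Read]:
    """Everything read before the first read of marker_path (e.g. winload.exe):
    what is touched before the OS loader runs. If the marker never appears,
    the whole trace is returned."""
    for i, r in enumerate(reads):
        if r.kind == "f" and r.path is not None and r.path.lower() == marker_path.lower():
            return list(reads[:i])
    return list(reads)


# Constructed sample: abridged excerpt of the McAfee trace, one log file read
# twice, and a '[...]' marker left in to exercise the parser's skipping.
SAMPLE_TRACE = """\
read v /dev/sda
read f /dev/sda1 /Boot/BCD
read f /dev/sda1 /bootmgr
read v /dev/sda
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log0.txt
read p /dev/sda1
read f /dev/sda1 /Boot/BCD
[...]
read f /dev/sda2 /Users/tempadmin/AppData/Local/Microsoft/Internet Explorer/Recovery/High/Last Active/{7101D2F0-982F-11E0-A584-005056A7000F}.dat
read f /dev/sda2 /Windows/System32/clusapi.dll
read f /dev/sda2 /Program Files (x86)/McAfee/Real Time/log0.txt
read f /dev/sda2 /Windows/System32/winload.exe
""".splitlines()


def report(lines: Iterable[str]) -> str:
    reads = parse_trace(lines)
    out = [f"{len(reads)} reads parsed", "most-read files:"]
    for (dev, path), n in file_read_counts(reads)[:10]:
        out.append(f"  {n:4d}  {dev} {path}")
    out.append("files read outside expected boot locations:")
    for dev, path in unexpected_files(reads):
        out.append(f"        {dev} {path}")
    before = reads_before(reads, "/Windows/System32/winload.exe")
    out.append(f"{len(before)} reads before winload.exe")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 bmap_summary.py < boot.trace   (no input: runs the sample)
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_TRACE
    print(report(src))
```

Save the logger's console output to a file and pipe it in; the allowlist is deliberately narrow so that anything under Program Files, ProgramData or Users shows up, and you widen it per image once you have decided which of those reads are legitimate.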
