Personal Backup

© 2001 - , Dr. J. Rathlev

Tips and tricks




Protecting the backup from malware (Ransomware)

Of late, ever more news items are published reporting malware (so-called Ransomware) that maliciously encrypts a user's data and demands a ransom in return for the decryption key. Unfortunately a simple backup is not capable of preventing such attacks because it too can be maliciously encrypted and hence cannot be used to restore the data.

As reported, the currently-rampant malware program Locky does not encrypt all file types but unfortunately the information about this varies. It seems that gze files used by Personal Backup by default for encrypted backups are not affected and so should not be corrupted, but it is uncertain whether this will remain the case in the future. The list of file types not affected can change at any time. You should not rely on any current immunity and instead, take other actions.

The best way to protect your data from such malware is to preclude any access to the backup files, e.g. by backing up to an external drive that is not permanently connected to the computer. In this case the user has to connect the drive every time before making a backup. This can be very inconvenient but the method should always be used when performing a "backup of a backup". This is not required every day, but should be done periodically. If you want to protect your backups also from other risks (fire, burglary, etc.), you should deposit the backup medium in a safe place.

There are other safe ways for carrying out daily backups that can be used for internal and permanently-connected external drives. An essential requirement is to format these drives in NTFS (Windows default). In this case access can be adjusted by setting suitable user permissions: the currently logged-on user should have permission only to read the backup directory, so that no program started by this user can write into this directory. To perform a backup you can then use one of the following methods:

Important prerequisite: The logged-on user must not have administrator rights. Unfortunately this is not established by default during Windows installation, hence the settings for the relevant users accounts must be changed manually. The following configuration is recommended:

  1. Activate the default administrator account and assign a password
  2. Add another administrator account using the user's password for additional security and program installation.
  3. Downgrade all other accounts to standard user.

For all normal activities on your computer (mail, internet, text processing, image processing, etc.) administrator rights are not required. If a program is to be installed, the Windows user access control will pop up automatically and prompt for a temporary logon as administrator (see above under 2.).

Important preliminary note: The following descriptions were compiled carefully, but the author assumes no responsibility for the topicality, correctness, completeness or quality of the information provided. Every user should be aware of the risks involved in changing system settings. Liability claims against the author whether material or non-material caused by the use of the information provided shall be rejected.

It is assumed for the following description that the backup is to be made to a directory on drive F:, e.g. F:\Backup. If desired, you can replace the drive letter with any other applicable to your system. To understand the procedure, it is important to know that permissions of a parent directory are automatically passed to all its child objects (files and subdirectories). In our example the directory F:\Backup will inherit permissions from its parent directory F:\. Because permissions for F:\Backup and its subdirectories are to be amended, inheritance of this directory must first of all be turned off. How this can be done is described below in detail.

There are several ways to perform a protected backup on a local drive:

  1. Automatic backups using Windows Task Scheduler
    The user logs on with an administrator account (see above) and creates for example the backup directory F:\Backup. Then, a new standard user account only for performing the backups is created (Control Panel – User Accounts), with for example the account name BackupUser. This user needs read access to all data to be backed-up and write access to the backup directory.
    Change permissions of directories to be backed-up: Change permissions of the destination directory: The backup must then be configured for the destination directory in the normal way. Take care that the task is saved into a directory where the backup user has write permissions. After this, the backup task is to be added to the list of Windows Scheduled Tasks (see here). Insert the name and the password of the newly-created user BackupUser under User account
  2. Starting the backup manually by using another user account
    The current Personal Backup Version 5.8 contains the additional program PbStarter which can be used to configure backups started under a different user account in a very comfortable way (detailed description).
    Another way is to use the Windows command RunAs. As described above, at first create a new user account only for backup and then change permissions for the destination directory. On configuring the backup task, take care that it is saved into a directory where the backup user has write permissions.
    Then open the Windows Command prompt window or type the Windows-R key and insert the following line:
    Windows 32-bit with Personal Backup 32-bit or Windows 64-bit with Personal Backup 64-bit:
    runas /user:Backup "%ProgramFiles%\Personal Backup 5\PersBackup.exe /i:pb <task>"
    Windows 64-bit with Personal Backup 32-bit:
    runas /user:Backup "%ProgramFiles(x86)%\Personal Backup 5\PersBackup.exe /i:pb <task>"
    Replace <task> by the full path of the backup task to be executed. After inserting the password for the user (in this case BackupUser), Personal Backup will be started under this account and the specified backup task will be opened. To start the backup, click the Start button.
    For simplification you can insert the above line into a batch file to start the backup. By adding the command line option /force, the backup will be started immediately without opening the desktop.
    Important note: This procedure cannot be used for automatic backups.
  3. Starting the backup manually or via a desktop shortcut using changed permissions
    In this case the backup will be performed using the account of the logged-on user. For reasons mentioned above, this user must have only read permissions on the destination directory. These permissions are to be raised temporarily only for the time the backup is running so that the user may write to that directory. The following issue could be problematic: due to inheritance (see above) before and after the backup, all permissions of the files in the backup directory must be changed and, if there are many files, this will need some time. The following procedure is similar to that described in 1.
    The user remains logged on under his normal account and creates the backup directory to be used F:\Backup after which, permissions of the destination directory are adjusted: The backup must then be configured for the destination directory in the normal way. For the adjustment of permissions before and after the backup, the External programs option must be used. Insert the following command lines:
    Before backup:
    %sysdir%\icacls.exe %dest% /grant:r %username%:(OI)(CI)M
    After backup:
    %sysdir%\icacls.exe %dest% /grant:r %username%:(OI)(CI)RX
    After saving the backup task it can be started either manually or by creating a desktop shortcut.
    Important note: This procedure cannot be used for an automatic backup at logoff or shutdown because in this case the execution of external programs is disabled by the Windows system. Instead of using the Windows start button to shut the computer down, you can use a desktop shortcut to Personal Backup to do so. On creating this shortcut, select Power off as Action after backup. In contrast, a time-scheduled backup or a backup after logon is possible.


Starting a backup automatically on connecting an external drive

To start a backup automatically when an external drive is connected to the computer via USB, the program AutoRunner is required. After downloading the setup file, the program must be installed as described on the AutoRunner website.
To start a backup using this program, follow these steps:

  1. After connecting the external drive, first the backup must be configured and stored as a task file (e.g. usb-1.buj). It would then be advisable to start the backup once manually to prove that everything functions as expected.
  2. After this, a small batch file must be created using any text editor (e.g. Notepad). The file contains depending on the installation only one line:

    Personal Backup 32-bit version:
    Windows XP:
    "%ProgramFiles%\Personal Backup 5\PersBackup.exe" <path>\usb-1.buj /force /hide /quiet
    Windows 7/8/10 (32-bit):
    "%ProgramFiles%\Personal Backup 5\PersBackup.exe" <path>\usb-1.buj /force /hide /quiet
    Windows 7/8/10 (64-bit):
    "%ProgramFiles(x86)%\Personal Backup 5\PersBackup.exe" <path>\usb-1.buj /force /hide /quiet
    Personal Backup 64-bit version:
    Windows 7/8/10 (64-bit):
    "%ProgramW6432%\Personal Backup 5\PersBackup.exe" <path>\usb-1.buj /force /hide /quiet
    <path> should be replaced by the path of the buj file. Save this batch file in the root directory of the external drive (e.g. StartPb.bat).
  3. Then start the AutoRunner program and add a new start object selecting the batch file just created for this.
    Trigger (File): ?:\StartPb.bat
    Command: c:\Windows\System32\cmd.exe
    Parameter: /c ?:\StartPb.bat
  4. Remove the external drive.

Now whenever the external drive is reconnected, the batch file and consequently the backup will be started automatically.

Note: If you have any problems on executing this procedure, for example if you specified an invalid path, you should replace the option /c in Parameter by /k for debugging. This will cause the command prompt window not to be closed so that error messages remain visible.



Daily alternating backup on two external drives

To prevent a backup from attacks by malware (e.g. so called Ransomware), it is usually recommended to use an external drive only connected to the computer to perform the backup. Using two external drives alternately will cause an additional protection.
Using Personal Backup this can be realized as described in the following example:

  1. Two external drives are provided with the volume names Bu-1 and Bu-2. Right-clicking on a drive in for example Windows Explorer and selecting Properties will allow you to edit these names.
  2. Create a Backup task containing all directories to be backed up using the Update mode. Specify a volume name containing a placeholder for alternating days: :Bu-%d#2%:\Backup.
  3. Save the task and create a Desktop Shortcut.
  4. The backup can be started anytime by double clicking the Desktop Shortcut. If the required external drive is not connected, the user will be automatically prompted to do so.

On odd-numbered days (1,3,5,.. counting from January 1) the backup will be stored on Bu-1, on even-numbered days on Bu-2.


Automatically alternating backup on several external drives

The procedure will be explained below using two examples. It is assumed that two external drives are permanently connected to the computer and provided with the volume names Bu-1 and Bu-2. Right-clicking on a drive in for example Windows Explorer and selecting Properties will allow you to edit these names.

Daily change
  1. Create a Backup task containing all directories to be backed up using the Update mode. Specify a volume name containing a placeholder for alternating days: :Bu-%d#2%:\Backup.
  2. Save and then add the task to the list of automatic tasks. Select an appropriate time (e.g. On logoff) for execution.

On odd-numbered days (1,3,5,.. counting from January 1) the backup will be stored on Bu-1, on even-numbered days on Bu-2.

Weekly change with schedule
  1. Create a Backup task containing all directories to be backed up using Update or Full mode. Specify a volume name containing a placeholder for alternating weeks: :Bu-%w#2%:\Backup.
  2. Save and then add the task to the list of automatic tasks. Select an appropriate time (e.g. Daily at 20:00) for execution.
  3. Adjust a schedule for this automatic task using a cycle of 7 days (1 x As defined in Task + Differential or Incremental) with Monday for the full backup.

In odd-numbered weeks (1,3,5,..) the backup will be stored on Bu-1: with a full backup on Monday and a differential or incremental backup (depending on selection) on the other days. In even-numbered weeks the backup will be appropriately stored on Bu-2.


Configuring individual alternating schedules

The program supports saving data in accordance with a daily alternating schedule, i.e. one full and several differential or incremental backups (for more information refer to Wikipedia). To do this, you can use either the internal automatic backup or the additional program PbPlaner together with Windows Task Scheduler.

In addition, it is possible to use Windows Task Scheduler with its manifold options for starting an application to realize almost any alternating schedule. How to do so, is explained below using an example.

Example for an alternating schedule with several backups per day

On every day of the week, a full backup shall be performed at 08:00 and then at 11:00, 14:00 and 17:00 in each case these being differential backups. No backups shall be overwritten before the following week. The destination is a hard disk with the volume name Backup.

  1. Configure a task for a full backup with the following settings:
    Destination: :Backup:\Bu-%dow%\Full
    Directories to backed up: Select as required
    Settings for backup destination: Single files and Separate directories for drives (recommended)
    Compress files: yes (recommended)
    Backup mode: Either Full or Update (with the Archive bit options Use and Reset checked)
    In the case of Full, all files in the destination directory will be deleted and then all files copied from the source anew. This may take an appreciable length of time. In the case of Update, only new and changed files will be copied, which will take less time. On the other hand, all files deleted from the source directory will be retained in the target directory. To avoid this, it is recommended also to use Synchronization.
    If you wish, you can in addition select other features, e.g. to encrypt files or send a mail notification. Finally the configured task will be saved as file using a suitable name (e.g. Bu-Full).
  2. Create a differential backup using the same settings as above with the following exceptions:
    Destination: :Backup:\Bu-%dow%\D-%hour%
    Backup mode: Differential
    Then save this task (e.g. as Bu-Diff).
  3. Insert the full backup into Windows Task Scheduler:
    Open the full task (Bu-Full) and insert it into Windows Task Scheduler by clicking the button New backup .. (in the upper right of the program window): Daily start at 08:00.
  4. Insert the differential backup into Windows Task Scheduler:
    Open the differential task (Bu-Diff) and insert it into Windows Task Scheduler as described above: Daily start at 11:00 and using Advanced settings set Repeat task to every 3 hours and duration to 10 hours.

On the destination drive the following directory structure will be created:
Seven directories Bu-Mon, Bu-Tue, Bu-Wed, ..., Bu-Sun in each of which appear the subdirectories Full (for the full backup) and D-11,D-14 and D-17 (for the differential backups).


Version-5.6 backups using Volume Shadow Copies (VSS)

For the first time Personal Backup Version 5.6 offers the possibility of using Volume Shadow Copies available since Windows XP under NTFS to back up even locked files directly. In difference to version 5.7 that has this feature included, a separate utility program is needed:
either Volume Shadow Copy Simple Client (Windows XP, 7 and 8) or Vs-Toolkit (Windows 7 and 8).


  1. Download vscsc or VS-Toolkit as zip file
  2. Extract the desired version (32 or 64 bit, Windows XP or Windows 7) into a suitable directory, e.g. E:\Programs\Vss.
  3. Create a backup task (e.g. BuAppData.buj) to back up one or more directories all located on the same drive, e.g. C:\Users\<Name>\AppData
  4. Create a batch file (BuAppData.bat) to be used by the programm vscsc to start the backup:
      @echo off
      call "%ProgramFiles%\Personal Backup 5\Release\Win32\Persbackup.exe" /f BuAppData.buj /repl:C=%1
  5. Create a batch file (StartBuAppData.bat) to start the backup process using a volume shadow copy:
      @echo off
      e:\Programs\Vss\vscsc.exe -exec=BuAppData.bat C:
      @echo off
      e:\Programs\Vss\vstoolkit.exe -exec=BuAppData.bat C:


StartBuAppData.bat can be started either directly from the Windows Explorer or using a suitable desktop shortcut. In both cases this must be done via right-clicking and the option Run as administrator even if you are logged on as a user with adminstrative rights.

vscsc or vstoolkit will at first create a snapshot of the specified volume (in this case C:) which will correspond with an internal virtual volume name, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyxx.

This name will be transferred to the batch file BuAppData.bat and substituted for %1 in the command line to start Personal Backup. By dint of the option /repl:C=.., before copying files from all source directories Personal Backup will substitute the newly-created name for the snapshot for drive letter C:. In this way even locked files can be backed up without invoking errors.

After backing up is completed, the snapshot will be deleted by vscsc automatically.