I was wondering if anyone could explain what exactly is happening when Emergency boot is performed.
This is usually used when there is some corruption in the Preboot file system - in order to get into Windows and eventually recreate the PBFS on synchronization.
But what exactly is happening before you log in to Windows - how does the DETech skip the corrupted PBA environment?
According to some official documentation provided by McAfee we have the following situation -
"The McAfee Drive Encryption Master Boot Record replaces the standard Master Boot Record (Sector 0 of the boot disk) during activation.
The McAfee Drive Encryption MBR is referred to as the EPEMBR. The control is passed to the EPEMBR following BIOS initialization and the code contained in the EPEMBR is executed. The EPEMBR contains a pointer to the first sector of a sector chain that hosts the BootCode (safeboot.rsv), which is executed straight after the EPEMBR. It also contains a pointer to the first sector of a sector chain of the Drive Encryption file system (Safeboot.fs), which hosts the Windows OS original MBR that is executed after successful authentication.
It is important that the two files (Safeboot.rsv, Safeboot.fs) and the EPEMBR are maintained on the disk and are never moved at a sector level. The files are sector chains and copying the file from one place to another does not work as they are not real files. They appear in this way inside the operating system to prevent it from being moved or overwritten."
So since the PBFS (safeboot.fs) is corrupted, the machine cannot boot normally and returns some error. What information is used by the DETech Emergency Boot procedure in order to boot?
As far as I know, the partition table is not altered in any way during the DE encryption/activation. So does it use the information in the partition table to find the active boot partition and jump there directly (this information should also be available in the recovery XML file - original MBR backed up there)?