9 replies to this topic

[bilou_gateux]

My boss daughter laptop [Lenovo]

Won't boot Windows 7 Home Premium.

After selecting F8 option

Recovery
Your PC needs to be repaired.
The application or operating system couldn't be loaded because a required file is missing or contains errors.
file: \Windows\system32\winload.exe

Error code: 0xc0000225

I have booted laptop with WinPE and checked disk.

 

PLPPART32 v0.1  20070403  by Elmar Hanlhofer  http://www.plop.at
Using physical drive 0
Drive geometry:
  Media Type         : FixedMedia
  Cylinders          : 60801
  Tracks per Cylinder: 255
  Sectors per Track  : 63
  Bytes per Sector   : 512

NR  ID  BOOT     SS  SH   SC    ES  EH   EC     LBAST    LBASEC  SIZE
-------------------------------------------------------------------------------
1  0x07 *[0x80]  33  32     0    6 159    25      2048    409600 200.00 MByte
2  0x07           7 159    25   63 254  1023    411648 884609024 421.81 GByte
3  0x0f          63 254  1023   63 254  1023 885020672  60809216 29.00 GByte
4  0x12          63 254  1023   63 254  1023 945829888  30943280 14.75 GByte

 

 

I have tried http://www.cgsecurity.org's TestDisk. Program could not recover partition 2.

 

partition 1: BOOTMGR+\boot\ folder

partition 2: the lost partition, most important with user data and OS

partition 3: LENOVO [drivers and applications]

partition 4: diag

 

Attached MBR backup.

 

sure The Expert here is listening and could give me some help to rebuild partition and access data.

Attached Files

•  TOS500GO.zip   629bytes   1 downloads

[Wonko the Sane]

Try having a look at the disk (preferably AFTER having made a dd-like full image of it) with DMDE:

http://dmde.com/

 

The issue is seemingly not in the MBR partition table, that at a quick glance seems to me like fine.

 

Wonko

[bilou_gateux]

I have already made a full disk backup (raw) with live Linux.

 

Launched DMDE tool

Opened Volume

 

if i select $noname 02 in left panel

i can see full content of the partition under $Root

 

Should i export some sectors from the start (and/or end) of partition and post here to help me diagnose what's wrong with the NTFS partition.

[Wonko the Sane]

if i select $noname 02 in left panel
i can see full content of the partition under $Root

This is good .
 

Should i export some sectors from the start (and/or end) of partition and post here to help me diagnose what's wrong with the NTFS partition.

Which "flags" or "indicators" does the volume (when found in the "first" dialog) shows?
http://dmde.com/manual/partitions.html
http://dmde.com/imag...titions-480.png

Anyway the first thing to check is whether the bootsector/PBR (first sector of the partition/volume) is (besides being at the offset indicated in the partition table in the MBR) identical to the backup sector (last sector of the partition, first sector after the end of volume) and whether the $MFT and $MFTMirr are actually at the offset marked and if they are identical (but TESTDISK should have already automatically checked these).

If these checks result OK, you could try running CHKDSK (personally I recommend to run just CHKDSK without parameters and see what it says on the volume), and depending on the output try running CHKDSK /F and finally (if needed) run CHKDSK /R.


Wonko

[bilou_gateux]

Partition 2 Indicators

ExCF
 

from manual

 

x – structure is absent or damaged

 

 

Can't run checkdisk. Partition is viewed as RAW in windows disk management console. not mounted and no drive letter assigned.

 

I'm convinced that MFT and MFT mirror are OK because i can recover files with the free version and export a full list of files after running a full scan.

Will report more infos tomorrow. Time to leave Office.

[Wonko the Sane]

The x (that Never, ever marks the spot) :
http://www.imdb.com/...t0097576/quotes

means that the "B" structure is either missing (or failed or both).

The "B" is "B – volume boot sector" without it (or with it "botched") a number of other NTFS info cannot be found.

So, it is likely that the issue is with the bootsector, provide a copy of it (it is/should be sector LBA 411648) AND a copy of (hopefully) its backup (it is/should be sector LBA 885020671).

As you surely know, a NTFS bootsector (the actual $boot file) is normally 16 sectors in size, but the actually relevant part (the BPB or Bios Parameter Block and the NTFS data structures addresses) are in the first sector (of which there should be a backup).

Even if both copies are "botched", usually the bootsector data can be rebuilt manually, since DMDE can find the $MFT (which should be at LCN 786432) and the $MFTmirr, the rest of the data can be easily derived from the MBR partition table data and from using "default" data.


Wonko

[bilou_gateux]

After saving both volume start and volume end sectors

sector LBA 411648

corrupted

sector LBA 885020671

found some ASCII strings such as NTFS

Attached Files

•  Partition2_sectors.zip   864bytes   1 downloads

[Wonko the Sane]

The backup bootsector seems fine.

 

It is "queer" how/why the "original" bootsector has been corrupted.

 

Copy (dd or dsfo/dsfi or with a hex editor) the backup bootsector over sector LBA 411648.

 

You might need to reboot/refresh the disk volume.

Also (depending on which OS you are using) the bootsector might be "locked" even if it is not valid (the mechanism relies on the partition table entry AFAIK), or you will need to put the disk "offline" see:

http://reboot.pro/to...tfs-bootsector/

 

Under Linux or XP and earlier (and PE 1.x) you should not have any such issues, you could even use grub4dos internal dd, but as hinted earlier TESTDISK has a function that should work also on PE 2.x and later and Vista and later.

http://www.cgsecurit...sector_recovery

 

Try again with TESTDISK, maybe it did not find the partition because you did not select the "right" options, namely that disk is NOT aligned to Cylinder boundary:

http://www.cgsecurit...ki/Menu_Options

and you have to change the default "yes" to "no" AND change the "Allow partial last cylinder" from the default "no" to "yes".

 

Wonko

[bilou_gateux]

PHYSICALDRIVE0 Partition2

Save Backup Boot Sector

dsfo 885020671 sector x 512 = 453130583552 bytes

dsfo \\.\PHYSICALDRIVE0 453130583552 512 PART2BBS.BIN

Save Original Boot Sector (should i go back)

dsfo 411648 sector x 512 = 210763776 bytes

dsfo \\.\PHYSICALDRIVE0 210763776 512 PART2OBS.BIN

compare content 1st sector PHYSICALDRIVE0 Partition2 versus .bin with Mirkes TinyHex

OK

noticed PHYSICALDRIVE0 partition 2 sector [1-32] are filled with garbage

 

overwrite Original Boot Sector with Backup Boot Sector

dsfi \\.\PHYSICALDRIVE0 210763776 512 PART2BBS.BIN

Reboot notebook

Successfully booted OS located on partition2.

 

don't have Boss' daughter password to open user session.

 

Will ask his daughter if she can explain what happened.

 

Many thanks The Expert for your help.

[Wonko the Sane]

Good.

As soon as you can access the system, do run a CHKDSK on that volume, and you might additionally want to run bootsect (the "garbage" you see from sector 2 of the partition onwards is not really garbage, it is the rest of the bootsector and some other file after it, bootsect should be able to re-write corrrectly the whole bootsector, i.e. 16 sectors).

 

Wonko