problem with NTFS partition and data recovery again [new topic]


13 replies to this topic

#1 bilou_gateux (Frequent Member, France)
Posted 01 February 2016 - 10:56 AM

Just successfully recover lost partition with the help of The Expert

http://reboot.pro/to...ry/#entry197482

 

and now i was given a desktop that won't boot all the way.

 

booted with WinPE to check disk:

PLPPART32 v0.1  20070403  by Elmar Hanlhofer  http://www.plop.at
Using physical drive 1

Drive geometry:
  Media Type         : FixedMedia
  Cylinders          : 19457
  Tracks per Cylinder: 255
  Sectors per Track  : 63
  Bytes per Sector   : 512

NR  ID  BOOT     SS  SH   SC    ES  EH   EC     LBAST    LBASEC  SIZE
-------------------------------------------------------------------------------
1  0x07 *[0x80]   1   1     0   63 254  1023        63 287370657 137.03 GByte
2  0x07          63 254  1023   63 254  1023 287386785  25189920 12.01 GByte
3  0x00           0   0     0    0   0     0         0         0 0.00 MByte
4  0x00           0   0     0    0   0     0         0         0 0.00 MByte

I have tried http://www.cgsecurity.org's TestDisk. Program could not recover partition 1.

 

Computer brand: hp

some hidden data stored in sectors [1-62] for recovery purpose

 

attached mbr and partition1 boot sector and backup boot sector

 

Attached Files
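The PLPPART32 listing above prints both the CHS and the LBA fields of each MBR entry; the two must agree for entries that fit in CHS range, and entries past the 8 GB CHS limit carry the saturated value 1023/254/63, which only the LBA fields can resolve. The following is an added example (not from the original post or the PLPPART32 tool) that decodes a partition table the same way and cross-checks it; the sample MBR is constructed from the two entries shown, using the reported 255/63 geometry, and is not a dump of the real disk.

```python
"""Parse an MBR partition table and cross-check its CHS fields against the LBA
fields, the way PLPPART32 prints them.  Added example; SAMPLE_MBR is constructed
from the two entries quoted in the post, not read from the real disk."""
import struct

HEADS, SPT = 255, 63        # geometry from the "Drive geometry" block above
SECTOR_BYTES = 512
CHS_MAX = (1023, 254, 63)   # saturated value written when the real CHS does not fit

def pack_chs(cyl, head, sec):
    """Pack (cylinder, head, sector) into the 3-byte MBR encoding."""
    return bytes([head, (sec & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])

def unpack_chs(raw):
    """Inverse of pack_chs: 6-bit sector, 10-bit cylinder split across two bytes."""
    return (((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F)

def chs_to_lba(cyl, head, sec, heads=HEADS, spt=SPT):
    return (cyl * heads + head) * spt + (sec - 1)

def make_entry(boot, start_chs, ptype, end_chs, lba, sectors):
    return (bytes([boot]) + pack_chs(*start_chs) + bytes([ptype])
            + pack_chs(*end_chs) + struct.pack("<II", lba, sectors))

def make_mbr(entries):
    table = b"".join(entries).ljust(64, b"\x00")   # four 16-byte slots at offset 446
    return b"\x00" * 446 + table + b"\x55\xAA"

# Constructed sample: entries 1 and 2 from the PLPPART32 listing (3 and 4 empty).
SAMPLE_MBR = make_mbr([
    make_entry(0x80, (0, 1, 1), 0x07, CHS_MAX, 63, 287370657),
    make_entry(0x00, CHS_MAX, 0x07, CHS_MAX, 287386785, 25189920),
])

def parse_mbr(mbr):
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        lba, sectors = struct.unpack_from("<II", e, 8)
        parts.append({"nr": i + 1, "boot": e[0], "type": e[4],
                      "start_chs": unpack_chs(e[1:4]), "end_chs": unpack_chs(e[5:8]),
                      "lba": lba, "sectors": sectors})
    return parts

def last_lba(p):
    return p["lba"] + p["sectors"] - 1

def size_gib(p):
    return round(p["sectors"] * SECTOR_BYTES / 2**30, 2)

def check_table(parts):
    """Return a list of findings; an empty list means the table is self-consistent."""
    findings = []
    used = [p for p in parts if p["type"] != 0 and p["sectors"]]
    active = [p["nr"] for p in parts if p["boot"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active entry, found {active}")
    for p in used:
        for label, chs, lba in (("start", p["start_chs"], p["lba"]),
                                ("end", p["end_chs"], last_lba(p))):
            if chs == CHS_MAX:
                continue   # beyond the CHS limit only the LBA field is meaningful
            if chs_to_lba(*chs) != lba:
                findings.append(f"partition {p['nr']}: {label} CHS {chs} -> LBA "
                                f"{chs_to_lba(*chs)} != LBA field {lba}")
    used.sort(key=lambda p: p["lba"])
    for a, b in zip(used, used[1:]):
        if last_lba(a) >= b["lba"]:
            findings.append(f"partitions {a['nr']} and {b['nr']} overlap")
    return findings

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        if p["type"]:
            print(p["nr"], hex(p["type"]), p["lba"], p["sectors"], last_lba(p), size_gib(p))
    print(check_table(parts) or "table consistent")
```

For entry 1 the start CHS 0/1/1 decodes to LBA 63, matching the LBA field, and the computed last sector is 287370719, which is the "Last sector" DMDE reports later in the thread; the 62 sectors between the MBR and LBA 63 are the "hidden" area the post mentions. To run this against the attached MBR dump, replace SAMPLE_MBR with the first 512 bytes of that file.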



#2 Wonko the Sane (The Finder, Italy)
Posted 01 February 2016 - 11:11 AM

Just successfully recover lost partition with the help of The Expert

That would be The Finder, Armand Gracious, The Expert, is on dedoimedo's:

http://www.dedoimedo...rs/experts.html

:lol:

 

However, what can you see from the PE?

Like volume is not mounted, etc, etc.

A system that "won't boot all the way" seems more like an OS file corruption, but describing "how far" it goes in the booting might help.

Also "I used Testdisk" means very little, you may want to use TESTDISK with a log (and provide the log ;)).

And ...

... what has DMDE to say? 

Boy, do I hate this deja-demandé feeling.... :whistling:

 

:duff:

Wonko



#3 bilou_gateux (Frequent Member, France)
Posted 01 February 2016 - 01:34 PM

(quoting Wonko the Sane, #2 above)

I started diagnostics from WinPE without trying to boot from the internal disk first (because I haven't done a backup yet) and I don't want to write to the disk when trying to boot. The user says he got a blue screen. The operating system is Windows XP Professional.

DMDE reports:

found

Primary (A) NTFS (07) Size 147 GB Indicators EBCF First sector 63 Last sector 287370719

Left panel, i can select $root and view directory tree

diskpart /s 160Gb.txt

(contents of 160Gb.txt)

list disk
select disk 1
list partition
select partition 1
detail partition
exit

(output)
Microsoft DiskPart version 5.2.3790.3959
    Copyright © 1999-2001 Microsoft Corporation.
    On computer: MOA

      Disk ###  Status      Size     Free     Dyn  Gpt
      --------  ----------  -------  -------  ---  ---
      Disk 1    Online       149 GB  8033 KB         

    Disk 1 is now the selected disk.

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    Primary            137 GB    32 KB
      Partition 2    Primary             12 GB   137 GB

    Partition 1 is now the selected partition.

    Partition 1
    Type  : 07
    Hidden: No
    Active: Yes

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 0     C                RAW    Partition    137 GB  Healthy            

    Leaving DiskPart...

 


 



#4 Wonko the Sane (The Finder, Italy)
Posted 01 February 2016 - 06:52 PM

The EBCF should mean (as suspected initially) that the partition table and also the bootsector are fine.

What is "suspect" now is the $MFT (actually its location address in the bootsector).

The partition has an offset of 63 sectors (which means that it has been partitioned originally under 2K or XP) BUT in the bootsector the $MFT is at LCN (Logical Cluster Number) 0x0A (10 dec) which is "queer" as the "standard" LCN created with MS tools is 0xC0000 or 786432 dec (for volumes of around 5 Gb or bigger).

The location of the $MFTMirr in my experience is variable, so cannot say, but the value in the bootsector, 944139, seems as well "out of the common".

To have a $MFT at LCN 10 means that any of the following is accurate (you could ask about the "history" of the system):

  • a ms tool has been used to create a much smaller partition (and later the partition has been "expanded")
  • a non-ms tool has been used to partition the disk and format the volume (or a at least to format the volume)
  • some other tool/procedure/whatever has moved the $MFT from its normal location to a very early $MFT (it has been a long time since I played with "defragmenters", but I seem to recall that some can actually move the $MFT towards the beginning of the disk)

 

DMDE however will find the actual $MFT and you can verify if it is actually on such a low value LCN.

As well, you could extract the $MFTMirr and compare it with the first 8 sectors of the $MFT. (TESTDISK also provides this feature.)

 

As always, you should FIRST make an image for safety, but in the PE, this time, the volume should have the drive letter assigned, so you could run CHKDSK on the volume (run it first without parameters, and only on second run, if needed, run it with the /F parameter).

 

:duff:

Wonko
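The checks described in this post (read the $MFT and $MFTMirr LCNs out of the boot sector, judge whether the $MFT LCN is the usual one, and compare the mirror with the first 8 sectors of the $MFT) can be scripted. The following is an added example, not code from the thread or from DMDE/TESTDISK; the boot sector and file records are constructed from the values quoted in the thread (512-byte sectors, 8 sectors per cluster, $MFT at LCN 10, $MFTMirr at LCN 944139, partition starting at LBA 63), and the 0xC0000 "expected" LCN is the observation made above, passed in as a parameter rather than treated as an NTFS rule.

```python
"""Parse an NTFS boot sector, locate $MFT / $MFTMirr and compare the mirrored
records.  Added example; SAMPLE_BS and the file records are constructed from the
values quoted in the thread, not read from the real disk."""
import struct

SECTOR = 512
PARTITION_LBA = 63                           # partition 1 start from the MBR listing
BPB_FMT = "<3s8sHBH3sHBHHHIIIQQQb3xb3xQI"    # bytes 0x00..0x53 of an NTFS boot sector
BPB_FIELDS = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster", "reserved",
              "zero3", "zero2", "media", "zero2b", "sectors_per_track", "heads",
              "hidden_sectors", "unused1", "unused2", "total_sectors", "mft_lcn",
              "mftmirr_lcn", "clusters_per_frs", "clusters_per_index", "serial", "checksum")

def make_boot_sector(total_sectors, mft_lcn, mftmirr_lcn, spc=8, bps=SECTOR):
    """Build a minimal but well-formed NTFS boot sector (constructed sample)."""
    body = struct.pack(BPB_FMT, b"\xEB\x52\x90", b"NTFS    ", bps, spc, 0, b"\0\0\0", 0,
                       0xF8, 0, 63, 255, PARTITION_LBA, 0, 0x80008000, total_sectors,
                       mft_lcn, mftmirr_lcn, -10, 1, 0x1234567890ABCDEF, 0)
    return body.ljust(510, b"\x00") + b"\x55\xAA"

def parse_boot_sector(bs):
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, bs)))
    if bpb["oem"] != b"NTFS    ":
        raise ValueError(f"OEM id {bpb['oem']!r} is not NTFS")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1) or bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError("implausible cluster geometry")
    return bpb

def cluster_bytes(bpb):
    return bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]

def total_clusters(bpb):
    return bpb["total_sectors"] // bpb["sectors_per_cluster"]

def file_record_bytes(bpb):
    v = bpb["clusters_per_frs"]          # negative => record size is 2**(-v) bytes
    return (1 << -v) if v < 0 else v * cluster_bytes(bpb)

def volume_layout(bpb, partition_lba=PARTITION_LBA):
    """Absolute offsets a hex editor or dd would need."""
    cb = cluster_bytes(bpb)
    base = partition_lba * bpb["bytes_per_sector"]
    return {
        "mft_offset": base + bpb["mft_lcn"] * cb,
        "mftmirr_offset": base + bpb["mftmirr_lcn"] * cb,
        # NTFS total_sectors excludes the last sector of the partition, which
        # holds the backup boot sector.
        "backup_boot_lba": partition_lba + bpb["total_sectors"],
        # $MFTMirr copies the first four file records ($MFT, $MFTMirr, $LogFile, $Volume).
        "mirror_sectors": 4 * file_record_bytes(bpb) // bpb["bytes_per_sector"],
    }

def assess(bpb, expected_mft_lcn=0xC0000):
    """Flag the values the thread calls suspect.  expected_mft_lcn is the LCN
    the post above reports for MS-formatted volumes, not an NTFS invariant."""
    notes = []
    if bpb["mft_lcn"] != expected_mft_lcn:
        notes.append(f"$MFT at LCN {bpb['mft_lcn']} (expected {expected_mft_lcn})")
    for name in ("mft_lcn", "mftmirr_lcn"):
        if bpb[name] >= total_clusters(bpb):
            notes.append(f"{name} points outside the volume")
    if bpb["mft_lcn"] == bpb["mftmirr_lcn"]:
        notes.append("$MFT and $MFTMirr share a cluster")
    return notes

def make_records(record_bytes, corrupt=None):
    """Constructed sample: four FILE records; 'corrupt' zeroes one of them."""
    recs = []
    for n in range(4):
        body = b"FILE" + struct.pack("<HH", 0x30, 3) + bytes([n]) * (record_bytes - 8)
        recs.append(b"\x00" * record_bytes if n == corrupt else body)
    return b"".join(recs)

def compare_mirror(mft, mirr, record_bytes):
    """Return the record numbers (0..3) that differ or lack the FILE magic."""
    bad = []
    for n in range(4):
        a = mft[n * record_bytes:(n + 1) * record_bytes]
        b = mirr[n * record_bytes:(n + 1) * record_bytes]
        if a[:4] != b"FILE" or a != b:
            bad.append(n)
    return bad

SAMPLE_BS = make_boot_sector(287370656, 10, 944139)

if __name__ == "__main__":
    bpb = parse_boot_sector(SAMPLE_BS)
    print(volume_layout(bpb), assess(bpb))
    print(compare_mirror(make_records(1024), make_records(1024, corrupt=2), 1024))
```

With the thread's numbers the volume has 35921332 clusters (the "total allocation units" CHKDSK prints later), the backup boot sector sits at LBA 287370719 (DMDE's "Last sector"), and the mirror spans 8 sectors because 4 records of 1 KB fit in 4 KB. The comparison is byte-for-byte, which is valid because $MFTMirr is a raw copy including the update-sequence fixups; to run it on the real disk, read the two 4 KB ranges at the offsets `volume_layout` gives you from a read-only image.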



#5 bilou_gateux (Frequent Member, France)
Posted 02 February 2016 - 03:42 PM

(quoting Wonko the Sane, #4 above)

W: about the "history" of the system

A: I can confirm that hp (the manufacturer) deploys the OS image from the Recovery Partition (WinPE) to a small [30-40] GB partition and extends it later to the full available space during the factory process.

 

 

W: the volume should have the drive letter assigned, so you could run CHKDSK on the volume (run it first without parameters, and only on second run, if needed, run it with the /F parameter).

A: Yes, the letter is assigned (as shown in the diskpart output in a previous post) but C:\ is not accessible:

The file or directory is corrupted and unreadable.

 

 

I will have to learn (reading the manual or getting suggestions from valuable helping people) how to "convert" volume from RAW to NTFS to get access.

Attached Files



#6 Wonko the Sane (The Finder, Italy)
Posted 02 February 2016 - 07:28 PM

But that screenshot/message is about attempting to access it from "Explorer" or "My Computer" :unsure:

What happens if you try opening a command prompt and run CHKDSK C: (or is the screenshot the result of this latter?)

 

The $MFT location is still suspect. I think I never tested exactly when the location changes, but it is around 5 or 6 GB, so even the "initial" small partition of 30 or 40 GB should normally have the $MFT at LCN 786432. Maybe the WinPE used by the "manufacturer installer" is a 2.x or 3.x notwithstanding the fact that the system deployed is XP and this changes the location, or more simply they deploy an image that has been created by a non-MS tool.

 

At which LCN does DMDE find the $MFT?

 

Largely OT :w00t:, but still "connected" and JFYI:

http://reboot.pro/to...disk-emulation/

 

:duff:

Wonko



#7 bilou_gateux (Frequent Member, France)
Posted 03 February 2016 - 02:58 PM

Booted with WinPE and ran chkdsk c: from the command line [read-only mode].
CHKDSK has started finding a number of issues, including "Deleting an index entry with Id xxx from index $SII of file xxxxx", and is now displaying thousands of "Replacing invalid security id with default security id for file xxxxx" messages.

Replacing invalid security id with default security id for file xxxxx.
213600 security descriptors processed.
Security descriptor verification completed.
7479 data files processed.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows found problems with the file system.

Sectors per Cluster 8
MFT Start Cluster 10
MFT Mirror Cluster 944139

Attached File: MetaData.png (75.77 KB, 1 download)



#8 Wonko the Sane (The Finder, Italy)
Posted 05 February 2016 - 08:31 AM

Well, the CHKDSK (not-so-surprisingly given who wrote it ;)) lies and it is not really-really read-only if run without parameters (unlike how it is documented) but those modifications should anyway be OK.

To the DMDE screenshot.

If you open the [Metadata] folder on the left, then click on the $MFT (and/or on the $MFT [1]) on the right upper pane, in the right lower pane it should open the (presumed) $MFT in hex mode on $MFT record 0, showing its start address, is this what you did to produce that screenshot? :dubbio:

 

:duff:

Wonko



#9 bilou_gateux (Frequent Member, France)
Posted 08 February 2016 - 02:14 PM

@Jaclaz

 

Replayed the keystrokes and clicks as asked in your previous post and attached a capture to this post.

 

Attached Files



#10 Wonko the Sane (The Finder, Italy)
Posted 08 February 2016 - 04:39 PM

Good.

So, definitely the $MFT is on LCN 10 (as said very unusual for an XP machine).

 

Now you should make the usual image of the disk as is (you never know) FIRST, then run a CHKDSK /F, followed by a CHKDSK /R.

Most probably the filesystem will be repaired.

 

Not that there are that many alternatives, mind you, either CHKDSK manages to repair it or the most you will be able to do will be to recover single files either from the disk image or from the (partially) repaired disk.

 

:cheers:

Wonko



#11 bilou_gateux (Frequent Member, France)
Posted 12 February 2016 - 10:35 AM

Booted again into WinPE

I ran command:

chkdsk c: /f /r

on the corrupted volume for about 1 hour.

output below

 

Replacing invalid security id with default security id for file 213554.
213600 security descriptors processed.
Security descriptor verification completed.
7479 data files processed.
Correcting errors in the Master File Table (MFT) mirror.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 143685328 KB total disk space.
  27549372 KB in 176968 files.
     52788 KB in 7481 indexes.
         0 KB in bad sectors.
    222528 KB in use by the system.
      4096 KB occupied by the log file.
 115860640 KB available on disk.

      4096 bytes in each allocation unit.
  35921332 total allocation units on disk.
  28965160 allocation units available on disk.

 

 

 

All security descriptors were left and replaced with default.

 

I know I had to set some valid ID descriptors and define permissions

"administrators" group "full control"

"system" "full control"

to the OS folders:

%windir%

%ProgramFiles%

"C:\Documents and Settings"

 

before rebooting.

Otherwise, it will not boot to the Windows desktop, but auto-restarts before switching to the GUI.

When starting in safe mode, I can see that it just restarts again, over and over and over, before the GUI.

 

After setting the right permissions, i rebooted and started Windows XP from the hard drive.

 

Checking user folders, all important data were here.

 

Finally decided to reinstall the operating system to have a clean OS with the latest service pack 3.

 

@Wonko

As usual, thanks for helping and giving the right instructions.



#12 Wonko the Sane (The Finder, Italy)
Posted 12 February 2016 - 10:41 AM

 

 

(quoting bilou_gateux, #11 above)

You are welcome. :)

 

:duff:

Wonko



#13 Agent47 (Frequent Member, India)
Posted 12 February 2016 - 01:54 PM

Hi

 

Would you mind sharing how exactly you changed permissions from WinPE? Using command-line tools like SetACL or icacls, or some GUI way?



#14 bilou_gateux (Frequent Member, France)
Posted 13 February 2016 - 02:19 PM

I was initially planning to use the SetACL command-line tool to automate permissions,

but couldn't find examples to export permissions from a running Windows XP (another install) and import them offline to a Windows XP reset to the default permissions.

You have to set permissions at least for the Administrators group S-1-5-32-544 and Local System S-1-5-18

to allow booting to the Windows desktop.

Other SIDs don't exist under WinPE (running under Local System).

Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.

 

 

I finally used the Explorer GUI from the running WinPE to right-click the three folders (from root) listed in the previous post.

Time-consuming task and not error-prone.

 

Some setacl examples.


Edited by bilou_gateux, 13 February 2016 - 06:40 PM.
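The command-line route asked about in #13 (and not taken in this post, which used the Explorer GUI) would be icacls with raw SIDs, since the offline install's accounts cannot be resolved by name from WinPE, which is exactly why the post lists the two well-known SIDs. The following is an added example, not the poster's procedure or any tool's own code: a small Python wrapper that generates the icacls command lines for the three folders named in #11, taking a /save snapshot of each tree first so the change can be undone with /restore, and runs them only when asked. It assumes icacls.exe is available in the WinPE being used (it is not part of every PE build), that the offline system volume is mounted as C:, and that X: is the PE RAM drive where the snapshot files can be written; the file names under X:\acl-backup are hypothetical.

```python
"""Generate, and optionally run, the icacls commands that re-grant the two ACEs
the post says XP needs to boot after CHKDSK reset every security descriptor.
Added example, not the poster's procedure; assumes icacls.exe exists in the
WinPE in use, the offline volume is C:, and X: is writable (PE RAM drive)."""
import subprocess
from pathlib import PureWindowsPath

ADMINISTRATORS = "S-1-5-32-544"      # well-known SIDs, identical on every Windows install
LOCAL_SYSTEM = "S-1-5-18"
TARGETS = ("Windows", "Program Files", "Documents and Settings")   # the three folders from #11

def grant_spec(sid, rights="F"):
    """icacls grant syntax: a leading '*' marks a raw SID, (OI)(CI) inherit to files and subfolders."""
    return f"*{sid}:(OI)(CI){rights}"

def icacls_commands(drive="C:", sids=(ADMINISTRATORS, LOCAL_SYSTEM),
                    backup_dir=r"X:\acl-backup"):
    """Return a list of argv lists.  For each target folder: first '/save' the
    current tree ACLs to a file (undo with 'icacls <dir> /restore <file>'),
    then '/grant' the requested ACEs.  /T recurses, /C continues past errors."""
    root = PureWindowsPath(drive + "\\")
    backup = PureWindowsPath(backup_dir)
    cmds = []
    for i, folder in enumerate(TARGETS, 1):
        path = str(root / folder)
        cmds.append(["icacls", path, "/save", str(backup / f"{i}.acl"), "/T", "/C"])
        cmds.append(["icacls", path, "/grant", *(grant_spec(s) for s in sids), "/T", "/C"])
    return cmds

def as_cmd_lines(cmds):
    """Quote each argv the way cmd.exe expects, for pasting into the PE prompt."""
    return [subprocess.list2cmdline(c) for c in cmds]

def run(cmds, apply=False):
    """Dry run by default: returns (command line, return code or None) pairs."""
    results = []
    for c in cmds:
        rc = subprocess.run(c, check=False).returncode if apply else None
        results.append((subprocess.list2cmdline(c), rc))
    return results

if __name__ == "__main__":
    import sys
    commands = icacls_commands()
    for line in as_cmd_lines(commands):
        print(line)
    if "--apply" in sys.argv:           # only from the WinPE prompt, after imaging the disk
        for line, rc in run(commands, apply=True):
            print(rc, line)
```

Note that /grant adds ACEs on top of whatever default descriptor CHKDSK assigned; it does not reconstruct the original ACLs, and on a tree of 180,000 files the /save pass takes a while, so it belongs after the disk image, not instead of it. The generated grant line for the first folder reads `icacls C:\Windows /grant *S-1-5-32-544:(OI)(CI)F *S-1-5-18:(OI)(CI)F /T /C`.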




