Jump to content











Photo
- - - - -

Messed up Windows7 partitions


  • Please log in to reply
16 replies to this topic

#1 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 03 April 2013 - 02:31 PM

I had Windows 7 machine with 120GB hard disk that had two partitions, one very small(probably made by windows itself) and second 110GB+ which had everything from installation to data files. I was toying with bootICE and installed Lvyanan 1JF9z tool as boot manager, but when I was trying to run it, it seems that it created new partition on my hard disk, 3,8GB size(same as flash stick that it was instelled to), and made other two partitions unreadable. Certain tools like Partition Wizard can display hard disk as 3 having partitions - 8MB (unallocated), 3.8GB (other) and 108GB (unalocated). 3.8GB partition is shown as completely filled while two others are empty. Is there anything I can do? Under BOOTICE MBR of my HDD is show as Lvyanan 1JF9.

 

What is worse, it seems that activating certain functions makes USB flash stick also affected and I need to reformat.

 

Anyway after checking 3.8GB partition is actually sometimes reported as FAT32 bootable.

 

I don't think that it deleted anything from HDD because simply there was no time for that, as I plugged and uplaugged in few seconds...

 

This image shows a lot:

 

http://i.imgur.com/Zz6EjwF.jpg


Edited by popov, 03 April 2013 - 03:30 PM.


#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 April 2013 - 07:03 PM

This image shows a lot:

 

http://i.imgur.com/Zz6EjwF.jpg

Well, NO.

Actually it tells us nothing of use. :ph34r:

 

You should run TESTDISK with a LOG file and post the log.

See here for a detailed example on how to run it:

http://www.msfn.org/...ctor-windows-8/

(the issue in that thread has nothing to do with yours, but the procedure to run testdisk and provide the log is explained)

 

DO NOT, and I mean DO NOT write anything with TESTDISK (or *anything* else) until the log file has been reviewed.

 

:cheers:

Wonko



#3 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 03 April 2013 - 07:57 PM

Well I am running it in linux and can't find *.log file. Dumb prebuild recovery distro had messed up file search utility. I will try to install normal linux distro for normal testdisk.

 

U: here's my log

 

http://pastebin.com/VG5y7hGm


Edited by popov, 03 April 2013 - 08:44 PM.


#4 DarknessAngel

DarknessAngel

    Newbie

  • Members
  • 21 posts
  •  
    South Korea

Posted 03 April 2013 - 09:06 PM

you need to change partition type by partition utility on PE



#5 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 04 April 2013 - 10:40 AM

TBH I am not sure of that, because as shown in first image, strange 3,8 GB partition appeared that reports itself as bootable FAT32(which looks pretty much like a clone of one of my USB sticks). If it would be just about missing NTFS, then it would be ordinary routine, but with this weird thing I have serious considerations about that. First of all I have already changed partition type, but it doesn't do much. The one that is logged with size 143363997 and is listed as primary bootable wasn't like that. When clicking "p" on it, testdisk reports that filesystem cannot be read because it's damaged. The 91072422 partition lists some old trash that have been there before last format, which happened somewhere around 2011.

#6 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 April 2013 - 11:41 AM

Was the disk originally partitioned/formatted with Vista :ph34r: or 7 Disk Management?

Or directly came with an install of 7?

 

This could be:

 

 

HPFS - NTFS 0 32 33 12 223 19 204800 [System Reserved]

 

the "small" (100 Mb) "standard" partition Windows 7 creates when installed on a "empty" disk.

And this:

 

 

HPFS - NTFS 12 223 20 14593 0 63 234229760

could be the "other" partition.

 

Do you have:


  1. the possibility to boot to a PE of some kind or you only have Linux as "possible boot OS"?

  2. the possibility of imaging that disk "as is" (you will need another disk with something more than120 Gb of space)

 

In any case, you do have dd available, don't you? (and know how to use it)

 

 

Next step is making a copy of a few "key" sectors.

These sectors are:

LBA 0 - 1 sector

LBA 2048 - 16 sectors

LBA 206847 - 1 sector

LBA 206848 - 16 sectors

LBA 6498304 - 8 sectors

LBA 234436608 - 1 sector

 

You can get them with dd or with a disk/hex editor (or with whatever tool you are familiar with capable of copying sectors from the disk), then compress the files into a .zip archive, upload it to some free hosting site and post a link to it.

 

:cheers:

Wonko

 

 



#7 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 04 April 2013 - 12:07 PM

I have updated testdisk results, now they are properly shown:

 

http://pastebin.com/yGdqFt5R

 

 

Results
     HPFS - NTFS              0   1  1  8923 254 63  143363997
     NTFS, 73 GB / 68 GiB
     HPFS - NTFS              0  32 33    12 223 19     204800 [System Reserved]
     NTFS, 104 MB / 100 MiB
     HPFS - NTFS             12 223 20 14593   0 63  234229760
     NTFS, 119 GB / 111 GiB
     HPFS - NTFS           8924   1  1 14592 254 63   91072422 [BackUp]
     NTFS, 46 GB / 43 GiB

 

Computer with Win 7 as it was, but I remember that it had small partition in front, one that is used by 7. I do not have an empty 120GB+ storage at hand.

 

I don't have PE, but I can build some on my empty USB sticks - just recommend me something. As for now I have few linux distributions available. Afaik "dd" is default part of any linux system, just wondering on real size of those sectors.



#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 April 2013 - 01:14 PM

Computer with Win 7 as it was, but I remember that it had small partition in front, one that is used by 7. I do not have an empty 120GB+ storage at hand.

Yes, and that partition was found, please read my post, the two partitions that "look" like the right ones are listed.

 

I don't have PE, but I can build some on my empty USB sticks - just recommend me something. As for now I have few linux distributions available. Afaik "dd" is default part of any linux system, just wondering on real size of those sectors.

What do you mean "real size" of those sectors?

A sector is 512 bytes.

I need to have a look at the mentioned sectors.

Are you familiar with dd or do you need explicit instructions?

 

:cheers:

Wonko



#9 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 04 April 2013 - 01:26 PM

Here you go, not sure if I did it properly. Used "dd" and added .img extension to LBA files. Included command line in *.txt.

 

 

https://docs.google....dit?usp=sharing


Edited by popov, 04 April 2013 - 01:41 PM.


#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 April 2013 - 03:32 PM

Here you go, not sure if I did it properly. Used "dd" and added .img extension to LBA files. Included command line in *.txt.

 

 

https://docs.google....dit?usp=sharing

The good news are that almost all of the sectors are OK :thumbsup:

 

The one that is "wrong" is wrong because of my mistake :blush: , I needed:

LBA 234436607 - 1 sector and not (as I posted earlier) LBA 234436608 - 1 sector

but it doesn't really matter, as the bootsector @ LBA 206848 is seemingly good :).

 

Next step would be to write those two partition entries, can you do that directly with Testdisk (meaning are you confident in using testdisk to write them)?

 

Or do you prefer that I write them manually to the MBR sector and you dd it back?

 

In case, attached is the modified MBR (LBA0_mod.img)

 

The MBR code in the above is NOT the "standard" Windows 7 one, I am also attaching a MBR with the standard code (LBA0_mod_7.img)

 

You should have available anyway a Windows 7 install disk, as, even if the "main" structures seem OK, it is very possible that a number of files have been overwritten and/or the NTFS filesystem of either partition has been affected (and needs a CHKDISK to be performed).

 

BEFORE attempting booting from the disk, you should check if the Disk Signature (which now is 2D2613BF) is the "right" ine in the Registry, in the hive:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Keys 

\DosDevices\C:

and

\??\Volume{xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb}

(this latter is of course not the actual key, it varies on different systems).

There should have been no issues whatsoever with Disk Signature, but better be safe than sorry ;).

 

:cheers:

Wonko

Attached Files


  • popov likes this

#11 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 04 April 2013 - 04:29 PM

Okay, I have loaded w7 img and it worked. I am predicting like 2-3 hours more just for checkdisk, but I should be able to handle it by myself from now on. Thanks man! :good:


Edited by popov, 04 April 2013 - 05:23 PM.


#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 April 2013 - 06:28 PM

Okay, I have loaded w7 img and it worked. I am predicting like 2-3 hours more just for checkdisk, but I should be able to handle it by myself from now on. Thanks man! :good:

Good, let me know how t went :)-

 

:cheers:

Wonko



#13 popov

popov

    Member

  • Members
  • 59 posts
  •  
    Abu Dhabi

Posted 04 April 2013 - 07:53 PM

Okay so it wanted installation instead of recovery, but after that I can get into Windows once again. I am getting random explorer crashes, but that might be related to the fact that HDD on that computer is old and has bad sectors. I will run routine windows checks and defrag it on finish. I consider this fully solved.



#14 leBob

leBob
  • Members
  • 2 posts
  •  
    United States

Posted 28 April 2013 - 07:58 PM

Hi guys! Interesting thread. For the sake of learning (and recently I faced a similar issue as Popov):

 

@Wonko or anyone that knows:

 

1)How can you tell what "key sectors" to check for?

2) Why in some key sectors you tell to copy only 1 sector whereas in other you say 16 sectors

3) just in case, Is there a tutorial which talks about this?

 

I suppose you were seeing the original log, but I still don't see those mentioned LBA sectors on the log:

http://pastebin.com/VG5y7hGm

 

Next step is making a copy of a few "key" sectors.

These sectors are:

LBA 0 - 1 sector

LBA 2048 - 16 sectors

LBA 206847 - 1 sector

LBA 206848 - 16 sectors

LBA 6498304 - 8 sectors

LBA 234436608 - 1 sector // As corrected above, it should be: LBA 234436607 - 1 sector

 

I've read some Testdisk guides and cases on their webpage. But so far I don't know a lot, but I'm willing to learn.

THaaaankks a lot!!


Edited by leBob, 28 April 2013 - 08:01 PM.


#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 April 2013 - 09:19 AM

@Wonko or anyone that knows:

 

1)How can you tell what "key sectors" to check for?

2) Why in some key sectors you tell to copy only 1 sector whereas in other you say 16 sectors

3) just in case, Is there a tutorial which talks about this?

Hmmm. :dubbio:

1) Basically for a disk (whole disk) the only meaningful sector is the MBR (Master Boot Record or first absolute sector of disk)

2) for a partition or volume the only meaningful sector is the PBR (Partition Boot Record) or VBR (Volume Boot Record) (first absolute sector of volume) BUT IF the partition is NTFS the whole PBR/VBR is 16 sectors long (of which only a few are useful, but anyway for what it costs it is easier to get the whole 16 of them) AND there is a copy of the first of these 16 sectors placed at the end of the partition (actually in the partition space but outside of the volume).

3) Of course not :w00t: we happened to learn about these things from aliens which abducted us after we had a very heavy dinner and lots of beer  :whistling:(it was boring in the flying saucer and to entertain us they taught us about MS partitioning and filesystems).

BTW this is probably how the good MS guys conceived the FAT32 BPB and most of the bootsector code :ph34r:.

 

Sure there is. ;)

Meet the Starman's Realm:

http://thestarman.pcministry.com/

http://thestarman.pc.../mbr/index.html

 

More or less, if anything related to MBR's and PBR's exists, is either there or it is mentioned/referenced there. :worship:

 

:cheers:

Wonko



#16 leBob

leBob
  • Members
  • 2 posts
  •  
    United States

Posted 03 May 2013 - 12:37 AM

:yahoo: Oh man, Thank you so much Wonko!

 

I've been doing from scrath your solution. This, your answers and links have helped me understand a lot of things!

 

Doing some maths, I've got the LBA sectors you asked for.

E.G. Because of Win 7 doing a 1 Mib Alignment (0 to 2047), I guess that's why you began with sector 2048 for the first NTFS Partition.

E.G. Then, to know where it ended, you added the size from TD's log (204800 + 2048) = 206848 -1 =  206847

 

Additional Question if I may ask you:

 

1. Why for sector "6498304" did you ask for 8 Sectors and not 16?

I'm guessing you were trying to see if there was a valid VPR, but why only 8 sectors?

 

2. What software did you use to both: see the VPR that popov extracted from his HDD? and to create the MBR you sent him?

 

3. In theory, if the first absolute sector of my HDD where resides the MBR, somehow was physically damaged, is there a way to keep functional the HDD, e.g. relocating the MBR to sector #2 or whichever is not damaged?

 

Thaaankkk you a lot :D!!!

 

Here's the TestDisk log from above:

http://pastebin.com/VG5y7hGm

LBA 0 - 1 sector - MBR

LBA 2048 - 16 sectors - NTFS VBR

LBA 206847 - 1 sector NTFS VBR END

LBA 206848 - 16 sectors NTFS VBR

LBA 6498304 - 8 sectors

LBA 234436607 - 1 sector // Corrected NTFS VBR END


Edited by leBob, 03 May 2013 - 12:44 AM.


#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14913 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 03 May 2013 - 10:08 AM

E.G. Then, to know where it ended, you added the size from TD's log (204800 + 2048) = 206848 -1 =  206847

Yes/No. (No :ph34r:)

NTFS keeps a copy of the first sector of the bootsector (the one with the actually relevant data, the BPB) as last sector of the partition, (this sector is outside the filesystem but inside the partition or - if you prefer, a NTFS filesystem is always one sector less than the size of the partition it occupies).

I wanted a copy of sector LBA 206847 in the case sector LBA2048 had issues. 

 

Additional Question if I may ask you:

 

1. Why for sector "6498304" did you ask for 8 Sectors and not 16?

I'm guessing you were trying to see if there was a valid VPR, but why only 8 sectors?

Naaah :w00t: (see below).

 

 

2. What software did you use to both: see the VPR that popov extracted from his HDD? and to create the MBR you sent him?

I tend to use Tiny-hexer (with my little viewers for it):

http://reboot.pro/to...-hexer-scripts/

and my CHS-LBA spreadsheet:

http://reboot.pro/to...a-translations/

http://reboot.pro/to...ations/?p=74116

 

3. In theory, if the first absolute sector of my HDD where resides the MBR, somehow was physically damaged, is there a way to keep functional the HDD, e.g. relocating the MBR to sector #2 or whichever is not damaged?

Yes/No.

You might probably be able to create a HPA :w00t:, but it may depend on the specific device :unsure: (make/Model).

Most hard disks - automatically or through really low-level tools that may (or may not exist/be available/be compatible with your disk) - should be able to relocate a bad-sector.

You normally should not need to do that, and if you actually *need* to do it your best option is usually to get anyway a working hard disk as a replacement.

 

Here's the TestDisk log from above:

http://pastebin.com/VG5y7hGm

 

 

 

LBA 0 - 1 sector - MBR

LBA 2048 - 16 sectors - NTFS VBR

LBA 206847 - 1 sector NTFS VBR END Mirror

LBA 206848 - 16 sectors NTFS VBR

LBA 6498304 - 8 sectors <-see below

LBA 234436607 - 1 sector // Corrected NTFS VBR END Mirror

The 6498304-206848=6291456

Try making 786432*8 ;).

 

The 8 sectors are "arbitrary" it's just the very beginning of the $MFT (and indirectly a way to make sure that the data in the VBR's @206848 and @234436607 is valid).

I normally use the first 8 sectors of the $MFT as they correspond to 4 records, i.e. exactly to what is (should be) in the $MFT Mirror.

If you prefer, if the contents of those 8 sectors seem "queer", one can later check the $MFT Mirror and hopefully correct the $MFT, but anything beyond the first 4 records (or 8 sectors) is not mirrored anywhere and so it is pretty much pointless at this stage to have anything more than 8 sectors, as they cannot be rebuilt from the $MFT Mirror.

 

:cheers:

Wonko






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users