On Mon, 12 Apr 2004 10:29:24 +0100, "Michael Walsh"
> I would be really grateful if anyone could help me recover a huge amount of
> important data which I, in my wisdom/arrogance/meanness, haven't backed up.
It happens regularly in the real world, that
> I was upgrading my XP Home to XP Pro when I was hit with a succession of
> BSOD's (IRQ_NOT_EQUAL, PAGE_FAULT_IN_NON_PAGED_AREA or similar) in the
> middle of the upgrade. The shortened version of a very long story is that
> now I can't boot from that drive. If I boot from the XP CD, it keeps trying
> to re-install XP.
When I see cases like this, I follow a very formal approach:
- pull HD out of sick PC
- test PC without HD (RAM test loops, fans etc.)
- pull data off HD in another host PC and then test/av-scan HD
> I've removed the drive and put it in another PC. The BIOS sees the drive
> but Windows doesn't.
Same version of NT? NTFS gets re-versioned, so an older NT may not be
able to read a newer NT's NTFS (and disastrously, a newer NT may
upgrade an older NTFS even if that breaks that HD's ability to boot).
Are the two PCs of the same age? Else there may be geometry
mismatches at the CMOS settings level.
Is the HD physically OK? Test with the HD vendor's OS-agnostic
diagnostics to determine that; NOT ChkDsk.
Is the file system OK? Don't let ChkDsk "fix" anything yet, in fact
it's safer to use some competent 3rd-party utility.
> The strange thing is that the Hardware Manager sees the faulty drive and
> says it's OK. Not only that, but if I go into Properties (in Hardware
> Manager) I can populate the drive and get the correct information displayed.
What do you mean by "populate"?
It may be the file system's barfed - something that a poster in an
earlier thread thinks will never happen, i.e. that NTFS is so
bulletproof you'd "never need ChkDsk".
Did you have Black Ice Defender on the afflicted PC? Witty is a pure
worm (like Lovesan, only needs vulnerable PCs to be connected to
attack them) that exploits a defect in Black Ice Defender firewall and
related products, and then performs direct raw disk writes to trash
the HD contents. Yes, right through NT and NTFS's defences.
> If I go into Tools (still in Hardware Manager) I can get the Error Checking
> utility to scan the disk and if I start Norton Disk Doctor, it will also see
> and scan the disk. Surprisingly, both these tests tell me that my drive is
> OK, but I can't see the drive in Windows Explorer.
That really is strange.
> The drive is formatted as NTFS.
Yes, I thought that would be the punchline, else you'd have evacuated
it from DOS mode by now (Tip: Use Odi's LFN Tools to preserve LFNs)
> Please help prevent a kind and generous old man (me) from topping himself
> I promise I will buy a back-up system and use it - honest.
OK; what I'd start with is a DOS-based tool that can copy off subtrees
from NTFS volumes. In fact, you have a few possible free tools, and
I'll list the ones I've played with...
1) ReadNTFS (www.NTFS.com)
This is a stand-alone DOS-based tool that lets you view the NTFS file
system much as the old "PC Shell" used to. You can then copy off files
or subtrees. You can't select more than one at a time, and you will
lose LFNs (Long File Names). Also, it takes quite a while to first
read a directory, and it doesn't "remember" where it was before and
has to re-read all the time.
You will come to HATE gratuitously-nested paths like "Documents and
Settings\Somename\My Documents\Blah\Blah\Blah\x\y\z\aargh!"
2) NTFSDOS (www.systeminternals.com)
The "free" version is a read-only DOS TSR that hogs about 300k of DOS
memory, fails to recurse the directory tree properly, and doesn't
preserve LFNs. Other than that it's OK.
The "fee" version can write NTFS as well as read it, but it is
"informal" from the perspective of malware clean-up; it shells the
HD's own NTFS reading code to read the HD. That's great for
compatibility, but bad if that code is barfed or malware'd.
3) Odi's LFN Tools
A set of replacement DOS commands that perform LFN-aware file
operations from DOS mode; LDir, LMD, LCD, LRen, LDel and most
powerfully, LCopy. This utility is brilliant for evacuating sick HDs;
it doesn't beat the HD to death retrying on sick sectors and just
carries on until all is done. LCopy D:\* C:\SICK /A /S will
copy *everything* from D: to C:\SICK in one go, with LFNs.
But Odi's LFN Tools won't work through an extra driver layer, and thus
can't be used with NTFS via (say) the NTFSDOS TSR.
Other LFN tools for DOS mode exist, including two TSRs that confer LFN
skills to software that can use them (uncommon in DOS mode, but
examples include InfoZip and Edit). One of these is fatally flawed;
it generates non-unique 8.3 names under matching LFNs, e.g.
LONGNA~1.TXT, LONGNA~1.TXT instead of LONGNA~1.TXT, LONGNA~2.TXT
4) The Recovery Console
As booted off XP CD, this can perform a number of useful recovery
tricks. But it is NOT an OS and cannot run other apps such as
antivirus scanners, and unless you manually set a couple of registry
settings *beforehand*, it will not read volumes other than C: and will
not write to other disks - making it useless for data recovery.
Also, no matter how you set it up, it will NOT copy off files in bulk,
using wildcards or whole subtrees at a time. So compared to ReadNTFS
or Odi's LFN Tools, it's pretty useless for data recovery even if you
do set it up beforehand to allow access and copying other than C:
5) Bart's PE Disk
Not really useful for your case, but potentially useful for malware
management (if you can find an antivirus that will run from it, and
you do the registry fixes manually). This creates a bootable XP CDR,
which can do.... some stuff.
You can also use Linux bootable CDRs to access NTFS, but even the
Linux fans are cautious about the quality of NTFS support.
6) Boot It New Generation (www.bootitng.com)
BING is a partition and boot manager, and it can do an image copy of
your NTFS volume if you need to evacuate a dying HD. The process can
take days (literally) as it bogs down on bad sectors, and if the HD
dies partway through, you are left with zilch.
7) NTFS Data Recovery Tools
Not much that is free, but they do exist; some have time-bombed trials
you can download, others may work but only let you save 5 files or
something. Not much free lunch for NTFS victims, I'm afraid;
understandable, given NTFS is undocumented and thus has to either be
reverse-engineered or the beneficiary of a close relationship with MS,
and both of those cost a lot, one way or another.
General approach:
a) Cherry-pick via ReadNTFS
b) Image off the whole volume
c) Paste image onto a known-good HD
d) Perform data recovery on this known-good HD
e) Meantime do diagnostics on the original HD
Because a dying HD may have an hour or less of remaining spin time,
and may shed sectors faster than something that sheds stuff very
quickly, it's important NOT to do (e) or (b) before (a). If (d)
screws up, you want the original image to exist somewhere safe, not
only on the sick HD. If you have kit to get three systems going, you
can test the rest of the PC, test the sick HD, and work on the image
splatted onto a known-good HD all at the same time.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
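
Added example, not part of the original post and not the code of any tool named in it: a sketch of step (b) that makes one front-to-back pass, tries each sector once instead of retrying, zero-fills what it cannot read so offsets stay aligned, and returns the unreadable ranges for the later recovery work on the copy. `FlakyDisk`, `evacuate` and the sample data are constructed for illustration; a real source would be a read-only raw device handle.

```python
import io

SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a failing drive: any read touching a bad sector raises OSError."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.reads = data, set(bad_sectors), 0

    def read_at(self, offset, length):
        self.reads += 1  # count read attempts to show the source is not hammered
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]

def evacuate(disk, size, image, chunk=8 * SECTOR):
    """Single pass, one attempt per sector; returns merged (offset, length) unreadable ranges."""
    bad = []
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        try:
            image.write(disk.read_at(off, n))  # image grows as we go, so a partial copy survives
            continue
        except OSError:
            pass
        # Chunk failed: walk it sector by sector, once each, with no retries.
        for s_off in range(off, off + n, SECTOR):
            s_len = min(SECTOR, off + n - s_off)
            try:
                image.write(disk.read_at(s_off, s_len))
            except OSError:
                image.write(b"\x00" * s_len)  # placeholder keeps later offsets correct
                if bad and bad[-1][0] + bad[-1][1] == s_off:
                    bad[-1] = (bad[-1][0], bad[-1][1] + s_len)  # extend adjacent range
                else:
                    bad.append((s_off, s_len))
    return bad

def demo():
    data = bytes(range(256)) * 2 * 32  # 32 constructed sectors of sample data
    disk = FlakyDisk(data, bad_sectors={5, 6, 20})
    image = io.BytesIO()
    bad = evacuate(disk, len(data), image)
    return data, image.getvalue(), bad, disk.reads
```

The returned range list tells you which parts of the image are placeholders, so file-system repair on the known-good copy is not mistaken for having seen real data there.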