Newly created NTFS files deleted during System Hive restore

Patrick

This morning I woke up to find my Win2k Pro PC with a
system hive too large error (i.e. the Systemced not found
issue). I followed the steps of copying the winnt/repair
version of system to the system32/config folder and booted
into Windows. I was pressed for time and was on my way
out when I rebooted. I came back to check on the progress
and found Windows (I'm assuming chkdsk) deleting files
because of some index error or something like that. I
prayed it was nothing and left. After finishing the
restore procedure to get my original system hive working
again, I finally got back into Windows properly. To my
horror, I discovered that indeed the files from the last
15 or so days created on my NTFS storage partition had
been deleted. I've tried all sorts of undelete programs
and nothing can find any traces of them. In fact, they
claim there are no deleted files on that entire drive. I
need these files back.

Has anyone encountered this problem before? Anyone know
how I can restore these files? Please email me.
 
Update: After further investigation, it appears that the MFT was corrupted.
Chkdsk, in its attempt to curtail the corruption, deleted the newly created
files. Please, someone tell me there's a way to fix the MFT? Some of the
undelete utilities are finding raw files (when they ignore the MFT). I
haven't written much if anything to the drive so the files should be mostly
intact. Please help before I seriously consider spending $99 on emailing
Microsoft.
 
Because both MFT and the log were fixed by chkdsk, I find it unlikely (as
close to impossible as "unlikely" goes) for the file names to be recovered
in any other way than a (restore of a) full system backup of a drive
snapshot utility.

You've got a slightly better chance to recover *some* nameless raw files
and restore those. If some were hand-written 200-page reports, you might
want to recover all the files any tool can find and rename those. Otherwise,
I'd consider the files lost.

I also sincerely doubt anyone (even Microsoft) can help you there. If they
do, please post back, it should prove enlightening.
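
Added example (not from any poster, and not a description of how any utility named in this thread works): a minimal sketch of a scan that ignores the MFT index, looks for leftover FILE records in a raw image and reads the name from any surviving $FILE_NAME attribute. It assumes 512-byte sectors and 1 KiB records, and `sample_record` builds constructed test data, not real disk contents.

```python
import struct

SECTOR, RECORD = 512, 1024  # assumed geometry: 512-byte sectors, 1 KiB FILE records

def apply_fixups(rec):
    """Undo the update sequence array; None means a torn or damaged record."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt < 2 or usa_off + 2 * usa_cnt > len(rec) or (usa_cnt - 1) * SECTOR > len(rec):
        return None
    rec, usn = bytearray(rec), rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:  # every sector tail must carry the sequence number
            return None
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def file_names(rec):
    """Yield (parent record number, name) for each resident $FILE_NAME (type 0x30)."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18 or off + alen > len(rec):
            break
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
        body = rec[off + coff:off + coff + clen]
        if atype == 0x30 and rec[off + 8] == 0 and len(body) >= 0x42:
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
            yield struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF, name
        off += alen

def carve(image):
    """Yield (offset, in_use, parent, name) for FILE records found without the $MFT index."""
    for pos in range(0, len(image) - RECORD + 1, SECTOR):
        rec = apply_fixups(image[pos:pos + RECORD]) if image[pos:pos + 4] == b"FILE" else None
        if rec:
            in_use = bool(struct.unpack_from("<H", rec, 0x16)[0] & 1)  # 0 = record marked free
            for parent, name in file_names(rec):
                yield pos, in_use, parent, name

def sample_record(name, parent, in_use=True):  # constructed FILE record, not real disk data
    body = struct.pack("<Q", parent) + bytes(0x38) + bytes([len(name), 1]) + name.encode("utf-16-le")
    alen = (0x18 + len(body) + 7) & ~7  # attributes are padded to 8 bytes
    attr = struct.pack("<IIBBHHHIHH", 0x30, alen, 0, 0, 0, 0, 0, len(body), 0x18, 0) + body
    rec = bytearray(RECORD)
    struct.pack_into("<4sHHQHHHH", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use))
    rec[0x38:0x38 + alen + 4] = attr.ljust(alen, b"\0") + b"\xff" * 4  # attribute + end marker
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"  # USN stamped on sector tails
    return bytes(rec)
```

A record that chkdsk has cleared or reused yields nothing in such a scan, which leaves only content carving without names.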
 
So chkdsk runs automatically after a crash and just deletes files it doesn't
like and there's nothing that can be done about it (aside from making regular
backups)?
 
Patrick said:
Update: After further investigation, it appears that the MFT was corrupted.
Chkdsk, in its attempt to curtail the corruption, deleted the newly created
files. Please, someone tell me there's a way to fix the MFT? Some of the
undelete utilities are finding raw files (when they ignore the MFT). I
haven't written much if anything to the drive so the files should be mostly
intact. Please help before I seriously consider spending $99 on emailing
Microsoft.
 
Hi, Patrick.

(Sorry about that blank reply. I hit Send by mistake.)

My symptoms weren't identical to yours, but the results were about as bad.
One morning about a year ago, I turned on the power and went to get a cup of
coffee while it booted. (Several drives, both SCSI and RAID controllers, so
it took a while to boot.) When I came back, Chkdsk was running on a 25 GB
NTFS volume on my second HD - and not doing well. (My guess is that during
that boot process, a momentary glitch - bad or loose cable - had caused a
mis-read of the system information on the HD, causing Chkdsk to try to fix
something that wasn't broken.) Eventually, Chkdsk gave up and reported that
the volume was not repairable. Dir did no good, neither did further tries
to run Chkdsk or anything else I could think of. Luckily, I had plenty of
unpartitioned space on my third HD, so I created a new volume there, gave it
the "bad" volume's drive letter and worked from there for a few months while
I tried to figure out how to recover my data. I tried some recovery
utilities I already had, plus demo versions of a couple of others, but none
did any good.

Finally, I downloaded R-Studio from www.r-tt.com ($70) and ran that. In a
few hours, it recovered almost all the "lost" files from my bad volume.
When I gave up on getting any more files, I reformatted that volume, put all
my recovered files back and restored its drive letter.

I don't know if R-Studio will fit your situation, but it was worth the $70
in my case.

RC
 
That's good to hear. I did download R-Studio and gave it a glance over a few
days ago. It's currently scanning my drive. Are there any options I should
be aware of? Were you able to recover the file names and directories or were
they all just raw files? About how much of the drive were you able to
recover? Any special settings I should choose?
 
So chkdsk runs automatically after a crash and just deletes files it doesn't
like and there's nothing that can be done about it (aside from making regular
backups)?

The purpose of having such a tool is to make the volume readable. Should a
file get crosslinked with another one and you write one, both get modified
and the whole thing mounts into a great snowball to the point where
everything becomes raw data. So the system is configured to fix such errors
as they pop.

Unfortunately, if such a large ball of nothingness gets large, cleaning it
up is a real pain in the neck. Software is not intelligent, it cannot see
all exceptions on a disk (and it can't since the definition of a disk error
is that data is at some point unreliable - it can't tell if the filename is
readable or not for example). Unreliable data must be deleted as a whole,
otherwise it can continue to propagate.

Rare reboots increase the chance of such an error propagating, as well as
small logs per drive, physical errors, weird configuration, etc.

BTW, did you perform a SMART comprehensive test on the drive? (takes about
20-30 minutes on my 60 GB drives). The drive might have failed at some
point. A physical failure might take a whole partition straight to heck,
invalidating half of the MFT and prompting chkdsk to nuke it. Also, doing
recovery on a failed drive can help nuke existing data (if any).

And no, it doesn't run after a crash unless the crash took place in a
delicate state of the disk, most likely power failure or critical hardware
failure. If the system caught the error and did a STOP, chkdsk will not run
(at least on my machine).
 
Alright, I think I know why most of the file recovery programs aren't finding
anything. Most of them seem to think the drive is only about 128 gig
(268430084 sectors) when the drive is really 250 gig (488392001 sectors),
thus they aren't even scanning the area where the files were lost. The true
size is reported by Partition Magic.
 
Hi, Patrick.

Aha! We may be back to the basics here: How new is your
mobo/chipset/BIOS/Windows?

HDDs over ~137 GB require updated hardware and supporting software to use
the 48-bit addressing scheme. Older equipment simply can't read the larger
disks because they don't have enough address lines to store addresses that
large.

Is your Win2K up to date? Have you visited Windows Update regularly?
Recently? What is your SP level? The quickest way to check that is with
Win+Break. That is, hold the Windows logo key while you press the
Pause/Break key. The System Properties page will pop up on your screen.
That should tell you, under System, what OS you are running, including which
Service Pack is installed. I've not run Win2K in nearly 4 years, since
WinXP arrived, but I believe Win2K should be up to SP4 now; the original
Win2K did not support 48-bit addressing.

Even if you have SP4, you still might need to check with your computer or
mobo maker to be sure you have a BIOS that supports the "big drives", too.

I've used R-Studio a few times, but I'm far from an expert on what it can
and cannot do. Like most of us, once I got my "lost" files back, I quit
exploring R-Studio. As I recall, it did an excellent job of recovering the
files themselves, but a less-than-excellent job on the directories. Some of
the directory tree was intact, but there were a lot of directory names that
were converted to numbers and moved into the Root so that I had to do some
exploring, renaming and shuffling to get them back into their previous
order. If you have a simple, shallow directory tree, that's not too hard to
do, but if you have many levels of sub-directories, it can be a big project.

RC
 
One man's opinion: I just used the demo version of R-Undelete to recover
files deleted from the file server. It worked great, we'll consider buying
the full version.
So Server 2K does not offer ANY file recovery functionality? This is
absurd, especially with the recycler not used for remote operations. If it
worked on NTFS, I'd dig up a DOS or 3.X box and copy UNDELETE.EXE.
 