Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Windows Filesystems Recovery

An ounce of prevention is worth a pound of cure.

An ounce of prevention is worth a pound of cure. I an strongly against stupid one partition windows systems installations that are prevalent today. I stall stem in right direction, splitting this partition into two and having a sizable FAT32 second partition other drive where you can store Ghost images on the first partition and you data significantly simplify recovery and helps to avoid the fees that are charges by specialists for restoration of your harddrive.

FAT32 has great advantage over other competitors: it has powerful, extremely well developed recovery tools.   NTFS recovery tools are weaker in comparison with the FAT32 recovery tools so if the speed is not important and size of the partition is below 20G, FAT32 is preferable as a filesystem.  FAT32 partitions are perfect for storing NTFS images created using GHOST or similar tools.

On low level there are few tools that are really helpful.

• Norton Disk Editor is probably the most well known recovery tool and it is reasonably good in FAT32. I have no experience with it on NTFS.  You can do wonders with FAT partitions if you know how to use it and understand the structure of FAT. To a certain extent it is impossible to lose data on FAT partitions unless they were overwritten or there is a problem with disk hardware. 
• Knoppix and other cd distributions
• Ghost 2003 and similar Linux based tools.  If you can create an image of the disk  in DOS you can access it on a different computer using Ghost explorer. Also it is important to have a backup copy of data that you try to recover as recovery can and often will go wrong.

Again let's talk about prophylactics.  I strongly recommend to create a sizable (let's say 10G) FAT32 partition  explicitly for recovery purposes when installing Windows 2000/XP. Here you can store Ghost images and other stuff  that is important to recover too.

Much depends on your level of understanding of assembler and FAT32 internals. If we are talking about serious problem that involves valuable data, then before practicing with Norton Disk Editor on real data I strongly recommend to create an image of the partition, install it on the second harddrive and try you ideas on it.

With NTFS everything is 10 times harder but general principles remain the same. After all you can always read and search the disk sector by sector and write some scripts to extract relevant portions of the disk based on heuristics that are pertinent to your data.  But it is preferable to operate on a higher level. NTFS can be mounted as readable partition from Linux which creates some interesting possibilities in case Windows is damaged to the extent is unable to boot and there is no recovery disk.  I have very little experi4nce with recovering NTFS volumes so I can not go father then rather generic recommendations.

Notes: Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected. This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books. The site contain some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link. Search Amazon by keywords:     Open directory Research Index

Old News ;-)

[Aug 26, 2007] How To Use NTFS Write Support (ntfs-3g) On Fedora 7

Write access to NTFS permits some using it virtual machines

"Normally Linux systems can only read from Windows NTFS partitions, but not write to them which can be very annoying if you have to work with Linux and Windows systems. This is where ntfs-3g comes into play. ntfs-3g is an open source, freely available NTFS driver for Linux with read and write support. This tutorial shows how to use ntfs-3g on a Fedora 7 desktop to read from and write to Windows NTFS drives and partitions.

See also:

How To Use NTFS Drives/Partitions Under Ubuntu Edgy Eft
Our-Picks: Access Your Linux Partitions Under Windows(Mar 05, 2007)
 

[Jan 26, 2007] Help! I can't retrieve my honeymoon photos from my memory card!by Lee Koo (ADMIN)

CNET Community Newsletter Q&A Forums

Question:

I need your help desperately. I have an xD-Picture Card (memory card) that I'm trying to retrieve my photos from. Normally I just insert the card into my card reader and transfer the photos to my computer. However, this time when I inserted the card into the card reader, it froze my PC so I had to do a cold reboot to get it going again. Once rebooted, I tried numerous times trying to get the PC to read the card, but was unsuccessful. So I tried it on another computer and it also failed to be recognize the reader and the content on the card also. My last attempt was connecting the camera to the computer and retrieving using that method, but every time I insert the memory card into the camera, the camera would display "Card error" and proceed to ask if I want to format. Reformatting is not an option. All I want is to be able retrieve my precious photos from my honeymoon in the Caribbean. Are there any other methods--software or hardware that I use to try to retrieve these photos safely? Please help, any recommendations or advice will be appreciated!

Submitted by: Irene D.

***********************************************************************

Answer:

Hi Irene, you have my sympathies--this is my worst nightmare. There are a couple of techniques I use to mitigate these kind of disasters. I tend to use several smaller capacity memory cards, rather than one big one - at least that way, if the worst happens, I only lose a small portion of my pictures. Also, whenever possible, I take a laptop with me and download my images at the end of each day. Of course, none of this helps with your current problem.

Health warning! I've never had to recover a memory card in anger personally, so I can't give a definitive answer; only suggest actions you might want to try.

Be VERY careful from here on in; you don't want to compound the problem. This is especially important, because xD memory cards (I use them) don't have a write-protect switch like some SD cards do, so you must double-check that any method you use to try to access the card is READ ONLY.

Looking at your post, there are a number of possibilities for the error. When you download images from the card, do you copy them to your PC or move them? I would always recommend copy, and delete them from the card when you have a verified copy on your hard disk. If you move them, you are effectively writing to the card and if you get an error, the card's Partition Table or File Allocation Table may be corrupted. This can happen if you are copying and get a hardware error but it is much less likely.

Anyway, since your camera is detecting an error and suggesting a reformat, it sounds as if the FAT is damaged. It may be possible to overcome this if you can access the card on a PC - the embedded operating systems in digital cameras are less forgiving because they don't have as much space for error recovery routines. You are absolutely right not to reformat the card. Your strategy at this stage is not to modify the card in any way while you try to get the images off it.

The other point in your post that is of concern is "So I tried it on another computer and it also failed to be recognize the reader and the content on the card also."

The piece that concerns me is that the other computer "failed to recognise the reader". That would suggest that maybe the card reader has developed a fault - this could explain why your original PC hung up and how the card came to be damaged. Do you have a spare card (with nothing on it) to try in your reader or do you know anyone who also has an xD compatible card reader? If so, try to read the card in their reader. You might be lucky and be able to copy the pictures off but likely not. Success here would be for the card to be recognised on the computer, albeit with the errors.

If you can access the card, then there is a plethora of software tools that may be able to recover the data - Some work by ignoring the errors in the FAT etc., and do a low level scan of the card for readable logical sectors and try to reassemble the images. They then allow the successful ones to be copied to the hard disk. Others attempt to dump the whole memory card on to the hard disk and then carry out a similar process there. There are Freeware programs available and a lot of commercial ones, most of which have a free or trial download available so you can see if they will be able to recover the images before you buy them. I've included a few links here but you can Google many more:

http://www.cardrecovery.com/
Download and Free Trial
http://www.digitalleo.com/photo_recovery.html
Free Demo USD 27 to buy
http://www.pcinspector.de/smart_media_recovery/uk/beschreibung.htm
German site, English text

http://www.softwarepatch.com/software/smartrecovery.html
Freeware

I would also recommend you take a look at http://www.ultimateslr.com/memory-card-recovery.php which is a discussion forum for this topic. Some of the links on the site are dead but there are some useful ones, e.g.

http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2002/05/21/ecrbtcm21.xml

that are helpful. The site helps to understand the problems you may encounter as well as suggesting possible approaches to recovery.

Let me repeat, though, make sure that any of the tools you try are READ ONLY - the descriptions say if they are - if it doesn't say, assume they are not.

OK, so what if that doesn't work? Your next recourse would be to one of the specialist companies that attempt data recovery. Again, there are a lot around, I've included a couple of links but these are for UK companies which may or may not be of use, depending where you live.

http://www.diskdoctorsdatarecovery.co.uk/ (Mail in Service)
http://www.disklabs.com/data-recovery-contact.asp

Be aware that these companies cannot guarantee success but if they can't retrieve the data, probably nobody can. Also be aware that they can be expensive - always get a quote from 2 or 3 before you buy. For irreplaceable pictures, such as yours, of course, you may consider the cost well worth it. Many of these companies offer a phone-in diagnostic chat, where you can discuss the specifics of your problem and they can give a more informed opinion.

Finally, you could try your local photolab, where they may be able to print your pictures - you'd need to scan them in again but better than a total loss. Chances are that the print machine will have the same problem reading your card, though, that your camera has.

A note of caution. Many of the recovery products claim to be able to recover images from reformatted cards. Theoretically, it might work with some cards and cameras but I have done a few tests with my camera (a Fujifilm Finepix S304) with three of the recovery programs. In all cases, if the files were deleted, they were able to recover them. BUT and it is a BIG BUT, NONE of them were able to recover the images from a reformatted card. Now this may be because my Fuji camera creates a three level directory structure when it reformats a card and the recovery programs can't interpret this correctly but obviously, I can't recommend this method. Olympus cameras, that also use xD cards, may be different.

If everything else has failed and you are facing a total loss, you might want to consider risking it. If you do, I'd definitely recommend you experiment with a spare card before you even think about touching your damaged card.

Good luck and I do hope you are able to recover at least the majority of your precious photographs.

Submitted by: Sav. M. of the United Kingdom

Failing Disk Imagers

The first step to carry out for an obviously or suspected failing disk is to copy the whole contents before it fails completely. The freeware below is probably all you need for this purpose.  Commercial Solutions won't be much better. Especially try PC INSPECTOR

• PC INSPECTOR≥ clone maxx Supported Software Versions or File Systems - "The copying process is always based on the physical drive and is independent of the file system (e.g. FAT12, FAT16, FAT32, HPFS, NTFS, Ext2, Reiser, etc.) or the number of partitions."
  Developer Provided Description - "PC INSPECTOR≥ clone maxx is the new professional hard drive copying program from CONVAR. Using the new direct DMA support, data can be copied from hard drives in high speed mode with speeds up to 3.3 GB per minute."
  Comment - CONVAR √ Die Datenretter≥ who provide the highest quality set of general use data recovery software on the Internet.  Check out all their software, it's quite impressive for them to give this stuff away.
• DriveImage XML OS - Windows XP Home Professional only

  File Size - 1.36 MB Supported Software Versions or File Systems - FAT 12/16/32/NTFS Developer Provided Description - "DriveImage XML is an easy to use and reliable program for imaging and backing up partitions and logical drives. The program allows you to:
  
  Backup logical drives and partitions to image files
  Browse these images, view and extract files
  Restore these images to the same or a different drive
  Copy directly from drive to drive
  Image creation uses Microsoft's Volume Shadow Services (VSS), allowing you to create safe "hot images" even from drives currently in use.
  
  Images are stored in XML files, allowing you to process them with 3rd party tools. Never again be stuck with a useless backup!
  
  Restore images to drives without having to reboot."
   Comment - Free for home use.

• Partition Saving

  Supported Software Versions or File Systems - "Most partition types are supported. In the case of FAT (12, 16 and 32), ext2/3 and NTFS partitions, you can choose between saving all sectors or in-use sectors only." Developer Provided Description - "Partition Saving is a DOS program that is used to save, restore and copy hard-drive, partitions, floppy disk and DOS devices.
  
  With this program you could save all data on a partition to a file (such as you could save this file on a CD for example). Then if something goes wrong, you can completely restore the partition from the backup file. You no longer have to reinstall every piece of software from scratch. All you have to do is restore the partition from the backup file and then update any software that was modified since the backup was created. "
   

• Roadkil's Raw Copy

  Supported Software Versions or File Systems - FAT16/32/NTFS Developer Provided Description - "This program copies a disk as a raw image from one drive directly to another. This utility is designed for people who have faulty drive and want to transfer the data directly to another drive without doing a file by file copy. This saves the need for operating system re-installs and allows drives with an unknown file system to be copied (including from console game machines, data recorders, Mac etc). The program has a built in data recovery function which will attempt to recover data from bad sectors to ensure all the available data is restored from the drive. This program is designed to run under nt/xp/2000 or later operating systems. It will run under Windows 95/98/Me operating systems but only Windows logical drives can be copied." Roadkil's Disk Image Supported Software Versions or File Systems - FAT16/32/NTFS Developer Provided Description -

  Comment - "Creates and writes disk images files to hard and floppy disks. Great for writing boot disk images download from the internet or creating a perfect copy of a disk to email to someone else."
   

• HDCopy

  Developer Provided Description - "With HDCopy you can make an identical copy of a hard drive onto another hard drive. If you buy a new hard drive and don't wish to change your Windows configuration in any way, you can use HDCopy to copy your old hard drive completely to the new one (hidden files as well."
   

• Restorer2000 Free DEMO

  Developer Provided Description - "Restorer2000 Free DEMO 2.0 allows you to evaluate Restorer2000 products and displays your hard drive structure with deleted files and folders. Also, with Restorer2000 Free DEMO 2.0 you can create an Image file for an entire disk, partition or its part. Then the Image file can be used like regular disk."  Comment - Interestingly the Demo's disk imaging feature works in unlimited for free but the undelete only shows you what can be undeleted.  Thus free disk imaging. :-)

• Diskman

  Supported Software Versions or File Systems - FAT16/32/NTFS

  Developer Provided Description - "Diskman is free for noncommercial use. Diskman products may be licensed for commercial use and may be fully customized to suit particular application requirements. The core Diskman library supports a variety of file system and disk manipulation commands which can be used to extract and modify information not normally available from the OS. Diskman is currently supported by MS-DOS (and its clones) and Microsoft Windows NT/2000/XP . A Linux version of Diskman may be developed in the future.

  Diskman 4 is the latest MS-DOS compatible release:

  Backup and restore VFAT (Windows 9X/nt/2000). Long File Names (LFN). Archive compatible with DOSLFNBK, the leading LFN backup utility. Support for disk image files up to 2GB (4GB coming soon). Support for spanned image files up to 2TB. Mount and manipulate disk images (such as those created for Rawrite). Export volumes or entire physical drives for later restore. Quickly copy every file into image files for easy backup and later restore. Directly edit disks at the sector level. Support for all BIOS supported disks, DOS supported drives and Image files. Help repair disks after a virus attack or rescue critical data."

• recoverdm

  Supported Software Versions or File Systems -Mac, Unix File Systems

  Developer Provided Description - "This program will help you recover disks with bad sectors. You can recover files as well complete devices.  In case if finds sectors which simply cannot be recovered, it writes an empty sector to the outputfile and continues. If you're recovering a CD or a DVD and the program cannot read the sector in "normal mode", then the program will try to read the sector in "RAW mode" (without error-checking etc.). This toolkit also has a utility called 'mergebad': mergebad merges multiple images into one. This can be useful when you have, for example, multiple CD's with the same data which are all damaged. In such case, you can then first use recoverdm to retrieve the data from the damaged CD's into image-files and then combine them into one image with mergebad."

• Roadkil's Unstoppable Copier

  Supported Software Versions or File Systems - FAT16/32/NTFS

  Developer Provided Description - "Recovers files from disks with physical damage. Allows you to copy files from disks with problems such as bad sectors, scratches or that just give errors when reading data. The program will attempt to recover every readable piece of a file and put the pieces together. Using this method most types of files can be made useable even if some parts were not recoverable in the end."

LISA 2001 Paper LISA 2001 Paper about RUF

Crash Recovery Kit for Linux

Linux Today - NewsForge Linux to the Rescue A Review of Three System Rescue Cds

[Nov 8, 2005] Linux Journal/How a Linux Distro Saved Hard Disk Data Linux Journal

Rather strange article that still contains useful info. especially in user comments section. Actually there are several partition boundary finders. so dd is not necessary, but the idea of using a universal tool is not without its merits.

My friend's e-mail went on to explain:

The original configuration was Windows 98SE with GoBack installed. GoBack is a utility that is supposed to help disaster recovery by rolling back to earlier checkpoints. I disabled GoBack and set up a dual boot of Windows98 and XP on her PC since my daughter wanted to run a school program that only works on XP. Unfortunately, the school program did not work. So I deleted the XP partition with Partition Magic 7 and disabled the BootMagic. Then I re-enabled GoBack. Everything seemed to work fine for a couple of weeks.

Murphy's law dictates that disaster would strike while I was in Toronto. Norton SystemWorks was scheduled to run on Friday nights. No problem during the first couple of weeks. But when I was visiting my brother last week in Toronto, Norton reported a lost cluster. My daughter OKed the fix and, from that time on, the system would not boot.

In particular, when booting from the hard disk drive (HDD), the NT Loader (NTLDR) wasn't found. Trying to boot win98 from floppy produced a message about no FAT or FAT32 partition being found. Diagnostic programs pronounced the hardware healthy. My friend continued:

To my horror, I found that GoBack wrote on the MBR (Master Boot Record) using its proprietary format. The disk was originally divided into 4 partitions. But GoBack made the whole disk appear as a single partition of 40GB now since the software cannot access the partition tables in the MBR.

As sometimes happens, the vendor's recovery instructions didn't work. My friend was a little desperate, and I thought I could help, so I accepted the challenge. He told me that if we could recover only the files in the "data" partition, that would be enough: "I told her to back up her data every week, but...". You know the rest. Anyway, my friend handed over the disk drive, and I considered how to make use of tools I had on hand to help him out.

Can My Extra Linux PC Read the Drive?

I was lucky enough to have a "spare" desktop PC, which had been rescued from the dumpster a few months before. From loading SuSE 8.0 on it, I remembered that the hard drive was on /dev/hda (IDE0 "master") and a CD-writer was at /dev/hdc (IDE1 "master"). (See Sidebar 1 below for a brief review of IDE addressing.) This setup was good, because it meant two IDE ribbon cables were in the box--one for IDE0 and one for IDE1--and one might have a spare connector in a convenient physical location.

... .... ....

So, what did fdisk think of my friend's HDD?

    % sudo fdisk -l /dev/hdd
    Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders
    Units = cylinders of 16065 * 512 bytes
       Device Boot    Start       End    Blocks   Id  System
    /dev/hdd1   *         1      5005  40202631   44  Unknown
    % 

Sure enough, it found a single partition of type 0x44. I was unable to find any reference that explained this type of partition. I then examined the partition table directly.

    % dd if=/dev/hdd bs=512 count=1 | od -x
                                           ... 0180
    0000700 0001 fe44 ffff 003f 0000 e30e 04ca 0000
    0000720 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000760 0000 0000 0000 0000 0000 0000 0000 aa55

The infamous od program prints 16-bit quantities as big-endian "short" ints. Because x86 architecture is little-endian, I should not have used od. I would have done better to issue hexdump -C. Then, the offsets would have been in hex rather than octal, and the bytes would have been printed one at a time.

That said, let's dissect this partition table. It has only one entry, at bytes 0676-0715 (0x1be-0x1cd), with contents

    80 01 01 00 44 fe ff ff 3f 00 00 00 0e e3 ca 04

Looking at a site that describes the partition table, such as this one, we see the breakdown is:

             80: bootable flag (YES)
       01,01,00: starting C/H/S
             44: filesystem descriptor
       fe,ff,ff: ending C/H/S
    3f,00,00,00: starting logical sector (32-bit)
    0e,e3,ca,04: ending logical sector (32-bit)

where the starting C/H/S is head 1, sector 1, cylinder 0, and the ending C/H/S is head 0xfe (254), sector 0x3f (63), cylinder 0x3ff (1023). The cylinder number is suspicious, because all available bits are set to 1. I guess that's what happens when you try to represent cylinder number 5004 in ten bits. (Sidebar 2 contains a brief refresher on C/H/S addressing; Wikipedia probably has a better one.)

Looking at the 32-bit logical sector numbers shows that the disk should have 0x04cae30e (80405262) sectors, which exactly matches the 40202631 blocks of "1K" or 1024 bytes each that are shown above.

Sure enough, this partition table was useless. It should have been simple enough to fix using fdisk or cfdisk or sfdisk. The old fdisk is my favorite, but that's only because I'm a dinosaur; you don't have to follow my example. All I needed was the original cylinder numbers, and I could just plug them in.

Do you remember this bit of advice your distro's installation manual: "Keep a hardcopy of your output from fdisk -l"? This situation is exactly why you're advised to save that printout. If that information had been available, a few commands could have restored everything on my friend's HDD.

When No Cylinder Numbers Are Available

But, of course, the cylinder number information wasn't available, as I soon found out from my friend:

Windows does not give you the cylinder and block numbers. The original first partition C was 8G. I think I shrank it to 6G (or 4GB) and created an XP partition of 2G (or 4GB). Then I deleted the XP partition but did not expand the C partition back to original due to lack of time (I had to leave her apartment). The second partition D (for applications) is 8G. The third one E (for data) is 2G. Then the rest 20G for drive F (for multimedia).

What to do? Should I add up the amount of space my friend told me and pray that the partition began right there? This option didn't seem safe to me. Although the data partition probably began about 16GB from the start of the disk, I didn't know if a GB here was 1000MB or 1024MB? For that matter, what's an MB--1000KB or 1024KB? Worse, my friend's memory of partition sizes didn't seem to be 100% rock solid either.

I was hoping that there might be a telltale sign at the beginning of each FAT partition. I wasn't sure what exactly to look for, although I knew each partition had a "boot sector" containing the filesystem parameters, such as the super block of ext2 and other filesystems. But what did it look like?

Figuring that I'd have to look at a lot of sectors, I hacked together a script, which would print out the contents of

 * head 0, sector 0
 * head 0, sector 1
 * head 1, sector 0

I chose these because the partition's boot sector probably would be in one of those positions in some cylinder or another. At this point, I must apologize because I refer to the first sector as 0, whereas traditionally it's referred to as 1.

The first 3,000 cylinders would cover over 20GB, which ought to include completely the desired data partition. The script deduces the size of each track and cylinder by looking at the fdisk output. I stored the results in a rather large disk file, where I was hoping to find some commonalities regarding where each partition was likely to begin. Then, I hoped, it would be obvious exactly where partition E began, as that was the important one. Anyway, here's the script:

#!/bin/bash
cyl=0                   # let's start at the very beginning
disk=/dev/hdd
climit=3000             # about 3/5 of the disk
# I am gonna take it for granted that the disk sector size is "1b" or 512.
SECTS=`fdisk -l $disk | sed -n '/^Disk/s/^.* \([1-9][0-9]*\)  *sector.*$/\1/p'`
CYLSIZE=`fdisk -l $disk | sed -n '/^Units/s/^.*cylinders of  *\([1-9][0-9]*\)  *\*.*$/\1/p'`
((count=SECTS+1))
echo on disk $disk, cylinder size is $CYLSIZE blocks
echo I am going to make $climit passes, each time reading $count sectors
echo and printing sectors 0, 1, and $SECTS
echo 'Is this OK?  Hit ctrl-C if not.'
read X
echo -n 'OK, abandon hope all ye who proceed.  Start in five seconds.'
sleep 5
echo Done.
while [[ $cyl -lt $climit ]] ; do
    ((skip=cyl*CYLSIZE))
    dd if=$disk of=/tmp/x bs=1b skip=$skip count=$count 2>/dev/null
    echo Cylinder $cyl sector 0:
    dd if=/tmp/x bs=1b             count=1 conv=swab 2>/dev/null | od -Ax -x
    dd if=/tmp/x bs=1b             count=1           2>/dev/null | od -Ax -c
    echo Cylinder $cyl sector 1:
    dd if=/tmp/x bs=1b skip=1      count=1 conv=swab 2>/dev/null | od -Ax -x
    dd if=/tmp/x bs=1b skip=1      count=1           2>/dev/null | od -Ax -c
    echo Cylinder $cyl sector $SECTS:
    dd if=/tmp/x bs=1b skip=$SECTS count=1 conv=swab 2>/dev/null | od -Ax -x
    dd if=/tmp/x bs=1b skip=$SECTS count=1           2>/dev/null | od -Ax -c
    ((cyl=cyl+1))
done > out

Looking at the potential boot sectors on my friend's disk, I found out that I was very lucky. Not only was there a boot sector at each partition, there was another partition table at each partition. These partition tables announced their presence by the tell-tale byte pattern 55,AA at the end of the sector. The swab in the script means I could search for 55AA *$ in the file and see exactly where this nice pattern was located.

According to Werner Almesberger's excellent LILO User's Guide, this is what happens when all partitions are logical partitions. His guide, which contains a detailed description of the disk layout, is located at /usr/doc/packages/lilo/user.ps.gz on my distribution. Or you can Google on "lilo user guide", without the quotes, of course.

If the disk had been repartitioned many times, I might have found a bunch of residual 55AAs lying around. Instead, I found only one extra occurrence--where my friend had deleted the XP partition.

The partition table closest to 16GB from the beginning of the disk happened to be 2073 cylinders in. From the fdisk output above, a cylinder is 16065 * 512 bytes. So 2073 cylinders is fairly close to 17GB, if a GB is 1000*1000*1000 bytes:

    % dc
    2073 512* 16065*p
    17051005440

But if a GB is 1024MB, and if an MB is 1024KB, then 16GB would be

    16 1024*1024*1024*p
    17179869184

This seemed about right. Looking at the partition table, I discovered that the partition began 33302808 sectors from the start of the disk. This works out to 63 sectors from the beginning of cylinder 2073, or cylinder 2074 if you start counting with cylinder 1.

The size of the partition, translated into decimal, was 2040192 sectors. This works out to be 63 sectors shy of 127 cylinders. That is, 127 * 16065 - 63 = 2040192. So it looked like my friend's E drive occupied 127 cylinders. But I wasn't 100% sure this was true, and I didn't want to write on his disk until I was 100% sure.

Another thing: as alert readers may have noticed, 2040192 sectors works out to about 1GB for the size of the E partition, rather than the 2GB my friend remembered.

Performing a Sanity Check

From here, I copied out a subset of the disk onto a spare area on my disk, something like this:

    # dd if=/dev/hdd of=/extra/diskimage bs=512 skip=33302808 count=2040192
    # mount -t vfat -o ro,loop /extra/diskimage /mnt
    # ls /mnt

And it worked! This step provided me with a sanity check without actually writing on the disk drive. I even ran a du and sent the results to my friend. He was very encouraged that I was able to get to this point.

Burning a Windows-Visible CD

I burned a Windows-visible CD from the data on the partition, but I had trouble with one file. It had a very long name, well beyond the 64-character limit on the Joliet extension.

At the time, I don't think I knew about the -joliet-long option to mkisofs. Anyway, I told mkisofs to hide that file from the Joliet directory and then e-mailed the file to my friend separately, using mpack(1).

Exactly how did I burn the Windows-visible CD? True confession: I don't remember. But the process probably was similar to the way I described in this earlier article.

Not being completely confident in my ability to burn a Windows-visible CD, I took the CD with me to the office, where the corporate Windows laptop was able to read it just fine. I e-mailed my friend a Windows Explorer screenshot and told myself that even if I later trashed the disk drive, at least I had the CD to give him.

Fixing the Partition Table on the Hard Drive

My friend was delighted that his daughter would soon have her data back. He told me that if I was short on time--and I was--that it would be enough simply to get the data partition back. So I contented myself with only partitioning the drive that far.

Remembering that fdisk numbers the cylinders starting at 1 rather than 0, I told the HDD to

1. delete the old 0x44 partition
2. create a primary partition of about 16GB (2073 cylinders)
3. create an extended partition starting at cylinder 2074
4. create a FAT32 partition starting at cylinder 2074, occupying 127 cylinders and ending at the end of cylinder 2200

like this:

Command (m for help): m
Command action
a   toggle a bootable flag
b   edit bsd disklabel
c   toggle the dos compatibility flag
d   delete a partition
l   list known partition types
m   print this menu
n   add a new partition
o   create a new empty DOS partition table
p   print the partition table
q   quit without saving changes
s   create a new empty Sun disklabel
t   change a partition's system id
u   change display/entry units
v   verify the partition table
w   write table to disk and exit
x   extra functionality (experts only)
Command (m for help): p
Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders
Units = cylinders of 16065 * 512 bytes
Device Boot    Start       End    Blocks   Id  System
/dev/hdd1   *         1      5005  40202631   44  Unknown
Command (m for help): d
Partition number (1-4): 1
Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-5005, default 1): 
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-5005, default 5005): 2073
Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (2074-5005, default 2074): 
Using default value 2074
Last cylinder or +size or +sizeM or +sizeK (2074-5005, default 5005): 
Using default value 5005
Command (m for help): n
Command action
l   logical (5 or over)
p   primary partition (1-4)
l
First cylinder (2074-5005, default 2074): 
Using default value 2074
Last cylinder or +size or +sizeM or +sizeK (2074-5005, default 5005): 2200
Command (m for help): p
Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders
Units = cylinders of 16065 * 512 bytes
Device Boot    Start       End    Blocks   Id  System
/dev/hdd1             1      2073  16651341   83  Linux
/dev/hdd2          2074      5005  23551290    5  Extended
/dev/hdd5          2074      2200   1020096   83  Linux
Command (m for help): t
Partition number (1-5): 5
Hex code (type L to list codes): L
0  Empty           1c  Hidden Win95 FA 65  Novell Netware  bb  Boot Wizard hid
1  FAT12           1e  Hidden Win95 FA 70  DiskSecure Mult c1  DRDOS/sec (FAT-
2  XENIX root      24  NEC DOS         75  PC/IX           c4  DRDOS/sec (FAT-
3  XENIX usr       39  Plan 9          80  Old Minix       c6  DRDOS/sec (FAT-
4  FAT16 <32M      3c  PartitionMagic  81  Minix / old Lin c7  Syrinx         
5  Extended        40  Venix 80286     82  Linux swap      da  Non-FS data    
6  FAT16           41  PPC PReP Boot   83  Linux           db  CP/M / CTOS / .
7  HPFS/NTFS       42  SFS             84  OS/2 hidden C:  de  Dell Utility   
8  AIX             4d  QNX4.x          85  Linux extended  df  BootIt         
9  AIX bootable    4e  QNX4.x 2nd part 86  NTFS volume set e1  DOS access     
a  OS/2 Boot Manag 4f  QNX4.x 3rd part 87  NTFS volume set e3  DOS R/O        
b  Win95 FAT32     50  OnTrack DM      8e  Linux LVM       e4  SpeedStor      
c  Win95 FAT32 (LB 51  OnTrack DM6 Aux 93  Amoeba          eb  BeOS fs        
e  Win95 FAT16 (LB 52  CP/M            94  Amoeba BBT      ee  EFI GPT        
f  Win95 Ext'd (LB 53  OnTrack DM6 Aux 9f  BSD/OS          ef  EFI (FAT-12/16/
10  OPUS            54  OnTrackDM6      a0  IBM Thinkpad hi f0  Linux/PA-RISC b
11  Hidden FAT12    55  EZ-Drive        a5  FreeBSD         f1  SpeedStor      
12  Compaq diagnost 56  Golden Bow      a6  OpenBSD         f4  SpeedStor      
14  Hidden FAT16 <3 5c  Priam Edisk     a7  NeXTSTEP        f2  DOS secondary  
16  Hidden FAT16    61  SpeedStor       a9  NetBSD          fd  Linux raid auto
17  Hidden HPFS/NTF 63  GNU HURD or Sys b7  BSDI fs         fe  LANstep        
18  AST SmartSleep  64  Novell Netware  b8  BSDI swap       ff  BBT            
1b  Hidden Win95 FA
Hex code (type L to list codes): b
Changed system type of partition 5 to b (Win95 FAT32)
Command (m for help): p
Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders
Units = cylinders of 16065 * 512 bytes
Device Boot    Start       End    Blocks   Id  System
/dev/hdd1             1      2073  16651341   83  Linux
/dev/hdd2          2074      5005  23551290    5  Extended
/dev/hdd5          2074      2200   1020096    b  Win95 FAT32
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.
pav23:/home/collin # mount -t vfat -o ro /dev/hdd5 /mnt
pav23:/home/collin # ls /mnt
[[DELETED... it worked]]
pav23:/home/collin #

I congratulated myself, disconnected the drive from the ribbon cable, put my spare desktop back together and cleaned up the den. I then returned the disk drive to my friend, along with the CD I had burned.

Sidebar 1. Review of IDE/ATA Nomenclature

A typical PC has two IDE buses, allowing four separate disk or CD drives to be connected:

IDE bus 0
     +-------- "master" = /dev/hda
     +-------- "slave" = /dev/hdb
              
IDE bus 1
     +-------- "master" = /dev/hda
     +-------- "slave" = /dev/hdb

Note that one drive on a given IDE bus is the so-called "master" and one is the "slave." These are traditional misnomers, but the thing to remember is that conflicts must be avoided. For example, two masters on a single bus equals bad medicine.

If you have only one disk or CD drive on a given IDE bus, it used to be important to make sure this one drive was configured as master. It may or may not be necessary for your particular controller. I've violated this rule at times and nothing bad has happened. But, if you have a slave-without-master configuration and things are flaky or don't work at all, it might be worth a try to make the slave into the master.

What determines whether a particular drive is a master or a slave on the bus? Every ATA drive I've seen answers this question with one word: jumper. Depending on the position of the jumper(s), a drive can declare itself to be master, declare itself to be slave or say cable select. Cable select means the drive's orientation depends on which connector on the cable it's plugged into. Apparently there is a wiring trick on the cable that allows the drive to know which connector it's plugged into and, hence, whether it should respond to commands directed at the master or the slave drive. I don't recommend the cable select (CS) setting, because of past reports of flaky behavior.

Sidebar 2. Review of Disk Addressing

Here is a brief tutorial for those unfamiliar with C/H/S addressing. More elegant explanations probably are available elsewhere on the Web, but here's my take on the topic.

Imagine your disk drive as a set of platters stacked one above the other and spinning in unison. The platters are divided into concentric tracks, with track 0 typically nearest the outer rim. One point in the platters' rotation is arbitrarily defined as "sector 0".

Each platter is coated on both sides with magnetic material. Just micro-inches from each surface is a head that can read or write data. The heads can move toward the outer rim or toward the center of the platters, but they do not spin. To read and write data on a particular sector on a particular track, the heads must "seek" to the appropriate track, settle into place and then wait for the desired sector to pass under the heads so that the data can be read or written.

In the old days, disk drives could be accessed in "surface mode" or "cylinder mode". In surface mode, head 0 track 0 is followed by head 0 track 1, then head 0 track 2, and so on. At the end of each track, you have to move the head to the next track. This makes surface mode slow, but it was useful for disk drives with one fixed and one removable platter.

In cylinder mode, head 0 track 0 is followed by head 1 track 0 and so on. That is, once sector 0 is under the heads, you don't have to move the heads right away. Instead, you switch to using the next read/write head. Only when you've read track 0 with all heads do you need to move the heads to track 1. This group, track 0 on all heads, collectively is referred to as cylinder zero.

The BIOS on most PCs and utilities such as fdisk refer to blocks on the disk in terms of cylinder, head and sector numbers. For historical reasons, the heads are numbered starting at 0, and the number is represented in 8 bits. Sectors are numbered starting at 1, and the numbers are represented in 6 bits. Cylinders are numbered from 0 and are represented in 10 bits. Older BIOSes could address the disk using only this C/H/S method; thus, they could address only the first 1024 cylinders on a drive. This is why it used to be important to put your Linux kernel on a partition that was contained entirely within the first 1024 cylinders.

When you buy a disk drive today, you likely will see "255 heads, 63 sectors, N cylinders" written on it. There are not really 255 heads in such a disk drive, but the drive identifies itself that way to the BIOS to allow C/H/S addressing to get at the largest possible area on the disk.

Although the cylinders are fictional nowadays, the BIOS and the partitioning utilities still want disk partitions to begin at cylinder boundaries.

By the way, newer BIOSes aren't restricted to C/H/S addressing, in particular to the old 1024-cylinder limit. Instead, every 512-byte block on the disk drive can be addressed using a 32-bit linear address space. This is what "lba32" in lilo.conf means. Newer BIOSes thus can access over a terabyte (1000 gigabytes), which ought to be enough for at least a few more months.

gnu parted

Submitted by Anonymous (not verified) on Wed, 2005-11-09 01:09.

Numerous times I've had to recover lost partition tables for windows machines.

I usually boot from a Knoppix live cd and then take it from there.

I once even wrote a script to search for the start of the NTFS partition based on the NTFS signature (which worked, but took few moments to do.)

The I learned there's the same functionality in GNU Parted:

info parted
===============================================================
2.4.12 rescue
-------------

-- Command: rescue START END
rescue a lost partition that used to be located approximately between START and END. If such a partition is found, Parted will ask you if you want to create a partition for it. This is usefulif you accidently deleted a partition with parted's rm command, for example.

Example:

(parted) print
Disk geometry for /dev/hdc: 0.000-8063.507 megabytes
Disk label type: msdos
Minor Start End Type Filesystem Flags
1 0.031 8056.032 primary ext3
(parted) rm
Partition number? 1
(parted) print
Disk geometry for /dev/hdc: 0.000-8063.507 megabytes
Disk label type: msdos
Minor Start End Type Filesystem Flags

OUCH! We deleted our ext3 partition!!! Parted comes to the
rescue...

(parted) rescue
Start? 0
End? 8056
Information: A ext3 primary partition was found at 0.031MB ->
8056.030MB. Do you want to add it to the partition table?
Yes/No/Cancel? y
(parted) print
Disk geometry for /dev/hdc: 0.000-8063.507 megabytes
Disk label type: msdos
Minor Start End Type Filesystem Flags
1 0.031 8056.032 primary ext3

It's back! :)
===============================================================

It even recognizes way more file system types.

 

od -t x1

Submitted by Anonymous (not verified) on Tue, 2005-11-08 19:46.

You can use od -t x1 to print bytes in hex.

gpart

Submitted by sq5bpf (not verified) on Tue, 2005-11-08 14:55.

you could just use gpart to find the lost partitions ( http://www.stud.uni-hannover.de/user/76201/gpart/ ). this would shorten the article to:
- connect the disk
- make an image (just in case)
- make gpart guess the partition table
- fdisk -l /dev/hdd - and voila - the xp partition is back
- mount the partition, burn a cd etc...

sorry to spoil your fun :)

re: gpart

Submitted by collin (not verified) on Tue, 2005-11-08 17:10.

Very cool. Thanks for telling us about this; I will definitely remember the next time this kind of problem comes up.

 

re: re: gpart

Submitted by ray (not verified) on Wed, 2005-11-09 06:24.

a gpart rpm is on the SuSE 8.0 Pro CDs

 

Should the IDE Bus diagram

Submitted by Anonymous (not verified) on Tue, 2005-11-08 10:44.

Should the IDE Bus diagram under "Sidebar 1. Review of IDE/ATA Nomenclature" read:

IDE bus 1
+-------- "master" = /dev/hdc
+-------- "slave" = /dev/hdd

re: Should the IDE Bus diagram

Submitted by collin (not verified) on Tue, 2005-11-08 17:04.

Absolutely correct! Thanks for catching that!
IDE1 has "master" hdc and "slave" hdd.

 

File System Analysis Techniques

Search. In this scenario, we will search the unallocated space of the "wd0e.dd" image for the string "abcdefg". The first step is to extract the unallocated disk units using the "dls" tool (as this is an FFS image, the addressable units are fragments).

     # dls -f openbsd images/wd0e.dd > output/wd0e.dls

Next, use the UNIX strings(1) utility to extract all of the ASCII strings in the file of unallocated data. If we are only going to be searching for one string, we may not need to do this. If we are going to be searching for many strings, then this is faster. Use the '-t d' flags with "strings" to print the byte offset that the string was found.

     # strings -t d output/wd0e.dls > output/wd0e.dls.str

Use the UNIX grep(1) utility to search the strings file.

     # grep "abcdefg" output/wd0e.dls.str | less
     10389739: abcdefg

We notice that the string is located at byte 10389739. Next, determine what fragment. To do this, we use the 'fsstat' tool:

     # fsstat -f openbsd images/wd0e.dd
     <...>
     CONTENT-DATA INFORMATION
     --------------------------------------------
     Fragment Range: 0 - 266079
     Block Size: 8192
     Fragment Size: 1024

This shows us that each fragment is 1024 bytes long. Using a calculator, we find that byte 10389739 divided by 1024 is 10146 (and change). This means that the string "abcdefg" is located in fragment 10146 of the "dls" generated file. This does not really help us because the dls image is not a real file system. To view the full fragment from the dls image, we can use dd:

     # dd if=images/wd0e.dd bs=1024 skip=10146 count=1 | less

Next, we will identify where this fragment is in the original image. The "dcalc" tool will be used for this. "dcalc" will return the "address" in the original image when given the "address" in the dls generated image. (NOTE, this is currently kind of slow). The '-u' flag shows that we are giving it an dls address. If the '-d' flag is given, then we are giving it a dd address and it will identify the dls address.

     # dcalc -f openbsd -u 10146 images/wd0e.dd
     59382

Therefore, the string "abcdefg" is located in fragment 59382. To view the contents of this fragment, we can use "dcat".

     # dcat -f openbsd images/wd0e.dd 59382 | less

To make more sense of this, let us identify if there is a meta data structure that still has a pointer to this fragment. This is achieved using "ifind". The '-a' argument means to find all occurrences.

     # ifind -f openbsd -a images/wd0e.dd 59382
     493

Inode 493 has a pointer to fragment 59382. Let us get more information about inode 493, using "istat".

     # istat -f openbsd images/wd0e.dd 493
     inode: 493
     Not Allocated
     uid / gid: 1000 / 1000
     mode: rw-------
     size: 92
     num of links: 1
     Modified: 08.10.2001 17:09:49 (GMT+0)
     Accessed: 08.10.2001 17:09:58 (GMT+0)
     Changed: 08.10.2001 17:09:49 (GMT+0)
     Direct Blocks:
     59382

Next, let us find out if there is a file that is still associated with this (unallocated) inode. This is done using "ffind".

     # ffind -f openbsd -a images/wd0e.dd 493
     * /dev/.123456

The leading '*' identifies the file as deleted. Therefore, at one point, the file '/dev/.123456' allocated inode 493, which allocated fragment 59382, which contained the string "abcdefg".

If "ffind" returned with more than file that had allocated inode 493, it means that either both were hard-links to the same file or that one file (chicken) allocated the inode, it was deleted, a second file (egg) allocated it, and then it was deleted. The string belongs to the second file, but it is difficult to determine which came first. On the other hand, if "ffind" returns with two entries where one deleted and one not, then the string belongs to the non-deleted file.

As previously mentioned, Autopsy will do all of this for you when you do a keyword search of unallocated space.

Smart Tip for installing Windows with NTFS

Windows NT, 2000, 2003, and XP with the NTFS (New Technology File System) cannot always be installed using the Repair Console, so creating a third drive is a smart idea. The following only pertains to those people who wish to use NTFS. The following will elimate the need for formatting and losing all your files the next time you install Windows.

Without a FAT or FAT32 drive the DOS Setup program will not be able to copy files to the hard drive, even if you install from the CD-ROM. Windows NT, 2000, and XP need a FAT or FAT32 to copy files to. It cannot see the NTFS partition yet. This is not the case if you install Windows from inside of Windows NT, 2000, 2003, or XP.

Lets say you currently have only the C drive and a CD-ROM, you will need to fdisk and format the C drive into at least two drives, a C and a D. Make a D drive that is NTFS and a C drive in FAT32 that is large enough to hold your I386 folder times 2.5 times the size of the I386 folder. You will need the C drive large enough for the I386 folder and the copying of files for the Windows installation. Just copy the entire I386 folder to the C drive , do not make it a sub folder. You now can make your D drive NTFS for added security. If you only have a Recovery Cd, you can create either a CD with the I386 folder on it or move the I386 to a partition that is FAT ot FAT32 while you are setting up you new partitions. If you are coping the I386 folder that was installed to your hard drive by a recovery CD then read the section How to make a Windows CD.

Now you need only to change the settings in the Registry so Windows can find them when it needs them if you already had Windows installed to a different drive other than the C drive. You will need to go to the Registry Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup and change the location for "SourcePath" to the new Drive letter (E:) Also change the setting at "Installation Sources". You should also change the setting "SourcePath" at the Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

Now when you need to reinstall Windows  you can use a Windows 9x or ME startup disk to get to the command prompt, or the XP / 2000 Repair console. If you use a 9x or ME disk you will go to the C drive at the Command prompt. Windows 9x  can only see FAT or FAT32, DOS cannot see any NTFS drives. You can go to the C:\I386 folder and type "Winnt" without the quotes. This will start the installation, and all files will be copied to the C drive. When you reboot to finish the installation, setup will then ask you where to install Windows to

Making a Windows Installation CD from a Recovery Disk

I have been asked many times "I have Windows XP, how can I install Windows without having to lose all my files. I only have a Recovery Disk". Well it is really very simple, so long as you have a CD burner; or at least a second hard drive.

If you have a Recovery CD from your computer manufacturer, the Recovery CD will install the Windows installation files to a folder, normally to C:\I386 or C:\Winnt\I386 or C:\Windows\I386 . Open the Windows Explorer and look for them. Make sure you have the file Winnt.exe, Winnt32.exe and EULA.txt. Each version of Windows has a different number of files and almost all the files will be compressed so they will have an underscore at the end of the file extension like "Shell32.dl_"

You can do a search for the folder I386. You will need to copy the entire folder to your CD burner. Do not change the  name of the folder and do not make it a sub folder as in E:\Windows\I386 , it must be E:\I386. This folder will contain about 1000 or more files, in some cases nearly 1500 files.

Be sure to review the section A little updated info before making the CD.

Now comes the tough part, getting the Windows CD Key. The NT platform does not store the CD Key in the Registry in plain text as on the Windows 9x platform. It stores only the Product ID, which is different each time you reinstall windows. So you will need to check your computer for it. My laptop has a Windows CD Key pasted to the bottom of it. Your Recovery CD may have it on its label, or your paper work has it written somewhere. If you cannot find the key you can modify the file I386\Setupp.ini

For Windows 9x click here.

To modify the Setupp.ini file, open it in notepad. It will look like this:
[Pid]
ExtraData=6376796F71737A76767385CA66F124
Pid=51873OEM

Change the OEM to 270  on the Pid Value so it looks like this:
[Pid]
ExtraData=6376796F71737A76767385CA66F124
Pid=51873270

This should work on most CDs. This will allow you to install Windows 2000 without a serial number, this will NOT work on evaluation versions of Windows, or Windows 2003.

For those who do not know how to start the installation of Windows for NT, XP, 2000, and 2003 there are two files available in the I386 folder. The file Winnt.exe will start the installation from a DOS prompt, and Winnt32.exe will start it within Windows. If you have a problem with Winnt32.exe when in Windows you can use the Winnt.exe instead, however it is much slower.

Data Recovery Software - Zero Assumption Recovery

• Zero Assumption Recovery is a suite of highly effective data recovery software.
• Our tools can help you recover your data if it is lost due to accidental reformatting, power spike, virus attack, hardware malfunction or some other reason.
• The toolkit contains several tools, allowing the following tasks to be performed:
• Data recovery for Windows (ZAR32). ZAR32 recovers FAT16/FAT32/NTFS file systems.
• Recover data from a damaged FAT16/FAT32 volume (ZARFAT).
• Recover data from a damaged NTFS volume (ZARNTFS).
• Additionally, we developed a free tool to: Recover digital camera images (Zero Assumption Digital Image Recovery). 

Norton Systemworks 2005

• Norton Utilities

  • Optimizes and defragments files for faster hard drive performance.

  • Detects and fixes many Windowsr and disk problems automatically.

  • Can monitor your PC continuously to spot problems before they occur.
     

• Norton GoBack

  • NEW! SafeTry Mode creates a temporary environment that allows you to test new programs and accept or reject changes to your system.

  • NEW! Familiar, intuitive search bar makes it easy to find the files or folders you want to restore.

  • Restores your disk drive to a previous healthy state after a system crash, failed software installation, user error, virus attack, or other problem.

  • Allows you to restore just the files or folders you need, or an entire drive.
     

CHKNTFS command

You are probably familiar with the chkdsk command, but you may not know that there is a new command available with Win2000: chkntfs.  Here is the usage and syntax:

C:\>chkntfs /?

Displays or modifies the checking of disk at boot time.

CHKNTFS volume [...]
CHKNTFS /D
CHKNTFS /T[:time]
CHKNTFS /X volume [...]
CHKNTFS /C volume [...]

volume Specifies the drive letter (followed by a colon), mount point, or volume name.

/D Restores the machine to the default behavior; all drives are checked at boot time and chkdsk is run on those that are
dirty.

/T:time Changes the AUTOCHK initiation count down time to the specified amount of time in seconds. If time is not specified, displays the current setting.

/X Excludes a drive from the default boot-time check. Excluded drives are not accumulated between command invocations.

/C Schedules a drive to be checked at boot time; chkdsk will run if the drive is dirty.

If no switches are specified, CHKNTFS will display if the specified drive is dirty or scheduled to be checked on next reboot.

NOTE: You, the customer, are solely responsible for data security. WinBook strongly recommends that you perform a backup of all personal data contained on your system prior to performing this procedure. Warning: WinBook will NOT be held responsible for any data loss incurred during this process.

Basic error checking

1. Double left click on the My Computer icon
2. Right click on the “C:” drive
3. Left click on Properties
4. Left click on the Tools tab
5. Left click on Check Now … under Error-checking
6. Left click Start

If you want to do a more in-depth error checking there are 2 other options available:

First option is to Automatically fix file system errors (choosing this option will require a restart of the computer to run).  When choosing this option you will see a box pop up that says, "The check disk could not be preformed because exclusive access to the drive could not be obtained.  Do you want to schedule this disk check to occur next time you restart the computer?"

When prompted for this you would choose Yes if you want it to run on the next reboot of the system.

The second option for error checking is Scan for and attempt recovery of bad sectors (this will not require a restart of the system)

 

---

Copyright © 1996-2007 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Recommended Links

Failing Disk Imagers Several disk imagers with the capability of skipping errors.

HDDRecovery...data recovery for failed hard drives - dead disk

Partition (computing) - Wikipedia, the free encyclopedia

**** System recovery with Knoppix

*** NewsForge/Linux to the Rescue A Review of Three System Rescue Cds. The author did not mentioned rip (R)ecovery (I)s (P)ossible Linux rescue system. Here is some information  from rip-55.readme

The bootable cd image `rip-55.iso.bin' can be written to a cd/dvd disk, using cdrecord/dvdrecord etc.

The kernel has IDE and SCSI support. The kernel also has RAID and Ethernet/cable/dsl networking support.

These are some of the programs it contains (partimage, parted, reiserfsck, cfdisk, sfdisk, mke2fs, e2fsck, tune2fs, debugfs, mkfs.xfs, jfs_mkfs,jfs_fsck, xfs_repair, cdrecord/dvdrecord, mkisofs, growisofs, ntfsresize, mkntfs, convertfs, losetup + AES encryption, lynx, mutt, fetchmail, ncftp,
irc, tin, telnet, wget, zgv).

It also includes the DVD udf filesystem packet writing tools (cdrwtool, mkudffs, pktsetup).

The 'reiserfsck' program is used to check and repair  a linux reiserfs filesystem.

The 'xfs_repair' program is used to repair a linux xfs filesystem.

The 'jfs_fsck' program is used to check and repair  a linux jfs filesystem.

The 'e2fsck' program is used to check and repair a linux ext2 or ext3 filesystem.

The 'ntfsresize' program non-destructively resizes Windows XP/2000/NT4 or Windows Server 2003 NTFS filesystems. Read /usr/doc/ntfsresize.txt on the rescue system.

The partition image program 'partimage' saves partitions in the ext2, ext3, reiserfs, jfs, xfs, ufs, ntfs, fat16, and fat32 formats to an image file. Only used blocks are copied to save space and increase the speed. The image file can be compressed, in gzip or bzip2 formats.

Google Directory - Computers Software Disk Management Error Checking and Repair

Open Directory - Computers Software Disk Management Error Checking and Repair

***** Sysinternals Freeware The Sysinternals web site provides you with advanced utilities, technical information, and source code related to Windows NT/2000/XP/2K3 and Windows 9x, Windows Me internals that you won't find anywhere else. Mark Russinovich and Bryce Cogswell alone write and update everything here.

SourceForge.net Project Info - Linux Disk Editor

lde is a disk editor for linux, originally written to help recover deleted files. It has a simple curses interface that was supposed to resemble an old version of Norton Disk Edit for DOS. Works well with ext2, minix, xiafs. Not so hot w/fat and iso9660

Norton Systemworks 2003 (Full Product) (Symantec-10025223) - PC World.com Product Finder

Norton System Works review

NTFS.com Hard Drive Data Recovery Information

Data Recovery Software - File System Utilities

Partition Recovery Software and NTFS Recovery - NTFS Undelete and FAT Recovery

How I recovered an unbootable NTFS Windows System

Hard Drive Data Recovery Software Tools, Disk Recovery Utilities -Stellar

Easy recovery, Easyrecovery, FAT recovery, NTFS recovery, Undelete fat, Undelete NTFS, Undelete utilities

Free Programs, Useful Tools (If you're a tech at heart or an Assembly programmer, then read my page on The MBR in Detail here. )

http://www.phystechsoft.com/en/index

Download: PTSDE104.ZIP now!  
V.1.04 (30 NOV 1998) [162 kb .zip]

NOTE: Direct disk access is not allowed under Win2k/XP. Therefore you must use a DOS boot diskette! For a Review of PTS-Disk Editor and SCREENSHOTS click here.
PTS Disk Editor: CAUTION: Do NOT attempt to WRITE to (Edit) any portion of your hard drive while MS-Windows ( or any other 'active' Operating System that randomly writes to your disk ) is running!   NORTON Disk Edit doesn't have 3 separate detailed WARNING Screens about this for nothing!! They're protecting themselves every way they can! As a matter of fact, Norton tells the Windows-dependent novice who knows nothing of DOS consoles, that it's impossible to run Disk Edit with Windows running (NOT true)! There are NO warning messages at all before the PTS-Disk Editor pops-up ready to go !! But, hey, that's the main reason I like it! If I ever wanted to make a change without having to shut-down the OS, then PTSDE gives me NO hassle. Saving any data DISPLAYED by PTSDE as a binary or text file is, unfortunately, a difficult thing to do! Although you could use a DOS-Window to copy and then paste what you see into a text file, this version of PTS-DiskEditor does NOT allow you to 'dump' sectors to a file like NORTON's DISKEDIT does! ( Note: This is the ONLY free program available from this company, and there are no help files included. SEE my Review of the PTS-Disk Editor for usage instructions! Or, see PTSDE's readme file - PTSde104.txt right now.)

Recommended Articles

FAT32 or NTFS Making the Choice

Choosing the file system to use on a Windows XP system is seldom easy, and frequently it's not just a one time decision.. Different factors can blur the decision process, and some tradeoffs are more than likely. No matter what method you choose to adopt Windows XP, you will have to face the FAT32 versus NTFS decision. Clean and upgrade installs both require you to address the situation early on in the process. Later on, if you add a drive or repartition an existing drive the decision process faces you yet again. Circumstances may dictate the choice for you, but in most cases the options have to be weighed and the tradeoffs of using each method analyzed. Let's look at the available choices.

File System Choices

Most articles discussing file system choices look at FAT32 and NTFS as the two available choices. In reality, there are three systems which could be selected. FAT, FAT32, and NTFS. Granted, FAT32 and NTFS are the primary choices, but on occasion you'll still find the need for a FAT volume. A FAT volume has a maximum size of 2GB and supports MS-DOS as well as being used for some dual boot configurations, but backward compatibility is about  the only reason I can think of that FAT should ever be used, other than for the occasional floppy diskette. That said, let's move on to FAT32 and NTFS.

Which File System to Choose?

As much as everyone would like for there to be a stock answer to the selection question, there isn't. Different situations and needs will play a large role in the decision of which file system to adopt. There isn't any argument that NTFS offers better security and reliability. Some also say that NTFS is more flexible, but that can get rather subjective depending on the situation and work habits, whereas NTFS superiority in security and reliability is seldom challenged. Listed below are some of the most common factors to consider when deciding between FAT32 and NTFS.

The Naked PC Newsletter

This article concludes a series on Norton Utilities ("NU"), and covers Rescue Disk, Registry Tracker, Registry Editor, Integrator, and the DOS-based Disk Editor.

(Note: Of these tools, only Integrator is Windows 2000 compatible.)

Rescue Disk can produce two different types of disk sets. A "basic rescue set" is a set of floppies, at least one of which is bootable to a DOS prompt, that also includes tools to help you investigate and repair whatever problem has caused the PC to need rescuing. A "Norton Zip rescue set" writes data to an Iomega Jaz or Zip cartridge, along with one bootable floppy. A Norton Zip rescue set will boot you back to Windows (not MS-DOS), at which point the Rescue Recovery Wizard starts automatically. Personally, although I make a basic rescue set whenever I upgrade NU (that's maybe once a year), I don't take Symantec's advice to keep my rescue set updated. I don't even bother to make a Norton Zip rescue set even though I have a nice Iomega Zip 250 drive.

Why? If a PC is so out of whack that it can't boot, in my opinion it's time for a scorched-earth reformat/reinstall (note that I *do* keep all my data religiously backed up; otherwise of course I'd be inviting misery by not at least trying to do a rescue).

Registry Tracker monitors changes that either programs or you make to your PC's Registry keys, INI files, startup files (like autoexec.bat and config.sys), and data files and folders. (Registry Tracker can't show you the exact changes made to data files but it can keep snapshots of them so you can restore from a previous version.) If you elect to track a folder, the tool takes a snapshot whenever the folder contents change so you can see what files were added or deleted.

I find Registry Tracker's user interface very awkward and confusing. To me, it does not makes sense to tie up system resources with this type of tool constantly monitoring the Registry et al. I don't install suspect applications on my system, and if for some reason I have to, I do that on a test PC (or a test partition on my production PC) that I can quickly and easily delete and recreate. What do I do if a program really wrecks a PC under my care? I roll back to the previously known- good version of the Registry using the free, built-in Windows Registry Checker. For more information on using the Registry Checker to roll back the Registry, see pp. 321-323 of our ebook "The Book That Should Have Come with Your Computer."
http://www.TheNakedPC.com/t/419/tr.cgi?lee1

Norton Registry Editor offers two conveniences not provided by Windows' own built-in Registry Editor tool (Regedit.exe). First, Norton's version has an interface for making a backup (select File, Backup Entire Registry, enter a filename, Save). Second, Norton's version supports bookmarks so you can mark your most frequently visited Registry keys. Unfortunately this feature is not name-based so you can't assign your own names to Registry bookmarks. Instead there is a tree-style listing of all the bookmarks you've created. It's easy to traverse the list if you only have a few bookmarks but with more than about 10 the list can quickly become overwhelming. I'd prefer that NU offer a name- based system so that I could bookmark the key "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Today" with the name "Outlook_Today_Disable".

Integrator is just a fancy wrapper interface for all of NU's tool. It is a helpful control panel, and that's all there is to say about that.

Disk Editor is a tool for advanced users. It allows you to view and edit a hard disk down at the sector and byte level, from inside a DOS window. You can *really* get yourself into trouble with this tool, but it can occasionally come in handy, say, if you wanted to study the binary file structure of a Word document. Not something any of us are likely to do on a daily basis, but you never know.