
Hard Drive Bad Boot Sector Windows 8

25 replies to this topic

#1
blackillusion

Hey guys I've come across your community after some google searching and have seen some well versed folks in partition recovery.

My issue here is a laptop running windows 8 appears to have had a hard shut down thus messing up the partitions or something. I must note I am a newbie when it comes to in depth. I have imaged the disk, twice actually once with Active partition and once with dsfok.

It appears that the FAT32 partition for the boot is overlapped by two other partitions as shown in the attached pic

I'm not sure what I need to do here. I am a novice. Thanks for any help in advance

Attached Files





#2
jaclaz

Well, run TESTDISK on that disk (or its image) with the log option.
http://www.cgsecurit...g/wiki/TestDisk
http://www.cgsecurit...sk_Step_By_Step
http://www.cgsecurit...:Create_log.gif

You want to allow for searching for "partitions made under Vista".
http://www.cgsecurit...Vista_check.gif

DO NOT "write" anything.

Post the log as attachment (or upload it somewhere and post a link to it).

The screenshot you posted does not provide enough info to provide you with any advice.

jaclaz

#3
Tripredacus


The screenshot you posted does not provide enough info to provide you with any advice.


Maybe not that, but it does appear that the software is warez. :angry:

#4
blackillusion

Hi Jaclaz, seen you pop up in every thread I came across with similar issues. Let's hope I become a happy bunny too lol

Thanks for your help. I'm not sure if anything has been altered.

Attached Files



#5
blackillusion



The screenshot you posted does not provide enough info to provide you with any advice.


Maybe not that, but it does appear that the software is warez. :angry:


I understand your problem here. You must have the same edition to be able to spot that straight away. I do however have a license for partition recovery, I do apologise for the screenshot I will change the license to my paid for version and re-snip

To add, Jaclaz: before I did anything I made an image with Active Partition; it's a dim file. How can I write this back to the drive? I try

dsfi \\.\physicaldrive2 00 *filepath*

and get

\\.\physicaldrive2 - The parameter is incorrect

Attached Files


Edited by blackillusion, 14 March 2013 - 10:17 AM.


#6
jaclaz

The issue at first sight (but I have to re-read and understand better the log) seems to me connected to the sector size of the hard disk.
The disk is reporting 4096 bytes/sector (please read as "Advanced Format"), whilst some data read in the bootsector/PBR BPB is about "normal" 512 bytes/sector data.

Can you post some info on what/how/when happened the issue first time? :unsure:

About dsfo/dsfi, they use a "common between them" syntax with "inverted" source/destination, the needed parameters are 4 (four):
Generically it is:
dsfo <source> <start> <length> <destination>
dsfi <destination> <start> <length> <source>

A <start> of 0 means "from the beginning".
A <length> of 0 means "the whole size of the source".

So you image a whole disk with:
dsfo \\.\PhysicalDriven 0 0 <some path>\image.dsk
which you can read as:
get out of \\.\PhysicalDriven, starting from the beginning, everything and save it as <some path>\image.dsk

and you restore with:
dsfi \\.\PhysicalDriven 0 0 <some path>\image.dsk
which you can read as:
put in \\.\PhysicalDriven, starting from the beginning, everything coming from <some path>\image.dsk

The two 0's in the command line are separated by a space, in your posted command line they look as "00" and the dsfok tools can only interpret them as a single parameter.

jaclaz

#7
blackillusion


The issue at first sight (but I have to re-read and understand better the log) seems to me connected to the sector size of the hard disk.
The disk is reporting 4096 bytes/sector (please read as "Advance Fornat"), whilst some data read in the bootsector/PBR BPB is about "normal" 512 bytes/sector data.


OK

Can you post some info on what/how/when happened the issue first time? :unsure:


I can't specifically tell you what happened. Obviously it's rather new with Windows 8. It had no power when I got it; I opened her up and found it to have some contaminants on multiple pins on the QFP chip, so cleaned it off and resoldered the legs to clear any excess crap off.
She booted and just gave the message BAD BOOT SECTOR. I imagine it may have come into contact with a liquid source or something that contaminated it and shorted it out, thus hard shutting down the hard drive and corrupted data.
I will stress no liquid or contaminants near the hard drive as it was the opposite side of the laptop. I'm not even sure the contaminants are liquid, may just be fag ash...

About dsfo/dsfi, they use a "common between them" syntax with "inverted" source/destination, the needed parameters are 4 (four):
Generically it is:
dsfo <source> <start> <length> <destination>
dsfi <destination> <start> <length> <source>

A <start> of 0 means "from the beginning".
A <length> of 0 means "the whole size of the source".

So you image a whole disk with:
dsfo \\.\PhysicalDriven 0 0 <some path>\image.dsk
which you can read as:
get out of \\.\PhysicalDriven, starting from the beginning, everything and save it as <some path>\image.dsk

and you restore with:
dsfi \\.\PhysicalDriven 0 0 <some path>\image.dsk
which you can read as:
put in \\.\PhysicalDriven, starting from the beginning, everything coming from <some path>\image.dsk

The two 0's in the command line are separated by a space, in your posted command line they look as "00" and the dsfok tools can only interpret them as a single parameter.

jaclaz


Understood. I believe I wrote the command wrong while posting but correctly when I was running the program. I managed to start reading the disk with commands but trying to write the image CREATED with ACTIVE PARTITION (*.dim*) creates that error.

The reason I want to get the image back to disk is because I know it is completely untouched. Whereas the disk has had some software run, testdisk, active and getdataback...

Edited by blackillusion, 14 March 2013 - 02:20 PM.


#8
jaclaz


Understood. I believe I wrote the command wrong while posting but correctly when I was running the program. I managed to start reading the disk with commands but trying to write the image CREATED with ACTIVE PARTITION (*.dim*) creates that error.

Well, I have no idea which format that tool uses, dsfo/dsfi is simply a (very small/compact) dd-like tool and only operates with "RAW images", and as such it is only compatible with "pure" dd-like tools.

The reason I want to get the image back to disk is because I know it is completely untouched. Where as the disk has had some software run, testdisk, active and getdataback...

Well testdisk won't write data, and as well getdataback won't (of course unless you explicitly tell them to write on the disk), cannot say about that other Active tool.

If, by any chance, the .dim image is not a RAW image and the dsfi command "went through" even partially it is very probable (please read as certain :ph34r: ) that the result will be completely "botching" the hard disk.

If you want my advice, STOP fiddling with that disk, NOW!

jaclaz

#9
blackillusion



Understood. I believe I wrote the command wrong while posting but correctly when I was running the program. I managed to start reading the disk with commands but trying to write the image CREATED with ACTIVE PARTITION (*.dim*) creates that error.

Well, I have no idea which format that tool uses, dsfo/dsfi is simply a (very small/compact) dd-like tool and only operates with "RAW images", and as such it is only compatible with "pure" dd-like tools.

The reason I want to get the image back to disk is because I know it is completely untouched. Where as the disk has had some software run, testdisk, active and getdataback...

Well testdisk won't write data, and as well getdataback won't (of course unless you explicitly tell them to write on the disk), cannot say about that other Active tool.

If, by any chance, the .dim image is not a RAW image and the dsfi command "went through" even partially it is very probable (please read as certain :ph34r: ) that the result will be completely "botching" the hard disk.

If you want my advice, STOP fiddling with that disk, NOW!

jaclaz


Noted. Strange thing is with getdataback partitions suddenly appeared readable in windows after a quick search which was strange.....

The image is a raw image created by Active@

So as to where to go from here. Obviously I have that Image from 1st usage. I can open it and recover any files there though there is not much data.

The whole purpose is to try and recover the partitions etc and learn. In worst case scenario I can just format and reinstall windows.

I do really appreciate your help no matter which way it goes.

Edited by blackillusion, 14 March 2013 - 03:24 PM.


#10
jaclaz

As I see it there are three possible issues on that disk:
1) a partition is missing, i.e. there is a "hole" at the beginning of the disk
2) there is seemingly NO overlapping of any kind of the three "current" partitions:
1 * HPFS - NTFS 10 168 31 18 160 14 128000 [WINRETOOLS]
2 P HPFS - NTFS 18 160 15 7402 197 27 118626304 [OS]
3 P HPFS - NTFS 7402 197 28 7600 41 57 3171072 [PBR Image]
so I wonder what is the Active thingy trying to tell us
3) Something is seemingly not right (but it might be a "quirk" in testdisk, see below) with total size of the disk, testdisk senses a geometry of:
Disk /dev/sdc - 500 GB / 465 GiB - CHS 7600 255 63, sector size=4096 - WDC WD50 00LPVT-75G33T0, S/N:152D20337A0C
which should mean that last cylinder is #7599, whilst the last partition is using cylinder #7600 (partially)

All in all the only issue that is connectable to a power down is the corruption/missing of the first partition.

BUT the data found by Testdisk about this possible first partition:
NTFS at 667/224/5
Warning: number of bytes per sector mismatches 512 (NTFS) != 4096 (HD)
filesystem size 85833728
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 16
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 4 5 667 224 6 10729216
NTFS found using backup sector, blocksize=4096, 43 GB / 40 GiB
is however "strange", its beginning could be OK, but the end address (from which the data has been extracted) is well within the [OS] partition, the fact that the found bootsector is using a mismatched bytes per sector value could mean that the found bootsector is actually an around 5 Gb "raw" image (or a residual of it, since the main BPB has not been found).
The latest "standard" is to have (at least on 512 bytes/sector media) the first partition starting at LBA 2048, i.e. at 0/32/33 or with 2048*512=1048576 bytes before.
IF the same is used on a 4 kb/sector device, that would mean LBA 256 or CHS 0/4/5 (which would be "perfectly in line" with the start of the missing partition found by Testdisk).

So, if we take for granted that the start is ok at 0/4/5, we cannot "extend it" beyond 10/168/30 (i.e. immediately before the [WINRETOOLS] partition).
The partition would then be around 700 Mb in size, an uncommon size.

On the other hand, if we take for good the data found by Testdisk about first missing partition, it would be a 40 Gb partition that would "obliterate" the [WINRETOOLS] partition and overlap on the [OS] one.

The specs for the WD5000LPVT tell us that the disk has 976,773,168 available sectors, but that of course relates to 512 bytes/sector:
976,773,168*512=500,107,862,016 which is OK with the other specs of having a capacity (using million bytes) of 500,107 MB
500,107,862,016/4096=122,096,646 sectors
Which means CHS 7600/41/63.
Since last partition the [PBR Image] ends on 7600/41/63 there are 6 sectors unindexed in the partition table, that seems to me another "queer" thing.

Any way to know how it was partitioned originally?
Right now (set apart the 6 sectors at the end) it seems that the only way the disk can be in this situation is that *somehow*:
  • first partition was deleted
  • a new smallish first partition was created (around 700 Mb in size)
  • a new second partition was created ( the [WINRETOOLS] one)
  • the (currently third) partition [OS] was expanded until the end of the [WINRETOOLS] one
  • the 700 Mb in size partition was deleted
of these only last action may be connected to a power failure or to a hardware issue. :unsure:
If this is the case, someone must have "voluntarily" carried the first 4 actions (no matter if recently or some time ago - example: used disk not wiped), and we cannot use the data relative to the "first partition" that TESTDISK found.

Now, if you access "normally" the disk what happens?

I mean all the data in those partitions should be normally accessible, and if the disk does not boot may be related to a number of other things like a missing or corrupted file.
From what Testdisk says, the Active partition is the [WINRETOOLS] one:
Current partition structure:
1 * HPFS - NTFS 10 168 31 18 160 14 128000 [WINRETOOLS]
2 P HPFS - NTFS 18 160 15 7402 197 27 118626304 [OS]
3 P HPFS - NTFS 7402 197 28 7600 41 57 3171072 [PBR Image]
It is possible (check the partitions contents) that the BOOTMGR and \boot\BCD is instead in one of the other two, then all is needed is to set that partition to Active status.

What happens if you try booting the laptop from that disk?

jaclaz

#11
blackillusion

If you try boot it just says bad sector press any key.

I believe its just dell standard or out the box configuration I've read that it is meant to have 6 partitions. http://en.community....1/20312796.aspx

That is a whole lot of info you have posted. I am having difficulty reading on my mobile's screen and will have to have a proper read throughout the post when I am home late tonight.

I think it looks like 2 fat partitions are missing?

#12
jaclaz


If you try boot it just says bad sector press any key.

Yes, but that, as said, would be "compatible" with just the wrong partition being set as active in the MBR.


I believe its just dell standard or out the box configuration I've read that it is meant to have 6 partitions. http://en.community....1/20312796.aspx

Well, that post is about a 1 Tb disk (and NOT a 500 Mb one) partitioned as UEFI/GPT. (yours seems like using the MBR all right)
Testdisk says:

Partition table type: Intel

which means MBR (and NOT GPT)

Which EXACT model is the laptop you have?
If this is accurate:

A total of six partitions were shown: Partition 1 ("ESP", System), partition 2 ("DIAGS", OEM (reserved)), partition 3 (MSR (reserved)), partition 4 ("WINRETOOLS", recovery), partition 5 ("OS", primary), and partition 6 ("PBR Image", recovery).

Then my hypothesis that the disk has been extensively fiddled with appears more probable :whistle:

I think it looks like 2 fat partitions are missing?

No, either three of them are missing (6-3=3 ;)) or more likely only one (of course also two is possible, but while an additional partition for "DIAGS" would make some sense there cannot be more than 4 (Primary) partitions in a MBR partitioned disk, so if more than one is missing, then they were volumes inside an Extended partition, of which there are NO traces found by Testdisk).

That is a while lot of info you have posted I am having difficulty reading on my mobiles screen and will have to have a proper read throughout the post when I am home late tonight.

Sure, and there are a lot of questions/doubts in them, take your time. :)

jaclaz

#13
blackillusion

Ok I have managed to read through, I see what you're saying. I think we are just missing that one partition.

Laptop is an Inspiron 3520

I read what you said about boot/ boot\BCD and upon browsing the fourth partition in Active@ found them (see attachments)

I do apologise if I am missing some of what you are saying or being dumb and not reading properly.

Attached Files


Edited by blackillusion, 15 March 2013 - 05:01 PM.


#14
jaclaz

Yep, that's probably the one.
It is strange however that Testdisk didn't find it. :unsure:
The start of the partition is OK (0/4/5 does equal 256) :thumbup

The size is seemingly not, for two reasons:
  • the number of sectors 1,024,000 does correspond to the given size 500 Mb, but only if sectors are counted as being 512 byte each.
  • the "hole" between 0/4/5 and 10/168/30 is larger than 500Mb, it is 171,008 sectors by 4,096=700,448,768, i.e. roughly 700 Mib (counted in millions)

The 500 Mb volume is "possible" but still it doesn't make much sense that the good Dell guys have left some 175 Mb "empty".

Let's have a "second" opinion.

Get DMDE:
http://softdm.com/
and try scanning the disk with it.

Open the Physical disk, and run a "FAT search".
Then re-open it and run a "NTFS search"
Post screenshots/results

jaclaz
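
The CHS and sector arithmetic worked through in posts #10 and #14 can be checked mechanically. The following is an added example, not part of the thread: the function names are illustrative, and the geometry (255 heads, 63 sectors per track, 4096-byte sectors) and the partition lines are taken from the TestDisk output quoted above.

```python
HEADS, SPT = 255, 63      # geometry TestDisk reported: CHS 7600 255 63
SECTOR = 4096             # bytes per sector as reported in the TestDisk log


def chs_to_lba(c, h, s):
    """Convert a cylinder/head/sector triple to a linear sector number."""
    if not (0 <= h < HEADS and 1 <= s <= SPT):
        raise ValueError(f"CHS {c}/{h}/{s} outside {HEADS} heads x {SPT} sectors")
    return (c * HEADS + h) * SPT + (s - 1)


def lba_to_chs(lba):
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, HEADS * SPT)
    h, s0 = divmod(rem, SPT)
    return c, h, s0 + 1


# (label, start CHS, end CHS, sector count) copied from the TestDisk lines in post #10
PARTITIONS = [
    ("WINRETOOLS", (10, 168, 31), (18, 160, 14), 128000),
    ("OS", (18, 160, 15), (7402, 197, 27), 118626304),
    ("PBR Image", (7402, 197, 28), (7600, 41, 57), 3171072),
]

# WD5000LPVT spec (512-byte sectors) converted to 4096-byte sectors
TOTAL_4K = 976_773_168 * 512 // SECTOR


def audit(partitions, total_sectors, first_lba):
    """Report size mismatches, overlaps, gaps and unindexed trailing sectors."""
    findings = []
    cursor = first_lba
    for label, start, end, count in partitions:
        s, e = chs_to_lba(*start), chs_to_lba(*end)
        if e - s + 1 != count:
            findings.append(("size-mismatch", label, e - s + 1))
        if s < cursor:
            findings.append(("overlap", label, cursor - s))
        elif s > cursor:
            findings.append(("gap-before", label, s - cursor))
        cursor = max(cursor, e + 1)
    if cursor < total_sectors:
        findings.append(("unindexed-tail", None, total_sectors - cursor))
    return findings


if __name__ == "__main__":
    # Start the audit at CHS 0/4/5, the 1 MiB alignment point on a 4K-sector disk.
    for kind, label, sectors in audit(PARTITIONS, TOTAL_4K, chs_to_lba(0, 4, 5)):
        print(kind, label, sectors, "sectors =", sectors * SECTOR, "bytes")
```

The audit reports no overlap among the three listed partitions, one gap ahead of [WINRETOOLS], and a short unindexed tail, matching the figures given in the posts.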

#15
blackillusion

Here is the initial scans as I wait for the fat and ntfs scans:

Capture9 is drive itself

Capture10 is the image of the disk I took before anything ran on it.

Attached Files



#16
jaclaz


Here is the initial scans as I wait for the fat and ntfs scans:

Capture9 is drive itself

Capture10 is the image of the disk I took before anything ran on it.

Then definitely there is a glitch in the TESTDISK (or in the way you used it :whistle: ) :ph34r:

DMDE sees the *same* partitions as the referenced post AND it sees a GPT :yes: disk (and not a MBR one :no: ).

Maybe it is a "hybrid" partitioning. :unsure:

Can you try running again testdisk this time selecting the GPT partitioning scheme here:
http://www.cgsecurit..._table_type.gif
(and post the log)

Seemingly that @Active tool you are using is also thinking that the thingy is MBR (and possibly has actually no support whatever for GPT).

jaclaz

#17
blackillusion


Then definitely there is a glitch in the TESTDISK (or in the way you used it :whistle: ) :ph34r:

Most likely user error lol

DMDE sees the *same* partitions as the referenced post AND it sees a GPT :yes: disk (and not a MBR one :no: ).

Maybe it is a "hybrid" partitioning. :unsure:

Can you try running again testdisk this time selecting the GPT partitioning scheme here:
http://www.cgsecurit..._table_type.gif
(and post the log)

Seemingly that @Active tool you are using is also thinking that the thingy is MBR (and possibly has actually no support whatever for GPT).

jaclaz

Posted Image

As far as it will let me go. Clicking quick search does nothing. Seems like it freezes.

edit: Apologies it just took forever to change to searching.

Edited by blackillusion, 16 March 2013 - 11:46 AM.


#18
jaclaz

Hmmm. :unsure:

Even if DMDE can see the partition structure correctly I seem to remember that it doesn't operate (or doesn't operate fully) on GPT disks.

Time to try gdisk:
http://www.rodsbooks.../repairing.html

I have no experience with it, so I will be of very little help about its use. :blushing:

jaclaz

Edited by jaclaz, 16 March 2013 - 11:49 AM.


#19
blackillusion


Hmmm. :unsure:

Even if DMDE can see the partition structure correctly I seem to remember that it doesn't operate (or doesn't operate fully) on GPT disks.

Time to try gdisk:
http://www.rodsbooks.../repairing.html

I have no experience with it, so I will be of very little help about it's use. :blushing:

jaclaz



I must apologise I did edit my post but probably too slow: It did read and here we are:
Posted Image

Edited by blackillusion, 16 March 2013 - 11:51 AM.


#20
jaclaz


I must apologise I did edit my post but probably too slow: It did read and here we are:

NO need to apologize at all, but still we have "only" 4 partitions in this view AND we do have now a "new" [BOOT] partition that has however an "improbable" size.
Try pressing Enter and doing a Deeper scan...

In any case running gdisk seems like a good idea.

jaclaz

#21
blackillusion


NO need to apologize at all, but still we have "only" 4 partitions in this view AND we do have now a "new"[BOOT] partition that has however an "improbable" size.
Try pressing Enter and doing a Deeper scan...

In any case running gdisk seems like a good idea.

jaclaz

Running Testdisk deeper search was taking forever. I would have to leave it tonight if you think that testdisk will help.

I'm a bit clueless on gdisk :

Posted Image

#22
jaclaz


Im a bit clueless on gdisk :

Which makes a nice, round, TWO of us! :ph34r:

However it shows the exact same partitions TESTDISK showed once in GPT mode.
The only tool (till now) that "sees" something more (or better) is DMDE.

Using the "r" and then the "v" option in gdisk should only provide additional info (and not change the disk contents):
http://www.rodsbooks.../repairing.html

jaclaz

Edited by jaclaz, 17 March 2013 - 01:48 PM.


#23
Tripredacus


If this is Windows 8 on a GPT disk, that MSR partition is required. I'm not sure what it does exactly or how the OS would react without it, but it is a requirement for deployment. I wonder if you can add it back in with that unallocated space. :unsure:
http://technet.micro...y/hh825686.aspx

I should try it out, see how Win8 reacts to that partition suddenly disappearing. :ph34r:
edit: will have to wait until monday... :}

#24
blackillusion

Well here is one for you. I changed sector size on testdisk to 512, ran a quick search, it found the partitions like dmde. I then decided to put it in the laptop and try the recovery disk "automatically repair" and it found the boot and os partitions and repaired them. I am able to boot to windows now no problems.

#25
jaclaz


Well here is one for you. I changed sector size on testdisk to 512 ran a quick search it found the partitionas like dmde. I then decided to put in in the laptop and try the recovery disk "automatically repair" and it found the boot and os partitions and repaired them. I am able to boot to windows now no problems.

That's good news :) though of course we don't really know what actually was the issue, nor what could have been the actual fix :(.
Maybe the actual issue was the originally presumed one (some kind of mismatch between 512 and 4096 bytes sectors) but I wonder how it can happen (unless the original laptop BIOS *somehow* sees the disk as being 512 bytes/sector while when you mount it "externally" to your "work PC" it is seen - correctly - as 4096 bytes/sector :unsure: ).

However, the only important thing is that you are now among the happy bunnies in the basket. :thumbup

jaclaz
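
One way to test the 512 versus 4096 bytes/sector hypothesis directly is to look for a valid GPT header at LBA 1 under each sector size and compare the result with what the host reports. This is an added example, not part of the thread: it assumes a GPT disk, the sample image is constructed in the code, and `build_image`, `probe_gpt` and `diagnose` are illustrative names.

```python
import struct
import zlib

GPT_FMT = "<8sIIIIQQQQ16sQIII"        # UEFI GPT header layout, little-endian
GPT_MIN = struct.calcsize(GPT_FMT)    # 92 bytes
ENTRY_BYTES = 128 * 128               # 128 partition entries of 128 bytes each


def build_image(sector_size, total_sectors=128):
    """Constructed sample: protective MBR plus an empty primary GPT."""
    img = bytearray(sector_size * total_sectors)
    img[446 + 4] = 0xEE                        # MBR entry 0, type 0xEE (GPT protective)
    img[510:512] = b"\x55\xaa"                 # MBR boot signature
    entry_sectors = -(-ENTRY_BYTES // sector_size)   # ceiling division
    fields = [b"EFI PART", 0x00010000, GPT_MIN, 0, 0,
              1, total_sectors - 1,            # this header's LBA, backup header LBA
              2 + entry_sectors, total_sectors - 2 - entry_sectors,
              bytes(16), 2, 128, 128, zlib.crc32(bytes(ENTRY_BYTES))]
    # Header CRC32 is computed with the CRC field itself set to zero.
    fields[3] = zlib.crc32(struct.pack(GPT_FMT, *fields))
    img[sector_size:sector_size + GPT_MIN] = struct.pack(GPT_FMT, *fields)
    return bytes(img)


def probe_gpt(image, candidates=(512, 4096)):
    """Return the sector sizes for which LBA 1 holds a CRC-valid GPT header."""
    hits = []
    for size in candidates:
        sector = image[size:2 * size]
        if len(sector) < GPT_MIN:
            continue
        sig, _rev, hdr_len, crc, _rsv, my_lba, *_ = struct.unpack_from(GPT_FMT, sector)
        if sig != b"EFI PART" or my_lba != 1 or not GPT_MIN <= hdr_len <= len(sector):
            continue
        zeroed = sector[:16] + bytes(4) + sector[20:hdr_len]
        if zlib.crc32(zeroed) == crc:
            hits.append(size)
    return hits


def diagnose(image, reported_sector_size):
    """Compare the sector size the GPT was written with to the one the host reports."""
    types = [image[446 + 16 * i + 4] for i in range(4)]
    hits = probe_gpt(image)
    found = hits[0] if hits else None
    return {
        "protective_mbr": image[510:512] == b"\x55\xaa" and 0xEE in types,
        "gpt_sector_size": found,
        "mismatch": found is not None and found != reported_sector_size,
    }


if __name__ == "__main__":
    # Constructed case: GPT written with 512-byte LBAs, host reporting 4096.
    print(diagnose(build_image(512), reported_sector_size=4096))
```

On a real disk the same probe would be run read-only against the first few sectors of a raw image, never against the .dim file or any other non-raw format.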



