Windows7 C: partition shows as RAW in diskpart?

20 replies to this topic

#1
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Hi,

I was wondering if anyone knew how to fix this issue?

I have a Windows7 Home Premium Toshiba laptop that all of a sudden won't boot into Windows.

The HDD has passed SMART test so it seems ok physically.

On bootup it goes straight into automatic windows recovery, spends 5 minutes at the progress bar then says it can't be fixed automatically.
In the log it says "Boot sector for system disk partition is corrupt"

I put in the Windows7 dvd and go into repair mode, it prompts for the partition, but shows the C: drive as 0 MB.

In command prompt I do "bootrec /scanos", it finds no operating system.

I tried "bootsect.exe /nt60 all /force" to write a new bootsector from the Windows dvd, it completes successfully, I reboot, but same problem.

"bootrec /fixmbr" and "bootrec /fixboot" also completes successfully but still the same problem.

I try "attrib -h -s C:\boot\BCD" & "del C:\boot\BCD" & "bootrec.exe /rebuildbcd" as per http://neosmart.net/...er from the DVD but this fails, because I have no accessible C: drive.

In diskpart it shows the C: partition as RAW.

I have tried livecd of Minitool Partition Wizard and it scans the entire drive for about 2 hours, it says no partition it can recover. The D: drive (Toshiba's recovery partition) is still there and accessible.

Can anyone advise what to do from here? I'm guessing all the files from C: partition are still there but there is an MFT problem?

I would be very grateful to get this partition back the way it was. Thanks for any help!



#2
allen2

allen2

    Not really Newbie

  • Member
  • 1,812 posts
  • Joined 13-January 06
You should try testdisk from a bootable media (my favorite livecd with testdisk is systemrescuecd). Be sure to run it without writing anything and create a log file as it will help other people here (most likely Jaclaz) to help you.
You should also create full raw disk image as it was explained there.

#3
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Thanks. I just ran testdisk without writing. Unfortunately it doesn't look like an easy fix. I did the regular analyze and then deeper analyze and tried to list files with "P" but it says filesystem is damaged, I also tried rebuild bootsector. I hope I didn't make it worse by writing the bootsect.exe operation earlier.

Here is the log and what testdisk shows. I hope there is still a way to fix.

Attached File  bs.PNG   20.15KB   8 downloads
Attached File  deep scan.PNG   24.42KB   9 downloads
Attached File  testdisk.log.txt   26.5KB   7 downloads

#4
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified
Can you post some details on how you remembered the disk was partitioned?
How many partitions, which size (approximated) they were, which filesystem they used, etc.?
From the offset of the first partition it seems like it was partitioned originally under Vista :ph34r: or Windows 7, the first partition seems OK:
1 P HPFS - NTFS 0 32 33 191 89 26 3072000 [System]
though it is "unusually" large for being just the "system" partition (the good MS guys call "system" the "boot" partition and "boot" the "system" one, in order to make things easier :w00t: ) and as well the "last one":
3 P hid. HPFS/NTFS 59508 132 17 60801 80 15 20768768 [HDDRECOVERY]
looks fine.

What was before "between them"?
A single partition?
Did the 1st partition get a drive letter (I presume C:\) and the other partition get another letter (like D:\), and the [HDDRECOVERY] was hidden?

jaclaz

#5
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Hi Jaclaz. I think the disk was just two partitions or maybe three, the C:\ was like 450GB and the D:\ was the [HDDRECOVERY] of like 10-15GB. It's possible there was also a 1.4GB WinRE partition. Is that the [System]? I don't think that one was visible inside Windows but I guess it was always there.

It's a laptop that came already with Windows 7 on it but I'm not sure how they made the partitions at the factory, I think probably in Windows 7 not in Vista but I'm not sure.

I tried to do NTFS scan in DMDE but I think it finds a mess :(

Attached File  dmde.PNG   85.04KB   16 downloads

Edited by rcll, 19 May 2013 - 07:36 AM.


#6
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified
The DMDE screenshot clears enough how the disk was before, most probably:
  • First partition was a type 27, i.e. the "boot" (read as MS system partition) [System] that Windows 7 creates in some cases, and got NO drive letter when booted (but normally this partition is 100 Mb in size)
  • second partition was a large "normal" 07 type one that got C:\ drive letter
  • third partition was a hidden partition (recovery partition) that got no drive letter (because of its 17 hidden type) [HDDRECOVERY]

Now, from the combined results of the TESTDISK log and of the DMDE screenshot, it seems like the "middle partition" structures have been *all* corrupted/overwritten.
This is very unusual :w00t: , as commonly *some* structures can still be identified.

I see a couple of references to "Kaspersky Rescue Disk 10.0" recently downloaded, which you didn't mention among the attempts you made. :unsure:

The $MFT for any NTFS volume bigger than 5 or 6 Gb is on cluster 786432, i.e. 786432*8=sector 6291456 from start of the volume.
If the first partition was originally the "normal" 100 Mb or if it was the current (roughly) 1.5 Gb, it doesn't make much difference, the $MFT of the second volume would anyway be between 2048+204800+6291456=6498304 and 2048+3072000+6291456=9365504

DMDE didn't find any fragment of the $MFT around that area, which is very, very unusual, and not easily explained (in the sense that right now I have no idea of something that can produce the effect of wiping so effectively all $MFT traces :ph34r: ).

Was - by any chance - the volume encrypted?

jaclaz

#7
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Oh all $MFT traces wiped out sounds bad for any files recovery :(

I did try Kaspersky rescue disk but I thought it was just livecd for virus check, I didn't think it would write anything to HDD :( Do you think it already overwrites important parts of the disk?

It is possible there was encryption I will try to find out from the user. Is there any way to recover from that with the password?

#8
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified

Oh all $MFT traces wiped out sounds bad for any files recovery :(

I did try Kaspersky rescue disk but I thought it was just livecd for virus check, I didn't think it would write anything to HDD :( Do you think it already overwrites important parts of the disk?

It is possible there was encryption I will try to find out from the user. Is there any way to recover from that with the password?

Hard to say.

Try quickly running Photorec (the file based recovery tool "companion" of TESTDISK): if files can be found with it, it wasn't encrypted.

jaclaz

Edited by jaclaz, 19 May 2013 - 11:31 AM.


#9
Ponch

Ponch

    MSFN Junkie

  • Patrons
  • 3,287 posts
  • Joined 23-November 05
  • OS:none specified

i wasn't encrypted.

jaclaz

Are you now ? :ph34r: :D

#10
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified


i wasn't encrypted.

jaclaz

Are you now ? :ph34r: :D

Picky today? :unsure:, actually, to be in-line with the previous typo: Picky oday?

jaclaz

#11
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Hehe ;) You can not be encrypted because you help people so clearly :)

So I'm trying photorec like you said and this is what it shows.
Attached File  rec.PNG   20.79KB   5 downloads

It's trying to find files now but I think you're right that it's whole disk encrypted.
Attached File  rec2.PNG   18.93KB   4 downloads


I have password from the user now. Is there a way to fix HDD enough so laptop can boot to the login screen so I can put in the encryption password for this "RAW" windows partition?

I am worried the Kaspersky rescuecd virus scan overwrites some files on HDD, I don't know why it did that. Also worried about the "bootsect.exe /nt60 all /force" overwrite and bootrec /fixmbr & /fixboot that I attempted :(

#12
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified

I have password from the user now. Is there a way to fix HDD enough so laptop can boot to the login screen so I can put in the encryption password for this "RAW" windows partition?

BUT how exactly /which tool was used to encrypt the volume/drive? :unsure:
Bitlocker?

I am worried the Kaspersky rescuecd virus scan overwrites some files on HDD, I don't know why it did that. Also worried about the "bootsect.exe /nt60 all /force" overwrite and bootrec /fixmbr & /fixboot that I attempted :(

Those would only change the "code" part of the MBR and of the PBR's, since it was originally Windows 7 made, the result would be again Windows 7, but I have no idea if bitlocker (if it is that that was used) actually encrypts the PBR also and or if it stores any further back up copy.
BUT, yes, the combined effect of all the tools you ran could well have made things worse, though the issue (since start) was an issue with the bootsector.

I personally find encryption (generally speaking) "totally unneeded, utterly foolish and a perfect way to lose data", but of course opinions may vary on it :whistle:.

Besides being of no actual use (just so you know, "they" are not after you, if they were, they would have already got you :ph34r: ) to the "common user" it implies a far more accurate management of data (and backup strategies), something that the "common user" will never be able to do, being by definition also not capable of implementing a "plain" data backup strategy.

And of course doing *any* of the things you did to a failed disk without first imaging it has been - let's say - a most uncommon procedure :angel (if you need I can be much more explicit than that).

IF it was bitlocker, there are a few tools to recover those, but whether they will work (at all or in this case) cannot say.
See:
http://answers.micro...57-ffb5a750dfcb

jaclaz

Edited by jaclaz, 19 May 2013 - 01:21 PM.


#13
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
I know you hate encryption and I don't use it either but this computer has it :(

I thought it was simple bootsector problem from virus so I make the mistake of doing image after the Kaspersky livecd scan(why this write stuff to HDD?:angry:)

He says now he doesn't think it's bitlocker but he had to enter boot password before windows password, it's some kind of disk encryption so I guess that's why C:\ is RAW.

The system was already not asking for boot password when I got it, and just going straight to Windows startup repair with no solution, but the bootsect overwrite probably didn't help :rolleyes:

Is there any way to get again the original bootsector with the encryption password prompt so it can access the RAW C:\ once more? What do you think can be done now?

#14
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified

I know you hate encryption and I don't use it either but this computer has it :(

Sure, not at all negating the fact, only highlighting its foolishness ;).

I thought it was simple bootsector problem from virus so I make the mistake of doing image after the Kaspersky livecd scan(why this write stuff to HDD?:angry:)

Then you have an image of the disk before the various Windows recovery attempts?
No, the Kaspersky live CD scan (which - again - seems a lot like NOT having been on a LiveCD since data about it are written to the hard disk) would have NOT done *any* harm, rest assured.

He says now he doesn't think it's bitlocker but he had to enter boot password before windows password, it's some kind of disk encryption so I guess that's why C:\ is RAW.

Yep, the whole point is to understand WHICH EXACT form of encryption is it and if there are tools (from the manufacturer of the encryption tool or by third parties) capable of recovering a disk in that situation.
In theory it could be something trifling, like the need to re-write some MBR (or hidden sectors) code, or something that has no way to recover.

The system was already not asking for boot password when I got it, and just going straight to Windows startup repair with no solution, but the bootsect overwrite probably didn't help :rolleyes:

Is there any way to get again the original bootsector with the encryption password prompt so it can access the RAW C:\ once more? What do you think can be done now?

Your next step is to understand *somehow* which specific encryption was it.

jaclaz

#15
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Thanks Jaclaz.

I am waiting to find out from him the name of the encryption now.

The Kaspersky was a livecd but I think it downloaded updates automatically, it's crazy that it writes these files to HDD not to ramdisk or something.

Do you think it wrote Kaspersky files to the main RAW partition? or maybe only write over the [HDDRECOVERY] partition which has no important data?

The Windows recovery attempts was also not smart before imaging :(

#16
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified

Thanks Jaclaz.

I am waiting to find out from him the name of the encryption now.

The Kaspersky was a livecd but I think it downloaded updates automatically, it's crazy that it writes these files to HDD not to ramdisk or something.


Do you think it wrote Kaspersky files to the main RAW partition? or maybe only write over the [HDDRECOVERY] partition which has no important data?

The Windows recovery attempts was also not smart before imaging :(

No, the encrypted partition was simply "not mountable" (either due to the encryption or to the corruption); the Kaspersky, besides having stupidly written on the [System] partition (NOT on the [HDDRECOVERY] one), is innocent.

The "stupidly" may be referred BOTH to the good Kaspersky guys and to the good guy that attempted running an Antivirus on a disk where there was an encryption/partition issue AND having that machine connected to the Internet :w00t: .

It is more likely that the "bootsect.exe /nt60 all /force" has made some damages. :unsure:

Rule of the thumb (for next time :rolleyes: ) is to NEVER (and when I say NEVER, I do mean NEVER) write anything before having made an image (at least of what you are going to overwrite, like the MBR and the PBR's).

Consider how - particularly Notebooks with "recovery partition" and or with hard disk encryption connected to the motherboard - may use non-standard MBR code (less likely non-standard PBR code) and possibly also use some of the hidden sectors, but what the heck, we are talking here of saving a bunch of sectors, not necessarily image the whole disk (for which one may be unable to provide a big enough storage space).
JFYI ;) :
http://en.wikipedia....imum_non_nocere

jaclaz

Edited by jaclaz, 20 May 2013 - 10:39 AM.


#17
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
You're right of course Jaclaz.

I found finally the encryption is McAfee. I have password now and was able to use 'McAfee emergency disk' to write the bootsector. Now there is encryption password prompt when booting up like it used to be, I enter password and it accepts it, but then it says 'cant load OS'.

Do you think there is a way to restore the HDD so the encryption software can recognize it as encrypted? so it can then decrypt it?

Here is how the HDD looks after Mcafee emergency disk repair:
Attached File  diskmanagement.png   23.58KB   7 downloads

It is Disk 1 with 126GB partition and the rest unallocated, which is not correct.

Compared to Disk 3 which is image file of same HDD before emergency disk repair, showing 3 partitions, but probably those are not right either. Usually system is 100MB not 1.46GB right?

What do you think can be done to see some files of this disk?

Edited by rcll, 21 May 2013 - 02:27 PM.


#18
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
After the emergency disk wrote its repair I did another testdisk analyze, deep analyze and rebuildbs. Also dmde scan but it looks very similar to before emergency disk.

Should i try chkdsk or some other tool for corruption?

Is there anything that can be done with disk editor?

Attached File  testdisk.log.txt   15.54KB   2 downloads
Attached File  dmde after erd.PNG   72.9KB   7 downloads

#19
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified

It is Disk 1 with 126GB partition and the rest unallocated, which is not correct.

Yes, but usually (cannot say specifically) there is an option in the encryption software to "convert" the encrypted disk to non-encrypted without booting it.
I am not familiar with McAfee encryption software, and there are more versions of it than stars in the sky, if I recall correctly, how exactly did you write the bootsector?

Maybe the emergency disk "unencrypted" the existing bootsector (which was altered before) instead of replacing it with the original one.
But the partitioning would never be affected by any change to the PBR or VBR or bootsector, if the partitioning layout changed it means that the McAfee Emergency disk changed the MBR! :w00t: :ph34r:

Still following - no offence intended towards the guy that encrypted that disk, that surely did that in perfect good faith :) - my theory that on average users of encryption solution don't know enough about data preservation, it could be that what was given to you was the recovery disk generated on another machine.

I mean, a "normal" MBR (and/or PBR/VBR/bootsector) is made of two parts, code and data.
It is possible that the *whatever* the emergency disk wrote was the "right" code (generic) but the "wrong" data (belonging to another machine). :unsure:

Compared to Disk 3 which is image file of same HDD before emergency disk repair, showing 3 partitions, but probably those are not right either. Usually system is 100MB not 1.46GB right?

Yes, but 100 Mb is the "default" for Windows 7, an OEM (like Toshiba) might well have decided that a larger one was needed/smart/whatever.
Out of the three partitions 1st and 3rd were OK, so I doubt that

What do you think can be done to see some files of this disk?

You need to check if McAfee (or a third party) provides a solution to "convert the disk" to unencrypted (without changing/restoring/whatever) the MBR or the bootsector.

jaclaz

#20
rcll

rcll

    Newbie

  • Member
  • 27 posts
  • Joined 23-January 06
Thanks Jaclaz.

I talked to their support and you are right. They said that the emergency disk is special for the machine and has a copy of the mbr and partition table and it just overwrites the old one. They said if it was from the wrong machine it would give an error.

They have a McAfee program to decrypt the disk, but when I try to decrypt it won't recognize the disk as encrypted, but we know it is encrypted.

They think it's something about the encryption headers being corrupted and they can't do more on the phone.

Do you think the encryption headers can be fixed with a disk editor?

I have the keyfiles and password, maybe I can encrypt the whole disk again and it will write the same headers? Then it will recognize as encrypted and decrypt it?

#21
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,572 posts
  • Joined 23-July 04
  • OS:none specified
Well, you are back to #1, so seemingly the (put here any adjective heavily offending your customer's mental capabilities) guy provided you with the wrong disk? :realmad:

However, nothing prevents you from re-writing ONLY the (good) DATA of the MBR you had before on the current MBR (which has now the McAfee CODE).

Of course IF part of the CODE contains a form of checksum, it won't work, but trying doesn't harm anyone.
In a MBR offsets:
0-445 Code (including Disk Signature on Windows NT OS at bytes 440-443)
446-509 DATA partition table, 4 partition table entries, each 16 bytes
510-511 Magic bytes 55AA
So basically you have to copy bytes at offsets 440-443 (4 bytes, the disk signature) and bytes 446-509 (48 bytes, the partition table) from the "old" MBR and replace the corresponding bytes on the "new" McAfee one.

Next step would be to create THREE :w00t: copies (images) of the disk, wipe (write with 00's) the area where the "middle missing partition" is, then format with the same OS originally used (I believe 7) the "missing partition in the middle" as NTFS, then attempt installing the encryption using the same keys.
Then compare the three of them, two at a time.
If they result (at least the first few sectors) substantially similar, then you may have a chance.
Explanation:
When you format two filesystems you do it (obviously) one after the other, the result is that the freshly formatted filesystem will never be identical, because the volume serial (which is mysteriously created by the OS on a semi-random base) will be different and especially on NTFS filesystem structures will have different timestamps.

The point is if the encryption algorithm (the "initial loading part") uses just the provided keyfiles and/or password or it uses a "salt" based on "specific data":
What you can reproduce is:
  • size of the volume
  • position of the volume on disk
  • contents of its first few sectors (but not the volume serial)
if anything else (like the volume serial or current date/time or date/time of any filesystem structure) has a role in the encryption algorithm you will have different results (and thus you won't be able to recreate the original "headers").

There is a possibility, still, (again it may depend on the exact version of the software used), at least in older releases there was the possibility of accessing a ("sound") encrypted volume without original key and password by using a "tech access" and a "daily code" (or something like that).

Such an approach may work even with the headers of a "different" volume, but it is really hard to say. :unsure:
JFYI ;):
http://reboot.pro/to...gin-for-bartpe/


jaclaz
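
The MBR data transplant described in post #21, carried out on saved 512-byte sector images instead of the disk itself (an added example, not code from the thread): it keeps the code bytes of the "new" MBR, copies the disk signature (440-443) and the four 16-byte partition entries (446-509) from the "old" one, and sanity-checks the resulting layout. The function names, the disk size and both sample sectors are constructed assumptions; only the 2048 and 3072000 figures come from the thread.

```python
import struct

SIG = slice(440, 444)     # disk signature (Windows NT family)
TABLE = slice(446, 510)   # 4 partition entries x 16 bytes
MAGIC = b"\x55\xaa"       # magic bytes at offsets 510-511

def check_mbr(sector):
    """Reject anything that is not a 512-byte sector ending in 55AA."""
    if len(sector) != 512 or sector[510:512] != MAGIC:
        raise ValueError("not a valid MBR sector")

def parse_table(mbr):
    """Decode the non-empty partition entries (LBA fields only)."""
    check_mbr(mbr)
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA, count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype:
            entries.append({"slot": i + 1, "active": status == 0x80,
                            "type": ptype, "start": start, "sectors": count})
    return entries

def merge_mbr(old, new):
    """Keep the code of `new`; take signature and table from `old`."""
    check_mbr(old)
    check_mbr(new)
    merged = bytearray(new)
    merged[SIG] = old[SIG]
    merged[TABLE] = old[TABLE]
    return bytes(merged)

def layout_problems(entries, disk_sectors):
    """List overlaps and entries that run past the end of the disk."""
    problems, prev_end = [], 0
    for e in sorted(entries, key=lambda e: e["start"]):
        end = e["start"] + e["sectors"]
        if e["start"] < prev_end:
            problems.append(f"slot {e['slot']} overlaps previous partition")
        if end > disk_sectors:
            problems.append(f"slot {e['slot']} ends past end of disk")
        prev_end = max(prev_end, end)
    return problems

def make_mbr(code_fill, signature, parts):
    """Build a constructed sample MBR; parts = (status, type, start, count)."""
    mbr = bytearray([code_fill]) * 440 + struct.pack("<I", signature) + b"\0\0"
    for status, ptype, start, count in parts:
        mbr += struct.pack("<B3xB3xII", status, ptype, start, count)
    mbr += bytes(16 * (4 - len(parts))) + MAGIC
    return bytes(mbr)

# Constructed samples: OLD mimics a three-partition layout (types 27/07/17),
# NEW mimics a rewritten MBR showing a single ~126 GB partition.
DISK_SECTORS = 976773168
OLD = make_mbr(0x11, 0x1234ABCD, [(0x80, 0x27, 2048, 3072000),
                                  (0x00, 0x07, 3074048, 952930304),
                                  (0x00, 0x17, 956004352, 20768768)])
NEW = make_mbr(0x22, 0x00000000, [(0x80, 0x07, 2048, 264241152)])
MERGED = merge_mbr(OLD, NEW)

if __name__ == "__main__":
    for entry in parse_table(MERGED):
        print(entry)
    print(layout_problems(parse_table(MERGED), DISK_SECTORS) or "layout consistent")
```

Working on sector files keeps both originals intact, in line with the image-before-writing rule from post #16.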



