rcll

Windows7 C: partition shows as RAW in diskpart?

21 posts in this topic

Hi,

I was wondering if anyone knew how to fix this issue?

I have a Windows7 Home Premium Toshiba laptop that all of a sudden won't boot into Windows.

The HDD has passed SMART test so it seems ok physically.

On bootup it goes straight into automatic windows recovery, spends 5 minutes at the progress bar then says it can't be fixed automatically.

In the log it says "Boot sector for system disk partition is corrupt"

I put in the Windows7 dvd and go into repair mode, it prompts for the partition, but shows the C: drive as 0 MB.

In command prompt I do "bootrec /scanos", it finds no operating system.

I tried "bootsect.exe /nt60 all /force" to write a new bootsector from the Windows dvd, it completes successfully, I reboot, but same problem.

"bootrec /fixmbr" and "bootrec /fixboot" also completes successfully but still the same problem.

I try "attrib -h -s C:\boot\BCD" & "del C:\boot\BCD" & "bootrec.exe /rebuildbcd" as per http://neosmart.net/wiki/display/EBCD/Recovering+the+Windows+Bootloader+from+the+DVD but this fails, because I have no accessible C: drive.

In diskpart it shows the C: partition as RAW.

I have tried livecd of Minitool Partition Wizard and it scans the entire drive for about 2 hours, it says no partition it can recover. The D: drive (Toshiba's recovery partition) is still there and accessible.

Can anyone advise what to do from here? I'm guessing all the files from C: partition are still there but there is an MFT problem?

I would be very grateful to get this partition back the way it was. Thanks for any help!


You should try testdisk from a bootable media (my favorite livecd with testdisk is systemrescuecd). Be sure to run it without writing anything and create a log file as it will help other people here (most likely Jaclaz) to help you.

You should also create full raw disk image as it was explained there.


Thanks. I just ran testdisk without writing. Unfortunately it doesn't look like an easy fix. I did the regular analyze and then deeper analyze and tried to list files with "P" but it says filesystem is damaged, I also tried rebuild bootsector. I hope I didn't make it worse by writing the bootsect.exe operation earlier.

Here is the log and what testdisk shows. I hope there is still a way to fix.


testdisk.log.txt


Can you post some details on how you remembered the disk was partitioned?

How many partitions, which size (approximated) they were, which filesystem they used, etc.?

For the offset of the first partition it seems like it was partitioned originally under Vista :ph34r: or Windows 7, the first partition seems OK:

1 P HPFS - NTFS 0 32 33 191 89 26 3072000 [system]

though it is "unusually" large for being just the "system" partition (the good MS guys call "system" the "boot" partition and "boot" the "system" one, in order to make things easier :w00t: ) and as well "last one":

3 P hid. HPFS/NTFS 59508 132 17 60801 80 15 20768768 [HDDRECOVERY]

looks fine.

What was before "between them"?

A single partition?

Did the 1st partition get a drive letter (I presume C:\) and the other partition get another letter (like D:\), and the [HDDRECOVERY] was hidden?

jaclaz


Hi Jaclaz. I think the disk was just two partitions or maybe three, the C:\ was like 450GB and the D:\ was the [HDDRECOVERY] of like 10-15GB. It's possible there was also 1.4GB WinRE partition. Is that the [system]? I don't think that one was visible inside windows but I guess it was always there.

It's a laptop that came already with Windows 7 on it but I'm not sure how they made the partitions at the factory, I think probably in Windows 7 not in Vista but I'm not sure.

I tried to do NTFS scan in DMDE but I think it finds a mess :(


The DMDE screenshot makes clear enough how the disk was before, most probably:

  1. First partition was a type 27, i.e. the "boot" (read as MS system partition) and got NO drive letter when booted [system] that Windows 7 creates in some cases (but normally this partition is 100 Mb in size)
  2. second partition was a large "normal" 07 type one that got C:\ drive letter
  3. third partition was a hidden partition (recovery partition) that got no drive letter (because of its 17 hidden type) [HDDRECOVERY]

Now, from the combined results of the TESTDISK log and of the DMDE screenshot, it seems like the "middle partition" structures have been *all* corrupted/overwritten.

This is very unusual :w00t: , as commonly *some* structures can still be identified.

I see a couple references for "Kaspersky Rescue Disk 10.0" recently downloaded, which you didn't mention among the attempts you made. :unsure:

The $MFT for any NTFS volume bigger than 5 or 6 Gb is on cluster 786432, i.e. 786432*8=sector 6291456 from start of the volume.

If the first partition was originally the "normal" 100 Mb or if it was the current (roughly) 1.5 Gb, it doesn't make much difference, the $MFT of the second volume would anyway be between 2048+204800+6291456=6498304 and 2048+3072000+6291456=9365504

DMDE didn't find any fragment of the $MFT around that area, which is very, very unusual, and not easily explained (in the sense that right now I have no idea of something that can produce the effect of wiping so effectively all $MFT traces :ph34r: ).

Was - by any chance - the volume encrypted?

jaclaz

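The read-only checks discussed in the post above (MBR partition types, the sector where the $MFT is expected, and whether that area looks like NTFS or like ciphertext), sketched in Python as an added example that is not part of the original thread. Function names are hypothetical, 512-byte sectors and MBR partitioning are assumed, and the tiny image is constructed with its $MFT at cluster 2 so that it fits in memory.

```python
import hashlib, io, math, struct

SECTOR, MFT_CLUSTER, SPC = 512, 786432, 8   # $MFT cluster and sectors/cluster from the post

def expected_mft_lba(part_start, mft_cluster=MFT_CLUSTER, spc=SPC):
    """Absolute sector where the $MFT should start for a volume at part_start."""
    return part_start + mft_cluster * spc

def parse_mbr(mbr):
    """Return (type, start_lba, sector_count) for each used primary slot."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not an MBR")
    slots = (mbr[446 + 16 * i:462 + 16 * i] for i in range(4))
    return [(s[4], *struct.unpack_from("<II", s, 8)) for s in slots if s[4]]

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, range(256)) if c)

def triage(img, mft_cluster=MFT_CLUSTER, spc=SPC):
    """Read-only report per partition; img is a file object opened with 'rb'."""
    img.seek(0)
    report = []
    for ptype, start, _count in parse_mbr(img.read(SECTOR)):
        img.seek(start * SECTOR)
        pbr = img.read(SECTOR)
        img.seek(expected_mft_lba(start, mft_cluster, spc) * SECTOR)
        sample = img.read(1024)                    # one default-size MFT record
        report.append({
            "type": ptype, "start": start,
            "oem_id": pbr[3:11],                   # b"NTFS    " plain, b"-FVE-FS-" BitLocker
            "mft_magic": sample[:4] == b"FILE",    # valid MFT records start with FILE
            "entropy": round(entropy(sample), 2),  # near 8 with no magic: likely ciphertext
        })
    return report

def build_sample():
    """CONSTRUCTED 64-sector image: plain NTFS (0x27) and a ciphertext-like volume (0x07)."""
    img = bytearray(64 * SECTOR)
    for i, (ptype, start, count) in enumerate([(0x27, 8, 24), (0x07, 32, 32)]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, ptype, start, count)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    img[24 * SECTOR:24 * SECTOR + 4] = b"FILE"     # $MFT at cluster 2 of the first volume
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    img[32 * SECTOR:] = noise * 8                  # deterministic stand-in for ciphertext
    return io.BytesIO(bytes(img))

print(*triage(build_sample(), mft_cluster=2), sep="\n")
```

Against a real image, open the file with `open(path, "rb")` and call `triage()` with its defaults, which use the cluster 786432 figure from the post.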

Oh all $MFT traces wiped out sounds bad for any files recovery :(

I did try Kaspersky rescue disk but I thought it was just livecd for virus check, I didn't think it would write anything to HDD :( Do you think it already overwrites important parts of the disk?

It is possible there was encryption I will try to find out from the user. Is there any way to recover from that with the password?


Oh all $MFT traces wiped out sounds bad for any files recovery :(

I did try Kaspersky rescue disk but I thought it was just livecd for virus check, I didn't think it would write anything to HDD :( Do you think it already overwrites important parts of the disk?

It is possible there was encryption I will try to find out from the user. Is there any way to recover from that with the password?

Hard to say.

Try quickly run Photorec (the file based recovery tool "companion" of TESTDISK) if files can be found with it, it wasn't encrypted.

jaclaz


i wasn't encrypted.

jaclaz

Are you now ? :ph34r::D


i wasn't encrypted.

jaclaz

Are you now ? :ph34r::D

Picky today? :unsure:, actually, to be in-line with the previous typo: Picky oday?

jaclaz


Hehe ;) You can not be encrypted because you help people so clearly :)

So I'm trying photorec like you said and this is what it shows.

It's trying to find files now but I think you're right that it's whole disk encrypted.

I have password from the user now. Is there a way to fix HDD enough so laptop can boot to the login screen so I can put in the encryption password for this "RAW" windows partition?

I am worried the Kaspersky rescuecd virus scan overwrites some files on HDD, I don't know why it did that. Also worried about the "bootsect.exe /nt60 all /force" overwrite and bootrec /fixmbr & /fixboot that I attempted :(


I have password from the user now. Is there a way to fix HDD enough so laptop can boot to the login screen so I can put in the encryption password for this "RAW" windows partition?

BUT how exactly /which tool was used to encrypt the volume/drive? :unsure:

Bitlocker?

I am worried the Kaspersky rescuecd virus scan overwrites some files on HDD, I don't know why it did that. Also worried about the "bootsect.exe /nt60 all /force" overwrite and bootrec /fixmbr & /fixboot that I attempted :(

Those would only change the "code" part of the MBR and of the PBR's, since it was originally Windows 7 made, the result would be again Windows 7, but I have no idea if bitlocker (if it is that that was used) actually encrypts the PBR also and or if it stores any further back up copy.

BUT, yes, the combined effect of all the tools you ran could well have made things worse, though the issue (since start) was an issue with the bootsector.

I personally find encryption (generally speaking) "totally unneeded, utterly foolish and a perfect way to lose data", but of course opinions may vary on it :whistle:.

Besides being of no actual use (just so you know, "they" are not after you, if they were, they would have already got you :ph34r: ) to the "common user" it implies a far more accurate management of data (and backup strategies), something that the "common user" will never be able to do, being by definition also not capable of implementing a "plain" data backup strategy.

And of course doing *any* of the things you did to a failed disk without first imaging it has been - let's say - a most uncommon procedure :angel (if you need I can be much more explicit than that).

IF it was bitlocker, there are a few tools to recover those, but whether they will work (at all or in this case) cannot say.

See:

http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/bitlocker-corrupted-drive/f2d6addf-5e9d-427e-9857-ffb5a750dfcb

jaclaz


I know you hate encryption and I don't use it either but this computer has it :(

I thought it was simple bootsector problem from virus so I make the mistake of doing image after the Kaspersky livecd scan (why this write stuff to HDD? :angry:)

He says now he doesn't think it's bitlocker but he had to enter boot password before windows password, it's some kind of disk encryption so I guess that's why C:\ is RAW.

The system was already not asking for boot password when I got it, and just going straight to Windows startup repair with no solution, but the bootsect overwrite probably didn't help :rolleyes:

Is there any way to get again the original bootsector with the encryption password prompt so it can access the RAW C:\ once more? What do you think can be done now?


I know you hate encryption and I don't use it either but this computer has it :(

Sure, not at all negating the fact, only highlighting its foolishness ;).

I thought it was simple bootsector problem from virus so I make the mistake of doing image after the Kaspersky livecd scan (why this write stuff to HDD? :angry:)

Then you have an image of the disk before the various Windows recovery attempts?

No, the Kaspersky live CD scan (which - again - seems a lot like NOT having been on a LiveCD since data about it are written to the hard disk) would have NOT done *any* harm, rest assured.

He says now he doesn't think it's bitlocker but he had to enter boot password before windows password, it's some kind of disk encryption so I guess that's why C:\ is RAW.

Yep, the whole point is to understand WHICH EXACT form of encryption is it and if there are tools (from the manufacturer of the encryption tool or by third parties) capable of recovering a disk in that situation.

In theory it could be something trifling, like the need to re-write some MBR (or hidden sectors) code, or something that has no way to recover.

The system was already not asking for boot password when I got it, and just going straight to Windows startup repair with no solution, but the bootsect overwrite probably didn't help :rolleyes:

Is there any way to get again the original bootsector with the encryption password prompt so it can access the RAW C:\ once more? What do you think can be done now?

Your next step is to understand *somehow* which specific encryption was it.

jaclaz


Thanks Jaclaz.

I am waiting to find out from him the name of the encryption now.

The Kaspersky was a livecd but I think it downloaded updates automatically, it's crazy that it writes these files to HDD not to ramdisk or something.

Do you think it wrote Kaspersky files to the main RAW partition? or maybe only write over the [HDDRECOVERY] partition which has no important data?

The Windows recovery attempts were also not smart before imaging :(
