[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NTFS recovery
On 10/19/05, Bryan J. Smith <b.j.smith@ieee.org> wrote:
> On Wed, 2005-10-19 at 09:12 -0500, Gary Smithe wrote:
> > Hello all,
> > I have a HDD from WinXP that has a messed up partition table.
>
> Is it the partition table, filesystem or both?
>
> I understand if it's the partition table, you might not be able to tell
> if the filesystem is dorked up too.
>
> > It causes Windows to lock up, and won't mount, even read-only, under
> > Linux.
>
> If the start of the filesystem cannot be determined due to the partition
> table being messed up, then the filesystem might still be intact. As
> long as Linux knows the start of a filesystem (on a partition boundary),
> it will access the exact filesystem (regardless of where the partition
> boundary ends).
>
> This is why I keep copies of my partition tables. In fact, I purposely
> use exacting off-sets (4000M, 8000M, 16000M, 32000M, 64000M) with fdisk
> to guarantee I can "guess" the partition table with trial'n error. I
> just start creating partitions with 4000M, 8000M, etc... until one
> mounts, then I look at its size, then I figure where the next one is.
> The only issue is when I have an extended, LDM or LVM -- the extended I
> can do something about (it's just a 512B sector off-set), but LDM or LVM
> I can do little.
>
> > Anything I do in windows gives me problems with this drive, so
> > I'm hoping to find a Linux tool.
>
> The best bet is to create a single partition starting with cylinder 1 to
> the last. Then try to mount it. The first filesystem should start on
> cylinder 1, and Linux will mount it if it does, regardless of where it
> ends. Once you mount it, you can find out its size and interpolate what
> cylinder/head/sector the next partition starts, etc...
>
> [ BTW, be sure to use the "-o ro" option to mount read-only. ]
>
> > I decided to use dd_rhelp to make an image file. The problem is, when
> > I try to mount it, it complains about the FS.
>
> You need to find where those partitions start so you know where the
> filesystem starts. Otherwise you're getting arbitrary disk sectors.
>
> > I've seen where people making a DD from an ext2 FS have been able to
> > do a fsck on the image file,
>
> Again, you need to dd from the start of a partition, and therefore, a
> filesystem before you even get to that point.
>
> > but I don't think I can do that with NTFS.
>
> *NEVER*, *EVER* CHKDSK a NTFS filesystem *EXCEPT* with the _exact_ NTFS
> installation that created it. There are links from the filesystem to
> the Security/System Accounts Manager (SAM) which is part of the
> registry, and that is NT installation _specific_. Even on a dynamic
> disk (LDM disk label, BIOS type 42h), which stores some SID info in
> hidden parts of the disk, it does _not_ have enough to do a CHKDSK.
>
> I'm not sure if the "Captive" user-space driver for Linux can safely
> read the registry/SAM and recover. But since it's a user-space driver,
> it would be dog slow anyway. It's best to try to define the NTFS
> filesystem's boundaries, and then get a dd image of that. Then put it
> on another disk and attempt to see it boot and run CHKDSK.
>
> If you get your data, then you can go back to the original disk and do a
> sector-by-sector test with CHKDSK to see if it's failing.
>
> > Does anyone have a thought of how I can get my files off this drive?
> > The drive isn't making any death noises, it just seems to have bad
> > clusters, that have messed up the partition table and/or formatting
> > information.
>
> If you can find out where the filesystem begins and ends, you can let
> NTFS'
>
>
> --
<Signature SNIPed>
It looks like your last sentence ran off the page :-).
I appreciate the response. I'm nowhere near an expert, so my
terminology may veer off the correct path at times.
I'm guessing the primary problem I'm having is bad blocks, and that
the partition table is intact, but there is something wrong with the
filesystem. I say this because fdisk -l shows an NTFS partition, and
when I try to mount the failed drive, it fails because of hardware
problems (I'm guessing here, it just times out). That is, it doesn't
say that the filesystem is wrong, just that it can't mount it.
Will creating a new partition help in this situation? Is there
anything I can do about the failed mount? I'm guessing that there is
some type of file system "header" information stored right where some
blocks are bad.
So to be more correct, I'm thinking the partition is OK, but something
about the FS is messed up, which won't allow mounting.
I tried doing the dd on /dev/hdc1, which is the only partition shown
on the drive. I decided to rm the first dd image and use dd_rhelp to
start a new one. It's a 40GB drive, and this morning when I left the
house, the image size was ~38GB, apparently paused on more bad blocks.
Is there a different way I can mount the partition, so whatever block
error is ignored? Are there any steps I can do with this new image
file (that hopefully will complete today)?
Thanks a bunch.
GS
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.