User:Skierpage/Disk recovery

    From KDE UserBase Wiki

    Disaster!

    I followed instructions to create a bootable SD card,

     zcat blah.bootable.gz > /dev/sdX
    

    This is dangerous because it overwrites the partition, but I had done it before, I knew there was nothing on my SD card and /dev/sda is my SD card.

    But /dev/sda is my hard drive. The whole thing.

    I checked with df and the size looked wrong, then I read my notes (should have done that first) and I was overwriting the wrong disk. Ctrl-C!

    Then I tested the .gz file and it was corrupt, so I thought nothing had been written. My computer worked fine.

    The next day I got an error coming out of standby about not reading C:\$MFT or something. So I decided to reboot. Big mistake, I should have read partition tables, backed up some key files, and prepared for disaster.

    Rule 1: do what you can while it's working.

    Errors shutting down, then could not reboot, bad disk.

    Failed recovery

    I couldn't find my Windows XP CD-ROM, even though Falcon Northwest make a big deal. Of course my Windows XP is so dramatically different thanks to all the updates and service packs that the original disk has been useless for System File Checking and file recovery and such. I had always meant to follow instructions to slipstream a new boot CD-ROM, where you make a fresh Windows CD-ROM that contains the latest files, but never did.

    Rule 2 You need a boot disk around.

    Falcon Northwest provided me a personalized Recovery Disk, I inserted this and nothing happened. Zero feedback.

    Into Kubuntu Live CD

    I had built a Kubuntu Live CD. That booted fine.

    The Kubuntu Live CD startup menu has "check disk" menu choice is useless, it just checks the CD-ROM. BUG: it is badly named.

    So I ran the Live CD environment, and that worked fine. I'm updating this web page from the Live CD. Hooray for free software that is happy for the world to make bootable CDs.

    Create a recovery disk/USB?

    There are lots of dedicated "recovery CD" distributions. Distrowatch lists dozens, and the search leaves out the GParted distribution.

    The problem is, I'm running from my only CD drive, so I can't burn another CD. Besides, I don't want to waste another CD blank. I have gigabytes of space on my USB flash drive and SD memory card.

    BUG: All the distributions I checked have crap guides to creating a bootable USB. Some even talk about making a floppy. The functionality and documentation for making a bootable USB needs to be separated from all these distributions.

    Use what I have

    But I'm already running Linux. Kubuntu has the parted partition editor and the NTFS tools.

    BUG: all the online web recovery instructions are crap. They tell you how to make a recovery CD or floppy or whatever, tell you to stick it in the machine and reboot, but fail to tell you what to do next. I guess they assume you'll walk through their beautiful menu system. It is stupid and short-sighted not to mirror help and guidelines on a web site. You should never have to create physical media and boot from it just to read documentation.

    The first four pages of Google results for "linux partition recovery tutorial" are either sites trying to sell me something or yet another guide to creating a recovery CD. I gave up finding any explanation of what to do.

    Find your hard drive

    You have to find the UNIX device name for your disk, like hdb ("hard disk B") or sda ("SCSCI disk A" but also "Secure Digital" memory card). Then tools can access your disk using its entry in the special /dev directory. That's how I was able to scribble all over my hard drive in the first place.

    Unfortunately, the /dev directory has lots of devices in it.

    Another approach is to look for boot messages where the Linux kernel finds hardware devices. In a Linux console, enter

     dmesg | grep disk
     dmesg | grep drive
    

    one of those should identify promising disk devices, or enter

     dmesg | less
    

    to read the whole boot thing (which might have hints about the state of the drive).

    The best approach I've found is the somewhat undocumented one of looking in the special file /proc/partitions:

     cat /proc/partitions
    

    This identifies the partitions on the various devices, and their blocks. I guess if your hard drive was really badly trashed, it wouldn't have any partitions.

    All these confirmed my hunch that /dev/sda is my poor hard drive. The good news is /proc/partitions showed my sda1 and sda2

    Run parted

    Now start parted. I should probably start this as the root user, using sudo

    $ parted
    Using /dev/sdb
    

    that's wrong, I need to select /dev/sda.

     (parted) help
     ...  lots of commands
     (parted) select /dev/sda
     Error: Error opening /dev/sda: Permission denied
    

    so I do have to be root.

    $ parted
    GNU Parted 1.8.8
    Using /dev/sda   (good, now I'm root it picks sda as I can write to it)
    Welcome to GNU Parted! Type 'help' to view a list of commands.
     
    (parted) check
    Partition number? 1
    Error: \8. is 512k, but it has 15994 clusters (63976k).
    Ignore/Cancel? i
    Fatal: Bad FAT: cluster 12 is cross-linked for \0.8.  You should run dosfsck or scandisk.
    

    there you go! Let's see if the Linux partition is OK at least.

    (parted) check
    Partition number? 1
     Error: Partition doesn't exist.
    

    Damn.

     (parted) print
    Model: ATA ST3120026AS (scsi)
    Disk /dev/sda: 120GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos
     
    Number  Start   End     Size    Type     File system  Flags
     1      17.4kB  2031MB  2031MB  primary  fat32        boot, lba
    

    damn. That's completely wrong, I should have an enormous Windows partition. My original destructive zcat bootable scribbled a new partition table on the front of my disk that's completely wrong.

    How bad is it

    So as a result of scribbling over the front of the disk I have

    1. probably trashed the special loader (called grub? maybe) that let me boot from Windows or Linux
    2. probably trashed the Windows boot code, I'm not sure if it's in the first partition or somewhere else (the MBR "Master Boot Record" ?)
    3. probably trashed a big chunk of my NTFS Windows partition
    4. somehow completely messed up my Linux setup. With firefishe's advice I had set up the second half of the disk with root, swap, and home, now it's nowhere to be seen :-(

    parted has a rescue command that will try to locate and revive partitions, but I thought there's a backup somewhere on the disk with partition information. The "MBR" again?? But since the first partition table looks OK, the program trusts it.

    Recovering partitions

    So now I'm back to trying to find out more about disk repair.

    Fortunately I made notes when I created the partition setup.

    /dev/sda1  ntfs  Size 90025 MB (83.8 GB) hopefully untouched
    /dev/sda2 ext3 Mount / Format? checked  Size 20003 MB Used 495 MB
    /dev/sda3 ext4 Mount /home Format? checked  Size 8003 MB Used unknown
    /dev/sda4 swap Mount [blank] Format? [blank] Size 1998 MB Used unknown
    


    Rather than guess at partitions with parted's rescue, testdisk sounded promising. But it's not on the Kubuntu live CD.

    I tried using aptitude to install it, but that didn't work on the LiveCD. So I downloaded it. There's a Ubuntu package available, navigate to the Jaunty version, get the URL of the amd64-bit version. I have no idea how you can install new software to a read-only CD-ROM, so I did this in the temporary directory

    cd /tmp
    wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/t/testdisk/testdisk_6.10-1_amd64.deb
    

    then

    sudo dpkg -i testdisk_6.10-1_amd64.deb
    

    to install.

    testdisk to the rescue!

    Praise be, this has a pretty good intro, so I walked through that while running

    sudo testdisk
    

    and then turned on its expert mode and went slowly.

    Like every other tool testdisk initially found only the bad small partition:

    Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
    Current partition structure:
         Partition                  Start        End    Size in sectors
     
    Warning: Incorrect number of heads/cylinder 63 (FAT) != 255 (HD)
    Warning: Incorrect number of sectors per track 62 (FAT) != 63 (HD)
     1 * FAT32 LBA                0   0 35   246 237 22    3966909 [LIVE]
    

    But then its quick analyze command found my various Linux partitions!

    And then, I pressed Enter then chose [Deep analyze], which went back through my disk slowly. Glory be, this found evidence of the bigger partition!

    Disk /dev/sda - 120 GB / 111 GiB - CHS 14593 255 63
         Partition               Start        End    Size in sectors
    D FAT32                    0   0 35   246 254 63    3968021 [LIVE]
    P HPFS - NTFS              0   1  1 10944 254 63  175831362 [Windows XP]
    D Linux                 1902   0  1  4419 254 63   40451670
     * Linux                10945   0  1 13376 254 63   39070080
    D Linux                12139   2  1 14571 254 63   39086019</span
     P Linux                13377   0  1 14349 254 63   15631245
     P Linux Swap           14350   0  1 14592 254 63    3903795
    

    wahoo! There's my Windows XP partition! It also found two extra bogus partitions, but by matching the size ("sector" is 1/2 kB) and using the info testdisk prints as you choose each partition, I figured out the proper partitions whose Start follows the End of the previous, and used the left and right arrow keys to enable the good partitions as shown, and delete the bad ones.

    Press Enter, confirm writing the new thing. I'm not sure about the geometry errors.

    Then it immediately displayed information about my NTFS partition:

    Boot sector
    Status: Bad
     
    Backup boot sector
    Status: OK
     
    Sectors are not identical.
     
    A valid NTFS Boot sector must be present in order to access
    any data; even if the partition is not bootable.
    

    so I chose its [Backup BS] to copy the backup boot sector.

    I tried [Repair MFT] to check the NTFS Master File Table, but that requires rebooting.

    One last check of the format (using the Advanced menu, confusing), and I exited and prepared to reboot!

    Testdisk glitches

    Quit for previous menu is odd

    [Quit] everywhere to return to previous menu is very confusing. It should support [Esc]ape key, and the command should be [Back]

    Analyze forces a Quick search

    Also, if you choose analyze, you have a [Quick search] option, so there's no way to return to the main menu. You have to start a quick search. If you stop that, it'll be half-way through finding the partitions, so it looks as if it's lost all the information I've carefully brought back.

    It's crazy that the only way I can see the current MBR is by choosing "Advanced".

    So the main menu should have a "Current status" that shows

    1. what's on the disk MBR and partition info
    2. indicator if what testdisk has in memory is different (because you haven't written it yet)
    3. if not, show what's in its idea of the MBR and partitions is
    4. any other info it has or hasn't written to disk.

    Ctrl-C

    I tried to copy some text to here with Shift+Ctrl+C, and accidentally pressed Ctrl+C and testdisk immediately exited. Please trap Ctrl+C and ask "Are you sure?"

    give user-friendly MB/KB size

    When people are looking for partitions, they probably know the size in kB or kibibytes, but not in sectors. So maybe in parentheses give a user-friendly size like 5,203 KB or 12,304 MB.

    Add partition is confusing

    This is weird. First, I thought this would add the partition that testdisk had found that I've highlighted with the cursor keys, since D(eleted) is the opposite of Add.

    Then, when I really did want to add a partition, the information line has no explanation

      D No partition             0   0  1  1020 251 62   15952104
    

    and I can't choose a particular partition type with the cursor, it highlights a row of three at a time!!

    List under [Analyze] > [Boot] is confusing

    I re-entered TestDisk to view some files on my corrupted partition. I remembered this feature was called [List], but I had trouble finding it. I finally found it under [Analyze] > [Boot] , but the help for [Boot] is "Boot sector recovery". There's no indication that the [Boot] screen also has a "[List] directories and files, copy data from NTFS" feature.

    Back to booting

    I told TestDisk that Linux was my boot partition, however booting from the hard drive was still a complete failure, it just hangs forever. I have my partitions, but I've lost any knowledge of booting. So I had to boot the Kubuntu LiveCD again.

    Kubuntu had installed the grub boot menu that gives me a choice of whether to boot Windows or Kubuntu, so all I need to do is create another one of those.

    As usual there are tons of guides to restoring grub, and they're all crap out-of-date stuff that mostly explain nothing. E.g. my hard drive is /dev/sda, but grub turns this into hd0. And unlike TestDisk there's no way to know what the heck you just did or verify what you put on the disk. It's a shot in the dark.

    https://help.ubuntu.com/community/RecoveringUbuntuAfterInstallingWindows is probably the best instructions, so I followed that.

    Linux boot back

    Now my hard drive boots into Kubuntu, but seems to ignore windows.

    grub woes

    The grub command is very poorly explained. I want a program to tell me what the current boot menu in my MBR looks like without rebooting. Does grub do this? Who knows. It seems to show a typical boot menu, but maybe that's coming from my Linux drive. Who knows?

    Windows partition corrupt

    Kubuntu automatically mounted my NTFS partition as it did before using the NTFS-3G driver:

     /dev/sda1 on /media/WindowsCdrive type fuseblk (rw,nosuid,nodev,allow_other,blksize=4096)
    

    but that was giving me tons of

    ls: cannot access /media/WindowsCdrive/AUTOEXEC.BAT: No such file or directory
    ls: cannot access /media/WindowsCdrive/boot.ini: No such file or directory
    

    as well as a directory listing. Strange, since I was able to navigate in TestDisk to some of these files in "My Documents".

    • fsck doesn't work yet for ntfs-3g mounts.
    • Can I run Windows' chkdsk command under Wine?
    • I found my Windows XP CD-ROM and booted into its Recovery Console, but that doesn't acknowledge I have a hard drive at all. It's supposed to ask what Windows installation I want to work with, but doesn't.

    I asked about my problems on the NTFS-3G forum.

    Back up the partition

    I bought a Toshiba 400GB External USB 2.0 Hard Drive Model: HDDR400E03X , so I can just dump the entire NTFS partition onto it, insert it into a Windows laptop, and run chkdsk on it.

    But how to "dump"? I think the command is

     dd if=/dev/sda1 of=/dev/sdc2 conv=noerror,sync
    

    but I'm unclear how to create the NTFS partition.

    Repartition USB hard drive

    My hard drive according to TestDisk is

    CHS 14593 255 63
    1 * HPFS - NTFS              0   1  1 10944 254 63  175831362 [Windows XP]
    

    TestDisk thinks the Toshiba has the same heads/sectors, so each "cylinder" is the same. fdisk -l thinks the Toshiba is

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdc1               1       48641   390708801    c  W95 FAT32 (LBA)
    
    • Clonezilla can clone partitions, but it's yet another boot CD to burn and a layer of software above.
    • ntfsclone from
    • parted has a cp command, but the features page indicates that this doesn't work to create or copy NTFS partitions.

    So I guess I'll create an NTFS partition on windows. I used parted to resize the FAT32 partition smaller to make room:

    (parte d) unit cyl
    (parted) resize 1 0 20000
    (parted) print
    Model: Toshiba External USB HDD (scsi)
    Disk /dev/sdc: 48641cyl
    
    Number  Start  End       Size      Type     File system  Flags
     1      0cyl   19999cyl  19999cyl  primary  fat32        lba
    

    (parted seems to count from 0, not from 1.)

    Now to create an NTFS partition like

    1      32256B         90025689599B   90025657344B  primary  ntfs         boot
    

    on Windows, I called it partition X:. 90025657344 bytes is 87915681 kiB. I guess I'll round up to 86GiB for safety. That was a stupid idea because it makes it hard to copy back

    Backing up

    From Kubuntu,

    dd if=/dev/sda1 of=/dev/sdc2 options blah blah
    

    worked fine.

    Then reinserted disk in Windows. Explorer convinced the drive is broken; but from the command line I was able to run

    chkdsk /f X:
    

    lots of errors but it all looked pretty good.

    Reinserted in Kubuntu, realized it was too big to copy back plus I want to make yet another backup for safety.

    Permissions messed up

    Reinserted in Windows to reduce file size. But first, a weird problem. Computer Management > Disk Management shows X: drive "86.00GB, Healthy (Active, Primary Partition)", 20GB free.

    But Windows Explorer thinks X:\ is not accessible, access denied. Finally figured out that the ACL for it only allows administrator access!!

    Compared with C security

    Authenticated Users
    Special permissions Allow grayed out
    SYSTEM
    Full Control, Modify, Read & Execute, List folder contents, Read, Write all Allow
    Administrators (Machine Name\Administrators)
    same as SYSTEM
    Users
    Read & execute, List folder contents, Read

    C: Advanced security

    Administrators (Machine Name\Administrators)
    Full Control apply to this folder, subfolders, and fileto
    SYSTEM
    same as Administrators
    Users (Machine Name\Users)
    Read & execute apply to this folder, subfolders, and files
    Authenticated Users
    Special apply to Subfolders and files only
    Authenticated Users
    Create folders/append data, apply to This folder only.


    Compared with new NTFS partition' security

    Authenticated Users
    Modify, Read & execute, List folder contents, Read, Write
    SYSTEM
    Full Control, Modify, Read & Execute, List folder contents, Read, Write
    Administrators (Machine Name\Administrators)
    same as SYSTEM

    new empty NTFS partition's Advanced security:

    Administrators (Machine Name\Administrators)
    Full Control
    SYSTEM
    Full Control
    Authenticated Users
    Modify
    Users (Machine Name\Users)
    Read & execute

    all applying to this folder and subfolders.


    Started applying permissions to X: but got errors as it trundled through sub-folders setting permissions for SYSTEM:

    cygwin\bin\get , \cygwin\etc\passwd , \cygwin\etc\profile.mytemp, \cygwin\etc\sshd_config, \cygwin\etc\ssh_host_dsa_key, more ssh, \cygwin\home;
    \cygwin\lib\perl5\5.8\CPAN\Config.pm{,~}, \cygwin\lib\perl5\5.8\{Auto, Bundle, \cygwin\auto, \cygwin\file, \cygwin\HTML}, site_perl\Date blah blah more 5.8 perl stuff
    \cygwin\usr\local\bin\mergebox.pl, \cygwin\usr\local\src

    Reset it to make Advanced security match "empty NTFS partition" (i.e. not quite the same settings for Authenticated Users as on the laptop C: drive. Same errors.

    This is probably why I can't access the drive from Recovery Console.