May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Windows Filesystems Recovery

News Introduction Recommended Links Recommended Papers Strategy for hard drive Click of Death crash recovery Undeleting files Direct Disk Editing   FAT32 Partitions Data Recovery
Filesystems Internals Unix dd command Recovery of lost files using DD Working with disk images ddrescue Disk Repartitioning and Resizing of NTFS Using dual boot for recovery  
Norton Ghost Alternatives to Norton Ghost Acronis True Image Restricted free versions of Acronis True Image Macrium Reflect FREE Edition R-Drive Image Active Boot Disk DriveImage XML  
Using disk images to fight spyware Antispyware Tools Spyware Removal Disk Backup Tips History Humor Etc

An ounce of prevention is worth a pound of cure.

An ounce of prevention is worth a pound of cure. I remember strong feelings that I experienced each time my hardrives died. Sometimes it was accidentally dropped. Sometimes it just goes south due to the age. But feeling that all your precious data are lost is unforgettable. It is a mixture of despair and anger about what an idiot you are. Here I can frankly say that a typical characterization of such situations a case when "jaw dropped" acquire quite different more realistic and more menacing sense ;-). 

So the first advice is never to have a need to browse this page. Among steps that help to prevent this situation are

Another useful strategy helpful in preventing filesystem disasters is to use multiple partitions. First of all is shrink the size of back and makes performing backups of your data much simpler and faster.  If also increases recovery chances, especially if you save your MBR and boot sectors on a recovery DVD.

I am strongly against one partition windows systems installations that are prevalent today. Splitting this partition into two and having a sizable second partition or the primary drive (or secondary drive for desktop or laptops with mediabay like Dell E6320) where you can store Ghost images on the first partition and your data significantly simplify recovery and helps to avoid the fees that are charges by specialists for restoration of your harddrive.

This page is updated when I experience problems with my systems and the frequency of updating should serve as a warning to everybody that you need continues highly disciplined efforts to preserve your data (and that means not only backup but a proactive replacement of critical harddrive after two-three years of service)  or at one moment you will be pulling hairs from your skull...

There are several issues that are of tremendous important for Windows users

On low level there are few tools that are really helpful.

Again let's talk about prophylactics. I strongly recommend to create a sizable (let's say 40GB-60GB ) FAT32 partition explicitly for recovery purposes when installing Windows. Here you can store Ghost or Acronis images and other stuff that is important to recover too.

Much depends on your level of understanding of assembler and FAT32 internals. If we are talking about serious problem that involves valuable data, then before practicing with Norton Disk Editor on real data I strongly recommend to create an image of the partition, install it on the second harddrive and try you ideas on it.

With NTFS everything is 10 times harder but general principles remain the same. After all you can always read and search the disk sector by sector and write some scripts to extract relevant portions of the disk based on heuristics that are pertinent to your data. But it is preferable to operate on a higher level. NTFS can be mounted as readable partition from Linux which creates some interesting possibilities in case Windows is damaged to the extent is unable to boot and there is no recovery disk. I have very little experi4nce with recovering NTFS volumes so I can not go father then rather generic recommendations.

Top Visited
Past week
Past month


Old News ;-)

[Dec 12, 2011] My Seagate Free Agent GoFlex 1TB External USB HDD has got erased ...

10-17-2011 |


I was having two Seagate hard disks. One is 8GB USB Hard disk and another one is 1TB USB Free Agent GoFlex Ultra-Portable Drive For PC & Mac.

My problem till yesterday was that first one (8GB) hard disk was not working properly. Even when it connect to system, it was not recognized in any system. One of my friend suggest me to visit seagates websites and find the solution for that. Yesterday I visit seagate's website and I download "SeaTools For Windows " software. When I start to use this software, my both hard disks was connected to my system and I wrongly select the good one (1TB) hard disk and select advanced tests and then select USB Erase Tasks and then Full Disk Erase option. It was running for around 9 hours and suddenly I came to know that I have select wrong website but till that time all my data was lost. I just wanted to know that can I recover that data which got erased by mistake?

For data recovery, I have already purchased seagate's software "File Recovery For Windows". Can I get all my data from that software? It was important data in that hard disk but due to my mistake, it got erased. Do you have any solution for that? I will be thankfull to you if you have any solution. Kindly reply me urgently.

copnas 10-17-2011 at 08:40:16 PM

Hi Pritish,

I would recomend you getdataback it makes realy miracles.
If you are not statisfied with seagates file-recovery program give it a try,
you will be surprised.
As for :if you can get all of your data back, it depends on how "damaged" your files are.
I experienced that I got almost all of my data back after one or two formats.
I realy hope you will prove me wrong but after the Full erase of your hdd it will be inpossible
to get all of your data back.

Message edited by copnas on 10-17-2011 at 08:47:13 PM

Reply to copnas

pritish 10-24-2011 at 11:34:51 AM

Hi Copnas,
Thanks for your reply. Are you talking about getdataback - ? If not, then please provide me its web address.

copnas 10-26-2011 at 07:52:03 AM

Actually I was talking about this:

pritish 11-03-2011 at 01:15:51 PM

Thanks Copnas for your answer. But this software also not giving all data back.

hang-the-9 11-03-2011 at 03:16:38 PM

Best answer

There is no software that will restore everything.

Recuva is a good one to try also, but the issue is that you ran more than just a simple format on the drive. The option you picked sounds like it actually wipes the data off the disk, or it would not be running for 9 hours. The only type of erase that runs that long is one that makes the data almost impossible to recover. And when I say "almost", I don't mean you'd be able to do it yourself. You'd have to bring it in to a data recovery specialist to work on, which would be pretty pricy.

pritish 11-05-2011 at 09:45:00 AM

Hi hang-the-9,
Thanks a lot for your suggestion. Yes, I also feel the same. Can you please give me few names of data recovery specialists? Also give me rough idea about the price. I'll be thank full to you for that.

hang-the-9 11-08-2011 at 03:45:04 AM

pritish wrote :

Hi hang-the-9,
Thanks a lot for your suggestion. Yes, I also feel the same. Can you please give me few names of data recovery specialists? Also give me rough idea about the price. I'll be thank full to you for that.

Need to find something in your area, I'm guessing you're not in the US based on your username.

Prices can get high depending on what needs to get done, would be a few hundred dollars to start with and can head up from there.

Where I work we spent about over $4,500 recovering data from 2 500gig drives, but that was mechanical failure. Your disk wipe could be more expensive, they'd have to read the old magnetic signature of the files, if anything remains on the disk after the wipe, bit by bit.

[Mar 15, 2010] ms-sys 2.1.5

ms-sys is a Linux program for writing Microsoft compatible boot records. The program does the same as Microsoft's "fdisk /mbr" to a hard disk or "sys d:" to a floppy or FAT32 partition, except that it... does not copy any system files (only the boot record is written)(more)

[Feb 16, 2010] NTFS Disk Recovery HowtoForge - Linux Howtos and Tutorials

The idea is to create image using ddrescue, then mount it on a virtual XP machine and try to fix it.

Normally, dd takes a while to make a disk image but we get a disk error almost immediately and dd aborts. Fortunately there is ddrescue, actually there are two ddrescue programs, we are using the GNU ddrescue program. ddrescue works almost exactly like dd, except that it is intended to work on faulty drives and can compensate for disk errors. ddrescue does not come on the live CD and is not available in the APT repository, but we can download it from the web, place it in the already mounted nfs share and install it from there.

LiveCD$ sudo dpkg -i gddrescue_1.11-1_i386.deb
LiveCD$ sudo ddrescue -v /dev/sda mary_inspiron_6000.img mary_inspiron_6000.log

ddrescue successfully images the disk. The next task is to make a copy of the disk image so that, in the event that an attempt to fix the disk image goes bad we can, at least, get back to this point with a minimum of effort. We will do all our work on the image (mary_inspiron_6000.img), and keep the original (mary_inspiron_6000.img.orig) untouched as an archive and reference.

LiveCD$ cp -p mary_inspiron_6000.img mary_inspiron_6000.img.orig

Now comes the fun part, looking to see what we can save.

Recovery goes surprisingly well, with one exception that I'll detail later. I mount the working image (mary_inspiron_6000.img) as the d drive on a virtual Windows XP machine I have set up for disk recovery and run a variety of tools against it.

diskpart gives information on the disks and their partitions on Windows XP

... ... ...


Setting Up An NFS Server And Client On Debian Lenny
Ddrescue - Data recovery tool
Virtualization With KVM On Ubuntu 9.10
Troubleshooting Disks and File Systems
USB 2.0 to SATA/IDE Hard Drive HDD CD-Rom 3.5/2.5 Converter Adapter Cable
Selected Comments

Why don't use SRC?

Submitted by FErArg (not registered) on Sat, 2010-02-13 20:15.
Why do you didn't use System Rescue CD?

This live distribuiton has everything you need to rescue Linux or Windows disk/partitions, recover/cretae disk/partition images, etc.

- NFS Client/Server
- PartImage
- GParted
- and a VERY LONG etc.


ddrescue in the APT repository?

Submitted by Hans Bausewein (not registered) on Sat, 2010-02-13 19:28.
ddrescue not available in the APT repository? Maybe not on Ubuntu, but Debian definitely has it:

A Comment on your 3rd step:

Submitted by PĂ©tur Ingi (not registered) on Fri, 2010-02-12 23:39.
A Comment on your 3rd step: I've managed to recover data from _extremely_ corrupted drives by running GetDataBack NTFS (A Windows application) on the .img file created by dd/ddrescue.

Why not mention testdisk?

Submitted by Anonymous (not registered) on Fri, 2010-02-12 19:22.
Why not mention testdisk? It has the ability to recover files from an unmountable drive (or even a formatted one)

NTFS Disk Recovery

Submitted by Anonymous (not registered) on Fri, 2010-02-12 18:46.
When you say:

"...I mount the working image (mary_inspiron_6000.img) as the d drive on a virtual Windows XP machine..."

What do you mean exactly? The IMG file created by ddrescue is mounted under Windows XP using a virtual drive emulator, and which is that? What virtualization software did you use (Virtualbox...)?

NTFSresize and Parted

Submitted by Yochai (not registered) on Fri, 2010-02-12 17:19.
I do professional data recovery using linux. GNU ddrescue is a godsend. One thing I would like to mention though: rather than using diskpart to grow the partition, I suggest using parted/gparted or ntfsresize (part of ntfsprogs). they both work very well and can be run on images or disks.

[Jul 15, 2009] safecopy 1.4

safecopy is a data recovery tool which tries to extract as much data as possible from a seekable but problematic (i.e., damaged sectors) source like floppy drives, hard disk partitions, CDs, etc., where other tools like dd would fail due to I/O errors.

[Aug 11, 08] The Blog of Ben Rockwood/Drive Recovery 101

About 6 years ago or so I got tired of fixing problem with Tamarah Windows/Linux box and decided to pay the money for a 15" PowerBook. It was an excellent investment, she could work on the couch, no more lockups and reboots in Windows or mysterious "Bennnnnnn!" problems in Linux. Since then she's upgraded to a black MacBook, and when I joined Joyent they provided me with a MacBook Pro (which I'm typing on now). So far each of these 3 laptops has lost at least one drive. Since we've fallen in love with iTunes and iPhoto these drive failures have been a major blow, and prior to Leopard's TimeMachine we didn't do regular backups.

This post will refer solely to drives for personal use. In the datacenter you should be using RAID and/or backup or redundancy method in which case a single drive failure isn't something you waste time trying to analyze or fix.

I've run into 3 major types of drive failure:

  1. PCB Failure: A case in which the PCB has been "fried". This happened dramtically once when connected an IDE drive to a system and let the disk rest, upside down, ontop of the case. It ran fine for aminute and then pop/spark there was a hole burned in a chip on the PCB. In this case the only solution is to go to eBay and buy an identical drive and swap the PCB.
  2. Click of Death: This means catastrophic damage to a drive. The head is unable to position itself or read data and sweeps the platters in a sort of seizure. This is the sort of problem that likely requires you to open the drive or spend big bucks.
  3. Damaged Cylinders: This is the kind of problem where the drive seems fine, mounts up and you can read for a bit and then hits some area of the platters where it freaks out and eventually spins up and down. This is most clearly seen when you image the drive with dd and it hits some point and exits on max retries.

Information on drive forensics and recovery is sparse. You tend to get one of three answers:

  1. "d00d, totally put it in the freezer and then try it!" Variations come based on how you should protect against condensation, the best I've heard is to pack the drive in minute-rice.
  2. "Send it to DriveSavers" (or other) This is super expensive, anywhere from $600 up beyond $2,000. You send them the failed disk and optionally a new drive to restore to. This can take weeks and is only for super extreme cases.
  3. "Just download tool xyz.." There are lots of various software solutions for do-it-yourself drive recovery, most are old DOS based programs recommended on forums populated largely by Windows users.

In my most recent failure, the drive died one day for seemingly no reason. There was no impact or horror story, the OS just locked up, I rebooted and the OS would start to load and then just drift into an infinite slumber. I went through the painstaking process of replacing the drive in my MacBook Pro and re-installed everything from scratch. Once back up and running I put the old drive in a USB enclosure and attempted to image it using dd. Every attempt it would get 19GB into the drive and then give up.

This kind of problem is the easiest to deal with. There are special versions of dd, namely GNU ddrescue, which is just like dd, but instead of failing on bad blocks will track forward after a number of retries untill its read the whole disk, for better or worse.

In the case of my MacBook Pro drive I attached the USB enclosure to my OpenSolaris box, installed ddrescue, and imaged the drive to a file. Of the 80GB drive the tool reported that I lost about 250MB. I then created a ZFS ZVol of 80GB, used traditional dd to copy the image file into the volume, and then exported as an iSCSI target using iscsitadm. Using the globalSAN iSCSI Initiator for OS X I mounted the iSCSI Target, and used OS X "DiskUtility" to verify and repair the HFS+ Volume. All went well and I could then mount the volume and extract data. w00t!!! iSCSI Rules!

The tale of Tamarah's MacBook drive didn't end so happily. I had a backup of her laptop but it was really old. Glenn, our son, grabbed the laptop on the table sending it crashing to the tile floor below, hitting on the corner where the drive sits. The laptop was fine, but the drive was toast. After a Mac Genious showed us how to replace the drive I bought a new disk at Fry's and got things installed and running again, but the drive contained a lot of projects she wanted, and is commonly the case, when I showed her the data from the old backup she was uncertain as to whether it was enough. This is a big problem of the "unknown", when all your stuff is in one place you commonly forget what exactly is there.

I tried the USB enclosure trick but the drive wouldn't even spin up... click of death. Given the sensativity of the data I didn't want to go Rambo on the disk and so we sat down and had a serious discussion about whether or not it was worth having sent to a drive recovery company. The look on her face was enough to tell me what to do, and despite her guilt over the cost I sent it in. After a week and a half, the answer came back "nothing we can do". The tech was friendly and we had a good discussion about drive recovery, but long story short there was no hope and we were out $800. Frankly, for a lot of people that money is well spent because at least you exhausted all avenues, morn and get on with it.

When it comes to hardcore "swap the platters" style repair things get dicey. As simplistic as hard drives seem there are a lot of gotchas that you won't be aware of until its too late. This is where Scott Moulton of comes in. Scott has done two presentations, both found on YouTube that provide a solid background for the black-art of hardcore drive recovery used by most of the big bucks recovery companies.

[Sep 9, 2008] GNU ddrescue 1.9-pre1 (Development) by Antonio Diaz Diaz

About: GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. GNU ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps. The basic operation of GNU ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc. If you use the logfile feature of GNU ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.

Changes: The new option "--domain-logfile" has been added. This release is also available in lzip format. To download the lzip version, just replace ".bz2" with ".lz" in the tar.bz2 package name.

[Sep 9, 2008] safe-rm 0.3 by Francois Marier

About: safe-rm is intended to prevent the accidental deletion of important files by replacing /bin/rm with a wrapper which checks the given arguments against a configurable blacklist of files and directories that should never be removed. Users who attempt to delete one of these protected files or directories will not be able to do so and will be shown a warning message instead. Protected paths can be set both at the site and user levels.

Changes: This release fixes a bug which caused safe-rm to skip the full blacklist checks when dealing with certain files and directories in the working directory. Previously, unless the argument you passed to safe-rm contained a slash, it would not get the real (absolute) path of the file before checking against the blacklist.

[Aug 3, 2008] How to recover lost files after you accidentally wipe your hard drive By Shawn Hermans

Aug 28, 2006 |

After the overwhelming feeling of dread passed, I started to look into file recovery options. I demoed a variety of commercial products to see if any of them could find my lost files or partitions. Nothing seemed to work. Finally, I discovered TestDisk and PhotoRec, and was able to use the latter to recover my lost files.

TestDisk can recover lost partitions of virtually any filesystem. PhotoRec can recover files of most types, including most picture and video formats. PhotoRec can be used on existing partitions, or can be used to recover files on deleted partitions without having to recover the underlying partitions. Both PhotoRec and TestDisk can be run on DOS, Windows (9x, NT, 2000, XP, 2003), Linux, FreeBSD, NetBSD, OpenBSD, Sun Solaris, and Mac OS X, and, their developers claim, can be compiled and run on most Unix systems.

The recovery

I began my attempt at recovery by using TestDisk run from a Knoppix CD. Unfortunately, I had already overwritten the partition table, and an exhaustive search of the hard drive for lost partitions yielded too many results. I decided to use PhotoRec instead to recover my lost files.

PhotoRec recovers files by finding deleted files and copying them to disk. This means that files should not be recovered to the same disk partition on which the deleted files reside (unless you're recovering from a disk image file), because that could lead to the deleted data being permanently overwritten.

Another important thing to remember is that PhotoRec will most likely recover a lot of files. This means that the partition on which the recovered files are to be stored should have at least as much free space as the size of the partition on which PhotoRec is searching for recovered files.

Possible setups for recovery include:

  1. Recover the files to a separate hard drive.
  2. Recover the files to a networked storage drive.
  3. Recover the files to a separate partition on the same hard drive.
  4. Image the hard drive using a tool like ddrescue and recover files using only one partition.

As I had completed erased my partitions, I could not use the third option. The second option introduces problems associated with network speed and latency. The fourth option is worth considering in the case of an incident response where the image of the hard drive is used as evidence.

I chose the first option, and installed two hard drives in a single computer. I divided the hard drive used to recover files into two major partitions; the first partition held the operating system (CentOS 4), while the second partition was set up to hold the recovered files. Partitioning in this manner is an extra precaution to prevent PhotoRec from halting the system by writing more files than the storage space allows. Another option is to run the operating system off a live CD such as Knoppix, which contains the TestDisk and PhotoRec utilities.

You can download both PhotoRec and TestDisk in a single archive file. The files photorec_static and testdisk_static are the executable files, and can be executed from the command line.

Make sure that the recovery partition is mounted (I mounted it at /var/recovery). Don't mount the hard drive that contains the deleted files; if the partition remains unmounted, you can't overwrite the data it contains.

Recovery steps

PhotoRec recovers files to the directory from which it is run. Therefore, I changed into the /var/recovery directory and ran photorec_static. If the PhotoRec executable does not run with this command, make sure that you either copy the executable to the /usr/bin directory or type in the full path where the program resides.

The PhotoRec interface is easy to understand. At the initial screen, you select the hard drive you wish to recover. In my case, it was /dev/hdb.

Select a media (use Arrow keys, then press Enter):
Disk /dev/hda - 200 GB / 186 GiB (RO)
Disk /dev/hdb - 160 GB / 149 GiB (RO)
Disk /dev/hdc - 120 GB / 111 GiB (RO)
Disk /dev/hdd - 296 MB / 282 MiB (RO)

[Proceed ]  [  Quit  ]

Next, you select the partition type. In my case, I selected an Intel/PC partition.

Disk /dev/hdb - 160 GB / 149 GiB (RO)

Please select the partition table type, press Enter when done.
[Intel  ]  Intel/PC partition
[Mac    ]  Apple partition map
[None   ]  Non partitioned media
[Sun    ]  Sun Solaris partition
[XBox   ]  XBox partition
[Return ]  Return to disk selection

Note: Do NOT select 'None' for media with only a single partition. It's very
rare for a drive to be 'Non-partitioned'.

The next screen listed the partitions on the hard drive. I wanted to recover partitions on the whole hard drive, so I selected the first option. However, before selecting this option, I needed to go to the [File Opt] menu to select which type of files I wanted to recover.

Disk /dev/hdb - 160 GB / 149 GiB (RO)

     Partition                  Start        End    Size in sectors
   D empty                    0   0  1 19456 254 63  312576705 [Whole disk]
 1 * Linux LVM                0   0  2 19457  80 63  312581807

[ Search ]  [Options ]  [File Opt]  [  Quit  ]
                              Start file recovery

PhotoRec can recover a variety of files, but I only wanted to recovery Word documents, AVI video files, JPG picture files, and MPEG video files. I selected the appropriate boxes.

PhotoRec will try to locate the following files

[ ] dbf  DBase 3, prone to false positive
[X]      FAT subdirectory
[X] doc  Microsoft Office Document (doc/xls/ppt/vis/...)
[X] dsc  Nikon dsc
[X] eps  Encapsulated PostScript
[ ] exe  MS executable
[X]      EXT2/EXT3 Superblock
[X] gif  Graphic Interchange Format
[X] gz   gzip compressed data
[X] jpg  JPG picture
[X] mdb  Access Data Base
[X] mov  MOV video
[X] mp3  MP3 audio (MPEG ADTS, layer III, v1)
[X] mpg  Moving Picture Experts Group video
[X] mrw  Minolta Raw picture

[  Quit  ]
                              Return to main menu

After you select the file types, go back to the previous screen and begin the scan of the hard drive. The scanning process is automated; on my machine it took a few hours to complete. Once PhotoRec is finished, the recovered files will be in multiple directories of the form recup_dir.x where x is the number of the directory. The files within these directories will not contain the names of the original files; instead, they are numbered to indicate the order in which the file was recovered, and an extension that indicates the file type. For example, f89.avi is the 89th file recovered and is an AVI file.

Post-recovery cleanup

While all of my files were recovered, I had many files on my hard drive. Manually examining each file would be time-consuming and tiresome. I created three folders within the /var/recovery directory named VID/, DOC/, and JPG/, into which I sorted the files using the commands:

find /var/recovery/ -name "*.avi" | xargs -i mv {} /var/recovery/VID/

find /var/recovery/ -name "*.mpg" | xargs -i mv {} /var/recovery/VID/

find /var/recovery/ -name "*.jpg" | xargs -i mv {} /var/recovery/JPG/

Although all the files are sorted into folders of the same type, the sorting was far from over. Before my accident, my hard drive contained more than 10,000 pictures, each around 2MB in size. During the recovery process, PhotoRec recovered all the pictures it could find -- including picture files from the Web browser cache. This meant it brought back a lot of unwanted files. To eliminate most of the picture files from miscellaneous sources, I moved files smaller than 1MB to a folder called SMALL, which I kept until I was satisfied that none were of interest. I moved the files to the folder using the command:

find /var/recovery/JPG/ -name "*.jpg" -size -1024k | xargs -i mv {} /var/recovery/SMALL/

PhotoRec does not recover the file names of recovered files, but luckily my recovered picture files contained EXIF metadata such as the time and date the picture was taken and the camera make and model. I used the Jhead command-line utility to extract this metadata. In the JPG folder I ran the command:

jhead -n%Y%m%d-%H%M%S *.jpg

This command renames all files with the jpg extension with its time/date stamp in the format YYYYMMDD-HHMMSS.jpg. Any files with the same time and date stamp are named in the format of YYYYMMDD-HHMMSSx.jpg, where x is a lower-case letter that increments for each duplicate time/date stamp found. Given that these pictures were all taken on the same digital camera, any pictures with the same time/date stamp should be the same picture. I moved duplicates to a folder called DUPS using the command:

find /var/recovery/JPG/ -name "*a.jpg" | xargs -i mv {} /var/recovery/JPG/DUPS/

Once I had the files labeled with the time/date stamp, I could sort them into folders according to their year and month.

If I had included keywords or comments in the picture files, I could have used libextractor to extract keywords from the JPEG files and sort the files into folders using those keywords. Alas, this was not the case, so I had to spend hours sorting the pictures manually into folders after the recovery. I did however use libextractor on my AVI files to determine information regarding the codec, frame-rate, and resolution of those videos.

[Jul 22, 2008] UNDELETED by Ralf Spenneberg

Linux Magazine Online

Modern filesystems make forensic file recovery much more difficult. Tools like Foremost and Scalpel identify data structures and carve files from a hard disk image.

IT experts and investigators have many reasons for reconstructing deleted files. Whether an intruder has deleted a log to conceal an attack or a user has destroyed a digital photo collection with an accidental rm ‑rf, you might someday face the need to recover deleted data. In the past, recovery experts could easily retrieve a lost file because an earlier generation of filesystems simply deleted the directory entry. The meta information that described the physical location of the data on the disk was preserved, and tools like The Coroner's Toolkit (TCT [1]) and The Sleuth Kit (TSK [2]) could uncover the information necessary for restoring the file. Today, many filesystems delete the full set of meta information, leaving the data blocks. Putting these pieces together correctly is called file carving – forensic experts carve the raw data off the disk and reconstruct the files from it. The more fragmented the filesystem, the harder this task become.

[Aug 26, 2007] How To Use NTFS Write Support (ntfs-3g) On Fedora 7

Write access to NTFS permits some using it virtual machines

"Normally Linux systems can only read from Windows NTFS partitions, but not write to them which can be very annoying if you have to work with Linux and Windows systems. This is where ntfs-3g comes into play. ntfs-3g is an open source, freely available NTFS driver for Linux with read and write support. This tutorial shows how to use ntfs-3g on a Fedora 7 desktop to read from and write to Windows NTFS drives and partitions.

See also:

How To Use NTFS Drives/Partitions Under Ubuntu Edgy Eft
Our-Picks: Access Your Linux Partitions Under Windows(Mar 05, 2007)

[Jan 26, 2007] Help! I can't retrieve my honeymoon photos from my memory card!by Lee Koo (ADMIN)

CNET Community Newsletter Q&A Forums


I need your help desperately. I have an xD-Picture Card (memory card) that I'm trying to retrieve my photos from. Normally I just insert the card into my card reader and transfer the photos to my computer. However, this time when I inserted the card into the card reader, it froze my PC so I had to do a cold reboot to get it going again. Once rebooted, I tried numerous times trying to get the PC to read the card, but was unsuccessful. So I tried it on another computer and it also failed to be recognize the reader and the content on the card also. My last attempt was connecting the camera to the computer and retrieving using that method, but every time I insert the memory card into the camera, the camera would display "Card error" and proceed to ask if I want to format. Reformatting is not an option. All I want is to be able retrieve my precious photos from my honeymoon in the Caribbean. Are there any other methods--software or hardware that I use to try to retrieve these photos safely? Please help, any recommendations or advice will be appreciated!

Submitted by: Irene D.



Hi Irene, you have my sympathies--this is my worst nightmare. There are a couple of techniques I use to mitigate these kind of disasters. I tend to use several smaller capacity memory cards, rather than one big one - at least that way, if the worst happens, I only lose a small portion of my pictures. Also, whenever possible, I take a laptop with me and download my images at the end of each day. Of course, none of this helps with your current problem.

Health warning! I've never had to recover a memory card in anger personally, so I can't give a definitive answer; only suggest actions you might want to try.

Be VERY careful from here on in; you don't want to compound the problem. This is especially important, because xD memory cards (I use them) don't have a write-protect switch like some SD cards do, so you must double-check that any method you use to try to access the card is READ ONLY.

Looking at your post, there are a number of possibilities for the error. When you download images from the card, do you copy them to your PC or move them? I would always recommend copy, and delete them from the card when you have a verified copy on your hard disk. If you move them, you are effectively writing to the card and if you get an error, the card's Partition Table or File Allocation Table may be corrupted. This can happen if you are copying and get a hardware error but it is much less likely.

Anyway, since your camera is detecting an error and suggesting a reformat, it sounds as if the FAT is damaged. It may be possible to overcome this if you can access the card on a PC - the embedded operating systems in digital cameras are less forgiving because they don't have as much space for error recovery routines. You are absolutely right not to reformat the card. Your strategy at this stage is not to modify the card in any way while you try to get the images off it.

The other point in your post that is of concern is "So I tried it on another computer and it also failed to be recognize the reader and the content on the card also."

The piece that concerns me is that the other computer "failed to recognise the reader". That would suggest that maybe the card reader has developed a fault - this could explain why your original PC hung up and how the card came to be damaged. Do you have a spare card (with nothing on it) to try in your reader or do you know anyone who also has an xD compatible card reader? If so, try to read the card in their reader. You might be lucky and be able to copy the pictures off but likely not. Success here would be for the card to be recognised on the computer, albeit with the errors.

If you can access the card, then there is a plethora of software tools that may be able to recover the data - Some work by ignoring the errors in the FAT etc., and do a low level scan of the card for readable logical sectors and try to reassemble the images. They then allow the successful ones to be copied to the hard disk. Others attempt to dump the whole memory card on to the hard disk and then carry out a similar process there. There are Freeware programs available and a lot of commercial ones, most of which have a free or trial download available so you can see if they will be able to recover the images before you buy them. I've included a few links here but you can Google many more:
Download and Free Trial
Free Demo USD 27 to buy
German site, English text

I would also recommend you take a look at which is a discussion forum for this topic. Some of the links on the site are dead but there are some useful ones, e.g.

that are helpful. The site helps to understand the problems you may encounter as well as suggesting possible approaches to recovery.

Let me repeat, though, make sure that any of the tools you try are READ ONLY - the descriptions say if they are - if it doesn't say, assume they are not.

OK, so what if that doesn't work? Your next recourse would be to one of the specialist companies that attempt data recovery. Again, there are a lot around, I've included a couple of links but these are for UK companies which may or may not be of use, depending where you live. (Mail in Service)

Be aware that these companies cannot guarantee success but if they can't retrieve the data, probably nobody can. Also be aware that they can be expensive - always get a quote from 2 or 3 before you buy. For irreplaceable pictures, such as yours, of course, you may consider the cost well worth it. Many of these companies offer a phone-in diagnostic chat, where you can discuss the specifics of your problem and they can give a more informed opinion.

Finally, you could try your local photolab, where they may be able to print your pictures - you'd need to scan them in again but better than a total loss. Chances are that the print machine will have the same problem reading your card, though, that your camera has.

A note of caution. Many of the recovery products claim to be able to recover images from reformatted cards. Theoretically, it might work with some cards and cameras but I have done a few tests with my camera (a Fujifilm Finepix S304) with three of the recovery programs. In all cases, if the files were deleted, they were able to recover them. BUT and it is a BIG BUT, NONE of them were able to recover the images from a reformatted card. Now this may be because my Fuji camera creates a three level directory structure when it reformats a card and the recovery programs can't interpret this correctly but obviously, I can't recommend this method. Olympus cameras, that also use xD cards, may be different.

If everything else has failed and you are facing a total loss, you might want to consider risking it. If you do, I'd definitely recommend you experiment with a spare card before you even think about touching your damaged card.

Good luck and I do hope you are able to recover at least the majority of your precious photographs.

Submitted by: Sav. M. of the United Kingdom

Failing Disk Imagers

The first step to carry out for an obviously or suspected failing disk is to copy the whole contents before it fails completely. The freeware below is probably all you need for this purpose. Commercial Solutions won't be much better. Especially try PC INSPECTOR

LISA 2001 Paper LISA 2001 Paper about RUF

This paper describes a utility named ruf that reads files from an unmounted file system. The files are accessed by reading disk structures directly so the program is peculiar to the specific file system employed. The current implementation supports the *BSD FFS, SunOS/Solaris UFS, HP-UX HFS, and Linux ext2fs file systems. All these file systems derive from the original FFS, but have peculiar differences in their specific implementations.

The utility can read files from a damaged file system. Since the utility attempts to read only those structures it requires, damaged areas of the disk can be avoided. Files can be accessed by their inode number alone, bypassing damage to structures above it in the directory hierarchy.

The functions of the utility is available in a library named libruf. The utility and library is available under the BSD license.


There are many important reasons for being able to access unmounted file systems, the prime example being a damaged disk. This paper describes a utility that can be used to read a disk file without mounting the file system. The utility behaves similar to the regular cat utility, and was originally named dog, but was renamed to ruf for reading unmounted filesystems to avoid a name conflict with an older utility.

In order to access an unmounted file system, the utility must read the disk structures directly and perform all the tasks normally performed by the operating system; this requires a detailed understanding of how the file system is implemented. Implementing this utility for a particular file system is an interesting academic exercise and a good way to learn about the file system. The original work on this utility was in fact done in Evi Nemeth's system administration class.

Crash Recovery Kit for Linux


Linux Today - NewsForge Linux to the Rescue A Review of Three System Rescue Cds

[Nov 8, 2005] Linux Journal/How a Linux Distro Saved Hard Disk Data Linux Journal

Rather strange article that still contains useful info. especially in user comments section. Actually there are several partition boundary finders. so dd is not necessary, but the idea of using a universal tool is not without its merits.
My friend's e-mail went on to explain:

The original configuration was Windows 98SE with GoBack installed. GoBack is a utility that is supposed to help disaster recovery by rolling back to earlier checkpoints. I disabled GoBack and set up a dual boot of Windows98 and XP on her PC since my daughter wanted to run a school program that only works on XP. Unfortunately, the school program did not work. So I deleted the XP partition with Partition Magic 7 and disabled the BootMagic. Then I re-enabled GoBack. Everything seemed to work fine for a couple of weeks.

Murphy's law dictates that disaster would strike while I was in Toronto. Norton SystemWorks was scheduled to run on Friday nights. No problem during the first couple of weeks. But when I was visiting my brother last week in Toronto, Norton reported a lost cluster. My daughter OKed the fix and, from that time on, the system would not boot.

In particular, when booting from the hard disk drive (HDD), the NT Loader (NTLDR) wasn't found. Trying to boot win98 from floppy produced a message about no FAT or FAT32 partition being found. Diagnostic programs pronounced the hardware healthy. My friend continued:

To my horror, I found that GoBack wrote on the MBR (Master Boot Record) using its proprietary format. The disk was originally divided into 4 partitions. But GoBack made the whole disk appear as a single partition of 40GB now since the software cannot access the partition tables in the MBR.

As sometimes happens, the vendor's recovery instructions didn't work. My friend was a little desperate, and I thought I could help, so I accepted the challenge. He told me that if we could recover only the files in the "data" partition, that would be enough: "I told her to back up her data every week, but...". You know the rest. Anyway, my friend handed over the disk drive, and I considered how to make use of tools I had on hand to help him out.

Can My Extra Linux PC Read the Drive?

I was lucky enough to have a "spare" desktop PC, which had been rescued from the dumpster a few months before. From loading SuSE 8.0 on it, I remembered that the hard drive was on /dev/hda (IDE0 "master") and a CD-writer was at /dev/hdc (IDE1 "master"). (See Sidebar 1 below for a brief review of IDE addressing.) This setup was good, because it meant two IDE ribbon cables were in the box--one for IDE0 and one for IDE1--and one might have a spare connector in a convenient physical location.

... .... ....

So, what did fdisk think of my friend's HDD?

 % sudo fdisk -l /dev/hdd Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start End Blocks Id System /dev/hdd1 * 1 5005 40202631 44 Unknown % 

Sure enough, it found a single partition of type 0x44. I was unable to find any reference that explained this type of partition. I then examined the partition table directly.

 % dd if=/dev/hdd bs=512 count=1 | od -x ... 0180 0000700 0001 fe44 ffff 003f 0000 e30e 04ca 0000 0000720 0000 0000 0000 0000 0000 0000 0000 0000 * 0000760 0000 0000 0000 0000 0000 0000 0000 aa55 

The infamous od program prints 16-bit quantities as big-endian "short" ints. Because x86 architecture is little-endian, I should not have used od. I would have done better to issue hexdump -C. Then, the offsets would have been in hex rather than octal, and the bytes would have been printed one at a time.

That said, let's dissect this partition table. It has only one entry, at bytes 0676-0715 (0x1be-0x1cd), with contents

 80 01 01 00 44 fe ff ff 3f 00 00 00 0e e3 ca 04

Looking at a site that describes the partition table, such as this one, we see the breakdown is:

 80: bootable flag (YES) 01,01,00: starting C/H/S 44: filesystem descriptor fe,ff,ff: ending C/H/S 3f,00,00,00: starting logical sector (32-bit) 0e,e3,ca,04: ending logical sector (32-bit)

where the starting C/H/S is head 1, sector 1, cylinder 0, and the ending C/H/S is head 0xfe (254), sector 0x3f (63), cylinder 0x3ff (1023). The cylinder number is suspicious, because all available bits are set to 1. I guess that's what happens when you try to represent cylinder number 5004 in ten bits. (Sidebar 2 contains a brief refresher on C/H/S addressing; Wikipedia probably has a better one.)

Looking at the 32-bit logical sector numbers shows that the disk should have 0x04cae30e (80405262) sectors, which exactly matches the 40202631 blocks of "1K" or 1024 bytes each that are shown above.

Sure enough, this partition table was useless. It should have been simple enough to fix using fdisk or cfdisk or sfdisk. The old fdisk is my favorite, but that's only because I'm a dinosaur; you don't have to follow my example. All I needed was the original cylinder numbers, and I could just plug them in.

Do you remember this bit of advice your distro's installation manual: "Keep a hardcopy of your output from fdisk -l"? This situation is exactly why you're advised to save that printout. If that information had been available, a few commands could have restored everything on my friend's HDD.

When No Cylinder Numbers Are Available

But, of course, the cylinder number information wasn't available, as I soon found out from my friend:

Windows does not give you the cylinder and block numbers. The original first partition C was 8G. I think I shrank it to 6G (or 4GB) and created an XP partition of 2G (or 4GB). Then I deleted the XP partition but did not expand the C partition back to original due to lack of time (I had to leave her apartment). The second partition D (for applications) is 8G. The third one E (for data) is 2G. Then the rest 20G for drive F (for multimedia).

What to do? Should I add up the amount of space my friend told me and pray that the partition began right there? This option didn't seem safe to me. Although the data partition probably began about 16GB from the start of the disk, I didn't know if a GB here was 1000MB or 1024MB? For that matter, what's an MB--1000KB or 1024KB? Worse, my friend's memory of partition sizes didn't seem to be 100% rock solid either.

I was hoping that there might be a telltale sign at the beginning of each FAT partition. I wasn't sure what exactly to look for, although I knew each partition had a "boot sector" containing the filesystem parameters, such as the super block of ext2 and other filesystems. But what did it look like?

Figuring that I'd have to look at a lot of sectors, I hacked together a script, which would print out the contents of

 * head 0, sector 0 * head 0, sector 1 * head 1, sector 0 

I chose these because the partition's boot sector probably would be in one of those positions in some cylinder or another. At this point, I must apologize because I refer to the first sector as 0, whereas traditionally it's referred to as 1.

The first 3,000 cylinders would cover over 20GB, which ought to include completely the desired data partition. The script deduces the size of each track and cylinder by looking at the fdisk output. I stored the results in a rather large disk file, where I was hoping to find some commonalities regarding where each partition was likely to begin. Then, I hoped, it would be obvious exactly where partition E began, as that was the important one. Anyway, here's the script:

 #!/bin/bash cyl=0 # let's start at the very beginning disk=/dev/hdd climit=3000 # about 3/5 of the disk # I am gonna take it for granted that the disk sector size is "1b" or 512. SECTS=`fdisk -l $disk | sed -n '/^Disk/s/^.* \([1-9][0-9]*\) *sector.*$/\1/p'` CYLSIZE=`fdisk -l $disk | sed -n '/^Units/s/^.*cylinders of *\([1-9][0-9]*\) *\*.*$/\1/p'` ((count=SECTS+1)) echo on disk $disk, cylinder size is $CYLSIZE blocks echo I am going to make $climit passes, each time reading $count sectors echo and printing sectors 0, 1, and $SECTS echo 'Is this OK? Hit ctrl-C if not.' read X echo -n 'OK, abandon hope all ye who proceed. Start in five seconds.' sleep 5 echo Done. while [[ $cyl -lt $climit ]] ; do ((skip=cyl*CYLSIZE)) dd if=$disk of=/tmp/x bs=1b skip=$skip count=$count 2>/dev/null echo Cylinder $cyl sector 0: dd if=/tmp/x bs=1b count=1 conv=swab 2>/dev/null | od -Ax -x dd if=/tmp/x bs=1b count=1 2>/dev/null | od -Ax -c echo Cylinder $cyl sector 1: dd if=/tmp/x bs=1b skip=1 count=1 conv=swab 2>/dev/null | od -Ax -x dd if=/tmp/x bs=1b skip=1 count=1 2>/dev/null | od -Ax -c echo Cylinder $cyl sector $SECTS: dd if=/tmp/x bs=1b skip=$SECTS count=1 conv=swab 2>/dev/null | od -Ax -x dd if=/tmp/x bs=1b skip=$SECTS count=1 2>/dev/null | od -Ax -c ((cyl=cyl+1)) done > out 
Looking at the potential boot sectors on my friend's disk, I found out that I was very lucky. Not only was there a boot sector at each partition, there was another partition table at each partition. These partition tables announced their presence by the tell-tale byte pattern 55,AA at the end of the sector. The swab in the script means I could search for 55AA *$ in the file and see exactly where this nice pattern was located.

According to Werner Almesberger's excellent LILO User's Guide, this is what happens when all partitions are logical partitions. His guide, which contains a detailed description of the disk layout, is located at /usr/doc/packages/lilo/ on my distribution. Or you can Google on "lilo user guide", without the quotes, of course.

If the disk had been repartitioned many times, I might have found a bunch of residual 55AAs lying around. Instead, I found only one extra occurrence--where my friend had deleted the XP partition.

The partition table closest to 16GB from the beginning of the disk happened to be 2073 cylinders in. From the fdisk output above, a cylinder is 16065 * 512 bytes. So 2073 cylinders is fairly close to 17GB, if a GB is 1000*1000*1000 bytes:

 % dc 2073 512* 16065*p 17051005440 

But if a GB is 1024MB, and if an MB is 1024KB, then 16GB would be

 16 1024*1024*1024*p 17179869184 

This seemed about right. Looking at the partition table, I discovered that the partition began 33302808 sectors from the start of the disk. This works out to 63 sectors from the beginning of cylinder 2073, or cylinder 2074 if you start counting with cylinder 1.

The size of the partition, translated into decimal, was 2040192 sectors. This works out to be 63 sectors shy of 127 cylinders. That is, 127 * 16065 - 63 = 2040192. So it looked like my friend's E drive occupied 127 cylinders. But I wasn't 100% sure this was true, and I didn't want to write on his disk until I was 100% sure.

Another thing: as alert readers may have noticed, 2040192 sectors works out to about 1GB for the size of the E partition, rather than the 2GB my friend remembered.

Performing a Sanity Check

From here, I copied out a subset of the disk onto a spare area on my disk, something like this:

 # dd if=/dev/hdd of=/extra/diskimage bs=512 skip=33302808 count=2040192 # mount -t vfat -o ro,loop /extra/diskimage /mnt # ls /mnt 

And it worked! This step provided me with a sanity check without actually writing on the disk drive. I even ran a du and sent the results to my friend. He was very encouraged that I was able to get to this point.

Burning a Windows-Visible CD

I burned a Windows-visible CD from the data on the partition, but I had trouble with one file. It had a very long name, well beyond the 64-character limit on the Joliet extension.

At the time, I don't think I knew about the -joliet-long option to mkisofs. Anyway, I told mkisofs to hide that file from the Joliet directory and then e-mailed the file to my friend separately, using mpack(1).

Exactly how did I burn the Windows-visible CD? True confession: I don't remember. But the process probably was similar to the way I described in this earlier article.

Not being completely confident in my ability to burn a Windows-visible CD, I took the CD with me to the office, where the corporate Windows laptop was able to read it just fine. I e-mailed my friend a Windows Explorer screenshot and told myself that even if I later trashed the disk drive, at least I had the CD to give him.

Fixing the Partition Table on the Hard Drive

My friend was delighted that his daughter would soon have her data back. He told me that if I was short on time--and I was--that it would be enough simply to get the data partition back. So I contented myself with only partitioning the drive that far.

Remembering that fdisk numbers the cylinders starting at 1 rather than 0, I told the HDD to

  1. delete the old 0x44 partition
  2. create a primary partition of about 16GB (2073 cylinders)
  3. create an extended partition starting at cylinder 2074
  4. create a FAT32 partition starting at cylinder 2074, occupying 127 cylinders and ending at the end of cylinder 2200

like this:

 Command (m for help): m Command action a toggle a bootable flag b edit bsd disklabel c toggle the dos compatibility flag d delete a partition l list known partition types m print this menu n add a new partition o create a new empty DOS partition table p print the partition table q quit without saving changes s create a new empty Sun disklabel t change a partition's system id u change display/entry units v verify the partition table w write table to disk and exit x extra functionality (experts only) Command (m for help): p Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start End Blocks Id System /dev/hdd1 * 1 5005 40202631 44 Unknown Command (m for help): d Partition number (1-4): 1 Command (m for help): n Command action e extended p primary partition (1-4) p Partition number (1-4): 1 First cylinder (1-5005, default 1): Using default value 1 Last cylinder or +size or +sizeM or +sizeK (1-5005, default 5005): 2073 Command (m for help): n Command action e extended p primary partition (1-4) e Partition number (1-4): 2 First cylinder (2074-5005, default 2074): Using default value 2074 Last cylinder or +size or +sizeM or +sizeK (2074-5005, default 5005): Using default value 5005 Command (m for help): n Command action l logical (5 or over) p primary partition (1-4) l First cylinder (2074-5005, default 2074): Using default value 2074 Last cylinder or +size or +sizeM or +sizeK (2074-5005, default 5005): 2200 Command (m for help): p Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start End Blocks Id System /dev/hdd1 1 2073 16651341 83 Linux /dev/hdd2 2074 5005 23551290 5 Extended /dev/hdd5 2074 2200 1020096 83 Linux Command (m for help): t Partition number (1-5): 5 Hex code (type L to list codes): L 0 Empty 1c Hidden Win95 FA 65 Novell Netware bb Boot Wizard hid 1 FAT12 1e Hidden Win95 FA 70 DiskSecure Mult c1 DRDOS/sec (FAT- 2 XENIX root 24 NEC DOS 75 PC/IX c4 DRDOS/sec (FAT- 3 XENIX usr 39 Plan 9 80 Old Minix c6 DRDOS/sec (FAT- 4 FAT16 <32M 3c PartitionMagic 81 Minix / old Lin c7 Syrinx 5 Extended 40 Venix 80286 82 Linux swap da Non-FS data 6 FAT16 41 PPC PReP Boot 83 Linux db CP/M / CTOS / . 7 HPFS/NTFS 42 SFS 84 OS/2 hidden C: de Dell Utility 8 AIX 4d QNX4.x 85 Linux extended df BootIt 9 AIX bootable 4e QNX4.x 2nd part 86 NTFS volume set e1 DOS access a OS/2 Boot Manag 4f QNX4.x 3rd part 87 NTFS volume set e3 DOS R/O b Win95 FAT32 50 OnTrack DM 8e Linux LVM e4 SpeedStor c Win95 FAT32 (LB 51 OnTrack DM6 Aux 93 Amoeba eb BeOS fs e Win95 FAT16 (LB 52 CP/M 94 Amoeba BBT ee EFI GPT f Win95 Ext'd (LB 53 OnTrack DM6 Aux 9f BSD/OS ef EFI (FAT-12/16/ 10 OPUS 54 OnTrackDM6 a0 IBM Thinkpad hi f0 Linux/PA-RISC b 11 Hidden FAT12 55 EZ-Drive a5 FreeBSD f1 SpeedStor 12 Compaq diagnost 56 Golden Bow a6 OpenBSD f4 SpeedStor 14 Hidden FAT16 <3 5c Priam Edisk a7 NeXTSTEP f2 DOS secondary 16 Hidden FAT16 61 SpeedStor a9 NetBSD fd Linux raid auto 17 Hidden HPFS/NTF 63 GNU HURD or Sys b7 BSDI fs fe LANstep 18 AST SmartSleep 64 Novell Netware b8 BSDI swap ff BBT 1b Hidden Win95 FA Hex code (type L to list codes): b Changed system type of partition 5 to b (Win95 FAT32) Command (m for help): p Disk /dev/hdd: 255 heads, 63 sectors, 5005 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start End Blocks Id System /dev/hdd1 1 2073 16651341 83 Linux /dev/hdd2 2074 5005 23551290 5 Extended /dev/hdd5 2074 2200 1020096 b Win95 FAT32 Command (m for help): w The partition table has been altered! Calling ioctl() to re-read partition table. WARNING: If you have created or modified any DOS 6.x partitions, please see the fdisk manual page for additional information. Syncing disks. pav23:/home/collin # mount -t vfat -o ro /dev/hdd5 /mnt pav23:/home/collin # ls /mnt [[DELETED... it worked]] pav23:/home/collin # 

I congratulated myself, disconnected the drive from the ribbon cable, put my spare desktop back together and cleaned up the den. I then returned the disk drive to my friend, along with the CD I had burned.

Sidebar 1. Review of IDE/ATA Nomenclature

A typical PC has two IDE buses, allowing four separate disk or CD drives to be connected:

 IDE bus 0 +-------- "master" = /dev/hda +-------- "slave" = /dev/hdb IDE bus 1 +-------- "master" = /dev/hda +-------- "slave" = /dev/hdb 

Note that one drive on a given IDE bus is the so-called "master" and one is the "slave." These are traditional misnomers, but the thing to remember is that conflicts must be avoided. For example, two masters on a single bus equals bad medicine.

If you have only one disk or CD drive on a given IDE bus, it used to be important to make sure this one drive was configured as master. It may or may not be necessary for your particular controller. I've violated this rule at times and nothing bad has happened. But, if you have a slave-without-master configuration and things are flaky or don't work at all, it might be worth a try to make the slave into the master.

What determines whether a particular drive is a master or a slave on the bus? Every ATA drive I've seen answers this question with one word: jumper. Depending on the position of the jumper(s), a drive can declare itself to be master, declare itself to be slave or say cable select. Cable select means the drive's orientation depends on which connector on the cable it's plugged into. Apparently there is a wiring trick on the cable that allows the drive to know which connector it's plugged into and, hence, whether it should respond to commands directed at the master or the slave drive. I don't recommend the cable select (CS) setting, because of past reports of flaky behavior.

Sidebar 2. Review of Disk Addressing

Here is a brief tutorial for those unfamiliar with C/H/S addressing. More elegant explanations probably are available elsewhere on the Web, but here's my take on the topic.

Imagine your disk drive as a set of platters stacked one above the other and spinning in unison. The platters are divided into concentric tracks, with track 0 typically nearest the outer rim. One point in the platters' rotation is arbitrarily defined as "sector 0".

Each platter is coated on both sides with magnetic material. Just micro-inches from each surface is a head that can read or write data. The heads can move toward the outer rim or toward the center of the platters, but they do not spin. To read and write data on a particular sector on a particular track, the heads must "seek" to the appropriate track, settle into place and then wait for the desired sector to pass under the heads so that the data can be read or written.

In the old days, disk drives could be accessed in "surface mode" or "cylinder mode". In surface mode, head 0 track 0 is followed by head 0 track 1, then head 0 track 2, and so on. At the end of each track, you have to move the head to the next track. This makes surface mode slow, but it was useful for disk drives with one fixed and one removable platter.

In cylinder mode, head 0 track 0 is followed by head 1 track 0 and so on. That is, once sector 0 is under the heads, you don't have to move the heads right away. Instead, you switch to using the next read/write head. Only when you've read track 0 with all heads do you need to move the heads to track 1. This group, track 0 on all heads, collectively is referred to as cylinder zero.

The BIOS on most PCs and utilities such as fdisk refer to blocks on the disk in terms of cylinder, head and sector numbers. For historical reasons, the heads are numbered starting at 0, and the number is represented in 8 bits. Sectors are numbered starting at 1, and the numbers are represented in 6 bits. Cylinders are numbered from 0 and are represented in 10 bits. Older BIOSes could address the disk using only this C/H/S method; thus, they could address only the first 1024 cylinders on a drive. This is why it used to be important to put your Linux kernel on a partition that was contained entirely within the first 1024 cylinders.

When you buy a disk drive today, you likely will see "255 heads, 63 sectors, N cylinders" written on it. There are not really 255 heads in such a disk drive, but the drive identifies itself that way to the BIOS to allow C/H/S addressing to get at the largest possible area on the disk.

Although the cylinders are fictional nowadays, the BIOS and the partitioning utilities still want disk partitions to begin at cylinder boundaries.

By the way, newer BIOSes aren't restricted to C/H/S addressing, in particular to the old 1024-cylinder limit. Instead, every 512-byte block on the disk drive can be addressed using a 32-bit linear address space. This is what "lba32" in lilo.conf means. Newer BIOSes thus can access over a terabyte (1000 gigabytes), which ought to be enough for at least a few more months.

gnu parted

Submitted by Anonymous (not verified) on Wed, 2005-11-09 01:09.

Numerous times I've had to recover lost partition tables for windows machines.

I usually boot from a Knoppix live cd and then take it from there.

I once even wrote a script to search for the start of the NTFS partition based on the NTFS signature (which worked, but took few moments to do.)

The I learned there's the same functionality in GNU Parted:

info parted
2.4.12 rescue

-- Command: rescue START END
rescue a lost partition that used to be located approximately between START and END. If such a partition is found, Parted will ask you if you want to create a partition for it. This is usefulif you accidently deleted a partition with parted's rm command, for example.


(parted) print
Disk geometry for /dev/hdc: 0.000-8063.507 megabytes
Disk label type: msdos
Minor Start End Type Filesystem Flags
1 0.031 8056.032 primary ext3
(parted) rm
Partition number? 1
(parted) print
Disk geometry for /dev/hdc: 0.000-8063.507 megabytes
Disk label type: msdos
Minor Start End Type Filesystem Flags

OUCH! We deleted our ext3 partition!!! Parted comes to the

(parted) rescue
Start? 0
End? 8056
Information: A ext3 primary partition was found at 0.031MB ->
8056.030MB. Do you want to add it to the partition table?
Yes/No/Cancel? y
(parted) print
Disk geometry for /dev/hdc: 0.000-8063.507 megabytes
Disk label type: msdos
Minor Start End Type Filesystem Flags
1 0.031 8056.032 primary ext3

It's back! :)

It even recognizes way more file system types.

od -t x1

Submitted by Anonymous (not verified) on Tue, 2005-11-08 19:46.

You can use od -t x1 to print bytes in hex.


Submitted by sq5bpf (not verified) on Tue, 2005-11-08 14:55.

you could just use gpart to find the lost partitions ( ). this would shorten the article to:
- connect the disk
- make an image (just in case)
- make gpart guess the partition table
- fdisk -l /dev/hdd - and voila - the xp partition is back
- mount the partition, burn a cd etc...

sorry to spoil your fun :)

re: gpart

Submitted by collin (not verified) on Tue, 2005-11-08 17:10.

Very cool. Thanks for telling us about this; I will definitely remember the next time this kind of problem comes up.

re: re: gpart

Submitted by ray (not verified) on Wed, 2005-11-09 06:24.

a gpart rpm is on the SuSE 8.0 Pro CDs

Should the IDE Bus diagram

Submitted by Anonymous (not verified) on Tue, 2005-11-08 10:44.

Should the IDE Bus diagram under "Sidebar 1. Review of IDE/ATA Nomenclature" read:

IDE bus 1
+-------- "master" = /dev/hdc
+-------- "slave" = /dev/hdd

re: Should the IDE Bus diagram

Submitted by collin (not verified) on Tue, 2005-11-08 17:04.

Absolutely correct! Thanks for catching that!
IDE1 has "master" hdc and "slave" hdd.

File System Analysis Techniques

Search. In this scenario, we will search the unallocated space of the "wd0e.dd" image for the string "abcdefg". The first step is to extract the unallocated disk units using the "dls" tool (as this is an FFS image, the addressable units are fragments).

# dls -f openbsd images/wd0e.dd > output/wd0e.dls

Next, use the UNIX strings(1) utility to extract all of the ASCII strings in the file of unallocated data. If we are only going to be searching for one string, we may not need to do this. If we are going to be searching for many strings, then this is faster. Use the '-t d' flags with "strings" to print the byte offset that the string was found.

# strings -t d output/wd0e.dls > output/wd0e.dls.str

Use the UNIX grep(1) utility to search the strings file.

# grep "abcdefg" output/wd0e.dls.str | less
10389739: abcdefg

We notice that the string is located at byte 10389739. Next, determine what fragment. To do this, we use the 'fsstat' tool:

# fsstat -f openbsd images/wd0e.dd
Fragment Range: 0 - 266079
Block Size: 8192
Fragment Size: 1024

This shows us that each fragment is 1024 bytes long. Using a calculator, we find that byte 10389739 divided by 1024 is 10146 (and change). This means that the string "abcdefg" is located in fragment 10146 of the "dls" generated file. This does not really help us because the dls image is not a real file system. To view the full fragment from the dls image, we can use dd:

# dd if=images/wd0e.dd bs=1024 skip=10146 count=1 | less

Next, we will identify where this fragment is in the original image. The "dcalc" tool will be used for this. "dcalc" will return the "address" in the original image when given the "address" in the dls generated image. (NOTE, this is currently kind of slow). The '-u' flag shows that we are giving it an dls address. If the '-d' flag is given, then we are giving it a dd address and it will identify the dls address.

# dcalc -f openbsd -u 10146 images/wd0e.dd

Therefore, the string "abcdefg" is located in fragment 59382. To view the contents of this fragment, we can use "dcat".

# dcat -f openbsd images/wd0e.dd 59382 | less

To make more sense of this, let us identify if there is a meta data structure that still has a pointer to this fragment. This is achieved using "ifind". The '-a' argument means to find all occurrences.

# ifind -f openbsd -a images/wd0e.dd 59382

Inode 493 has a pointer to fragment 59382. Let us get more information about inode 493, using "istat".

# istat -f openbsd images/wd0e.dd 493
inode: 493
Not Allocated
uid / gid: 1000 / 1000
mode: rw-------
size: 92
num of links: 1
Modified: 08.10.2001 17:09:49 (GMT+0)
Accessed: 08.10.2001 17:09:58 (GMT+0)
Changed: 08.10.2001 17:09:49 (GMT+0)
Direct Blocks:

Next, let us find out if there is a file that is still associated with this (unallocated) inode. This is done using "ffind".

# ffind -f openbsd -a images/wd0e.dd 493
* /dev/.123456

The leading '*' identifies the file as deleted. Therefore, at one point, the file '/dev/.123456' allocated inode 493, which allocated fragment 59382, which contained the string "abcdefg".

If "ffind" returned with more than file that had allocated inode 493, it means that either both were hard-links to the same file or that one file (chicken) allocated the inode, it was deleted, a second file (egg) allocated it, and then it was deleted. The string belongs to the second file, but it is difficult to determine which came first. On the other hand, if "ffind" returns with two entries where one deleted and one not, then the string belongs to the non-deleted file.

As previously mentioned, Autopsy will do all of this for you when you do a keyword search of unallocated space.

Smart Tip for installing Windows with NTFS

Windows NT, 2000, 2003, and XP with the NTFS (New Technology File System) cannot always be installed using the Repair Console, so creating a third drive is a smart idea. The following only pertains to those people who wish to use NTFS. The following will elimate the need for formatting and losing all your files the next time you install Windows.

Without a FAT or FAT32 drive the DOS Setup program will not be able to copy files to the hard drive, even if you install from the CD-ROM. Windows NT, 2000, and XP need a FAT or FAT32 to copy files to. It cannot see the NTFS partition yet. This is not the case if you install Windows from inside of Windows NT, 2000, 2003, or XP.

Lets say you currently have only the C drive and a CD-ROM, you will need to fdisk and format the C drive into at least two drives, a C and a D. Make a D drive that is NTFS and a C drive in FAT32 that is large enough to hold your I386 folder times 2.5 times the size of the I386 folder. You will need the C drive large enough for the I386 folder and the copying of files for the Windows installation. Just copy the entire I386 folder to the C drive , do not make it a sub folder. You now can make your D drive NTFS for added security. If you only have a Recovery Cd, you can create either a CD with the I386 folder on it or move the I386 to a partition that is FAT ot FAT32 while you are setting up you new partitions. If you are coping the I386 folder that was installed to your hard drive by a recovery CD then read the section How to make a Windows CD.

Now you need only to change the settings in the Registry so Windows can find them when it needs them if you already had Windows installed to a different drive other than the C drive. You will need to go to the Registry Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup and change the location for "SourcePath" to the new Drive letter (E:) Also change the setting at "Installation Sources". You should also change the setting "SourcePath" at the Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

Now when you need to reinstall Windows you can use a Windows 9x or ME startup disk to get to the command prompt, or the XP / 2000 Repair console. If you use a 9x or ME disk you will go to the C drive at the Command prompt. Windows 9x can only see FAT or FAT32, DOS cannot see any NTFS drives. You can go to the C:\I386 folder and type "Winnt" without the quotes. This will start the installation, and all files will be copied to the C drive. When you reboot to finish the installation, setup will then ask you where to install Windows to

Making a Windows Installation CD from a Recovery Disk

I have been asked many times "I have Windows XP, how can I install Windows without having to lose all my files. I only have a Recovery Disk". Well it is really very simple, so long as you have a CD burner; or at least a second hard drive.

If you have a Recovery CD from your computer manufacturer, the Recovery CD will install the Windows installation files to a folder, normally to C:\I386 or C:\Winnt\I386 or C:\Windows\I386 . Open the Windows Explorer and look for them. Make sure you have the file Winnt.exe, Winnt32.exe and EULA.txt. Each version of Windows has a different number of files and almost all the files will be compressed so they will have an underscore at the end of the file extension like "Shell32.dl_"

You can do a search for the folder I386. You will need to copy the entire folder to your CD burner. Do not change the name of the folder and do not make it a sub folder as in E:\Windows\I386 , it must be E:\I386. This folder will contain about 1000 or more files, in some cases nearly 1500 files.

Be sure to review the section A little updated info before making the CD.

Now comes the tough part, getting the Windows CD Key. The NT platform does not store the CD Key in the Registry in plain text as on the Windows 9x platform. It stores only the Product ID, which is different each time you reinstall windows. So you will need to check your computer for it. My laptop has a Windows CD Key pasted to the bottom of it. Your Recovery CD may have it on its label, or your paper work has it written somewhere. If you cannot find the key you can modify the file I386\Setupp.ini

For Windows 9x click here.

To modify the Setupp.ini file, open it in notepad. It will look like this:


Change the OEM to 270 on the Pid Value so it looks like this:


This should work on most CDs. This will allow you to install Windows 2000 without a serial number, this will NOT work on evaluation versions of Windows, or Windows 2003.

For those who do not know how to start the installation of Windows for NT, XP, 2000, and 2003 there are two files available in the I386 folder. The file Winnt.exe will start the installation from a DOS prompt, and Winnt32.exe will start it within Windows. If you have a problem with Winnt32.exe when in Windows you can use the Winnt.exe instead, however it is much slower.

Data Recovery Software - Zero Assumption Recovery

Norton Systemworks 2005

CHKNTFS command

You are probably familiar with the chkdsk command, but you may not know that there is a new command available with Win2000: chkntfs. Here is the usage and syntax:

C:\>chkntfs /?

Displays or modifies the checking of disk at boot time.

CHKNTFS volume [...]
CHKNTFS /T[:time]
CHKNTFS /X volume [...]
CHKNTFS /C volume [...]

volume Specifies the drive letter (followed by a colon), mount point, or volume name.

/D Restores the machine to the default behavior; all drives are checked at boot time and chkdsk is run on those that are

/T:time Changes the AUTOCHK initiation count down time to the specified amount of time in seconds. If time is not specified, displays the current setting.

/X Excludes a drive from the default boot-time check. Excluded drives are not accumulated between command invocations.

/C Schedules a drive to be checked at boot time; chkdsk will run if the drive is dirty.

If no switches are specified, CHKNTFS will display if the specified drive is dirty or scheduled to be checked on next reboot.

How to run disk Error Checking in Windows 2000 Professional WinBook Tech Article For more information visit

NOTE: You, the customer, are solely responsible for data security. WinBook strongly recommends that you perform a backup of all personal data contained on your system prior to performing this procedure. Warning: WinBook will NOT be held responsible for any data loss incurred during this process.

Basic error checking

  1. Double left click on the My Computer icon
  2. Right click on the "C:" drive
  3. Left click on Properties
  4. Left click on the Tools tab
  5. Left click on Check Now … under Error-checking
  6. Left click Start

If you want to do a more in-depth error checking there are 2 other options available:

First option is to Automatically fix file system errors (choosing this option will require a restart of the computer to run). When choosing this option you will see a box pop up that says, "The check disk could not be preformed because exclusive access to the drive could not be obtained. Do you want to schedule this disk check to occur next time you restart the computer?"

When prompted for this you would choose Yes if you want it to run on the next reboot of the system.

The second option for error checking is Scan for and attempt recovery of bad sectors (this will not require a restart of the system)

Recommended Links

Failing Disk Imagers Several disk imagers with the capability of skipping errors. recovery for failed hard drives - dead disk

Partition (computing) - Wikipedia, the free encyclopedia

**** System recovery with Knoppix

*** NewsForge/Linux to the Rescue A Review of Three System Rescue Cds. The author did not mentioned rip (R)ecovery (I)s (P)ossible Linux rescue system. Here is some information from rip-55.readme

The bootable cd image `rip-55.iso.bin' can be written to a cd/dvd disk, using cdrecord/dvdrecord etc.

The kernel has IDE and SCSI support. The kernel also has RAID and Ethernet/cable/dsl networking support.

These are some of the programs it contains (partimage, parted, reiserfsck, cfdisk, sfdisk, mke2fs, e2fsck, tune2fs, debugfs, mkfs.xfs, jfs_mkfs,jfs_fsck, xfs_repair, cdrecord/dvdrecord, mkisofs, growisofs, ntfsresize, mkntfs, convertfs, losetup + AES encryption, lynx, mutt, fetchmail, ncftp,
irc, tin, telnet, wget, zgv).

It also includes the DVD udf filesystem packet writing tools (cdrwtool, mkudffs, pktsetup).

The 'reiserfsck' program is used to check and repair a linux reiserfs filesystem.

The 'xfs_repair' program is used to repair a linux xfs filesystem.

The 'jfs_fsck' program is used to check and repair a linux jfs filesystem.

The 'e2fsck' program is used to check and repair a linux ext2 or ext3 filesystem.

The 'ntfsresize' program non-destructively resizes Windows XP/2000/NT4 or Windows Server 2003 NTFS filesystems. Read /usr/doc/ntfsresize.txt on the rescue system.

The partition image program 'partimage' saves partitions in the ext2, ext3, reiserfs, jfs, xfs, ufs, ntfs, fat16, and fat32 formats to an image file. Only used blocks are copied to save space and increase the speed. The image file can be compressed, in gzip or bzip2 formats.

Google Directory - Computers Software Disk Management Error Checking and Repair

Open Directory - Computers Software Disk Management Error Checking and Repair

***** Sysinternals Freeware The Sysinternals web site provides you with advanced utilities, technical information, and source code related to Windows NT/2000/XP/2K3 and Windows 9x, Windows Me internals that you won't find anywhere else. Mark Russinovich and Bryce Cogswell alone write and update everything here. Project Info - Linux Disk Editor

lde is a disk editor for linux, originally written to help recover deleted files. It has a simple curses interface that was supposed to resemble an old version of Norton Disk Edit for DOS. Works well with ext2, minix, xiafs. Not so hot w/fat and iso9660

Norton Systemworks 2003 (Full Product) (Symantec-10025223) - PC Product Finder

Norton System Works review Hard Drive Data Recovery Information

Data Recovery Software - File System Utilities

Partition Recovery Software and NTFS Recovery - NTFS Undelete and FAT Recovery

How I recovered an unbootable NTFS Windows System

Hard Drive Data Recovery Software Tools, Disk Recovery Utilities -Stellar

Easy recovery, Easyrecovery, FAT recovery, NTFS recovery, Undelete fat, Undelete NTFS, Undelete utilities

Free Programs, Useful Tools (If you're a tech at heart or an Assembly programmer, then read my page on The MBR in Detail here. )

Download: PTSDE104.ZIP now!
V.1.04 (30 NOV 1998) [162 kb .zip]

NOTE: Direct disk access is not allowed under Win2k/XP. Therefore you must use a DOS boot diskette! For a Review of PTS-Disk Editor and SCREENSHOTS click here.
PTS Disk Editor: CAUTION: Do NOT attempt to WRITE to (Edit) any portion of your hard drive while MS-Windows ( or any other 'active' Operating System that randomly writes to your disk ) is running! NORTON Disk Edit doesn't have 3 separate detailed WARNING Screens about this for nothing!! They're protecting themselves every way they can! As a matter of fact, Norton tells the Windows-dependent novice who knows nothing of DOS consoles, that it's impossible to run Disk Edit with Windows running (NOT true)! There are NO warning messages at all before the PTS-Disk Editor pops-up ready to go !! But, hey, that's the main reason I like it! If I ever wanted to make a change without having to shut-down the OS, then PTSDE gives me NO hassle. Saving any data DISPLAYED by PTSDE as a binary or text file is, unfortunately, a difficult thing to do! Although you could use a DOS-Window to copy and then paste what you see into a text file, this version of PTS-DiskEditor does NOT allow you to 'dump' sectors to a file like NORTON's DISKEDIT does! ( Note: This is the ONLY free program available from this company, and there are no help files included. SEE my Review of the PTS-Disk Editor for usage instructions! Or, see PTSDE's readme file - PTSde104.txt right now.)

Recommended Articles

FAT32 or NTFS Making the Choice

Choosing the file system to use on a Windows XP system is seldom easy, and frequently it's not just a one time decision.. Different factors can blur the decision process, and some tradeoffs are more than likely. No matter what method you choose to adopt Windows XP, you will have to face the FAT32 versus NTFS decision. Clean and upgrade installs both require you to address the situation early on in the process. Later on, if you add a drive or repartition an existing drive the decision process faces you yet again. Circumstances may dictate the choice for you, but in most cases the options have to be weighed and the tradeoffs of using each method analyzed. Let's look at the available choices.

File System Choices

Most articles discussing file system choices look at FAT32 and NTFS as the two available choices. In reality, there are three systems which could be selected. FAT, FAT32, and NTFS. Granted, FAT32 and NTFS are the primary choices, but on occasion you'll still find the need for a FAT volume. A FAT volume has a maximum size of 2GB and supports MS-DOS as well as being used for some dual boot configurations, but backward compatibility is about the only reason I can think of that FAT should ever be used, other than for the occasional floppy diskette. That said, let's move on to FAT32 and NTFS.

Which File System to Choose?

As much as everyone would like for there to be a stock answer to the selection question, there isn't. Different situations and needs will play a large role in the decision of which file system to adopt. There isn't any argument that NTFS offers better security and reliability. Some also say that NTFS is more flexible, but that can get rather subjective depending on the situation and work habits, whereas NTFS superiority in security and reliability is seldom challenged. Listed below are some of the most common factors to consider when deciding between FAT32 and NTFS.

The Naked PC Newsletter

This article concludes a series on Norton Utilities ("NU"), and covers Rescue Disk, Registry Tracker, Registry Editor, Integrator, and the DOS-based Disk Editor.

(Note: Of these tools, only Integrator is Windows 2000 compatible.)

Rescue Disk can produce two different types of disk sets. A "basic rescue set" is a set of floppies, at least one of which is bootable to a DOS prompt, that also includes tools to help you investigate and repair whatever problem has caused the PC to need rescuing. A "Norton Zip rescue set" writes data to an Iomega Jaz or Zip cartridge, along with one bootable floppy. A Norton Zip rescue set will boot you back to Windows (not MS-DOS), at which point the Rescue Recovery Wizard starts automatically. Personally, although I make a basic rescue set whenever I upgrade NU (that's maybe once a year), I don't take Symantec's advice to keep my rescue set updated. I don't even bother to make a Norton Zip rescue set even though I have a nice Iomega Zip 250 drive.

Why? If a PC is so out of whack that it can't boot, in my opinion it's time for a scorched-earth reformat/reinstall (note that I *do* keep all my data religiously backed up; otherwise of course I'd be inviting misery by not at least trying to do a rescue).

Registry Tracker monitors changes that either programs or you make to your PC's Registry keys, INI files, startup files (like autoexec.bat and config.sys), and data files and folders. (Registry Tracker can't show you the exact changes made to data files but it can keep snapshots of them so you can restore from a previous version.) If you elect to track a folder, the tool takes a snapshot whenever the folder contents change so you can see what files were added or deleted.

I find Registry Tracker's user interface very awkward and confusing. To me, it does not makes sense to tie up system resources with this type of tool constantly monitoring the Registry et al. I don't install suspect applications on my system, and if for some reason I have to, I do that on a test PC (or a test partition on my production PC) that I can quickly and easily delete and recreate. What do I do if a program really wrecks a PC under my care? I roll back to the previously known- good version of the Registry using the free, built-in Windows Registry Checker. For more information on using the Registry Checker to roll back the Registry, see pp. 321-323 of our ebook "The Book That Should Have Come with Your Computer."

Norton Registry Editor offers two conveniences not provided by Windows' own built-in Registry Editor tool (Regedit.exe). First, Norton's version has an interface for making a backup (select File, Backup Entire Registry, enter a filename, Save). Second, Norton's version supports bookmarks so you can mark your most frequently visited Registry keys. Unfortunately this feature is not name-based so you can't assign your own names to Registry bookmarks. Instead there is a tree-style listing of all the bookmarks you've created. It's easy to traverse the list if you only have a few bookmarks but with more than about 10 the list can quickly become overwhelming. I'd prefer that NU offer a name- based system so that I could bookmark the key "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Today" with the name "Outlook_Today_Disable".

Integrator is just a fancy wrapper interface for all of NU's tool. It is a helpful control panel, and that's all there is to say about that.

Disk Editor is a tool for advanced users. It allows you to view and edit a hard disk down at the sector and byte level, from inside a DOS window. You can *really* get yourself into trouble with this tool, but it can occasionally come in handy, say, if you wanted to study the binary file structure of a Word document. Not something any of us are likely to do on a daily basis, but you never know.



Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy


War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes


Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law


Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

Copyright © 1996-2021 by Softpanorama Society. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site


The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019