Gil Barash wrote:
> Hello,
>
> I'm trying to use the ntfsrecover tool to recover the partition.
> I have a data disk (~500MB) on a Windows machine. I wrote to it some
> files while powering off the machine (pulling the cable). The resulting
> filesystem has some corrupt files - doing "ls" gives me stuff like:
> ? -????????? ? ? ? ? ? file_20K_24385
> So, I tried to use the ntfsrecover tool in order to fix those file
> entries. However, it never succeeded (I did this experiment a few times).
>
> Here, as an example, is the output of "./ntfsrecover -v
> --kill-fast-restart /mnt/data/ntfs_poweroff_fullLogs.partition.raw" (my
> "disk" is a file representing a partition):
>
> Capacity 533724672 bytes (533 MB)
> sectors 1042431 (0xfe7ff), sector size 512
> clusters 130303 (0x1fcff), cluster size 4096 (12 bits)
> MFT at cluster 43434 (0xa9aa), entry size 1024
> 4 MFT entries per cluster
> * Using initial restart page, syncing from 0xd2170fb, dirty
> * Block size 4096 bytes
>
> * block 0 at 0xa08c000
> * RSTR in block 0 0x0 (addr 0xa08c000)
> magic 52545352
> usa_ofs 001e
> usa_count 0009
> chkdsk_lsn 0000000000000000
> system_page_size 00001000
> log_page_size 00001000
> restart_area_offset 0030
> minor_vers 0
> major_vers 2
> usn 2666
>
> current_lsn 000000000d217473
> log_clients 0001
> client_free_list ffff
> client_in_use_list 0000
> flags 0000
> seq_number_bits 0000002c
> restart_area_length 00e0
> client_array_offset 0040
> file_size 000000000048c000
> last_lsn_data_len 00000070
> record_length 0030
> log_page_data_offs 0040
> restart_log_open_count 761d453f
>
> oldest_lsn 000000000d2170df
> client_restart_lsn 000000000d217473
> prev_client ffff
> next_client ffff
> seq_number 0000
> client_name_length 00000008
> client_name NTFS
>
> * block 1 at 0xa08d000
> * RSTR in block 1 0x1 (addr 0xa08d000)
> magic 52545352
> usa_ofs 001e
> usa_count 0009
> chkdsk_lsn 0000000000000000
> system_page_size 00001000
> log_page_size 00001000
> restart_area_offset 0030
> minor_vers 0
> major_vers 2
> usn 2667
>
> current_lsn 000000000d2226c2
> log_clients 0001
> client_free_list ffff
> client_in_use_list 0000
> flags 0000
> seq_number_bits 0000002c
> restart_area_length 00e0
> client_array_offset 0040
> file_size 000000000048c000
> last_lsn_data_len 00000070
> record_length 0030
> log_page_data_offs 0040
> restart_log_open_count 761d453f
>
> oldest_lsn 000000000d2170fb
> client_restart_lsn 000000000d2226c2
> prev_client ffff
> next_client ffff
> seq_number 0000
> client_name_length 00000008
> client_name NTFS
> * Ignored block 2 at 0xa08e000
> magic 44524352
> usa_ofs 0028
> usa_count 0009
> file_offset 000000000d2281d8
> flags 00000001
> page_count 1
> page_position 1
> next_record_offset 0f18
> reserved4 0000 0000 0000
> last_end_lsn 000000000d2281d8 (synced+69853)
> usn b424
>
> * Restart page was obsolete
>
> * block 2 at 0xa08e000
> * RCRD in block 2 0x2 (addr 0xa08e000)
> magic 44524352
> usa_ofs 0028
> usa_count 0009
> file_offset 000000000d2281d8
> flags 00000001
> page_count 1
> page_position 1
> next_record_offset 0f18
> reserved4 0000 0000 0000
> last_end_lsn 000000000d2281d8 (synced+69853)
> usn b424
>
> ** Bad first record at offset 0x288
> this_lsn 0001006800380060 (synced-216625307) synced
> client_previous_lsn 0008000005c00000
> client_undo_next_lsn 0000000000000000
> client_data_length 0000002c
> seq_number 0
> client_index 0
> record_type c282c8ef
> transaction_id 01d2a948
> log_record_flags ffcf
> reserved1 5d5c adcf 01d2
> ** Unknown action type
> client_data for record type 3263351023
> 0000 cfff5c5d cfadd201 cfff5c5d cfadd201 ..\]......\]....
> 0010 00000000 00000000 00000000 00000000 ................
> 0020 00000010 00000000 efc882c2 ............
> ** Error : searchlikely() used for syncing
> * Syncing failed after playing 0 actions
>
> I tried debugging it a bit, but couldn't find any solid lead.
>
> Do you have any idea why this happens? I would be happy to provide any
> additional information (I can provide the entire disk, if that would help).

The last log record could not be located. Which was the Windows version
used? You were trying to recover with option --kill-fast-restart which
probably means this was from Windows 8 or 10. Some information may be
kept in Windows cache. Locating the first record may also be buggy in
ntfsrecover.

To investigate it, I need the first 16K bytes from the log file:

dd if='/mntpnt/$LogFile' of=temp bs=4096 count=4

(important: mount as readonly, replace mntpnt by the actual mount point).

Jean-Pierre

>
> Thanks,
> Gil

_______________________________________________
ntfs-3g-devel mailing list
ntfs-3g-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
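
An added example, not part of the thread and not ntfsrecover's code: a checker for a dump such as the 16K requested above, which classifies each 4096-byte page by magic and verifies the update sequence array, the per-sector stamp that a write cut short by power loss leaves inconsistent. Header offsets follow the RSTR/RCRD layouts reflected in the quoted output (usa_ofs 0x1e, restart_area_offset 0x30); the function names and the sample pages are constructed here, reusing the usn and LSN values from that output.

```python
import struct

SECTOR = 512  # NTFS stamps the last 2 bytes of every 512-byte sector

def check_block(block):
    """Classify one $LogFile page and verify its update sequence array (USA)."""
    magic = bytes(block[:4])
    if magic not in (b"RSTR", b"RCRD"):
        return {"magic": magic, "ok": False, "reason": "unknown magic"}
    usa_ofs, usa_count = struct.unpack_from("<HH", block, 4)
    if usa_count < 2 or usa_ofs + 2 * usa_count > len(block) \
            or (usa_count - 1) * SECTOR > len(block):
        return {"magic": magic, "ok": False, "reason": "bad USA bounds"}
    usa = struct.unpack_from("<%dH" % usa_count, block, usa_ofs)
    usn = usa[0]  # usa[1:] hold the bytes the stamps replaced
    # A sector whose trailing stamp differs from usn was not written in the
    # same pass as the header: the signature of a torn (interrupted) write.
    torn = [i for i in range(usa_count - 1)
            if struct.unpack_from("<H", block, (i + 1) * SECTOR - 2)[0] != usn]
    info = {"magic": magic.decode(), "usn": usn, "torn_sectors": torn,
            "ok": not torn}
    if magic == b"RSTR":   # restart page: current_lsn opens the restart area
        ra_ofs, = struct.unpack_from("<H", block, 24)
        if ra_ofs + 8 <= len(block):
            info["current_lsn"], = struct.unpack_from("<Q", block, ra_ofs)
    else:                  # record page: last_end_lsn sits at offset 32
        info["last_end_lsn"], = struct.unpack_from("<Q", block, 32)
    return info

def scan(dump, block_size=4096):
    """Check every page of a dump (e.g. the 'temp' file written by dd)."""
    return [check_block(dump[o:o + block_size])
            for o in range(0, len(dump), block_size)]

def make_rstr(usn, current_lsn, size=4096):
    """Constructed sample restart page laid out like the quoted dump."""
    page = bytearray(size)
    struct.pack_into("<4sHH", page, 0, b"RSTR", 0x1e, size // SECTOR + 1)
    struct.pack_into("<H", page, 24, 0x30)           # restart_area_offset
    struct.pack_into("<Q", page, 0x30, current_lsn)
    struct.pack_into("<H", page, 0x1e, usn)          # USA[0] = usn
    for i in range(size // SECTOR):                  # stamp each sector end
        struct.pack_into("<H", page, (i + 1) * SECTOR - 2, usn)
    return page

if __name__ == "__main__":
    torn = make_rstr(0x2667, 0x0d2226c2)
    torn[6 * SECTOR - 2:6 * SECTOR] = b"\x66\x26"    # stale stamp, sector 5
    for n, r in enumerate(scan(bytes(make_rstr(0x2666, 0x0d217473)) + bytes(torn))):
        print(n, r)
```
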