Hello Jean-Pierre, and thank you for the quick response. On Thu, May 11, 2017 at 7:38 PM, Jean-Pierre André <jean-pierre.an...@wanadoo.fr> wrote: > > Gil Barash wrote: > > Hello, > > > > I'm trying to use the ntfsrecover tool to recover the partition. > > I have a data disk (~500MB) on a Windows machine. I wrote to it some > > files while powering off the machine (pulling the cable). The resulting > > filesystem has some corrupt files - doing "ls" gives me stuff like: > > ? -????????? ? ? ? ? ? file_20K_24385 > > So, I tried to use the ntfsrecover tool in order to fix those file > > entries. However, it never succeed (I did this experiment a few times). > > > > Here, as an example, is the output of "./ntfsrecover -v > > --kill-fast-restart /mnt/data/ntfs_poweroff_fullLogs.partition.raw" (my > > "disk" is a file representing a partition): > > > > Capacity 533724672 bytes (533 MB) > > sectors 1042431 (0xfe7ff), sector size 512 > > clusters 130303 (0x1fcff), cluster size 4096 (12 bits) > > MFT at cluster 43434 (0xa9aa), entry size 1024 > > 4 MFT entries per cluster > > * Using initial restart page, syncing from 0xd2170fb, dirty > > * Block size 4096 bytes > > > > * block 0 at 0xa08c000 > > * RSTR in block 0 0x0 (addr 0xa08c000) > > magic 52545352 > > usa_ofs 001e > > usa_count 0009 > > chkdsk_lsn 0000000000000000 > > system_page_size 00001000 > > log_page_size 00001000 > > restart_area_offset 0030 > > minor_vers 0 > > major_vers 2 > > usn 2666 > > > > current_lsn 000000000d217473 > > log_clients 0001 > > client_free_list ffff > > client_in_use_list 0000 > > flags 0000 > > seq_number_bits 0000002c > > restart_area_length 00e0 > > client_array_offset 0040 > > file_size 000000000048c000 > > last_lsn_data_len 00000070 > > record_length 0030 > > log_page_data_offs 0040 > > restart_log_open_count 761d453f > > > > oldest_lsn 000000000d2170df > > client_restart_lsn 000000000d217473 > > prev_client ffff > > next_client ffff > > seq_number 0000 > > client_name_length 00000008 > > client_name NTFS > > > > * block 1 at 0xa08d000 > > * RSTR in block 1 0x1 (addr 0xa08d000) > > magic 52545352 > > usa_ofs 001e > > usa_count 0009 > > chkdsk_lsn 0000000000000000 > > system_page_size 00001000 > > log_page_size 00001000 > > restart_area_offset 0030 > > minor_vers 0 > > major_vers 2 > > usn 2667 > > > > current_lsn 000000000d2226c2 > > log_clients 0001 > > client_free_list ffff > > client_in_use_list 0000 > > flags 0000 > > seq_number_bits 0000002c > > restart_area_length 00e0 > > client_array_offset 0040 > > file_size 000000000048c000 > > last_lsn_data_len 00000070 > > record_length 0030 > > log_page_data_offs 0040 > > restart_log_open_count 761d453f > > > > oldest_lsn 000000000d2170fb > > client_restart_lsn 000000000d2226c2 > > prev_client ffff > > next_client ffff > > seq_number 0000 > > client_name_length 00000008 > > client_name NTFS > > * Ignored block 2 at 0xa08e000 > > magic 44524352 > > usa_ofs 0028 > > usa_count 0009 > > file_offset 000000000d2281d8 > > flags 00000001 > > page_count 1 > > page_position 1 > > next_record_offset 0f18 > > reserved4 0000 0000 0000 > > last_end_lsn 000000000d2281d8 (synced+69853) > > usn b424 > > > > * Restart page was obsolete > > > > * block 2 at 0xa08e000 > > * RCRD in block 2 0x2 (addr 0xa08e000) > > magic 44524352 > > usa_ofs 0028 > > usa_count 0009 > > file_offset 000000000d2281d8 > > flags 00000001 > > page_count 1 > > page_position 1 > > next_record_offset 0f18 > > reserved4 0000 0000 0000 > > last_end_lsn 000000000d2281d8 (synced+69853) > > usn b424 > > > > ** Bad first record at offset 0x288 > > this_lsn 0001006800380060 (synced-216625307) synced > > client_previous_lsn 0008000005c00000 > > client_undo_next_lsn 0000000000000000 > > client_data_length 0000002c > > seq_number 0 > > client_index 0 > > record_type c282c8ef > > transaction_id 01d2a948 > > log_record_flags ffcf > > reserved1 5d5c adcf 01d2 > > ** Unknown action type > > client_data for record type 3263351023 > > 0000 cfff5c5d cfadd201 cfff5c5d cfadd201 ..\]......\].... > > 0010 00000000 00000000 00000000 00000000 ................ > > 0020 00000010 00000000 efc882c2 ............ > > ** Error : searchlikely() used for syncing > > * Syncing failed after playing 0 actions > > > > I trying debugging it a bit, but couldn't find any solid lead. > > > > Do you have any idea why this happens? I would be happy to provide any > > addition information (I can provide the entire disk, if that would help). > > The last log record could not be located. > > Which was the Windows version used ? You were trying to > recover with option --kill-fast-restart which probably > means this was from Windows 8 or 10. Some information > may be kept in Windows cache.
Indeed, I am using Windows 8 (Windows Server 2012R2). I don't mind deleting the hibernation file since I'm not going to boot from this disk - I just want to extract some files out of it. To the best of my understanding, the filesystem should be consistent without the hibernation file (i.e. everything written in the hibernation file is also written to, or can be extracted from, the filesystem itself). Also note that I tried mounting this disk (or actually, a copy of it) on a different Windows machine, as a data disk (so the hibernation file is not used), and Windows was able to show me a consistent list of files (all of the files were readable), which was a bit different from the one I got from ntfs-3g. > > Locating the first record may also be buggy in ntfsrecover. > To investigate it, I need the first 16K bytes from the > log file : > dd if='/mntpnt/$LogFile' of=temp bs=4096 count=4 > (important : mount as readonly, replace mntpnt be the > actual mount point). Note that running "ntfsrecover -t --kill-fast-restart ntfs_poweroff_fullLogs.partition.raw" does seem to work, as a lot of entries are listed and the print does not end with any kind of error message (leading me to believe that the last entry printed is indeed the last valid entry). I hope I'm not causing any confusion, but I would like to share two disks which show different symptoms: --- 1 --- ntfsrecover --kill-fast-restart /mnt/data/ntfs_poweroff_fullLogs.partition.raw ** Bad first record at offset 0x288 ** Error : searchlikely() used for syncing * Syncing failed after playing 0 actions LogFIle: https://s3-eu-west-1.amazonaws.com/gilbucket1/ntfs-disks/ntfs_poweroff_fullLogs.LogFile Entire partition: https://s3-eu-west-1.amazonaws.com/gilbucket1/ntfs-disks/ntfs_poweroff_fullLogs.partition.raw --- 2 --- ntfsrecover --kill-fast-restart /mnt/data/ntfs_poweroff_2.raw * Reaching free space at end of block 2 * Syncing failed after playing 0 actions LogFile: https://s3-eu-west-1.amazonaws.com/gilbucket1/ntfs-disks/ntntfs_poweroff_2.LogFile Entire partition: https://s3-eu-west-1.amazonaws.com/gilbucket1/ntfs-disks/ntfs_poweroff_2.raw.bak Gil > > Jean-Pierre > > > > > Thanks, > > Gil > > > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > ntfs-3g-devel mailing list > ntfs-3g-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ ntfs-3g-devel mailing list ntfs-3g-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel
