Recovering an NTFS backup boot sector

Software

1. Download ZAR here.
2. Download Windows Support Tools at
   http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38

Note: When installing Windows Support Tools, select "Complete", rather than "Typical" installation. The DiskProbe tool is only installed as a part of complete installation. We will need it later on.

Note: The older than current versions of ZAR might have been used to create the screenshots in this tutorial. We did not update the screenshots if there is no significant difference between older and current versions. If you see some option in the program which is not described in the tutorial, just leave it at its default setting.

Confirming the problem

1. Launch ZAR
2. In "Advanced configuration", verify that disk access mode is set to "Disk access using physical drives"

3. Click "OK" to  close options, then "Next" for the mode selection.
4. Select "Simple volume recovery mode", click "Next".
5. When prompted to select a physical drive, right click the problem drive and select "Open in disk viewer" from the context menu

The Disk Viewer will open and display the partition table of the appropriate drive, like this

1. Note two numbers, Relative Sectors and Size (32 and 506848 in this example).
2. Double click the partition table entry - ZAR will follow the reference and bring you to the volume boot sector.

The boot sector appears broken, as illustrated below

Take note of what is recorded at the start of the sector for later cross-checking.

If the sector data format is not automatically detected (shown as RAW instead), we can be certain that a boot sector is significantly damaged.

Manually set a view mode to "NTFS boot sector" via the appropriate menu and here is what we get - a damaged boot sector

Verifying the backup boot sector

Corresponding sector numbers (LBAs) are computed from the partition table information as follows

• Primary boot sector: LBA_Primary = Base + RelativeSectors
• Backup boot sector: LBA_Backup = Base + RelativeSectors + Size - 1

where Base is either

• 0 for a primary volume (whose partition entry is recorded in MBR) (as in this example)
• LBA of the first Extended Partition Table in the Extended Partition Chain for a logical drive

For our example, addresses are

• LBA_Primary = 0 + 32 = 32
• LBA_Backup = 0 + 32 + 506848  - 1 = 506879

We now need to look at the backup boot sector to see if it is valid.

Press Ctrl+G, type in LBA_Backup value (506879), then press Enter. Looking at the backup boot sector, we see that it is reasonably good.

Here is a side-by-side comparison of the broken (primary) and the valid (backup) boot sectors

Restoring the boot sector

Note: it is not possible to run both ZAR and DiskProbe simultaneously. You must close the one currently running before opening the other. Otherwise the second program to start will not be able to access disks properly because of exclusive locking issues.

From this point on, EXERCISE EXTREME CAUTION. Whenever in a slightest doubt, do not continue making changes. In case you do something wrong, the added damage is not necessarily confined to the volume already damaged. You may damage another volume if you mess something up.

In brief, we need to copy the sector at address LBA_Backup over the sector at address LBA_Primary on the disk which ZAR identifies as ID 0101 (in this example).

Device 010X in ZAR corresponds to PhysicalDriveX in DiskProbe (only valid for X from 0 to 9 inclusive). For our example, we thus need PhysicalDrive1.

Run the Disk Probe (C:\Program Files\Support Tools\dskprobe.exe on a typical installation).

From the menu, select -- Drives -- Physical Drive. In there,

1. Double click "PhysicalDrive1"
2. Untick the corresponding "Read only" box.
3. Click the corresponding "Set Active" button.
4. Click "OK" to close the window.

We now need to verify that we're going to overwrite the correct sector. From the menu, select -- Sectors -- Read. Into the Starting Sector field, type in LBA_Primary value (32 in our example), then click Read. Verify that data in the sector matches what we've seen in ZAR (see above).

If the data does not match, DISCONTINUE IMMEDIATELY. Otherwise, we're safe to go ahead.

Read the good sector. Once again, select --Sectors -- Read from the menu. This time, enter LBA_Backup value (506879 in this example) into the Starting Sector field, then click Read. It should look like a good boot sector. Verify it has "NTFS" in capital letters near the top. If it is not there, DISCONTINUE IMMEDIATELY.

From the menu, select -- Sectors -- Write. In there

1. Make sure Handle 0 is selected, and it reads the correct PhysicalDrive ID (PhysicalDrive1 in our example).
2. Make sure it reads "write 1 sectors" at the top of the window.
3. Type in LBA_Primary value (32 in our example) into the "Starting sector to write data" field.
4. Click WriteIt, then acknowledge the warning.
5. Close DiskProbe.

Final checks and cleanup

• Restart the machine.
• The CHKDSK may or may not run upon restart, depending on the condition of the volume.
• When the system starts up, evaluate the condition of the volume. If it fails to mount, the boot sector recovery did not help (there were more damage than expected). If it is readable, backup critical data off it, because next stage is potentially unsafe.
• Once done with backups,  run CHKDSK against the affected volume. On the start menu, click Run, then type in "CHKDSK X: /F" and press Enter, where X: is a drive letter of the affected volume.
• We're done when it finishes.