Recovering an NTFS backup boot sector

Software

  1. Download ZAR here.
  2. Download Windows Support Tools at
    http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38

Note: When installing Windows Support Tools, select "Complete", rather than "Typical" installation. The DiskProbe tool is only installed as a part of complete installation. We will need it later on.

Note: Older versions of ZAR may have been used to create the screenshots in this tutorial. We did not update the screenshots where there is no significant difference between older and current versions. If you see an option in the program that is not described in the tutorial, just leave it at its default setting.

 

Confirming the problem

The Disk Management applet will look like this

  1. Launch ZAR
  2. In "Advanced configuration", verify that disk access mode is set to "Disk access using physical drives"

  3. Click "OK" to close options, then "Next" for the mode selection.
  4. Select "Simple volume recovery mode", click "Next".
  5. When prompted to select a physical drive, right click the problem drive and select "Open in disk viewer" from the context menu

The Disk Viewer will open and display the partition table of the appropriate drive, like this

  1. Note two numbers, Relative Sectors and Size (32 and 506848 in this example).
  2. Double click the partition table entry - ZAR will follow the reference and bring you to the volume boot sector.

The boot sector appears broken, as illustrated below

Take note of what is recorded at the start of the sector for later cross-checking.

If the sector data format is not automatically detected (shown as RAW instead), we can be certain that the boot sector is significantly damaged.

Manually set the view mode to "NTFS boot sector" via the appropriate menu, and here is what we get: a damaged boot sector

 

 

Verifying the backup boot sector

An NTFS volume stores the backup copy of the boot sector in the last sector of the volume.

Corresponding sector numbers (LBAs) are computed from the partition table information as follows

  • Primary boot sector: LBAPrimary = Base + RelativeSectors
  • Backup boot sector: LBABackup = Base + RelativeSectors + Size - 1

where Base is either

  • 0 for a primary volume (whose partition entry is recorded in MBR) (as in this example)
  • LBA of the first Extended Partition Table in the Extended Partition Chain for a logical drive

For our example, addresses are

  • LBAPrimary = 0 + 32 = 32
  • LBABackup = 0 + 32 + 506848 - 1 = 506879

We now need to look at the backup boot sector to see if it is valid.

Press Ctrl+G, type in the LBABackup value (506879), then press Enter. Looking at the backup boot sector, we see that it is reasonably good.

Here is a side-by-side comparison of the broken (primary) and the valid (backup) boot sectors

 

Restoring the boot sector

ZAR does not support writes to the disk. This is where the Microsoft DiskProbe comes into play.

Note: it is not possible to run both ZAR and DiskProbe simultaneously. You must close the one currently running before opening the other. Otherwise the second program to start will not be able to access disks properly because of exclusive locking issues.

From this point on, EXERCISE EXTREME CAUTION. Whenever in the slightest doubt, do not continue making changes. If you do something wrong, the added damage is not necessarily confined to the volume already damaged. You may damage another volume if you mess something up.

In brief, we need to copy the sector at address LBABackup over the sector at address LBAPrimary on the disk which ZAR identifies as ID 0101 (in this example).

Device 010X in ZAR corresponds to PhysicalDriveX in DiskProbe (only valid for X from 0 to 9 inclusive). For our example, we thus need PhysicalDrive1.

Run the Disk Probe (C:\Program Files\Support Tools\dskprobe.exe on a typical installation).

From the menu, select -- Drives -- Physical Drive. In there,

  1. Double click "PhysicalDrive1"
  2. Untick the corresponding "Read only" box.
  3. Click the corresponding "Set Active" button.
  4. Click "OK" to close the window.

We now need to verify that we're going to overwrite the correct sector. From the menu, select -- Sectors -- Read. Into the Starting Sector field, type in LBAPrimary value (32 in our example), then click Read. Verify that data in the sector matches what we've seen in ZAR (see above).

If the data does not match, DISCONTINUE IMMEDIATELY. Otherwise, we're safe to go ahead.

 

Read the good sector. Once again, select -- Sectors -- Read from the menu. This time, enter the LBABackup value (506879 in this example) into the Starting Sector field, then click Read. It should look like a good boot sector. Verify it has "NTFS" in capital letters near the top. If it is not there, DISCONTINUE IMMEDIATELY.

From the menu, select -- Sectors -- Write. In there

  1. Make sure Handle 0 is selected, and it reads the correct PhysicalDrive ID (PhysicalDrive1 in our example).
  2. Make sure it reads "write 1 sectors" at the top of the window.
  3. Type in LBAPrimary value (32 in our example) into the "Starting sector to write data" field.
  4. Click WriteIt, then acknowledge the warning.
  5. Close DiskProbe.
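
The LBA computation from "Verifying the backup boot sector" and the check-before-write sequence above, as an added Python example (not part of the original tutorial and not ZAR or DiskProbe code). It works on any seekable file-like object, such as a copy of the disk image, and assumes 512-byte sectors and a primary volume (Base = 0); all function names and the constructed `demo_image` are illustrative.

```python
import io
import struct

SECTOR = 512  # bytes per sector (assumption, matches the tutorial's example)

def partition_entry(mbr, index=0):
    """Return (RelativeSectors, Size) from entry `index` of the MBR partition table."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature 55 AA missing")
    return struct.unpack_from("<II", mbr, 446 + 16 * index + 8)

def boot_sector_lbas(rel, size, base=0):
    """(LBAPrimary, LBABackup) per the tutorial's formulas."""
    return base + rel, base + rel + size - 1

def looks_like_ntfs_boot(sector):
    """OEM ID 'NTFS    ' at offset 3 plus the 55 AA end-of-sector marker."""
    return (len(sector) == SECTOR and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xaa")

def read_sector(dev, lba):
    dev.seek(lba * SECTOR)
    return dev.read(SECTOR)

def restore_primary(dev, noted_prefix, index=0):
    """Copy the backup boot sector over the primary; refuse on any mismatch."""
    rel, size = partition_entry(read_sector(dev, 0), index)
    primary, backup = boot_sector_lbas(rel, size)  # Base = 0: primary volume
    if not read_sector(dev, primary).startswith(noted_prefix):
        raise RuntimeError("primary sector is not the one noted earlier; stop")
    good = read_sector(dev, backup)
    if not looks_like_ntfs_boot(good):
        raise RuntimeError("backup sector is not an NTFS boot sector; stop")
    dev.seek(primary * SECTOR)
    dev.write(good)
    return primary, backup

def demo_image(rel=32, size=64):
    """Constructed sample: MBR, damaged primary sector, intact backup sector."""
    img = bytearray((rel + size) * SECTOR)
    img[450] = 0x07                               # entry 0 type byte (NTFS)
    struct.pack_into("<II", img, 454, rel, size)  # RelativeSectors, Size
    img[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:11] = b"\xeb\x52\x90NTFS    "          # jump + OEM ID
    boot[510:512] = b"\x55\xaa"
    img[(rel + size - 1) * SECTOR:] = boot        # last sector of the volume
    img[rel * SECTOR:rel * SECTOR + 4] = b"\xde\xad\xbe\xef"  # damage
    return io.BytesIO(bytes(img))
```

`noted_prefix` plays the role of the bytes noted from the start of the damaged sector in ZAR: if the sector about to be overwritten does not begin with them, nothing is written.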

 

Final checks and cleanup

  • Restart the machine.
  • CHKDSK may or may not run upon restart, depending on the condition of the volume.
  • When the system starts up, evaluate the condition of the volume. If it fails to mount, the boot sector recovery did not help (there was more damage than expected). If it is readable, back up critical data off it, because the next stage is potentially unsafe.
  • Once done with backups, run CHKDSK against the affected volume. On the start menu, click Run, then type in "CHKDSK X: /F" and press Enter, where X: is the drive letter of the affected volume.
  • We're done when it finishes.
 
 
 

Copyright © 2001-2008 Zero Assumption Recovery