[Pc_Support] NTFS Hard Drive Recovery -- using Linux to backup unbootable NTFS systems

Bryan J. Smith thebs413 at gmail.com
Tue Sep 5 15:05:36 EDT 2006


Bruce Metcalf wrote:
> There I was, minding my own business, uninstalling Norton Antivirus
> 2005 from my Win2k system. It required a reboot, and when the system
> came back up, my second hard drive was inaccessible. Much cussing and
> reconfiguring later, I get a message that the drive is unformatted. WTF?

It's called McAfee and Norton are _liabilities_ today.  I _refuse_ to
install _either_ now on consumer systems (I'll install them in
enterprises where I clone from a _known_good_ enterprise release
image).

> [Insert obligatory remarks about the natural superiority of Linux,
> etc. etc. here.]

Huh?  This has _0_ to do with comparison to Linux.  Linux has its
security shortcomings too, although Linux has a _supportable_
boot/init process, whereas NT has _never_ (even OS/2 did, which NT's
own init is largely based on).  That was a 100% Gates decision and
resulting clusterfsck.

That's why _major_ Fortune 100 companies I've worked at _never_
install NT Server "raw."  They install VMWare ESX instead, so you can
recover easily.  But for consumer users, yes, this sucks.  ;->

Again, the major TCO PITA with NT has been, and will continue to be,
the _utter_lack_ of a way to _recover_ the system during the boot/init
process -- unlike not only UNIX/Linux systems, but even OS/2, which
NT's init is almost entirely based on but "hidden".  Booting into
"recovery" mode with the CD with a "recovery" floppy is _not_ the same
at all.

Then add in the inherent _design_flaws_ of NTFS and you _never_ want to
install a new version of NT atop of an existing NTFS filesystem anyway
(long story).  So the best thing is to use Linux to read all the data
off of an NTFS volume and install new afterwards.  The major PITA of
this is that you will lose _all_ of your ACE and meta-data on the
files from the NTFS filesystem.

But you'd end up doing that (or worse) if you re-installed a new NT
installation on an existing NTFS filesystem anyway -- because ACE and
meta-data is tied to the registry/SAM of a _specific_ NT installation
(even if you use Dynamic Disc and its hidden meta-data areas).

> Does anyone have an idea about how to rescue the data short of
> sending the drive out for major salvage? Cost me $135 last time.

Boot a Linux rescue disk.  Mount NTFS read-only using the kernel
driver.  Pull all the data off.

> And if it matters, it's a Maxtor 6Y060L0, 60G ATA.

This doesn't sound like a disk issue, it sounds like a NT init issue.

I ran into this myself this past weekend when I moved my wife's
FRAID-1 volume from a nForce 410 back to an older nForce 4 chipset.
The BIOS and Linux had _0_ problem with it, but Windows XP totally
blue screened after self-reconfiguring (re-self-fsck'ing ;-) itself
(and asking for re-activation while it was at it).

But I had _smartly_ done a backup before I even tried to mess with it.
 After some coaxing of XP, I was able to get it to use the nForce 4
RAID driver, even though it largely matched the nForce 410 FRAID
driver (version 6.66 -- yeah, what a coincidence in version!)

> [Insert obligatory reference to Bryan's commentaries on the use of
> enterprise-rated hard drives here.]

Huh?  This has _0_ to do with the disk AFAICT.  It has to do with XP
self-fsck'ing itself, thanx to 3rd party software.  There is virtually
_no_way_ to recover the boot/init process with NT, especially when the
"system/boot" is on NTFS.

Where I'm going to bitch-smack you is on why you didn't have a backup
_before_ messing with Norton!  ;->

> Any help will be most sincerely appreciated, either by email or at
> Saturday's Installfest.

I won't be there, but you can boot a Linux rescue disk, connect to
your network, mount the NTFS volume read-only, and do something like
...

  # mkdir /mnt/c
  # mount -o ro -t ntfs /dev/hda1 /mnt/c
  # cd /mnt/c
  # ssh user@server "mkdir backup"
  # tar cvf - ./ | ssh user@server "cd backup && tar xvf -"

That will dump the entire tree into a directory called "backup" under
the home directory of "user" on SSH "server".
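
The procedure above ends once the tar stream has been piped over SSH. As an added example (not part of the original post), the script below checks the copy against a SHA-256 manifest taken from the read-only mount. The function names are hypothetical, GNU or BusyBox find, sort, xargs and sha256sum are assumed, and the demo uses a constructed temporary tree in place of a real NTFS volume.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# /mnt/c, user@server and backup in the usage comment follow the post.

# Print "hash  ./relative/path" for every regular file under directory $1.
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Read a manifest on stdin and check the tree under $1 against it.
# Prints only lines that are not OK; returns non-zero if any listed file is
# missing, unreadable or has different content.
check_manifest() {
    out=$(cd "$1" && sha256sum -c - 2>&1) && rc=0 || rc=$?
    printf '%s\n' "$out" | grep -v ': OK$' || true
    return "$rc"
}

# Constructed local demo: one temp tree stands in for /mnt/c, a second for
# ~/backup on the server (a local pipe replaces ssh).
demo_local() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/src/Documents and Settings" "$t/dst"
    printf 'report\n' > "$t/src/Documents and Settings/report.txt"
    printf 'boot\n' > "$t/src/boot.ini"
    make_manifest "$t/src" > "$t/manifest.sha256"
    ( cd "$t/src" && tar cf - . ) | ( cd "$t/dst" && tar xf - )
    check_manifest "$t/dst" < "$t/manifest.sha256" && intact=0 || intact=$?
    printf 'x' >> "$t/dst/boot.ini"   # simulate a damaged transfer
    check_manifest "$t/dst" < "$t/manifest.sha256" >/dev/null \
        && damaged=0 || damaged=$?
    rm -rf "$t"
    [ "$intact" -eq 0 ] && [ "$damaged" -ne 0 ]
}

# Real use from the rescue disk, after the tar | ssh copy has finished:
#   make_manifest /mnt/c > /tmp/manifest.sha256
#   ssh user@server "cd backup && sha256sum -c -" < /tmp/manifest.sha256
```

The manifest lists only files present on the source, so extra files on the server are not reported.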


