
Any way of rebuilding a corrupt MFT?


bizzybody


I have a hp compaq slimline box in the shop with XP Pro SP3. Had a malware infestation which I cleaned up then updated Windows, Norton etc. Did my usual three reboots and other tests to ensure it was all working 100%.

Customer takes it home and shortly calls back saying it's not working so I go out there and sure 'nuff it's a BSOD no mountable volume. Back at the shop it won't even do that much. (Oh joy, worse than the time a fresh 2000 setup decided to blow up its User Hive on the first boot for a customer after behaving perfectly in the shop, and never another problem again after reinstalling everything. Ran perfectly for years.)

TestDisk says both boot sectors are OK but both MFTs are corrupt. Fortunately it's only a partly full 40 gig so I can use a utility to find all the files and folders to copy to another drive. It looks like 100% of everything is still there, folders and files. There appears to be one spot with some error I have to tell it to ignore so it'll go ahead with copying. It's not able to make an image of the drive because of that.

Is there a way to just rebuild the MFT *in place* so the box can be booted with some other utility disc to run scans, repair etc? Or alternatively, do a full format then copy everything back and get it to boot? Of course being an hp compaq d530s there ain't a recovery disc, which if there was would wipe all the user files and software.

If the bad spot doesn't contain critical files, then the *easiest* thing to do would be to reconstruct the MFT then set the dirty bit so XP will do a chkdsk at boot, zorch the corrupt file(s) and get on with things, assuming there's a recovery utility which can do that. THEN I could connect an external drive and do a full backup which can be restored to a fresh XP install, possibly on a new drive if the original is failing.



First, I'd try a disk image with Acronis True Image (it can skip bad sectors) using the Acronis True Image CD. If it works, you'll only need to restore it on another drive.

If this doesn't work, I'd check the drive with the hard drive manufacturer's tool (SeaTools if it's a Seagate, Data Lifeguard for Western Digital ...). If there aren't any errors, boot to the XP Recovery Console (using an XP CD), then do chkdsk /p /r and it should fix the problem. It might wipe some files along the way, so be sure to have backed up everything you could before.

If it still doesn't work, you might try to resize the volume a little with a Linux repair CD called SystemRescueCd; it helped me in the past.

If there are errors when using the hard drive manufacturer tool, you'll need to follow the excellent Jaclaz posts on how to recover data from faulty drives then replace the drive.


boot to XP recovery console (using an xp cd) then do chkdsk /p /r and it should fix the problem

Will that work with both MFT copies corrupted? When I connected the drive to a working system it tried to run chkdsk on it during boot but couldn't.


Or if it will even be able to do anything at all.

Making things worse is the CD-ROM drive is apparently dead in it. Spins but never detects a disc, so I'd have to scrounge up a drive just to try booting with an XP CD to run chkdsk. I don't have any spares laying about. Perhaps I'll see if the customer wants to buy a somewhat newer Dell I have with a DVD-ROM, CD-RW, larger hard drive and better video. ;) Save me the time of a full install and I can copy over her files I salvaged.


Here's an analogy. Getting both copies of the MFT trashed is like taking a library card catalog and knocking it over.

The way all the recovery apps work would be like having to burn the existing card catalog, take all the books out of the library (copy off the files), re-arrange all the shelves (reformat the drive) then re-catalog the books as they're put back on the new shelves (copy the files back).

Would be so much simpler to have the option to *try* and put the cards back in the drawers by locating all the books where they are on the existing shelves. If some of the files are *really* trashed or cannot be found at all, or if there's a hard error on the drive, well, nothing lost but the time and convenience saved by being able to do an in-place restoration (picking up the cards and re-filing) - just go the route of copying off the files that can be saved.


Disambiguation:

  1. there are NOT two copies of the $MFT.
  2. there is ONE copy of the $MFT and the $MFT mirror, which is a copy of the first 4 (four) records of the $MFT.

http://technet.microsoft.com/en-us/library/cc938949.aspx

You can use this app:

http://www.datarescue.com/photorescue/v3/drdd.htm

all right to make a copy of the defective disk, by doing partial copies and joining them together (and filling "gaps" with wiped sectors); also, in some cases imaging "backwards" helps.

To rebuild the $MFT is something that is NOT "easy-peasy", it needs some knowledge of the NTFS and how it works, though there are apps that do help.

See this:

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6543925

AND given links.

jaclaz
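The $MFT / $MFT mirror relationship described in the post above, as an added example that is not part of the original thread: it reads the NTFS boot sector of a disk image, locates both structures, and compares file records 0-3 of the $MFT with their copies in the mirror. The function names and the in-memory sample volume are constructed for illustration; the boot-sector field offsets (0x0B, 0x30, 0x38, 0x40) are the standard NTFS layout, assumed here rather than taken from the thread.

```python
import io
import struct

def locate_mft(boot: bytes) -> dict:
    """Parse an NTFS boot sector into byte offsets of $MFT and $MFTMirr."""
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    raw = struct.unpack_from("<b", boot, 0x40)[0]  # negative means 2**-raw bytes
    cluster = bytes_per_sector * sectors_per_cluster
    record = 1 << -raw if raw < 0 else raw * cluster
    return {"mft": mft_lcn * cluster, "mirr": mirr_lcn * cluster, "record": record}

def check_mft(image, volume_offset: int = 0) -> list:
    """Compare records 0-3 of $MFT with their copies in $MFTMirr."""
    image.seek(volume_offset)
    geo = locate_mft(image.read(512))
    report = []
    for i in range(4):
        copies = []
        for base in (geo["mft"], geo["mirr"]):
            image.seek(volume_offset + base + i * geo["record"])
            copies.append(image.read(geo["record"]))
        report.append({"record": i,
                       "mft_sig_ok": copies[0][:4] == b"FILE",
                       "mirr_sig_ok": copies[1][:4] == b"FILE",
                       "identical": copies[0] == copies[1]})
    return report

def build_sample() -> bytes:
    """Constructed 64 KiB volume (not real data): 512 B sectors, 1 per cluster."""
    img = bytearray(64 * 1024)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 1)
    struct.pack_into("<QQ", img, 0x30, 8, 64)   # $MFT at LCN 8, $MFTMirr at LCN 64
    struct.pack_into("<b", img, 0x40, -10)      # 1024-byte file records
    img[510:512] = b"\x55\xaa"
    for i in range(4):
        rec = b"FILE" + bytes([i]) * 1020
        for base in (8 * 512, 64 * 512):
            img[base + i * 1024: base + (i + 1) * 1024] = rec
    img[8 * 512 + 2 * 1024: 8 * 512 + 2 * 1024 + 4] = b"\0\0\0\0"  # wipe $MFT record 2
    return bytes(img)

if __name__ == "__main__":
    for row in check_mft(io.BytesIO(build_sample())):
        print(row)
```

For a real case, pass a file opened read-only on an image copy of the disk, with `volume_offset` set to the partition's starting byte.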

