Help! Need to recover files



kk39shadow
06-17-2007, 12:41 AM
I'm sorry if this has been posted. I searched back a while, and didn't find any answers. I'm new to Linux and have never used knoppix before (obviously). My Windows crashed, and won't boot, so that's why I'm using knoppix. I'm trying to recover files before I reinstall Windows. The hard drive is fine. I'm just totally lost trying to find the files. The knoppix desktop has Hard Disk [sda], which I can't get into. When I try to open it I get an error: could not mount device could not determine the filesystem type and none was specified. There is Hard Disk [sr0], which I can open, and assume is the CD-ROM drive where Knoppix booted from, and Hard Disk [sr1], which I guess is the DVD RW drive.
Is the first one, Hard Disk [sda], my hard drive? And how do I get into it? From what I've read I need to mount it, then open it? But how do I do this, because as I said every time I try to mount it I get the error message. Any help is appreciated. Thank you

TopFarmer
06-17-2007, 04:38 AM
First need to know if you have Norton's GoBack installed, use a third party boot manager or have a DDO (disk drive overlay)? What Windows version does it have and is it an NTFS file system? Error when trying to boot Windows? What happened before Windows crashed? The info is useful so bad advice is not given.

Very likely TESTDISK (program in knoppix, also dos version available) will need to be run; google the program and read the how to use. If you answer yes to the first question, do not run testdisk yet.

kk39shadow
06-17-2007, 05:08 PM
I don't have GoBack, but I do have Fix It Utilities Recovery Commander installed. I don't know if that will help. I don't use a third party boot mgr, or have a DDO. It is Windows XP Media Center, which is an NTFS file system. I'm not sure exactly what happened to make Windows crash. All I know is I live in an apartment complex, with an ethernet connection, and two computers connected to it. Both crashed at roughly the same time, so I don't know if a virus that symantec didn't catch, or something like that came through.
The error when I try to boot is: Boot device not available press F1 to try again F2 to go to set up. I get the same message when I try to boot with the Windows CD. I already called Dell, and we tried everything to fix Windows. They say my only option is to re-install, so I'd like to try to get my files back first. Thanks

TopFarmer
06-18-2007, 01:56 AM
The error when I try to boot is: Boot device not available press F1 to try again F2 to go to set up
That could change everything. The problem is the bios can not find a hdd or the MBR (Master Boot Record) is bad. First thing is to enter bios (likely F2) and see if the hdd is listed correctly, then check the boot order; my preference is to have the CD first and hdd 2nd.

Is your hdd an IDE or SATA ? (SDA on Knoppix desktop does indicate a SATA hdd and the problem is with the MBR )

In Knoppix - in a root console run FDISK -L post what is displayed.

Harry Kuhman
06-18-2007, 02:33 AM
No, run fdisk, not FDISK, Linux is very case sensitive. I don't know if the option should be -L or -l - read the man page for fdisk to be sure.

cbagger01
06-18-2007, 03:33 AM
Detailed computer hardware information please.

sda is probably your entire hard drive, assuming you have an SATA hard drive. Normally, the individual partitions appear with numbers at the end of the name. For example:

sda1 39MB Dell diagnostic utility partition
sda2 39.96GB Windows NTFS

and you would click on the "sda2" icon in order to mount your MSWindows "C:\" drive and get the files.

If you do not have icons for each data partition, then it probably means one of three things:

1) Your hard drive controller and driver is not being detected/loaded properly.
2) Your hard drive has suffered a catastrophic failure due to stuck head crash / motor bearing failure / controller card failure.
3) Your drive is physically O.K., but your master boot record and partition table has been corrupted.

For #1, particularly if it is an Intel ICH5/6 SATA hard drive controller, the solution is to reboot multiple times and eventually your drive icon will appear. A better solution is to download the previous (bug free) version of KNOPPIX at version 5.01

You could also try a different rescue tool like the "Ultimate Boot CD" for example.

For #2, you can usually tell by going into your computer BIOS. If the drive does not appear on your BIOS device list, then it is probably cooked.

For #3, you can use the Linux partition recovery tool called "Gpart":

http://www.stud.uni-hannover.de/user/76201/gpart/

This tool can scan your hard drive and figure out where each of your partitions are located and help you to rebuild a partition table.

And as a last resort, you can use a program called photorec to find many files even if your filesystem is corrupted. See for example:

http://servers.linux.com/servers/06/08/21/1558230.shtml?tid=119&tid=13

TopFarmer
06-18-2007, 03:40 AM
Harry Kuhman- Thanks for the correction and I must remember the commands are case sensitive, the switch should also be a small -l.

kk39shadow
06-18-2007, 06:16 PM
When I run fdisk Here is what I get:
Disk /dev/sda:250Gb 250,000,000,000 bytes
255 heads, 63 sectors/track/30394 cylinders
Units=cylinders of 16055 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System

This is the drive I'm trying to get into, and you're right it is a SATA hard drive
Also, when I look under QtParted, the hard drive is listed. On the bottom under drive info the status is available, but on the right under status it's listed as hidden.
I already went through the BIOS with the DELL tech before . We made sure it was listed in the right order and everything. Also, we did a Drive Diagnostic from the boot menu, and the drive passed. I'm 99% sure the drive is physically OK, because as I said I had 2 computers crash at the same time with the same problem, same error message. The other one didn't have anything important on it, so I re-installed Windows, and it is fine now. Thanks

cbagger01
06-19-2007, 12:10 AM
If there is nothing listed underneath the

Device Boot Start End Blocks Id System

line then it appears that you have lost your partition table and probably also your entire master boot record. If so, the "Gpart" partition recovery tool is your best bet to rebuild your partition table.

kk39shadow
06-19-2007, 09:14 AM
Ok, here is what gpart says:

Ok.

Guessed Primary Partition Table:
Primary partition(1)
type: 006(0x06)(Primary 'big' DOS (>32MB))
size: 47mb #s (96327) s(63-96389)
chs: (0/1/1)-(5/254/63)d (0/1/1-(5/254/63)r

Primary partition(2)
type: 007(0x07)(OS/2 HPFS, NTFS, QNX or Advanced UNIX)
size: 233609mb #s(478431760) s(96390-478528149)
chs: (6/0/1)-(1023/254/63)d (6/0/1)-(29786/254/58)r

Primary partition(3)
type: 012(0x0C)(DOS or Windows 95 with 32 bit FAT, LBA)
size: 4753mb #s(9735390) s(478528155-488263544)
chs: (1023/254/63)-(1023/254/63)d (29787/0/1)-(30392/254/63)r

Primary partition(4)
type: 000(0x00)(unused)
size: 0mb #s(0) s(0-0)
chs: (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r

Now, where do I go from here?
Thanks again

cbagger01
06-19-2007, 11:43 PM
Since it appears that your "guessed" partitions are consistent, you can now rebuild your partition table. By consistent, I mean that all of your partitions appear to be in sequential order, so you don't have a partition that spills over into a neighboring partition.

From the data, it appears like you have a small DOS partition at the beginning of the disk (probably a BIOS/utility partition), followed by your main NTFS "C:" drive partition and a small approximately 4GB FAT32 partition (maybe an "E:" drive?) at the end of your disk.

So now you can run the same command again, only this time you can use it to WRITE a new partition table for your drive.

A command like this one should get the job done. The "W" needs to be an UPPERCASE letter:

gpart -W /dev/sda /dev/sda


Then you can reboot KNOPPIX and hopefully some new drive partition icons will appear on your desktop. You should then be able to copy any important files over to a USB drive or to a network shared drive.

Assuming that you now have a good partition table on your drive, you might even be able to save your Windows installation if you own the original CDROM. You will need to boot your Windows CDROM and then go into the "Recovery Console" and type in a command like this:

fixmbr


Here is an example of someone who used gpart to solve a similar problem as yours:

http://enterprise.linux.com/article.pl?sid=06/10/11/1911211


If you get everything back up and running, you should take his advice and make a backup copy of your Master Boot Record including the partition table and store this file somewhere else like on a thumbdrive or a floppy disk.

To make a backup, type this in:

dd if=/dev/sda of=/tmp/mbr_backup.img bs=512 count=1

and the backup file will be called "mbr_backup.img" and it will be stored inside your /tmp directory (Temporary files are commonly stored there). Then copy this file to somewhere safe.

To restore your backup, first copy it back to the /tmp directory and then type:

dd if=/tmp/mbr_backup.img of=/dev/sda bs=512 count=1

Good Luck
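
Added example, not part of the original thread: a short Python check that decodes a 512-byte MBR image, such as the mbr_backup.img written by the dd command above, and tests the entries for the overlap that the post calls inconsistent. The sample sector is constructed from the gpart guess posted earlier (CHS bytes left zero, active flag assumed); the function names are this example's own.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # 446 bytes of boot code precede the partition table
ENTRY_SIZE = 16           # four 16-byte entries, then the 0x55AA signature
EXTENDED_TYPES = {0x05, 0x0F}


def parse_mbr(sector0):
    """Decode the primary partition entries of a 512-byte MBR image."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("expected 512 bytes (dd bs=512 count=1)")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a usable MBR backup")
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped),
        # first sector (LBA), sector count
        status, ptype, start, size = struct.unpack(
            "<B3xB3xII", sector0[offset:offset + ENTRY_SIZE])
        if ptype == 0x00:          # unused slot
            continue
        entries.append({
            "number": index + 1,
            "active": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "start": start,
            "size": size,
            "end": start + size - 1,
        })
    return entries


def find_overlaps(entries):
    """Return (a, b) partition-number pairs where a runs into b."""
    ordered = sorted(entries, key=lambda e: e["start"])
    return [(a["number"], b["number"])
            for a, b in zip(ordered, ordered[1:])
            if a["end"] >= b["start"]]


def build_sample_mbr(parts):
    """Constructed test input: an MBR with only table and signature set."""
    sector = bytearray(SECTOR_SIZE)
    for index, (ptype, start, size, active) in enumerate(parts):
        entry = struct.pack("<B3xB3xII", 0x80 if active else 0x00,
                            ptype, start, size)
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        sector[offset:offset + ENTRY_SIZE] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed from the gpart guess in the thread: (type, start, size, active).
# The active flag is an assumption of this example, not taken from the thread.
GPART_GUESS = [
    (0x06, 63, 96327, False),
    (0x07, 96390, 478431760, True),
    (0x0C, 478528155, 9735390, False),
]

if __name__ == "__main__":
    # For a real backup: parse_mbr(open("/tmp/mbr_backup.img", "rb").read())
    table = parse_mbr(build_sample_mbr(GPART_GUESS))
    for e in table:
        print("sda%d type=0x%02X %d-%d active=%s" % (
            e["number"], e["type"], e["start"], e["end"], e["active"]))
    print("overlaps:", find_overlaps(table) or "none")
```

Running it against the backup file before a restore shows which partition table the dd restore command is about to write back, since the restore replaces the table along with the boot code.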

kk39shadow
06-20-2007, 12:11 AM
I'll give it a shot! One question though. If this doesn't work, can it be tried again, or is this a one shot deal? Also, if it doesn't work, this won't permanently mess up the hard drive will it? I could still re-install Windows and have it go back to the factory settings and everything?
Thanks again for everything!!!!

kk39shadow
06-20-2007, 03:39 AM
Ok, I used gpart to write the partition table. I do have more icons on the desktop: sda1, which is the Hidden Dell partition, I'm able to mount and get in to, and sda3 I'm also able to get in to. sda2, which is the one I want to mount and open, I still can't get in to. When I try to mount, I get:
Could not mount device.
The reported error was:
Failed to read last sector (478431764): Invalid argument
Perhaps the volume is a RAID/LDM but it wasn't setup yet, or the
wrong device was used, or the partition table is incorrect.
Failed to startup volume: Invalid argument
Failed to mount '/dev/sda2': Invalid argument
The device '/dev/sda2' doesn't have a valid NTFS.
Maybe you selected the wrong device? Or the whole disk instead of a
partition (e.g. /dev/hda, not /dev/hda1)? Or the other way around?
Is there anything else I can do?
Thanks

TopFarmer
06-20-2007, 04:03 AM
There might be an error in the partition table for the NTFS partition.

Primary partition(2)
type: 007(0x07)(OS/2 HPFS, NTFS, QNX or Advanced UNIX)
size: 233609mb #s(478431760) s(96390-478528149)
chs: (6/0/1)-(29786/254/5)r

If you look at the CHS , the last part (29786/254/5) , the 5 is not normal , it should end at 63 (sector). Look at the other partition and they do end at 63. There would be a conflict between the MBR and the VBR (Volume Boot Record).

cbagger01- if you agree, will let you tell him how to edit the table, likely with DD, read/edit/write back to MBR? Have never done it at all and would not like to mess the hdd up.


EDIT: cbagger01- he will also need the NTFS set Active to boot into XP, if editing the partition table works.

kk39shadow
06-20-2007, 04:51 AM
Just to let you know, the 5 is actually 58. Not sure how the smiley got in there! Don't know if that changes anything. I know it's still not 63.

Harry Kuhman
06-20-2007, 05:25 AM
Not sure how the smiley got in there!
It's an artifact of the way that the board's software stores and displays smileys. The 8 was next to a close paren character, and the two together get translated into a smiley. Several character combinations do this.

cbagger01
06-20-2007, 06:53 PM
The problem is that your rebuilt NTFS partition is listed as the wrong size in the new partition table.
The partition table says that your size is 478431760 sectors, but the filesystem is telling Linux to read sector number 478431764 and this fails.

The solution is to redefine your NTFS partition size to be 478431765 sectors, with a startpoint of 96390 and an endpoint of 478528154.

You can do this by typing:

sudo cfdisk /dev/sda

in a terminal window. Then use the menu to delete your Primary Partition #2. Then create a new Primary partition #2 and have it take up all of the available space (as stated above). Then change the partition type of your newly created partition to type #7 or "0x07". Then write your partition table and exit the program.

Then reboot and try again.

Good Luck.
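
The arithmetic behind this fix, as an added example that is not part of the original thread (Python; the function names are this example's own). It assumes, as the post does, that the sector number in the mount error is counted from the start of the partition, and it uses the 255-head, 63-sector geometry from the fdisk output.

```python
HEADS, SECTORS_PER_TRACK = 255, 63          # geometry fdisk reported for /dev/sda
CYLINDER = HEADS * SECTORS_PER_TRACK        # 16065 sectors per cylinder


def lba_to_chs(lba):
    """Convert an absolute sector number to (cylinder, head, sector)."""
    cylinder, rest = divmod(lba, CYLINDER)
    head, sector = divmod(rest, SECTORS_PER_TRACK)
    return cylinder, head, sector + 1       # CHS sectors count from 1


def ends_on_cylinder_boundary(end_lba):
    """True when the next sector after end_lba starts a new cylinder."""
    return (end_lba + 1) % CYLINDER == 0


def check_partition(start, size, fs_last_sector, next_start):
    """Compare a table entry with what the filesystem needs to read.

    start, size     -- the entry as written in the partition table
    fs_last_sector  -- sector (relative to start) the mount tried to read
    next_start      -- first sector of the following partition
    """
    end = start + size - 1
    grown_end = next_start - 1               # fill the gap up to the neighbour
    grown_size = grown_end - start + 1
    return {
        "end": end,
        "end_chs": lba_to_chs(end),
        "covers_fs": fs_last_sector < size,
        "grown_end": grown_end,
        "grown_size": grown_size,
        "grown_end_chs": lba_to_chs(grown_end),
        "grown_covers_fs": fs_last_sector < grown_size,
        "grown_on_boundary": ends_on_cylinder_boundary(grown_end),
    }


if __name__ == "__main__":
    # Numbers taken from the gpart guess and the mount error in the thread.
    report = check_partition(start=96390, size=478431760,
                             fs_last_sector=478431764,
                             next_start=478528155)
    for key, value in report.items():
        print("%-18s %s" % (key, value))
```

The guessed entry ends at CHS 29786/254/58 and is five sectors short; grown to the start of the next partition it is 478431765 sectors long, ends at 29786/254/63 and contains the sector the mount asked for.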

kk39shadow
06-21-2007, 02:42 AM
You guys are geniuses!!! Thank you soooooooooo much! It worked. I was able to access all of my files. You saved me $1600.00 that the Geek Squad wanted to charge to recover files!!! One last question. Before I had a chance to put the Windows CD in, the computer re-booted. Windows started up fine, and everything appears to be here and working, except I'm able to see the Hidden Dell partition and the other partition after my C drive now. They are called local disk F and G. Since I can now boot, do I still need to boot from the Windows CD, and run the Windows recovery or fixmbr command, or is everything ok now? Again, thank you very, very much!!!!

cbagger01
06-21-2007, 01:37 PM
If you can boot normally, then you do not need to run the fixmbr command. Everything is OK now.

If you wish to make the Dell partition "hidden" again, you can go into the Windows control panel administrative tools and choose computer management. Then choose Disk Management. Then you can select your Dell partition and choose Change drive letter and paths and "Remove drive letter" from the menu. But please make sure that you are choosing the correct partition (Dell). If you pick the wrong one, bad things will happen.

xpcomputers
07-10-2007, 06:35 PM
I am new here and wasn't sure on this forum's etiquette. Apologies if this is in the wrong place.

I think I have the same problem, but I didn't know whether you prefer me to post a new thread, or continue this one... if you prefer me to start my own thread, then reply saying that, and I will start a new thread for my problem instead.

My problem.
I have a SATA disk that one day stopped booting into Windows. It had three partitions. 1st is a system recovery partition installed by the manufacturer. 2nd is the Windows install. 3rd is some data. None of these partitions were showing at all. I used Acronis Disk Director to attempt a recovery of the partitions. It has found and "restored" all three, rewriting the partition table. However like the OP of this thread, my Windows partition is still unreadable. Whereas the other two are now detected and running fine again.

I have them mounted in Knoppix 5.1.1 (DVD version) as
/dev/sda1
/dev/sda2
/dev/sda5
(not sure why the odd numbering)

I have used gpart /dev/sda to find out the guessed partition points, and they have a similar "not 63" number in the CHS figures.


Begin scan...
Possible partition(DOS FAT), size(4502mb), offset(0mb)
Possible partition(Windows NT/W2K FS), size(80576mb), offset(4502mb)
Possible extended partition at offset(85078mb)
Possible partition(Windows NT/W2K FS), size(71249mb), offset(85078mb)
End scan.

Checking partitions...
Partition(DOS or Windows 95 with 32 bit FAT, LBA): primary
Partition(OS/2 HPFS, NTFS, QNX or Advanced UNIX): primary
Partition(OS/2 HPFS, NTFS, QNX or Advanced UNIX): primary
Ok.

Guessed primary partition table:
Primary partition(1)
type: 012(0x0C)(DOS or Windows 95 with 32 bit FAT, LBA)
size: 4502mb #s(9221247) s(63-9221309)
chs: (0/1/1)-(573/254/63)d (0/1/1)-(573/254/63)r

Primary partition(2)
type: 007(0x07)(OS/2 HPFS, NTFS, QNX or Advanced UNIX)
size: 80576mb #s(165019672) s(9221310-174240981)
chs: (574/0/1)-(1023/254/63)d (574/0/1)-(10845/254/55)r

Primary partition(3)
type: 007(0x07)(OS/2 HPFS, NTFS, QNX or Advanced UNIX)
size: 71249mb #s(145918328) s(174241053-320159380)
chs: (1023/254/63)-(1023/254/63)d (10846/1/1)-(19928/254/59)r

Primary partition(4)
type: 000(0x00)(unused)
size: 0mb #s(0) s(0-0)
chs: (0/0/0)-(0/0/0)d (0/0/0)-(0/0/0)r


The guessed partition locations... are these based on the partition table that Acronis Disk Director has written, or is it purely on what gpart thinks it should be?

What I need to establish is whether my partition locations are correct, and if not get them in line, so that the data on my C drive (/dev/sda2) can be recovered. In Windows (as a slave on another machine), this partition is unviewable. I can't even run chkdsk on it from Windows either.

In Knoppix, if I attempt to browse /dev/sda2 it says
"Could not mount device.
The reported error was:
Incomplete multi sector transfer detected in $MFT.
Failed to load $MFT: Input/output error
Failed to startup volume: Input/output error
Failed to mount '/dev/sda2': Input/output error
NTFS is inconsistent. Run chkdsk /f on Windows then reboot it TWICE!
The usage of the /f parameter is very IMPORTANT! No modification was
made to NTFS by this software."

Since it won't let me run chkdsk from Windows, I am hoping that gpart or TestDisk might be able to help me.

I am competent in Windows work, but have no experience of Linux & Knoppix, so am feeling my way forwards in the dark!

Mike

cbagger01
07-10-2007, 07:16 PM
PC partitions can be set up in 2 different ways.

1) As a primary partition, or a "Real" partition. You can only have 4 primary partitions on a hard drive
2) As an "extended" or "logical" partition. This is basically a partition inside a "Real" partition. You can have MANY logical partitions.. more than a dozen. But all of these extended partitions are stored inside a "Real" partition.

In Linux, primary partitions are identified by /dev/devicenameX , where X = 1 through 4
The extended partition names begin at X = 5

So my guess is that your Disk director created partition table looks like this:

sda1 (Primary, FAT/FAT32)
sda2 (Primary, NTFS most likely your "C:" drive)
sda3 (placeholder for extended partition, not a "Real" partition)
and inside sda3:

sda5 (Extended, NTFS, most likely your "E:" drive)

I would not trust the gpart generated information because it looks incorrect. For some reason it saw your "E:" drive as a primary partition and not an extended one. This explains the gap in the last sector of partition #2 and the first sector of partition #3

Chances are that your "Disk Director" has already fixed your partition table correctly, but if you wish to use a different program to try and recover your partition table, I would try "TESTDISK" and not gpart.

Ironically, you can get a version of TESTDISK from the bootable "Gparted" livecd. Just Right-Click on an empty part of the desktop and then choose TESTDISK from the menu. Another option is to burn a copy of the ULTIMATE BOOT CD. I am pretty sure that it contains TESTDISK.

But I would not use gpart to WRITE out a new partition table because the information looks inconsistent to me.

Good Luck.

xpcomputers
07-10-2007, 07:26 PM
What is the best way to check the data that Disk Director has already written to the partition table? Basically I want to check that the partition data in the partition table isn't screwy already (like the stuff that gpart was suggesting), in case that is messing up my file system.

You are right about the extended partition. That is how it is laid out. Thanks for giving me the info on the numbering system, it makes much more sense now.

Thanks for taking the time to reply, I'm learning heaps here!

Mike

xpcomputers
07-11-2007, 10:08 AM
If I was to try to write another new partition table, would it ignore the existing one, and look for the possible partition start and end points itself, or would it see the existing partition table and just use that?

I had no joy getting Testdisk to work. Via Knoppix it said the libntfs.so.9 (or something like that) wasn't found. I had it on another bootcd, but it wouldn't run there either.

Am trying DiskPatch v2.1.1 it has listed a whole load of potential partitions, but it is difficult to figure out which 2 of the bottom 6 are the correct ones....

SEQ  TYPE   START--- (GB)        LENGTH---(GB)        END-----(GB)         PRI  RAT
01   FAT32  63 (0)               9221247 (4.4)        9221309 (4.4)        PRI  #
02   NTFS   9221310 (4.4)        165019680 (78.69)    174240989 (83.08)    PRI  -
03   NTFS   9221310 (4.4)        165019673 (78.69)    174240982 (83.08)    PRI  +
04   NTFS   9221317 (4.4)        165019673 (78.69)    174240989 (83.08)    PRI  +
05   NTFS   174241053 (83.08)    145918332 (69.58)    320159384 (152.66)   LOG  -
06   NTFS   174241053 (83.08)    145918332 (69.58)    320159381 (152.66)   LOG  +
07   NTFS   174241056 (83.08)    145918329 (69.58)    320159384 (152.66)   LOG  +

Obviously the 63 figure in the gpart readout means something (is it the partition ending on a sector boundary?). Is there an easy way that I can use a calculator to get an equivalent reading from the above data? Am I just adding 1, then dividing the numbers by 64 to see if I get no remainder?

What is the best way to get that data off the current set of partition in the recovered partition table that Disk Director gave me?

I would rather use TestDisk on Knoppix though, if someone can tell me how to overcome the lib error. I am using Knoppix 5.1.1 DVD version.

Thanks

Harry Kuhman
07-11-2007, 10:16 AM
If I was to try to write another new partition table, would it ignore the existing one, and look for the possible partition start and end points itself, or would it see the existing partition table and just use that?....
The partition table is a fixed size and position, always the last part of sector 0 track 0 cylinder 0 of the hard disk. So if you write a new partition table, the old one is no longer there. There is no chance for any doubt if the old one will be used; it's gone.

xpcomputers
07-11-2007, 10:31 AM
Thanks Harry,

I actually meant, does the scan search the partition starts/ends or will it just use the partition table if it exists. You actually indirectly answered me, as it can't write a new one if it hasn't created something different! So it must scan for partition start/ends and writing this info to a new partition table, which obviously will obliterate the old one.

Mike