
Help for Recovering Data with Recuva & System Restore (after a weird issue...)


Marc27


Hello,

This is the situation...

Suddenly I received an error in Windows, something like "cannot locate the route of the specified file", when attempting to open a folder, and at the same time 200 other folders that were present in the same directory as the one I tried to open disappeared!

I rebooted, nothing. So I tried System Restore, and well, it fixed it, it restored all the files. But then I made the biggest mistake ever: I thought of undoing the restoration to take note of some configs I made in the time between the last restore point and the actual state.

But right after I undid the restoration, a notification popped up telling me that there was little space on the disk and !@# all the System Restore points were deleted. The reason for this, it seems, is that when I restored the system I copied the vanished files to another partition (which, it seems, had System Restore enabled on it too), causing this drive to lose all its restore points. After undoing the restoration, the files copied to the other partition were lost as well.

So, my bet is that these files are somewhere. I ran Recuva but it only detected a handful of the folders, even before I used the System Restore point. Meaning the files were there but Recuva couldn't recover them.

Now, the first thing I did after all the restore points were gone: I scanned with Recuva and saved the files to a third partition, so I got this

File List C.txt (it seemed a better idea instead of posting it in the code box)

So I'm sure the files are there and may be recovered, but Recuva doesn't detect them.

Options that come to my mind: first, to attempt to recreate the old restore point using the files recovered with Recuva.

Else, to only use the info related to the files and import** that info into an actual restore point. I already learnt how to access the System Restore protected directory.

Third, I can try to recover the files from the other (second) partition, into which I copied the files as well but which disappeared after I undid the restoration.

These files are quite important, meaning lots and lots of work, hence all the effort to recover them.

Files recovered in the second partition (note I didn't manage to recover all - I ran out of space - up to 75%, 1.77 GB)

File List F.txt

 

I forgot to mention I'm running Windows XP SP3...



You copied the files that vanished before to a separate partition and you thought they would be safe there once you undid the restoration? I don't understand how this is supposed to work, since my understanding of System Restore is that it doesn't wipe off personal files when a restore has taken place.

The question is why a lot of these folders suddenly disappeared in the first place. Then you got this error message popping up that led you to do a System Restore? So these folders just suddenly went missing. Did somebody else delete these folders? Was it the work of a virus or malware?

Perhaps you can post a screenshot of this error box that appears on your screen and maybe we could diagnose the problem better.

Recuva can't recover all the lost files, especially those that are now badly overwritten. Have you tried the deep scan option in Recuva yet? It digs up more lost files but again, those that are badly overwritten are now barely usable.

I love computer maintenance tasks.

Some of my favorite programs:

Wordpad - basic word processing

Notepad - temporary clipboard and basic scripting module

Windows Media Player 12 - video, music and online radio player

Windows Media Center - live TV, local FM radio

CCleaner - handy computer maintenance tool

If something fails to work after using the registry cleaner, use SYSTEM RESTORE.


As far as I can tell the files got marked for deletion because of the increase in free space that matches the size of the lost data. I really don't believe there's a virus. I checked the processes, memory, performance, and did a quick memory scan.

I will go into a little more detail on how the error happened: I was working with several folders in the same main directory. I was actually checking them in order (the 500+ folders). At one point I attempted to open the next folder and I got the error "unable to..", tried with the one that followed after that and again the same error. After 2 seconds those two folders disappeared and then I realized that the item count in the status bar had changed from approx. 550 to 280. Nothing in the Recycle Bin. No error message in the Event Viewer.

An interesting point is that before using the restore point (which effectively restored all the files) Recuva didn't manage to find many of them, hence they may not be all that badly overwritten. That leads me to believe that those files are recoverable and that somehow this error or whatever happened makes it hard for Recuva to find them, while Windows can manage to recover them. I've used Recuva many times in the past and it usually manages to find & recover most of the files. In this case it only displayed files from 5-6 of 270 folders.

So, having most (I hope) of the files of the restore point that managed to find and recover all the files, there may be some way to retrieve them (either from the restore files of the main partition C or from the ones in the third partition F).

There's even a file "change.txt" that seems to list the files/directories that were deleted (in both the C and F System Restore files).

Edit: I didn't mention in the first post that the "Files Recovered in second partition" File List F.txt are files of the restore point in F.


So you think if you can somehow get the restore point files on either drive C: or drive F: (the partition where I assume you backed up your retrieved files before you did an undo of the first restoration), you could somehow recover the folders that went missing? Did I get it right?

And you want Recuva to find and retrieve these restore point files? And now you said you have no more restore points left? Even if Recuva manages to retrieve them, I think they won't be 100% intact, but hopefully usable and decent enough. Looking at the file list you gave, there are .exe files 11-12 MB in size on the list.

Looking at your case, there is something rather fishy when you opened a folder and then suddenly it's listed as a non-existent folder, and many others suddenly had the same problem as well. It smells like the work of malware to me. Malware that suddenly destroys folders and their data.

What was the stuff you had in those folders that went missing?

 

I'd also do a malware scan if I were you. Just to be sure.


Yes, that's it! (I already recovered the files of both drives with Recuva.) What I'm trying to figure out is how to use them.

The folder actually contains lots of application toolkits, so the exes should be OK. I always scan them with VirusTotal and download them from trusted sources.

Also, maybe I'm missing some basic stuff about System Restore, but if malware deleted the files, shouldn't System Restore be unable to restore them? Since, if I recall correctly, it doesn't actually store a copy of the files...?

There's another point that I didn't mention: after undoing the restoration, not all the files that I copied from C to F disappeared; oddly, all the folders that didn't disappear are folders that didn't disappear in C either (after the initial error).

Anyway, it makes sense to run a malware scan just to be sure ;)


As far as I can tell the files got marked for deletion because of the increase in free space that matches the size of the lost data. I really don't believe there's a virus. I checked the processes, memory, performance, and did a quick memory scan.

That is a really strange phrase.

I only remember seeing this when CCleaner was prevented by Windows from deleting index.dat,

and instead it would "mark for deletion" and as a result index.dat would live another day,

and only get zapped and recreated on the next reboot.

Did you use the wrong technical term,

or what is the reason for saying this was anything but an immediate and "normal" deletion?

Do you have some special tool that might have done this?


Sorry for that, it should have been "marked as deleted"** (that's what happens when posting late).

So how should I use the recovered restore point files?

Should I try copying all the files to the Volume Information folder?

Or maybe creating a new point and replacing the files (like importing)?

At this point it looks more likely to recover the files from the recovered restore point files from F.


  • Moderators

I would think that trying to fool Windows system files would be a daunting, if not hopeless, task. Even if you could replace the files there are so many other intimately tied-in parameters: sys rest logs, transaction logs, timestamps, registry entries etc. It looks like a recipe for a rebuild, especially as I understand that XP sys rec does not support user files.

Whilst I haven't quite grasped the full flow of what you've done, I'd go back to more basic recovery methods. Are you running deep scan?


I understand that XP sys rec does not support user files.

That is true in theory.

In practice XP has a split personality.

When saving files to a Restore Point the Firefox Cache is considered a System File and is copied,

but when restoring to a previous point the Firefox Cache is considered a User file and NOT replaced; the version in the R.P. is copied as Cache(1) instead.

CCleaner was always good at removing Cache, but Cache(1) and Cache(2) and Cache(...) lingered till I zapped them.


Sorry for that, it should have been "marked as deleted"** (that's what happens when posting late).

So how should I use the recovered restore point files?

Should I try copying all the files to the Volume Information folder?

In theory that is what I'd try to do as well. It's not a guarantee and I'm not sure if that will work, but maybe worth a try in my view.


I would think that trying to fool Windows system files would be a daunting, if not hopeless, task.

Maybe, maybe not!

First, you have to understand how Windows knows which files are considered System files.

I messed around, just to see what would happen, years back. Windows puts a System attribute on system files. You can use a program to turn off the System attribute, read-only, etc., & it will then behave just like a normal file. You can also mark normal files as System & read-only, but I did not try that.

Additionally, you can use a utility like Unlocker, which will be able to move files that ordinary file move/copy operations will not.

That said, I do not recommend just moving system files around, unless you know what you are doing.


It looks like it behaves differently as well when undoing a restoration.

The restore points in F are around 1.77 GB, and looking at the files I can tell they are there but renamed. And maybe that's the reason why Recuva can't find more files with their original names/paths... (at least in F; I still don't know why it found so few folders in C before restoring all files via System Restore).

So, considering that it's highly unlikely to recreate a restore point (though I can still try copying all the files to the Volume Information folder), can the files contained there be renamed? So far the file "changes.txt" seems to contain a list, but it's in a difficult-to-read format. Maybe it can be converted to a more readable one? And then use a program to rename the files, like Renamer?

Edit: @Ishi OK, then I will try this. I already tried copying only the files in C to the Volume Information folder... So I will try copying the recovered restore files of C and F to their respective Volume Information folders in their partitions, and copying only the recovered files of F while disabling the supervision of all the other partitions.

Edit2: @Super Fast So I just checked as well the system attributes of the recovered files. There's a check box that reads "File" that is checked; "Read only" and "Hidden" are unchecked. Does "File" equal "System"? If not, I can easily change all the file attributes with BulkFileChanger and set the files as read-only or hidden.


The contents of each R.P. are every file that has been captured, BUT the name has been changed to A0123456.ext etc.,

in which the new extension is the same as the original, but the new name has a number that increments with each preserved file.

There is also a set of change.log files that gives a cross-reference index relating the original name to the corresponding A0digits name.


Edit2: @Super Fast So I just checked as well the system attributes of the recovered files. There's a check box that reads "File" that is checked; "Read only" and "Hidden" are unchecked. Does "File" equal "System"?

No. File doesn't automatically = System. But system areas, such as many of the files in the System32 area, or System Restore, etc., have special attributes on them.

Normally, these system attributes are hidden from a user, but Pete Romainges' Attribute Changer can show the extra attributes of files.

User files normally do not have system attributes, but some, such as Spybot Search & Destroy, have used System attributes on their files once installed, to prevent modifications or changes by malware/users etc.


  • 3 weeks later...

OK... I tried the above ideas with no luck.

So I move to the next step: trying to at least know which files/folders were deleted so that I can manually recreate them again. I've gone through the changes.txt files (unfortunately I realized they only contained a fraction of the lost folders) and the files of the System Restore.

 

I've one idea left. I made regular backups of the registry and so I have the registry key that contains the folder info of the root directory.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\1475]

Since this key contains information on custom item positions, it may as well contain the names of all the lost folders.

My bet is that "ItemPos1152x864(1)" is the REG_BINARY value that I want to convert to readable text/string. Right now it looks like

 

01 00 00 00 94 00 00 00 14 00 00 00 63 00 3A 00 5C 00

70 00 72 00 6F 00 67 00 72 00 61 00 6D 00 6d 00 65 00

... around 2600 lines.

Now I'm trying to figure out how to run a script to convert it. There is some code out there.

Here's some code that was posted, but I'm not sure how to run it.

Like:

	' k is an open Microsoft.Win32.RegistryKey and ValueName the list of value
	' names to read; a REG_BINARY value comes back as Byte(), and the text in
	' it is UTF-16LE (Encoding.Unicode), as the 63 00 3A 00 dump above shows
	Dim encoding As System.Text.Encoding = System.Text.Encoding.Unicode
	For Each Val As String In ValueName
		Dim data As Byte() = CType(k.GetValue(Val), Byte())
		ListRecent.Items.Add(Val & ": " & encoding.GetString(data))
	Next

and

Function Microsoft.Win32.RegistryKey.GetValue(name As String) As Object

Edit: I realize this is not Recuva's land, so if it's too tricky, where do you recommend me to ask?

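What the ItemPos dump in the post above and the change.log files described a few posts up (the A0123456.ext cross-reference) have in common is that the names are buried in binary next to UTF-16LE text: the posted dump starts 63 00 3A 00 5C 00, which is "c:\" in UTF-16LE. Feeding the whole REG_BINARY value to Encoding.Unicode.GetString, as the VB snippet does, gives one string full of NULs and control characters, because most of the blob is structure rather than text. The script below is an added example written for this thread, not code from any poster or from Piriform: it carves runs of printable characters out of such blobs, accepting the space-separated hex dump posted above, a .reg export of the value, or a raw recovered file (change.log, an A0digits file), and prints every UTF-16LE and ANSI string run it finds with its offset. It assumes the names are stored as UTF-16LE, with 8.3 short names possibly stored as ANSI; the sample bytes beyond the two posted lines are constructed for the example.

```python
"""Carve readable names out of Windows binary blobs.

Added example for this thread, not code from any poster in it. Targets the
REG_BINARY "ItemPos..." value under
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\Bags\\<n>
(posted as space-separated hex bytes) and raw files such as change.log or
A0123456.ext inside a restore point. Assumption: names in these blobs are
UTF-16LE (the posted dump starts 63 00 3A 00 5C 00 = "c:\\"), with 8.3 short
names possibly stored as ANSI, so both encodings are carved.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample dump: the first two lines are the ones posted in the
# thread; the remaining three are made up here to add a second name, a run
# too short to count, and one ANSI 8.3 name.
SAMPLE_DUMP = """
01 00 00 00 94 00 00 00 14 00 00 00 63 00 3A 00 5C 00
70 00 72 00 6F 00 67 00 72 00 61 00 6D 00 6d 00 65 00
00 00 14 00 00 00 54 00 6F 00 6F 00 6C 00 6B 00 69 00 74 00 20 00 30 00 31 00 00 00
FF FE 02 00 61 00 62 00 00 00
50 52 4F 47 52 41 7E 31 00
"""


def parse_hex_dump(text: str) -> bytes:
    """Turn a hex dump into bytes.

    Accepts the space-separated form posted in the thread and the .reg
    export form ("Name"=hex:01,00,...\\ continued on following lines).
    Only the first hex: value of a .reg export is read.
    """
    marker = re.search(r"hex(?:\(\d+\))?:", text)
    if marker:
        # In .reg syntax the value continues onto the next line only while
        # the current line ends with a backslash.
        kept = []
        for line in text[marker.end():].splitlines():
            kept.append(line)
            if not line.rstrip().endswith("\\"):
                break
        text = "\n".join(kept)
    tokens = re.split(r"[\s,\\]+", text)
    pairs = [t for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    return bytes.fromhex("".join(pairs))


def carve_utf16le(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for each run of >= min_len printable UTF-16LE chars.

    A printable code unit is U+0020..U+007E or U+00A0..U+00FF, i.e. one
    byte in that range followed by a 00 byte.
    """
    pattern = rb"(?:[\x20-\x7e\xa0-\xff]\x00){%d,}" % min_len
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in re.finditer(pattern, blob)]


def carve_ascii(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for each run of >= min_len printable single-byte chars
    (catches 8.3 short names such as PROGRA~1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, blob)]


def carve_names(blob: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Both carvers merged and sorted by offset, tagged with the encoding."""
    found = [(off, "utf16", s) for off, s in carve_utf16le(blob, min_len)]
    found += [(off, "ansi", s) for off, s in carve_ascii(blob, min_len)]
    return sorted(found)


def load_blob(path: str) -> bytes:
    """Read a file that is either a text hex dump / .reg export or raw binary.

    regedit writes .reg files as UTF-16 with a BOM; a dump pasted from a
    forum is plain ASCII; anything that is not decodable text is used as-is.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("ascii")
    except UnicodeDecodeError:
        return raw
    blob = parse_hex_dump(text)
    return blob if blob else raw


def main(argv: List[str]) -> int:
    files = [a for a in argv[1:] if a != "--raw"]
    if files:
        # --raw forces binary mode for a file that happens to decode as text
        # (for example a UTF-16 log that starts with a BOM).
        blob = open(files[0], "rb").read() if "--raw" in argv else load_blob(files[0])
    else:
        blob = parse_hex_dump(SAMPLE_DUMP)
    for off, enc, name in carve_names(blob):
        print(f"0x{off:06x} {enc:5} {name}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to process the built-in sample, or with the path of a recovered change.log, an A0digits file or a .reg export of the ItemPos value (add --raw to force binary mode). This recovers the strings only, not the record layout of change.log, so pairing an original path with its A0 name still means looking at what sits next to it at the printed offset in a hex editor; it does, however, give the list of folder names the poster was after without having to read 2600 lines of hex.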

  • 2 weeks later...
  • 4 years later...

First, I'm sorry for being here so late..., but my problem is exactly the same as the one posted at the beginning of this thread.

This is the scenario:

* VSS has been disabled.

* VS copies have been deleted; previously the restore points were deleted (I'm a little confused about these two apparently different things: Restore Points/Shadow Copies).

* System Restore has been disabled.

Plugging the disk into another machine, I've been able to "see" into the "System Volume Information" folder, through Recuva, large deleted (but recoverable) files with this kind of name: {3cfc80e0-be42-11e5-a950-f46d04d75d0c}{3808876b-c176-4e48-b7ae-04046e6cc752}, ... Are these large files Restore Points or Shadow Copies? Are they the same thing, or very different?

Well, just in order to experiment, I've saved one of those files & after a lot of tries I've been able to mount this file as a virtual DVD-ROM (through a non-commercial version of DAEMON Tools Lite). Just in case, I've made an image of this virtual unit through TestDisk. Later I've used PhotoRec & extracted thousands of files from the .dd image.

Obviously, this restore point (or shadow copy?) does not have the files that really matter; most of the files are little images, txts, system files, & all kinds of temporary files coming from the activity of the web browsers.

I'm begging for someone to tell me that it is possible to get back a deleted shadow copy, or several of them. The problem is that I don't know where to search for those "Shadow Copies", or if those files have some kind of name to search for.

I was able to "rebuild" the "System Volume Information" folder; these are the files I've recovered:

* SPP (folder in which the "OnlineMetadataCache" sub-folder is contained)

* {7048df7f-d34b-11e5-b260-f46d04d75d0c}{3808876b-c176-4e48-b7ae-04046e6cc752} (large system file).

* {3808876b-c176-4e48-b7ae-04046e6cc752} (64 KB system file).

* MountPointManagerRemoteDatabase (0 KB system file).

* tracking.log

The very unknown (for me!) thing is how to set the relationship between this recovered "System Volume Information" folder & the Windows registry. I assume/wonder that if this relationship is rebuilt, we'll be able to recover entirely deleted shadow copies. Can someone tell me if I'm totally wrong about this?

I've made some tests, such as deleting many large files from my disk while System Restore is active, & later, obviously, I was able to recover all those files by simply navigating into the restore points through the "System Restore Explorer" & "ShadowExplorerPortable" apps.

How to rebuild a recovered SVI folder / Windows Registry relationship; is there a chance?

I'm sorry for this so large question...

Thanks a lot in advance for the sacrifice of this part of your valuable time!
 
