I had a customer who received the message "missing operating system". I don't know what exactly happened, that caused this error. I wanted to repair the MBR so I startet WinTech and authenticated from the database file. After that I was authorised and authenticated. When I opened the MS Explorer and tried to open C: it said that the drive is not formated.
What I remarked was also that even withouth the authentification from the database file, the disk was not encryptet. Before I authenticated I opened the workspace and loaded till sector 63 and I could (more or less) clearly see the message "A disk read error occurred…"
Would be very thankfull for any help !
Solved! Go to Solution.
yup, assuming the users partition started at 63, then everything would be encrypted. I am guessing some installation occured.
Check the end of the partition though - the last 10 sectors or so and see what they look like - if they are also in plain text then the whole partition has been formatted, and your answer is much simpler.
if the disk was not encrypted, just do a fixmbr from a normal Windows rescue CD and that will flush out the MBR.
What does EEM say about this machine? Any encryption set?
Thanks for your fast answer...
FIXMBR wouldn't help either because, even when I DON'T authenticate, and try to access the harddisk I get the error, that it's not formated !
Ho do I check with EEM if an encryption is set ?
find the machine in EEM, and look at its properties.
Without knowing what the user did to get into this problem in the first place makes it hard to fix. If you can read the partition boot sector (are you sure it's sector 63?) that would indicate there's no encryption.
so, how did they get into the position that the drive reported full encryption, yet the first sector of the partition is not encrypted? The most obvious explanation is someone tried to reinstall the OS.
I think you need to get to the truth from your user before proceeding.
The user works also in it so I don't think that he just tried to reinstall the windows.... he said that internet explorer was really slow so he restarted the computer and got this error. He installed nothing, he just was working as usual (editing excel files and other standard stuff). so you think there is no way to rescue the data ???
I think it's very likely possible to rescue the data - you just have to find it, work out if it's encrypted or not, and if it is, decrypt it with the right key.
did you look deeper into the drive - sector 64, 65 onwards etc?
Here are some pictures:
Sector 63 - Without Authentification
Sector 64 - Without Authentification
Sector 64 - With Authentification
The disk is 100% encryptet. The user didn't uninstall the software. he just rebooted and got this error message. What maybe could have happened, is that after a restart the computer tried so start from the network and startet the windows installation, and overwrited the boot sector. you said also that it seems that the user tried to reinstall windows from cd, but I'm 100% sure he didn't play with the configuration........
What would you propose as next step ??
Thank you very much for your help and your patience !!
sector 63 is not encrypted as you probably know - you have to go find what is, and what is not by inspection. Authentication does not matter - it changes nothing. What you need to do is load in the machines sdb file and decrypt the workspace after loading in a test sector(s) - then see if it looks like plaintext after decryption or not.
If the user has been through an OS install, either by starting it themselves, or from the network, the first thing it would have done is formatted the partition, so do a binary chop on it - look at the ends and work out if it's encrypted, then divide in half and look etc, until you find out how far the format went.
You might find out that the whole partition has already been formatted, and thus the users data is lost.