On the topic of this issue, that SBFS gets corrupted after a WinPE 3 boot and usage of WinTech.exe or EETECH.exe, could we have some best practice?
I myself faced the problem recently and have had to request the code of the day and DB file to access my encrypted HDD (that has bad sectors and can't boot).
I previously used a BartPE boot CD that does not seem to have the issue.
I created boot CDs using resources on this page:
(Note that the scripts were not working. I had to correct them. Some double-quotes were missing, the "support files" were not copied/included because the path to them was wrong, wim and ISO are created under "PETOOLS" folder of WAIK etc etc.)
If taking the disk offline is enough, maybe a script example could be useful to us?
Now it seems that I can remove EEPC with WinTech (I have the CoD and Recovery file). I have a "Remove EEPC" window that displays:
SafeBoot removal process started
Opening Disk Manager
And it has been there for hours now. Is it normal?
Isn't there a progress bar of some kind?
The HDD LED blinks every second, but I don't know if that is caused by WinTech operations.
I am afraid of stopping the decryption process because as I see it, it could very well render the system completely corrupted!
I think it's actually WinPE 3.1 which is the problem. This has been documented in the EETech guides for some time, for example
search for "Diskpart"
You are right, BartPE does not have the same problem, because BartPE is based on XP, whereas PE3.1 is based on Win7.
If you have bad sectors on the drive it could take some time to decrypt - it's up to the drive as to how to proceed after each bad sector, it could continue, it could give up. As long as you used "remove" it will keep track of progress though. Only the FORCE option does not.
Best practice if you have bad sectors though is to image the drive first - trying to decrypt a failing drive (i.e., trying to write a whole drive of sectors to a drive with bad magnetic media) is usually terminal.
I am actually using a WinPE/Win7 environment, thus PE 3.1.
I'll build a working/safer environment if/when I can.
Can I stop the remove EE brutally now and restart? I would actually copy what I need/can from the drive onto another media.
If you used the normal remove option, and the drive was in good enough condition for EETech to write its progress markers, yes you can safely stop it.
OK, I stopped it.
I rebooted (note that it is v5 SafeBoot, using SafeBoot.sys driver and WinTech/SafeTech).
I removed EE after I have offlined the HDD, as mentioned in the manual (BTW, this is the only mention of diskpart in the manual. Not a word about potential corruption of SBFS under WinPE3.1 after you used the token identification, not a word about how to prevent that from happening).
Now I have "RAW partitions". It seems that the VBR and BCB are not correct/still encrypted.
I am running the testdisk utility on one partition, it is currently searching for the mft, but I doubt it will find it.
How can I solve the issue?
Can I reinstall EE on the drive in order to be able to use token authentication, then mount it and access it, like it used to work before SafeTech corrupted the partition? BTW, some explanation about what gets written to the DD "silently" by Windows and why it corrupts the SBFS would be appreciated. I am somewhat skilled in everything that relates to HDD logical structures, I know what are MBR, VBR, BCB, MFT, disk drivers, filter drivers etc.
Did you remove it completely? Do you have the disk information still on the drive readable by ..Tech?
I am assuming this is the same machine as you mentioned previously that had bad sectors?
No, you can't reinstall EEPC now as you can't access the drive (it's encrypted), and it was not SafeTech which corrupted the partition, it was WinPE3.1 which wrote to the SBFS when you mounted the drive - it's not related to any token functions. Preventing that happening is why you take the disk offline with Diskpart.
Let's start by evaluating the disk information on the drive - you probably want to image it though, as I mentioned trying to decrypt a failing hard disk is never going to work - if it's so broken that you are seeing bad sectors, it's already remapped a huge number invisibly.
I am working with a clone of the original disk that I made with Ghost, ignoring bad sectors.
How can I evaluate the disk information on the drive?
(I'll keep my thoughts and questions regarding the corruption under WinPE3.1 environment for a later time, as it is worth its own thread.)
I have something but it does not smell too good:
Disk Information (error=e002000a)
Does it mean that, just because I booted WinPE3.1 on the computer, my encrypted drive (which I could access priorly, I could authenticate with token and mount the drive, copy some files, etc.) is now completely useless (as far as its data are concerned)?
It just means that WinPE3.1 corrupted your pre-boot system. You'll need to force decrypt it. (or, your disk image was not sector-for-sector, and if that's the case the whole image is invalid as the encryption is based on the sector number)
You really should start your own thread for this though - do you want me to branch your discussion out?

Message was edited by: SafeBoot on 1/29/14 7:18:52 PM EST
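
The point made in the thread that the encryption is based on the sector number, so an image that is not sector-for-sector is invalid, can be seen in a small model. This is an added example, not part of the original thread and not SafeBoot's actual algorithm: the cipher is a toy hash-based keystream, and the key, disk contents, bad sector and all function names are constructed for illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector

def keystream(key: bytes, lba: int) -> bytes:
    # Toy stand-in for a disk cipher: output depends on the key AND the sector number.
    return b"".join(hashlib.sha256(key + lba.to_bytes(8, "little") + bytes([n])).digest()
                    for n in range(SECTOR // 32))

def crypt(key: bytes, image: bytes) -> bytes:
    # XOR every sector with the keystream for its position in the image.
    # The same call encrypts and decrypts.
    out = bytearray()
    for lba in range(len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        out += bytes(a ^ b for a, b in zip(sector, keystream(key, lba)))
    return bytes(out)

def clone(disk: bytes, bad: set, sector_for_sector: bool) -> bytes:
    # Copy a disk with unreadable sectors. A sector-for-sector clone zero-fills
    # them so later sectors keep their offsets; a compacting clone skips them.
    out = bytearray()
    for lba in range(len(disk) // SECTOR):
        if lba in bad:
            if sector_for_sector:
                out += bytes(SECTOR)
            continue
        out += disk[lba * SECTOR:(lba + 1) * SECTOR]
    return bytes(out)

def recovered(key: bytes, image: bytes, plain_sectors: list) -> list:
    # Positions in the decrypted image that hold a genuine plaintext sector.
    dec, known = crypt(key, image), set(plain_sectors)
    return [i for i in range(len(dec) // SECTOR)
            if dec[i * SECTOR:(i + 1) * SECTOR] in known]

# Constructed sample data: an 8-sector disk with one unreadable sector.
KEY = b"constructed demo key"
PLAIN = [(b"sector %04d|" % i).ljust(SECTOR, b".") for i in range(8)]
DISK = crypt(KEY, b"".join(PLAIN))
BAD = {3}

if __name__ == "__main__":
    exact = clone(DISK, BAD, sector_for_sector=True)
    shifted = clone(DISK, BAD, sector_for_sector=False)
    print("sector-for-sector clone:", recovered(KEY, exact, PLAIN))
    print("compacted clone:        ", recovered(KEY, shifted, PLAIN))
```

With the zero-filled clone only the bad sector is lost; once a sector is skipped, every sector after it sits at the wrong number and decrypts to garbage.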