Last week while browsing the net, my laptop (winxp on safeboot) started misbehaving and lost network connectivity which seemed to be malware attack. After multiple network repair attempts I decided to reboot the laptop, but that was the last time I saw it working. After reboot, I logged into safeboot as usual and winxp started to boot. But midway it threw blue screen and rebooted. Since then the status remains the same, after safeboot login winxp starts but crashes midway. I am a corporate user of safeboot and my support staff tried to recover the data using BartPE and code of the day but according to them the windows partition is no more visible.
( NOTE : To be on safer side I created clone of my laptop disk last month using EaseUS Disk Copy, a freeware)
Due to the amount of data I hold on that laptop, decided to install the above clone disk in laptop rather than original disk being wiped out and reimaged. Now I have safeboot & winxp working, atleast I could resume my work with a month old clone. Now in an attempt to recover data I connected the original disk to an external USB casing. That's when I started seeing weird behavior. On connecting that USB disk to laptop, system is not able to access the disk at all to the extent that USB disk is not visible to windows disk manager. Also disk behaves as if it has severe disk issues. But if I boot laptop from this USB disk, safeboot starts successfully and after auth even XP starts to boot up, but crashes with same blue screen.
Now what are the odds of recovering data from this disk. I can see the partition details on disk if I boot from EaseUS Boot CD, but support team says they do not see any partition after booting from BartPE. I cannot access the disk connected on USB, whereas I can boot off the same USB disk, login to safeboot and can see XP crashing at the same stage. Please suggest. I desperately need data from this disk.
Thanks, Sanjay Kumar
the odds are very high if you can boot the disk to Windows - it sounds like you just don't have the right drivers on your BartPE disk for the BIOS of your machine, just switch it into ATA mode and the standard built in ones should work fine. Worst case, just boot of a SafeTech floppy and decrypt it.
It would help to know what the BSOD error is though of course.
Thanks for quick response to my query.
The BSOD talk about removing any recent software or hardware installation. That's the reason I suspect it to be a malware attack. I won't be able to give the exact error as I am on same laptop right now.
Yes, the techsupport is going to attempt decrypt tomorrow. That's the only hope I have, but techsupport also warned about permanent data loss if that fails for any reason. Can you point me to guide on:
1. Adding drivers to BartPE for Dell E6400. (It uses SATA disk)
2. Decrypting disk using SafeTech CD.
Do I need to install original disk back to laptop or connecting it on USB can work as well.
As to how to add drivers to BartPE - you can find all the details in the BartPE docs themselves - A google search for "adding drivers to bartpe" yeilded http://www.nu2.nu/pebuilder/help/english/drivers.htm
as to using SafeTech - it needs to be off a floppy, not a CD (to be supported), but this is something we only allow helpdesks to use - it's not something that's typically available to end users.
Seems my support does not have SafeTech Floppy. They just have BartPE CD. Is there any other way they can force decryption, offcourse XP is not coming up, so forcing that from server is not an option.
Also do I need to handover laptop with the bad disk or just the disk in USB casing and support can work on the bad disk connected to USB of any laptop/workstation.
As you asked about BSOD, so it talks of cleaning virus infection in the system / remove new hdd or hdd controller / run chkdsk. This error code thrown is:
STOP : 0x00000037 (0xBA4EF524, 0xC0000034, 0x00000000, 0x00000000 )
Finally my problem got resolved and I could access the data from original disk. Steps that worked are:
1. Support team decrypted the disk, but still error was same.
2. Booted from WinXP SP3 CD and opted for repair "R".
3. On command prompt run "fixmbr". This corrected the partition type from "unknown" to "NTFS".
4. Now till 3 consecutive runs of "chkdsk /r" it reported "filesystem has one or more errors". On 4th run filesystem came up clean.
System came online without any error from original disk after that.
But the question remains - cannot I run all these commands without going to through 2 hrs long decryptin cycle ? Do we already have these commands on BartPE or if not, can they be added ?
you can run chkdsk off a BartPE CD of course once you've mounted the encrypted drive, but no, you can't run FIXMBR - that would remove the EEPC boot code. You also can't run the WinXP repair function, as Microsoft don't provide any ability to add decryption drivers into their OS distribution image.
Usually people would just run BartPE, capture the user data, then reformat the machine - it's rarely worth it in terms of time and effort to try and "fix" any OS problems nowadays.