    Encryption error, now cannot decrypt system nor read sector 63

      I have a laptop that had a bluescreen issue due to a hardware (motherboard) malfunction.


      After this neither the user nor the admin accounts will log in through the Endpoint boot screen.

      At one point I was seeing a datastore corrupt error which led the investigation to something that looks like the issue is similar to KB53775, even though we are using v5.2.3 and this KB might not apply?


      Anyhoo, I was able to get the sdb and can authenticate to the system, however, it looks like sector 63 is not readable.

      I am getting Error reading disk sector 0xe00200007

      When I try to mount or access using a43 the system just hangs and I have to close the process.

      I can load and decrypt the last sector on the drive and I see the NTLDR error.

      I can load and decrypt the first sector on the second partition and see the NTLDR error.

      The Endpoint sector will run and load and I can mount it and see it using cmd.

      When trying to Remove EEPC the first time I received an e002001b error.

      After this error happened the removal will hang at 'Opening disk manager'

      After playing around trying one of the super user accounts to authenticate, the system no longer gives me the datastore error, it just hangs while trying to login.


      A couple of side notes:

      I am trying to do the decryption on hardware that is not the same as I do not have access to a similar laptop, will this cause these issues?


      I was informed by our enterprise endpoint person that the WinTech cd and the SafeTech cd are the same, which might have led to further complications as everything I have researched shows that these are two different boot disks with different operations. I currently do not have access to the SafeTech cd.


      Is there anything I can do now?

      We really need to get the data off this machine, and it looks like most of the info is still there when looking at the workspace sectors.



          1. check the disk info - the partition does not have to start at sector 63, it can start anywhere, so check the MBR to see where it really is and check THAT sector


          2. Was the 2nd partition encrypted? It would seem not?


          3. Yes, wintech and safetech are completely different - you are meant to run SafeTech off a floppy though, not a CD. Not all functions will work off a CD (but the ones you're most likely to use, will).


          4. Find the person(s) who went through the SafeTech training with McAfee/SafeBoot when you bought the product - they should be able to fix this easily.

            Hi Thanks for the reply!


            I will answer 4 first:

            The person who went through the training is the same person who told me that the boot disks were the same. Not only that, he began the conversation with "the disk is dead" (without looking into any specifics or the machine itself) and has been rather unhelpful until I did my research and presented otherwise. He did not offer the sdb as a solution to do a machine recovery or anything to even look at part of the disk to try to recover.


            1: Looking at the disk info it shows Partition start sector: 63

            2: As far as I know both partitions are encrypted. How do I verify?

              If the disk info says 63 is the partition boot sector, then you're right to be looking there - if your machine can't read that sector though, it sounds like a hard error on the drive.


              To validate, just read some other sectors in the partition and see if they decrypt nicely - perhaps the ones right at the end (they are usually blank, so they should decrypt to all zeros).


              You'll have to do a manual sector decryption using the force option once you've worked out the appropriate range, then recover any files you can using some 3rd party file recovery tools. If there are hard errors on the drive, you might not get much back.

                I can see info in the last sector on partition one and decrypting it I can see "A disk read error occured ntldr is missing"

                When I look at the beginning of the next partition and decrypt I see the same error as above.

                As this goes most of the data I need is on the second partition.


                I did a bunch of sectors and I could not see anything that looks like just zeros when decrypted though?


                What is interesting is I can still boot to the SafeBoot splash screen, so something is working. It just seems like the datastore and the NT loader section is messed up.


                So should I do a Force Decrypt on the second partition at this point? Can I get there using the WinTech, if not where do I get the SafeTech? I see a command under Disk on the WinTech that says Force Crypt Sectors.


                  can you read the disk information properly? If so, just use a normal remove or decrypt method - it's much safer.


                  the region list in the disk info tells you what is and is not encrypted.

                    Looking under Crypt List in the disk info shows Region Count 2

                    Looks like both partitions are encrypted as I thought.

                    It does show a different start sector other than 63?


                    So far the normal Remove EEPC just hangs or ends as stated above

                      I guess you'll have to crypt around the errors then. The region list is what's encrypted, not where the partition starts


                      so, is there doubt about the partition start sector ?

                        No, I am fairly sure that it starts at 63, I just didn't know what Start sector meant in the Crypt List as I am doing this a bit blind with no training.


                        So to do a force decrypt I use the Crypt list sectors?


                        Crypt List:

                        Region 0

                        SS - 7941183

                        ES - 153597464

                        SC - 145656282


                        Region 1

                        SS - 153597528

                        ES - 312560639

                        SC - 158963112


                        Partition 0

                        SS - 63

                        ES - 153597464

                        SC - 153597464


                        Partition 1 (extended Win95)

                        SS - 153597465

                        ES - 312560639

                        SC - 158963175


                        Partition 2

                        SS - 153597528

                        ES - 312560639

                        SC - 158963112


                        SS - Start Sector, ES - End Sector, SC - Sector Count


                        So where will I start and end the decrypt for Region 1, which I am guessing is Partition 1 and 2 (Extended LBA Win95 and the actual partition data area).


                        If I were to decrypt Region 0 do I start at  7941183?


                        Will I need the SafeTech or can I use the WinTech "Force Crypt Sectors" under the Disk menu?

                          If the disk info works, NEVER use the force option - it takes away all the safeguards.


                          If you've not had training, I would stop now and pass this off to someone who has, but, it's not the partition info you need to be looking at, it's the region info. I am guessing that partition 0 is partially decrypted - you should find that sector 7931182 (and before) are in plain text, and 7941182 and on are encrypted.


                          so, what about sector 1000, 100000, 1000000 etc? poke around and see what the beginning of partition 0 looks like, you just have to be lucky to find some empty sectors, or something not occupied by a compressed format file.
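
Added example, not part of any post in this thread: a short Python check that treats the Crypt List regions, rather than the partition table, as the record of which sectors are encrypted. The sector numbers are copied from the listing posted above and are assumed to be inclusive LBA ranges; the function names are illustrative.

```python
# Inclusive (start, end) LBA ranges copied from the thread's disk info listing.
REGIONS = {0: (7941183, 153597464), 1: (153597528, 312560639)}
PARTITIONS = {0: (63, 153597464), 1: (153597465, 312560639),
              2: (153597528, 312560639)}
# Sector counts (SC) exactly as posted, used only for a consistency check.
POSTED_COUNTS = {
    "Region 0": (REGIONS[0], 145656282),
    "Region 1": (REGIONS[1], 158963112),
    "Partition 0": (PARTITIONS[0], 153597464),
    "Partition 1": (PARTITIONS[1], 158963175),
    "Partition 2": (PARTITIONS[2], 158963112),
}

def is_encrypted(lba):
    """True if the sector falls inside any crypt region."""
    return any(ss <= lba <= es for ss, es in REGIONS.values())

def plaintext_ranges(partition):
    """Sub-ranges of a partition that no crypt region covers."""
    start, end = partition
    gaps, cursor = [], start
    for rs, re_ in sorted(REGIONS.values()):
        if re_ < cursor or rs > end:
            continue                      # region does not overlap what is left
        if rs > cursor:
            gaps.append((cursor, rs - 1))
        cursor = max(cursor, re_ + 1)
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps

def inconsistent_counts():
    """Entries whose posted SC differs from ES - SS + 1."""
    return [name for name, ((ss, es), sc) in POSTED_COUNTS.items()
            if es - ss + 1 != sc]

if __name__ == "__main__":
    for num, part in PARTITIONS.items():
        print(f"Partition {num}: plaintext ranges {plaintext_ranges(part)}")
    print("Sector 63 encrypted per region list:", is_encrypted(63))
    print("SC values to re-read from the tool:", inconsistent_counts())
```

Per the region list as posted, sector 63 and everything up to 7941182 in partition 0 lie outside both crypt regions, as does the 63-sector gap at the start of the extended partition. The Partition 0 sector count is the one value that does not match its start and end sectors, so it is worth re-reading from the tool before relying on it.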

