How to recover Bootcamp NTFS Partition?

Discussion in 'Windows, Linux & Others on the Mac' started by PerceptorC5, Jul 16, 2012.

  1. PerceptorC5, Jul 16, 2012
    Last edited: Jul 19, 2012

    macrumors newbie

    Joined:
    Jul 16, 2012
    #1
    I've had my 90 GB Bootcamp partition with Windows 7 on it for more than seven months now, and today, as I was in Google Docs in Windows, the computer suddenly shut down for no reason. However, there was an extremely short-lived security notification in Windows right before all my programs closed and the computer shut down. (I wasn't downloading anything, either, as far as I know.) When I went to my 2011 MBP's boot up screen after turning on my computer and pressed the option key, I couldn't find the Bootcamp partition in the menu.

    Then, I went to Mac OSX Lion's Disk Utility, and the BOOTCAMP partition was nowhere to be found: The only thing other than my 229 GB Mac OSX partition was a greyed out and unmountable disk0s2. I've rebooted my computer many times, and I still can't find the BOOTCAMP partition anywhere. There isn't even a blank space where it used to be on disk utility.
    [​IMG]

    [​IMG]

    Boot Camp Assistant has been of no help. Is there any way at all I can recover the Bootcamp partition and its many programs and files? Sadly, my last backup of my Bootcamp partition's files was two months ago.
    Thank you in advance!

    Update: I went to the Apple store, and I found out that something very strange had happened. Apparently, the disk0s2 partition was supposed to be the BOOTCAMP partition, but it was completely unrecognized by the computer, even in terminal. After attempting to verify the partition in bootcamp, I got an error messsage: Verify volume failed: Unrecognized file system. I still don't know where all 90 GB went, and the disk0s2 partition is only 209 MB. In addition, my entire hard drive now has a Master Boot Record partition map scheme. It's something to do with the software, not the hardware.

    Does anyone have any ideas? Can I recover my data from the bootcamp partition in the worst case by using recovery tools?
     
  2. thread starter macrumors newbie

    Joined:
    Jul 16, 2012
    #2
    Update with Testdisk

    I ran testdisk on my Macintosh system today, and I found the Bootcamp partition listed:

    [​IMG]

    The Bootcamp partition is listed as "Logical", but it has a space size of 90 GB, just like it was supposed to have. When I list my files in the partition, many names appear, but with a value of zero:

    [​IMG]

    Is it still possible to recover my data in any way, and what should I do if it is possible?
     
  3. macrumors 6502a

    Joined:
    Mar 19, 2012
    #3
    Note the first letter of each line with size 0 begins with a d for directory. Directories always have file size of zero. That's normal.

    You should NOT be using Windows or DOS disk utilities other than chkdsk to repair the NTFS volume itself. You are at very high risk losing all data, both Windows and Mac OS, by using such utilities. Windows utilities only understand MBR partition scheme, it will ignore the GPT which is also present. Once the two are no longer sync'd there's no good way to figure out which is correct so I highly advise you stop using utilities that cannot possibly understand the unique hybrid MBR that Apple is using to make Windows work on Apple hardware.

    Boot from Mac OS X, launch Terminal, and issue this command. It is a read only command, it makes no changes. Copy-paste the results into the forum, tagging the text with CODE tags for proper formatting. After pasting, highlight the text and use the # button in the toolbar to add the CODE tags.

    Code:
    sudo gpt -r -vv show disk0
     
  4. thread starter macrumors newbie

    Joined:
    Jul 16, 2012
    #4
    Thank you for replying; I'm quite new at this. The testdisk utility running on my Macintosh partition is read-only, with write access disabled.

    Here's the results in Terminal from the command you gave me:

    Code:
    gpt show: disk0: mediasize=320072933376; sectorsize=512; blocks=625142448
    gpt show: disk0: Suspicious MBR at sector 0
    gpt show: disk0: Bad CRC in GPT table at sector 2
          start       size  index  contents
              0          1         MBR
              1     409639         
         409640  447265632      3  MBR part 175
      447675272    1269536      4  MBR part 171
      448944808  176197640
     
  5. macrumors 6502a

    Joined:
    Mar 19, 2012
    #5
    This is saying your disk does not have a GPT at all. I don't know how you arrived at this situation because there are two GPTs, a primary and secondary.

    Please report the results of this command:

    Code:
    sudo fdisk /dev/disk0
    Next go download GPT fdisk (a.k.a. gdisk) and install the binary for Mac OS X.
    http://sourceforge.net/projects/gptfdisk/

    After installation, report the result of:

    Code:
    sudo gdisk -l /dev/disk0
     
  6. PerceptorC5, Jul 21, 2012
    Last edited: Jul 21, 2012

    thread starter macrumors newbie

    Joined:
    Jul 16, 2012
    #6
    Yeah, apparently the whole hard drive is now under MBR instead of GPT. :confused: I have no idea how that happened, as I used Bootcamp Assistant and installed Windows the normal and recommended way.

    Here's the results from the fdisk in terminal before the installation:
    Code:
    Disk: /dev/disk0	geometry: 38913/255/63 [625142448 sectors]
    Signature: 0xAA55
             Starting       Ending
     #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
    ------------------------------------------------------------------------
     1: 00    0   0   0 -    0   0   0 [         0 -          0] unused      
     2: EE 1023 254  63 - 1023 254  63 [         1 -     409639] <Unknown ID>
     3: AF 1023 254  63 - 1023 254  63 [    409640 -  447265632] HFS+        
     4: AB 1023 254  63 - 1023 254  63 [ 447675272 -    1269536] Darwin Boot 
    Here's what appeared from the gdisk after the installation:
    Code:
    GPT fdisk (gdisk) version 0.8.5
    
    Usage: gdisk [-l] device_file
     
  7. macrumors 6502a

    Joined:
    Mar 19, 2012
    #7
    This is screwed up. 2 should be 1, 3 should be 2, 4 should be 3. And you're missing the 4th entry for Windows.

    You issued the command incorrectly. Highlight the text I wrote, copy it, and paste it into the terminal window.
     
  8. thread starter macrumors newbie

    Joined:
    Jul 16, 2012
    #8
    Ok, I ran the command again:
    Code:
    GPT fdisk (gdisk) version 0.8.5
    
    Caution: invalid backup GPT header, but valid main header; regenerating
    backup header from main header.
    
    Caution! After loading partitions, the CRC doesn't check out!
    Warning! Main and backup partition tables differ! Use the 'c' and 'e' options
    on the recovery & transformation menu to examine the two tables.
    
    Warning! One or more CRCs don't match. You should repair the disk!
    
    Partition table scan:
      MBR: hybrid
      BSD: not present
      APM: not present
      GPT: damaged
    
    Found valid MBR and corrupt GPT. Which do you want to use? (Using the
    GPT MAY permit recovery of GPT data.)
     1 - MBR
     2 - GPT
     3 - Create blank GPT
    
     
  9. macrumors 6502a

    Joined:
    Mar 19, 2012
    #9
    Choose option 2 to use the GPT. Then enter the letter p and report the results.
     
  10. thread starter macrumors newbie

    Joined:
    Jul 16, 2012
    #10
    This is what was returned when option 2 was chosen and p was entered in:

    Code:
    Warning! Secondary partition table overlaps the last partition by
    9002440837424676213 blocks!
    You will need to delete this partition or resize it in another utility.
    Disk /dev/disk0: 625142448 sectors, 298.1 GiB
    Logical sector size: 512 bytes
    Disk identifier (GUID): 455657A8-D38A-4FA9-894F-0881063176FF
    Partition table holds up to 128 entries
    First usable sector is 34, last usable sector is 625142414
    Partitions will be aligned on 8-sector boundaries
    Total free space is 2029 sectors (1014.5 KiB)
    
    Number  Start (sector)    End (sector)  Size       Code  Name
       1              40          409639   200.0 MiB   EF00  EFI System Partition
       2          409640       447675271   213.3 GiB   AF00  Macintosh HD
       3       447675272       448944807   619.9 MiB   AB00  Recovery HD
       4       448946176       625141759   84.0 GiB    0700  BOOTCAMP
      17  16177792531902366089  9002440838049818627   4.9 ZiB     FFFF  ⶾ᎛糟鮏0狑餀䑱タ歬섾F塇븀弖ꓧૐ墯픆
      18  9024114456867150270  4785357088958439475   6.2 ZiB     FFFF  墉晸Ή곑惿拇䷫璈馆菌숏¯靟촓ӝ垬꧹✬
     
  11. murphychris, Jul 24, 2012
    Last edited: Jul 24, 2012

    macrumors 6502a

    Joined:
    Mar 19, 2012
    #11
    OK based on the MBR data and this GPT data, I'm confident that partitions 1 through 4 have the correct values. Best practices suggests you go to the recovery menu and issue the c command to load the backup partition table, and issue the p command to display it. Then compare the backup and primary. The thing is, the backup CRC is known to be bad, so I don't know that the backup table will tell us anything we don't already know.

    So if you want, go to the recovery/transform menu by typing r <enter>, then switch to the backup GPT with c <enter> and then p <enter> to display. Copy paste that.

    Otherwise your next step is to make sure you have backups of your most important data on the Mac side, if you haven't already, and then do the following. IF YOU GET CONFUSED OR GET ANY ERROR MESSAGES, STOP. You can use CONTROL-C to quit gdisk at any time, it does not work on the on-disk partition data, only on an in-memory copy, unless and until you use the w command to write it to the disk. So you can bail out at any time until then.

    I'm not sure if you're quitting out of gdisk each time or staying put so I'll start from the beginning. First column is the command, and the 2nd column is the description of what it does.
    Code:
    sudo gdisk /dev/disk0
    2 <enter>           choose GPT
    d 17 <enter>        delete partition 17
    d 18 <enter>        delete partition 18
    r <enter>           recovery menu
    v <enter>           verify disk
    h <enter>           create new hybrid MBR
    2 3 4 <enter>       add partitions 2 3 4 to the MBR
    y <enter>           yes, place EFI GPT first
    <enter>             accept default value for partition 2
    n <enter>           do not make it bootable
    <enter>             accept default value for partition 3
    n <enter>           do not make it bootable
    <enter>             accept default value for partition 4
    y <enter>           do make it bootable
    o <enter>           display the MBR to confirm it's correct, should have three entries, last one has a * under the boot column.
    w <enter>           write out the new partitions to disk
    This will write out repaired GPT primary and secondary headers and tables, and a new (hybrid) MBR. You should now be able to boot either OS X or Windows.
     
  12. macrumors 6502a

    Joined:
    Mar 19, 2012
    #12
    As for how in the world both the MBR and GPT got screwed up this badly? At least three different sectors of the disk were modified, one of which is on the complete opposite end of the disk as the other two. I just don't see how a crash causes this. I suspect either a Windows utility was used to try and resize the NTFS volume, or maybe there is Windows malware trying to do something nefarious with the partitions.

    The thing is, GPT aware utilities tend to not mess with the MBR. And MBR utilities tend to not even be aware of the GPT. So it's a peculiar case indeed.
     
  13. macrumors 6502a

    Joined:
    Mar 19, 2012
  14. macrumors newbie

    Joined:
    Jul 27, 2012
    #14
    Hey! I have what sounds like the same problem as Perceptor here, and I haven't found anything about it anywhere except for this post, so I made an account just to say so here. The same thing happened to me that Perceptor describes, but mine wasn't after a crash. I ended up in the situation after booting into OS X from Windows 7 in bootcamp. I just couldn't get back into Windows, and the partition seemed to have just disappeared. :confused::(
     
  15. macrumors 6502a

    Joined:
    Mar 19, 2012
  16. Xcelerate, Jul 28, 2012
    Last edited: Jul 28, 2012

    macrumors regular

    Joined:
    Jul 11, 2008
    #16
    Hey, I had a similar problem as the OP and managed to fix it today after learning about MBR and GPT partitions (my thread is here: http://forums.macrumors.com/showthread.php?t=1412864).

    These two articles on Wikipedia help immensely:

    http://en.wikipedia.org/wiki/GUID_Partition_Table
    http://en.wikipedia.org/wiki/Master_Boot_Record

    So does this article:

    http://www.rodsbooks.com/gdisk/whatsgpt.html

    What screwed up my disk was one of two things: Windows update did something wonky, or the new dynamic partition I had just created in Windows screwed up the GPT. (I think the latter, as you'll see in a minute).

    So I couldn't even boot into any OS on laptop. I installed a live Linux distro (PartedMagic) onto USB and booted from that. [By the way, PartedMagic doesn't like recent Nvidia cards like the GT 650m in the RMBP, so you have to select "Failsafe" from the selection menu and something like "Kill Nouveau".]

    Then I ran:

    Code:
    dd if=/dev/sda of=/root/lba0 bs=512 count=1 skip=0
    to get the MBR (the GPT actually starts at sector 1; the MBR is at sector 0 for legacy applications).

    Then I did:

    Code:
    hexdump -C /root/lba0 
    Comparing the hexdump with Wikipedia's MBR article, it all looked fine to me.

    Then I moved on to the next sector (lba1):

    Code:
    dd if=/dev/sda of=/root/lba1 bs=512 count=1 skip=1
    You can compare this with Wikipedia and see how yours looks. Mine again looked fine.

    At this point, I decided to just dump the whole first 34 sectors of the drive and look at them. Sectors 3-34 contain information about each partition. I noticed all was fine until address 0x0c00. There was some random garbage here. Turns out that 370 bytes of random garbage was some header information for the new "dynamic disk" I created in Windows. It also appeared in the secondary (backup) GPT at the end of the disk. So I overwrote this with zeros:

    Code:
    dd if=/dev/zero of=/dev/sda bs=1 count=370 seek=3072
    (3072 is decimal of C00.)

    See, the GPT header contains a checksum of all the partition entries. Since garbage was at 0x0c00, this was screwing up the checksum and not letting anything boot. When I deleted this, it restored the GPT to match its original CRC32 checksum.

    So there you go. Of course, only after learning how to do all this manually did the tool Gdisk make any sense to me, so creating a hybrid MBR + GPT using that tool would have been much quicker.
     
  17. thread starter macrumors newbie

    Joined:
    Jul 16, 2012
    #17
    I apologize for replying back so late; I was away for a while.

    One thing before I write to my disk: Should I backup the data on my Windows side as well before I go on, and what tool (if any) should I use to do a full backup of the partition? Or is all the data on the Windows side guaranteed to be safe? I can tell that most if not all of the files on my Windows side are still intact.

    Thank you for all your help.
     
  18. macrumors 6502a

    Joined:
    Mar 19, 2012
    #18
    If the data is important you'd already have a backup. That disk is just waiting to die at any moment without notice.

    No guarantees at all. All I can tell you is that gdisk writes to sectors that have nothing whatsoever to do with your data. But anything can happen at anytime - total power failure right at the moment you issue the write command. Oops!
     
  19. macrumors newbie

    Joined:
    Aug 13, 2012
    #19
    I also ran into this problem. I have a vista bootcamp partition with OSX lion on a MacBook PRO. Yesterday I had a blue screen in Vista (it referred to the driver ataport.sys I believe) while running Diablo 3 and also just launched steam. After that my Vista partition was no longer detected at all. The above instructions worked perfectly to make it visible again.

    Here's what I saw:

    Code:
    gpt show: disk0: mediasize=160041885696; sectorsize=512; blocks=312581808
    gpt show: disk0: Suspicious MBR at sector 0
    gpt show: disk0: Bad CRC in GPT table at sector 2
          start       size  index  contents
              0          1         MBR
              1     409639         
         409640  114641112      3  MBR part 175
      115050752    1269544      4  MBR part 171
      116320296  196261512         
    
    Your answer: 2
    
    Warning! Secondary partition table overlaps the last partition by
    9002440837737236853 blocks!
    You will need to delete this partition or resize it in another utility.
    Disk /dev/disk0: 312581808 sectors, 149.1 GiB
    Logical sector size: 512 bytes
    
    Partition table holds up to 128 entries
    First usable sector is 34, last usable sector is 312581774
    Partitions will be aligned on 1-sector boundaries
    Total free space is 13 sectors (6.5 KiB)
    
    Number  Start (sector)    End (sector)  Size       Code  Name
       1              40          409639   200.0 MiB   EF00  EFI System 
    Partition
       2          409640       115050751   54.7 GiB    AF00 
     Apple_HFS_Untitled_1
       3       115050752       116320295   619.9 MiB   AB00  Recovery HD
       4       116320296       312581767   93.6 GiB    0700  Untitled 2
      13  16177792531902366089  9002440838049818627   4.9 ZiB     FFFF 
     ⶾ᎛糟鮏0狑餀䑱タ歬섾F塇븀弖ꓧૐ墯픆
      14  9024114456867150270  4785357088958439475   6.2 ZiB     FFFF 
     墉晸Ή곑惿拇䷫璈馆菌숏¯靟촓ӝ垬꧹✬
    
    
    And this is what I ended up with before writing out the fixes:
    
    Disk size is 312581808 sectors (149.1 GiB)
    MBR disk identifier: 0x49724971
    MBR partitions:
    
    Number  Boot  Start Sector   End Sector   Status      Code
       1                     1       409639   primary     0xEE
       2                409640    115050751   primary     0xAF
       3             115050752    116320295   primary     0xAB
       4      *      116320296    312581767   primary     0x07
    
    
    Basically the valid partition records were indeed "valid" and it was a matter of removing the two bogus entries and recreating the records. How exactly this is happening to us, I don't know. I've never seen anything like it. I also suggest running Malware Bytes in windows, getting MS Security Essentials at the very least, and running TDSSKiller from Kaspersky to check for root kits.. just in case.

    So chalk up one person who successfully recovered from this problem. Thanks for the help. Luckily I had already backed up my Mac partition with time machine. Now I'm running Vista system backup as we speak...
     
  20. macrumors 6502a

    Joined:
    Mar 19, 2012
    #20
    Yes it will. I do not understand how the logic occurs to anyone, that it's a good idea to have any Windows utility making changes to your (unique dual-boot) disk. It's absolutely BEGGING for data loss. I know some people must think "well I'm only having it change this one Windows partition" but they don't understand that this requires editing partition tables, and Macs with Boot Camp have two and Windows will only properly edit one. And as soon as they are out of sync, all bets are off.

    It's a hugely bad idea to do this. If you want dynamic disks, extended partitions, etc. etc. Get a dedicated PC. Or prepare to kiss your data goodbye.
     
  21. macrumors newbie

    Joined:
    Aug 16, 2012
    #21
    Thank you!

    THANK YOU murphychris for your well-written answers to this user. I had the same problem yesterday, was using Bootcamp, running Firefox and a game when the machine suddenly shut down on me. The bootcamp partition was no where to be seen except for in DiskUtility where it appeared as disk0s2.

    Your instructions in post #11 worked perfectly for me. For me, the bad partitions were 97 and 98. I wish I knew what exactly had caused the problem but I didn't see any error messages before the system shut itself down. Hopefully I won't have it happen again.
     
  22. macrumors 6502a

    Joined:
    Mar 19, 2012
    #22
    I wonder if these are heat related shutdowns. Thing is, a harddrive is well designed to not write garbage to the disk in the event of a shutdown, and certainly not explicitly in the MBR. I therefore also suspect malware because this is a great way to attack a computer and make it not boot.
     
  23. macrumors newbie

    Joined:
    Sep 12, 2012
    #23
    I don't really understand where you're getting at. You get me all the way to sudo gdisk /dev/disk0 and then you say "This will write out repaired GPT primary and secondary headers and tables, and a new (hybrid) MBR" what is "THIS" you lost me on that part.. Please I have the exact same problem as the OP. Every command i type listed matches his. I really want this partition back
     
  24. macrumors 6502a

    Joined:
    Mar 19, 2012
    #24
    Those instructions are for a specific poster, for a specific problem. Your problem is almost certainly different, so using the same instructions for a different problem may result in data loss.

    The last step in that list writes out the partition table. You need to adapt the instructions for your situation, which you have not described.

    If you have the exact same problem as the OP, and follow the exact same steps I laid out for gdisk, you'd get your partition back. It's unclear to me what problem you're having.
     
  25. macrumors newbie

    Joined:
    Sep 12, 2012
    #25
    Well, everything he described matched what had happened to me. *
    I was playing a game and running firefox like some other guy said in his post. *Then all of a sudden my computer restarted out of no where. *
    When it restarted it just got stuck on the black screen with a blinking underscore for hours. *So after coming home later that night, I just restarted it in MAC OS by holding option after the force restart. *Then I check in my disk utility for the problem and I noticed that my partition which was named BOOTCAMP was greyed out and renamed to disk0s2. *I looked in finder and it was no where to be found. *So I immediately google searched the problem and it brought me to this thread. *
    After looking at the OP post and following your commands. *EVERYTHING was matching up perfect to the OPs. *Then I got stuck on post # 11. *I didn't really understand what you were explaining and I got confused. *So I made my post.

    But anyways, it doesn't matter anymore. *I'm pretty sure I lost all of my data by going in to disk utility and highlighting disk0s2 and erasing it and renamed it back to BOOTCAMP ( which i know this is completely retarded but I was impatient and just trying to delete my partition so I could re-format windows all together. because BOOTCAMP assistance tells me :

    "Back up the disk and use Disk Utility to format it as a single Mac OS Extended (Journaled) volume. Restore your information to the disk and try using Boot Camp Assistant again."

    So I thought I could figure it out. * Now it's renamed as BOOTCAMP and it is listed in finder, but none of the folders/files in there are recognizable.

    I just really want it removed now so I can just re-format it. * I only used windows for games pretty much, and everything on my old partition is re-downloadable in a day for the most part
     

Share This Page