(Msg. 1) Posted: Thu Dec 25, 2008 6:43 pm
Post subject: HOWTO: Convert CHKDSK NTFS MFT FRS "file number" into path and Archived from groups: microsoft>public>windowsnt>misc (more info?)
Firstly I don't recommend methods based on either the Microsoft nfi
utility or GNU ntfsutils. These rely on MS APIs which let you supply a
file path and obtain the file ID, so that you can get there in theory
but it involves a brute force search.
Here are three methods which all DO work, avoid the brute force search
and are reasonably practical:
(1) Install Raxco's PerfectDisk defragmenter (which has a "lookup
filename from ID" function buried in its menus, on the Tools menu or
something like that). Reasonably convenient to use for this purpose,
but it's a fairly large and intrusive package and it isn't free.
(2) Runtime Software who sell disk recovery tools, also offer a free
demo (i.e. limited functionality) version of their Disk Explorer for
NTFS package, which has a fairly small footprint.
* Install this package and start it up.
* Explicitly open the drive you want to examine
* On the GoTo menu select "Mft no..." and enter the file number/file
"segment" number that chkdsk gave you (either in decimal or hex, it
offers both options). This will take you to the MFT entry for the
file.
* On the View menu, select "as File entry details" which will show you
the contents of the file or directory itself. But in the coloured
"link" bar just under the toolbar you will also see the filename, a
cluster address and a link to the parent directory!
* Follow the link and you will see the contents of the link bar
replaced by the details of the parent dir.
* If you note down the name of the directory and keep repeating this
process you will eventually find yourself back at the root and will
have reconstructed the entire path.
(3) Microsoft's diskedit.exe (note: this is not the same as Norton's
diskedit.exe, which is only for FAT volumes). This program only ever
saw the light of day on the Windows 2000 Service Pack 4 CD and that
was entirely by accident; Since then Microsoft have done their best to
bury it.
As a consequence it's very difficult to find a copy of the program to
download and you are unlikely to find any bootlegged copies of the
Win2000 SP4 CD online these days, but at time of writing there is a
copy of the program packaged together with all the necessary dll
files, at http://www.viennacomputerproducts.com/downloads/DiskEdit/DiskEdit.zip
- here's hoping it doesn't disappear altogether.
Using the diskedit program is fairly straightforward but with one
slightly annoying restriction: you can only supply the file number in
hexadecimal format.
* First unzip the diskedit program and its dlls into a clean directory
somewhere.
* Launch the program and select File...Open.
* Put the drive letter and a colon into the "Volume Name" field (C: or
D: - whatever). Click OK.
* Go to the oddly named "Crack" menu and select "Backtrack NTFS FRS".
* Now enter the HEXADECIMAL representation of the file number (either
with or without the leading "0x", it doesn't matter). It will pop up a
little window displaying the full path of the file.
(The "Read" menu also has a "NTFS File Record" option that will show
you the MFT data structures if you wish but that is unlikely to be any
use to you unless you are hand-editing the disk structures
themselves).
All times are: Eastern Time (US & Canada) (change)
Page 1 of 1
You can post new topics in this forum You can reply to topics in this forum You can edit your posts in this forum You can delete your posts in this forum You can vote in polls in this forum
Home
Forums
Home
FAQ
Profile
Private Messages
Log in
Windows Other