Hello to all and please cut me some slack as I am new here and not a computer expert.

This a a long story but let's try to make it short for now.
I got a company laptop with McAfee Endpoint Encryption on it.
One day I work from home all is well , shut it down for the night.
Next day I got to my work location , fire up the laptop, get the
McAfee pre-boot authorization screen, I sign in and next I get a message
that "the following file is missing windows/system32/windows/config "

I boot off Windows XP CD, and run fixboot (not a smart move) from recovery console.

Try to boot from HD again, get McAfee log in and right after that
a message "there is no operating system" ?

So right now my 160GB HD shows as 10.1MB FAT12 drive , there is some folders
there but their labels look like Egyptian hieroglyphs, with dates like October 20 2087 ???
Can't delete them,copy them ?


My question here is , how can I tell (even thought the data was/is encrypted)
100% that there is some data on this drive besides this 10.1MB partition.
What tools/ software works ?
I have tried some from the internet but always come empty handed....
Thanks in advance for any help and suggestions.

Do you want to recover data from the drive?
DIY on disks with important data is not advised.
Seek pro help if data is critical.

The initial problem of windows not booting might have been either a bad sector on the drive or file corruption.

The process to recover data from such a situation will be somethig like ..
https://kc.mcafee.com/corporate/index?p ... &pmv=print

Running Fixboot has complicated the situation .
That is why its advised that you Clone the drive and do all operations on the clone copy, (do not work with the original drive) .

(Remember your access password)
Firstly Clone the drive to another (working & empty ) drive of same or higher capacity.
Work only on the clone copy.
Try the Decrypt the drive (clone copy )
Then you may have to run some recovery tools(R-studio) to get to your data.
If you do not succeed in this, send the original drive with the details to a DR pro(with the password)

I have personally been a victim of FIXBOOT. It begs the question, what kind of braindead Microsoft programmer would think that writing a 10MB FAT12 floppy boot sector to a hard drive amounts to fixing anything?

I managed to fix the problem by repairing the boot sector by hand, but I don't have experience with encrypted file systems. If I were working on your drive, I would use a disc editor in read-only mode to search the drive for a backup boot sector. If you would like to indulge me, maybe we could learn something together. You might consider cloning your drive first, though.

_________________
A backup a day keeps DR away.

Thank you for your replies !
No the data is not critical , more of an inconvenience at this point in time but it bugs me
to find out what this "fixboot" command did , it should not have wiped out any data , at least I don't
think so.
I am working off a clone which was done using EaseUS Backup 2.3 Free version.
Fzabkar, what is a good disc editor ?
Can disc editor show me that the drive contains ANY data in my case more than 10.1MB.
This is simply to see if there is anything on this drive beyond that 10.1MB
How would I do it ?
Please excuse me if I am asking stupid or funny questions ...
Willing to learn here.

Sathyan :

"Firstly Clone the drive to another (working & empty ) drive of same or higher capacity."
what do you mean empty ? Formatted or not ?The way it comes from factory , unallocated space ?


Thanks.

In my case FIXBOOT only touched one sector, the boot sector. Since this was a standard sector, it was relatively easily restored.

In your case I would start by examining sector 0, plus the next two. Sector 0 is where a standard partition table would be located. Hopefully it will tell us where the boot sector is located.

You could use a freeware disc editor such as DMDE.

DMDE (DM Disk Editor and Data Recovery):
http://softdm.com/download.html

To save the requested sectors, launch DMDE.

In the Select Device/Disk tab, select the Physical Drive, choose the Physical Devices radio button, uncheck the Show Partitions box, and click OK.

You should now see LBA 0 (sector 0) of your drive.

Now select Tools -> Copy Sectors

Start Sector -> 0
Number of Sectors -> 3

In the Destination pane, select File.

You will be offered a filename of lba_0_3.bin

Click Save, OK, etc.

_________________
A backup a day keeps DR away.

Erase the target drive to avoid contamination ,before cloning.
Use Erase/Fasterase from MHDD .

Fzabkar here is the file, looks like the forum allows to attach a file.

I don't see it yet. Looks like it may be waiting for approval.

_________________
A backup a day keeps DR away.

Fzabkar, it seems this forum has no private message capability can you contact me via my
email balanga@gmail.com.
Thanks in advance

Chris

Let's try to post the file again...
There is a forum message ," The extension bin not allowed"

This is the file seen in Notepad:

úë#SafeBoot  C Os œh |`ü»®}¹ _€?€àøub€u\¾^|¿ W¹ 󤋋O» |ø
ÍaÏŠÄ€ä€ü ~€Ä'±Òè< ~'
¡}¬
Àu¬˜ðëõyNÆ öØ´» Íëä´’¾j}ëÂú3ÀŽÐ¼ |ûf¡|f‹|½à¾©}f‰Df‰T‰l´B²€ŽÅÍs;´²€Íf3ÛŠÞCfƒá?f¡±}f‹µ}f÷ñ‹Ê3Òf÷óAÀ̆ÄÈŠò¸
²€3Û;…}r–f&>à
SBfsu…¡$|&;å
uôÿ$|f3À3ÛfÑÈf&_€ÿuñfÀu×& é
´» ̓Åf&¡ô
f&‹ø
f‹ÈfÊ…Wÿh h ~Ë
SafeBooŒhabee’corrupteœ 
SafeBooŒharœdis•erroŽ(erroŽ00h)
þ
eY> €

þÿÿ? ‚Š¡ Uª

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000 FA EB 23 53 61 66 65 42 6F 6F 74 20 00 05 02 00 úë#SafeBoot ....
00000010 00 00 00 00 8F 8F 43 00 00 00 00 00 4F 73 00 00 ......C.....Os..
00000020 00 00 00 00 00 00 9C 0E 68 00 7C 60 1E 06 0E 1F ......œ.h.|`....
00000030 0E 07 FC BB AE 7D B9 04 00 8D 5F 10 80 3F 80 E0 ..ü»®}¹..._.€?€à
00000040 F8 75 62 80 7F 04 12 75 5C BE 5E 7C BF 00 06 57 øub€...u\¾^|¿..W
00000050 B9 09 00 F3 A4 8B 17 8B 4F 02 BB 00 7C C3 B8 01 ¹..ó¤‹.‹O.».|ø.
00000060 02 CD 13 07 1F 61 CF 8A C4 80 E4 0F 80 FC 09 7E .Í...aÏŠÄ€ä.€ü.~
00000070 03 80 C4 27 B1 04 D2 E8 3C 09 7E 02 04 27 01 06 .€Ä'±.Òè<.~..'..
00000080 A1 7D AC 0A C0 75 06 AC 98 03 F0 EB F5 79 06 4E ¡}¬.Àu.¬˜.ðëõy.N
00000090 C6 04 20 F6 D8 B4 0E BB 07 00 CD 10 EB E4 B4 92 Æ. öØ´.»..Í.ëä´’
000000A0 BE 6A 7D EB C2 FA 33 C0 8E D0 BC 00 7C FB 66 A1 ¾j}ëÂú3ÀŽÐ¼.|ûf¡
000000B0 14 7C 66 8B 16 18 7C BD E0 07 BE A9 7D 66 89 44 .|f‹..|½à.¾©}f‰D
000000C0 08 66 89 54 0C 89 6C 06 B4 42 B2 80 8E C5 CD 13 .f‰T.‰l.´B²€ŽÅÍ.
000000D0 73 3B B4 08 B2 80 CD 13 66 33 DB 8A DE 43 66 83 s;´.²€Í.f3ÛŠÞCfƒ
000000E0 E1 3F 66 A1 B1 7D 66 8B 16 B5 7D 66 F7 F1 8B CA á?f¡±}f‹.µ}f÷ñ‹Ê
000000F0 33 D2 66 F7 F3 41 C0 CC 02 86 C4 0B C8 8A F2 B8 3Òf÷óAÀÌ.†Ä.ÈŠò¸
00000100 01 02 B2 80 33 DB CD 13 BE 85 7D 72 96 66 26 81 ..²€3ÛÍ.¾…}r–f&.
00000110 3E E0 01 53 42 66 73 75 85 A1 24 7C 26 3B 06 E5 >à.SBfsu…¡$|&;.å
00000120 01 75 F4 FF 06 24 7C 66 33 C0 33 DB 66 D1 C8 66 .uôÿ.$|f3À3ÛfÑÈf
00000130 26 03 07 8D 5F 04 80 FF 02 75 F1 66 0B C0 75 D7 &..._.€ÿ.uñf.Àu×
00000140 26 A0 E9 01 B4 0E BB 07 00 CD 10 83 C5 1E 66 26 & é.´.»..Í.ƒÅ.f&
00000150 A1 F4 01 66 26 8B 16 F8 01 66 8B C8 66 0B CA 0F ¡ô.f&‹.ø.f‹Èf.Ê.
00000160 85 57 FF 68 00 00 68 00 7E CB 0D 53 61 66 65 42 …Wÿh..h.~Ë.SafeB
00000170 6F 6F 8C 68 61 8D 62 65 65 92 63 6F 72 72 75 70 ooŒha.bee’corrup
00000180 74 65 9C 00 16 0D 53 61 66 65 42 6F 6F 8C 68 61 teœ...SafeBooŒha
00000190 72 9C 64 69 73 95 65 72 72 6F 8E 28 65 72 72 6F rœdis•erroŽ(erro
000001A0 8E 30 30 68 29 0D 0A 00 FE 10 00 01 00 00 00 00 Ž00h)...þ.......
000001B0 00 00 00 00 00 00 00 00 65 59 3E 07 00 00 80 01 ........eY>...€.
000001C0 01 00 07 FE FF FF 3F 00 00 00 82 8A A1 12 00 00 ...þÿÿ?...‚Š¡...
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª


Fzabkar I hope this is OK?

You should use the "code" button in the toolbar above your reply window.

Anyway, the MBR code is obviously McAfee's ("SafeBoot"), not Microsoft's, so that confirms that we are looking at the correct drive.

Here is the partition table:


It shows a single NTFS partition (type 07) beginning at sector 63 (= 0x3F) and with a size of 160GB (= 0x12A18A82 x 512).

The next thing to do is to examine sector 63 using the same procedure as before, except that the Number of Sectors = 1.

There should be a backup NTFS boot sector at the end of the partition, ie sector 312576704 (= 0x3F + 0x12A18A82 - 1).

http://www.google.com/search?q=0x3F+%2B ... in+decimal

Can you also upload sector 312576704?

_________________
A backup a day keeps DR away.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000 EB 3C 90 4D 53 44 4F 53 35 2E 30 00 02 08 01 00 ë<.MSDOS5.0.....
00000010 02 00 02 03 51 F8 08 00 11 00 04 00 01 00 00 00 ....Qø..........
00000020 00 00 00 00 80 00 29 00 00 00 00 4E 4F 20 4E 41 ....€.)....NO NA
00000030 4D 45 20 20 20 20 46 41 54 31 32 20 20 20 33 C9 ME FAT12 3É
00000040 8E D1 BC F0 7B 8E D9 B8 00 20 8E C0 FC BD 00 7C ŽÑ¼ð{ŽÙ¸. ŽÀü½.|
00000050 38 4E 24 7D 24 8B C1 99 E8 3C 01 72 1C 83 EB 3A 8N$}$‹Á™è<.r.ƒë:
00000060 66 A1 1C 7C 26 66 3B 07 26 8A 57 FC 75 06 80 CA f¡.|&f;.&ŠWüu.€Ê
00000070 02 88 56 02 80 C3 10 73 EB 33 C9 8A 46 10 98 F7 .ˆV.€Ã.së3ÉŠF.˜÷
00000080 66 16 03 46 1C 13 56 1E 03 46 0E 13 D1 8B 76 11 f..F..V..F..Ñ‹v.
00000090 60 89 46 FC 89 56 FE B8 20 00 F7 E6 8B 5E 0B 03 `‰Fü‰Vþ¸ .÷æ‹^..
000000A0 C3 48 F7 F3 01 46 FC 11 4E FE 61 BF 00 00 E8 E6 ÃH÷ó.Fü.Nþa¿..èæ
000000B0 00 72 39 26 38 2D 74 17 60 B1 0B BE A1 7D F3 A6 .r9&8-t.`±.¾¡}ó¦
000000C0 61 74 32 4E 74 09 83 C7 20 3B FB 72 E6 EB DC A0 at2Nt.ƒÇ ;ûræëÜ 
000000D0 FB 7D B4 7D 8B F0 AC 98 40 74 0C 48 74 13 B4 0E û}´}‹ð¬˜@t.Ht.´.
000000E0 BB 07 00 CD 10 EB EF A0 FD 7D EB E6 A0 FC 7D EB »..Í.ëï ý}ëæ ü}ë
000000F0 E1 CD 16 CD 19 26 8B 55 1A 52 B0 01 BB 00 00 E8 áÍ.Í.&‹U.R°.»..è
00000100 3B 00 72 E8 5B 8A 56 24 BE 0B 7C 8B FC C7 46 F0 ;.rè[ŠV$¾.|‹üÇFð
00000110 3D 7D C7 46 F4 29 7D 8C D9 89 4E F2 89 4E F6 C6 =}ÇFô)}ŒÙ‰Nò‰NöÆ
00000120 06 96 7D CB EA 03 00 00 20 0F B6 C8 66 8B 46 F8 .–}Ëê... .¶Èf‹Fø
00000130 66 03 46 1C 66 8B D0 66 C1 EA 10 EB 5E 0F B6 C8 f.F.f‹ÐfÁê.ë^.¶È
00000140 4A 4A 8A 46 0D 32 E4 F7 E2 03 46 FC 13 56 FE EB JJŠF.2ä÷â.Fü.Vþë
00000150 4A 52 50 06 53 6A 01 6A 10 91 8B 46 18 96 92 33 JRP.Sj.j.‘‹F.–’3
00000160 D2 F7 F6 91 F7 F6 42 87 CA F7 76 1A 8A F2 8A E8 Ò÷ö‘÷öB‡Ê÷v.ŠòŠè
00000170 C0 CC 02 0A CC B8 01 02 80 7E 02 0E 75 04 B4 42 ÀÌ..̸..€~..u.´B
00000180 8B F4 8A 56 24 CD 13 61 61 72 0B 40 75 01 42 03 ‹ôŠV$Í.aar.@u.B.
00000190 5E 0B 49 75 06 F8 C3 41 BB 00 00 60 66 6A 00 EB ^.Iu.øÃA»..`fj.ë
000001A0 B0 4E 54 4C 44 52 20 20 20 20 20 20 0D 0A 4E 54 °NTLDR ..NT
000001B0 4C 44 52 20 69 73 20 6D 69 73 73 69 6E 67 FF 0D LDR is missingÿ.
000001C0 0A 44 69 73 6B 20 65 72 72 6F 72 FF 0D 0A 50 72 .Disk errorÿ..Pr
000001D0 65 73 73 20 61 6E 79 20 6B 65 79 20 74 6F 20 72 ess any key to r
000001E0 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 00 00 estart..........
000001F0 00 00 00 00 00 00 00 00 00 00 00 AC BF CC 55 AA ...........¬¿ÌUª


This is sector 63 IF I did it right ??

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000 EB 5E 8B EE A4 D6 57 77 A9 FB 2F 78 57 3B 3D AF ë^‹î¤ÖWw©û/xW;=¯
00000010 28 2A FF 7F D4 46 35 52 7E E6 26 0F 79 B6 8D 39 (*ÿ.ÔF5R~æ&.y¶.9
00000020 F3 C8 B5 5D DD 0F 73 24 F0 D6 AD 52 63 3E 54 6A óȵ]Ý.s$ðÖ.Rc>Tj
00000030 1B B3 B9 55 39 9C 82 25 AD EE 2F CC 0B 9F EA DF .³¹U9œ‚%.î/Ì.Ÿêß
00000040 4A 46 3C 08 CF 0A 7A E0 09 27 1D 04 A3 C1 75 72 JF<.Ï.zà.'..£Áur
00000050 D0 CC FE 52 63 89 45 C7 C1 78 04 DB FB F9 73 23 ÐÌþRc‰EÇÁx.Ûûùs#
00000060 2D 85 FB EA 65 C7 A4 4B 93 BE E3 20 3E A5 ED D8 -…ûêeǤK“¾ã >¥íØ
00000070 4F 81 87 89 61 62 F9 19 9C A3 D2 8C 52 6C 65 8E O.‡‰abù.œ£ÒŒRleŽ
00000080 07 B4 E2 EC 77 EE DF 1A 8B D2 E1 C1 23 B3 EC C0 .´âìwîß.‹ÒáÁ#³ìÀ
00000090 3E 51 47 91 38 2A 1D F4 71 8A 89 52 60 F5 2A DC >QG‘8*.ôqŠ‰R`õ*Ü
000000A0 B7 4D 61 3F F4 40 4E E2 6B 70 C6 10 0F E1 9A EA ·Ma?ô@NâkpÆ..ášê
000000B0 9A 27 AB 20 7B 64 83 F7 0B 7C A5 E4 AD A6 61 5F š'« {dƒ÷.|¥ä.¦a_
000000C0 4F 40 0B EC 9C 6B 88 92 C9 45 CE 3A 46 2E 96 F1 O@.ìœkˆ’ÉEÎ:F.–ñ
000000D0 4E E5 34 D1 30 B5 4C E2 AE E4 EE 86 8E EF 24 18 Nå4Ñ0µLâ®äï$.
000000E0 CC 19 88 45 4A E4 77 6F 80 33 04 85 CB B4 D0 46 Ì.ˆEJäwo€3.…Ë´ÐF
000000F0 F7 47 26 E5 0F 09 CD 9F 54 53 1C 16 E5 CA 72 CD ÷G&å..ÍŸTS..åÊrÍ
00000100 58 35 F2 FD 89 17 47 00 39 DF 6E D9 3C 65 F1 F3 X5òý‰.G.9ßnÙ<eñó
00000110 42 92 B2 AE A4 98 26 94 9C 0F 81 8D E6 D6 92 EF B’²®¤˜&”œ...æÖ’ï
00000120 59 DC E4 C0 8E A8 90 F9 69 0F FE C0 49 33 ED 7E YÜäÀŽ¨.ùi.þÀI3í~
00000130 53 92 E9 F0 28 3A 3A 52 63 12 83 38 19 86 F2 0C S’éð(::Rc.ƒ8.†ò.
00000140 BB 59 2F E8 98 50 A6 F5 61 46 FE C0 E4 4D B8 5A »Y/è˜P¦õaFþÀäM¸Z
00000150 31 2A CD F7 C3 EA A2 B1 C5 6A 3C C9 8A AE E3 70 1*Í÷ÃꢱÅj<ÉŠ®ãp
00000160 9C 3B D0 A4 7A 5B 03 3A 60 27 14 5D 45 CF F4 D6 œ;Фz[.:`'.]EÏôÖ
00000170 51 5F 6C A5 74 F2 3D B3 BD 2E 9E B7 9B 83 3C CF Q_l¥tò=³½.ž·›ƒ<Ï
00000180 1D 9B 54 4D 78 7F 36 52 4A C8 15 45 47 34 6A DC .›TMx.6RJÈ.EG4jÜ
00000190 43 63 AF 33 37 0D 01 BE 21 15 21 F5 5A 00 65 91 Cc¯37..¾!.!õZ.e‘
000001A0 8E 56 7A 87 9A F8 6F 51 B2 20 EB FF 0D 93 E2 C6 ŽVz‡šøoQ² ëÿ.“âÆ
000001B0 6B 86 58 CC 82 76 80 C7 80 DF FF 4F FB C0 77 8E k†XÌ‚v€Ç€ßÿOûÀwŽ
000001C0 B6 68 58 93 1A C8 7A D8 39 71 8C AD D2 F3 C1 89 ¶hX“.ÈzØ9qŒ.ÒóÁ‰
000001D0 4A 06 5B 25 0A 4A D4 0E 0A A6 1A A6 8E 6C 46 6C J.[%.JÔ..¦.¦ŽlFl
000001E0 79 0D 2F 5B 25 44 B0 42 4B CC F2 74 DA BD FF 4B y./[%D°BKÌòtÚ½ÿK
000001F0 27 79 55 AE 9E A3 B5 8D 21 ED 3F 82 D7 AB 1E 2D 'yU®ž£µ.!í?‚׫.-



and this is sector 312576704 again IF I did it right ??

You can see that sector 63 has been replaced with a FAT12 boot sector. It's actually a HDD FAT12 boot sector with 17 sectors per track and 4 heads. Completely bogus.

MS-DOS 5.0 Floppy Disk Boot Record (on a 1200 KiB floppy diskette):
http://thestarman.pcministry.com/asm/mbr/DOS50FDB.htm

Sector 312576704 looks like it may be encrypted. I was hoping that it wouldn't be, but it does have some signs that it may be a boot sector.

If I use DOS Debug to disassemble the first line of code, I get ..


The JMP intruction jumps around the BIOS Parameter Block at the beginning of the sector just like similar jumps in Microsoft's standard NTFS boot records. The actual code begins at offset 0x060.

Examination of the NTFS Volume Boot Record of Win2K & Windows XP:
http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm

Disk Editor View of NTFS Boot Sector and "Bootstrap Code" for Win2K and Windows XP:
http://thestarman.pcministry.com/asm/mb ... rHexEd.htm

What I propose to do now is to copy sector 312576704 to sector 63. You may want to examine sector 64 first, though. I believe it should be encrypted, ie there should be no recognisable header such as "N.T.L.D.R".

To copy the sector ...

Edit -> Edit Mode

Tools -> Copy Sectors

Start Sector -> 312576704
Number of Sectors -> 1

In the Destination pane, select Device.

Start Sector -> 63

Click OK.

You will now be asked to confirm the copy operation from sector 312576704 on the source to sector 63 on the destination. Ideally you should do this on your clone.

Note that, after restoring the boot sector, you will still be back where you started, before you applied F*XBOOT.

_________________
A backup a day keeps DR away.

This is sector 64 not sure what it all means ?

That looks like an unencrypted FAT. It appears that you formatted the volume. Data recovery will now be MUCH harder.

The FAT12 BIOS Parameter Block is telling us that there are 2 FATs and that each FAT has a size of 8 sectors. This means that there will now be a root directory at sector 80 (= 63 + 2x8 + 1).


Can you show us sector 80?

_________________
A backup a day keeps DR away.

Fzabkar, here is sector 80 and...you got me worried a bit.
As I said in the beginning the staff on the drive is not critical, but getting back emails would
make life easier.

I did not format the drive at all...now do you think it will be possible to get data at all ?
I might ask the IT Dept at work to decrypt the drive next week , and working with unencrypted drive
might be easier ?
Thanks for your effort so far !!!

I confess I don't understand why sector 64 looks like it does. Sector 80 looks encrypted, so it appears to be untouched. Have a look at the sectors in between.

You could still try copying the backup boot sector over sector 63. If it doesn't work out, you could always undo the changes with the lba_63_1.bin file that you saved with DMDE.

Whatever happens, I agree with your plan. Working with an unencrypted drive would be a lot easier.

Best of luck.

BTW, I prefer not to experiment via email. If I make an obvious mistake, someone will hopefully let us know.

_________________
A backup a day keeps DR away.