Dell Win 8.1 desktop won't boot - where has the user data gone!

[neil]

Got a Dell desktop with Win 8.1 came in not booting to Windows and stuck in a repair loop. Obviously it couldn't auto repair, System Restore was not possible (no restore points), System Refresh fails. I'm looking at a Windows reinstall BUT when I look on the hard drive, there is no Users folder and the Windows folder has just a few files - nothing like I would expect for a typical Windows install. The completely absent Users folder is a new one for me, and it's not just hidden as I can see other hidden folders. Of course, the owner hasn't backed up in a while, so the total loss of his files is going to be an unpleasant surprise.

I haven't worked on many Windows 8.1 systems and so I'm wondering if I'm just missing something. Anyone seen anything similar? Is this some new Crypto virus that hides User files in some way? Any ideas appreciated!

Neil

 

[PBComputer]

The only time I have seen anything like this is when the system had a failing hard drive or a very bad virus infection.

 

[neil]

I haven't done a virus check yet, but have a scan running now. The HD looks OK in a simple test with CrystalDiskInfo, so nothing glaringly obvious there. Hardly a complete test I know, but it should at least show major problems if there were any.

 

[katz]

You could try a search for some typical user files, using the *.mp3 or *.doc, etc. A bad virus infection could have moved or renamed the user folder.

 

[hmig89]

Hi Neil, was there any encryption on the drive? Also have you tried running the bootrec commands in the windows recovery?

 

[Markverhyden]

If they value their data and you value them as a customer you had better make a full disk image. Then start fiddling around with it. Since it looks like files have been deleted you might want to run a data recovery app against it.

 

[neil]

No viruses found, just the usual Conduit, Sweetpacks, Searchprotect etc. PUP infestation.

 

[HFultzjr]

If they value their data and you value them as a customer you had better make a full disk image. Then start fiddling around with it. Since it looks like files have been deleted you might want to run a data recovery app against it.

^^^^^^^^^^^ THIS^^^^^^^^^

Pull the hard drive
Make 2 images of it (keep 1 as an extra, JUST incase)
Run recovery software on a mounted image.

Or, if important enough, send to an expert!

Maybe customer tried some "fixes" before you got it.

I have seen customers start a recovery from the recovery partition and then decide to quit....Before it's finished. Really mucked up the system.

Harold

 

[neil]

markverhyden: indeed, an image was the first thing I did and I have been working only on that. Interestingly, there is a 'found.000' directory with about 6GB in dated yesterday (when the machine failed). Looks CHKDSK has been busy and that's where the Users folder may have gone.

 

[neil]

HFultzjr: yes, I know the customer had been messing around before calling me, so damage may have been done already. That may account for the CHKDSK activity mentioned above, or that may have just happened as part of the attempted auto repair.

Thanks for the comments guys, just discussing it helps me think things though.

 

[pc-rebuilders]

My guess would be your customer try to do something and it failed, they panicked and called you to bail them out. Been down that path before...

 

[Markverhyden]

Neil, have you ever used R-Tools R-Studio for data recovery? You can download the full product and run it against a target. If you like what you see you can then buy the license and apply it to do the recovery. Without the key the max file size is something like 64k.

I've used testdisk in the past to recovery FAT's but that will not work here as you have w8.1 so the drive is almost certainly GPT. I've not had to mess around with a GPT disk yet for data recovery so cannot offer any suggestions on tools to rebuild those partitions.

 

[neil]

Hi Neil, was there any encryption on the drive? Also have you tried running the bootrec commands in the windows recovery?

I'm going to show my almost complete ignorance of Windows encryption here:- if the drive was encrypted would I still be able to browse folders and so on (which I can). If encryption was set at a folder level wouldn't the folder still be visible?

I had tried BOOTREC in recovery but the killer is that the Windows directory is effectively empty, so there is much more going on than just a corrupt MBR.

Currently it looks like some event corrupted the MFT and next time the system booted CHDSK did it's stuff on the dirty volume and a lot of important stuff went missing. Now I recall the customer saying that "nobody here knows how to shut down this Windows 8 computer so they just turn it off at the wall" which has to be at least one strong possibility for the mess!

 

[ohio_grad_06]

Seems like I had one like this in before and never could get the data. Seems like I tried many of the things already suggested here. Is there any possibility of trying to do a system restore and setting if you can go back that way?

 

[Xander]

Interestingly, there is a 'found.000' directory with about 6GB in dated yesterday (when the machine failed). Looks CHKDSK has been busy and that's where the Users folder may have gone.

I had one like this a month or two ago. Can't remember all the details now but I didn't find anything wrong with the drive itself; it was all at the software level. As far as I know, I was able to find most of his files in the Found folders and there were hundreds of subfolders with the majority of his stuff in just a few of them. I basically did a search for each file type and pulled them off that way.

 

[thecomputerguy]

Sounds like your customer attempted to repair the computer themselves and botched it.

 

[neil]

Xander: What you described was exactly my scenario.

So, in the end I just reinstalled Win 8 with system reset to get the thing booting again.

Managed to recover over 50GB of files from the 'found.000' directory. Although many of the folders were like 'dir0001.chk', the subfolders below them retained their original names so most of what would have been in the Users folder seems to be intact. I'll see for sure of course once the client has looked through in detail. On the whole, considerably better than I expected though.

I've read horror stories about CHKDSK over the years, but I've never seen such extensive damage to a Windows installation. I'll probably never know the root cause of the directory corruption which made CHKDSK run, though yanking the power while the system was writing is certainly a contender.

And now to see if I can convince the client about the merits of backup ;-)

 

[Ktex]

You still found all data, great. I once had all data not show up under the user's account, it somehow migrated to the public account, found it by looking at all the folders' properties. I still have no idea how all the data ended up there, laptop was cleaned by another "tech" previous to data loss.

 

[glennd]

You still found all data, great. I once had all data not show up under the user's account, it somehow migrated to the public account, found it by looking at all the folders' properties. I still have no idea how all the data ended up there, laptop was cleaned by another "tech" previous to data loss.

accidental drag and drop. it happens a lot, particularly if the mouse pad is ultra sensitive. user has no idea what just happened. I've watched it happen and they totally denied they did anything.

 

[lcoughey]

What you found the the found.000 folder the the broken chains that weren't lost. But, there still is question of what is missing and what caused the MFT corruption in the first place?

I know that the drive was imaged (without any errors?) and passed basic tests. But, I'm still suspicious of the physical hard drive.