Pelles C forum
C language => Work in progress => Topic started by: JohnF on April 11, 2005, 08:39:23 AM
-
I converted a C++ app that undeletes files on NTFS drives - made a few corrections and alterations to the original code. The original loaded the whole MFT into ram, this could be a problem when the MFT has become very large. Apparently one guy had an MFT record of 1 gig.
So now the app loads chunks sequentially from the MFT record until all the records have been read. This works fine on drives formatted either with the Windows formatter or with 'Partition Magic' but it does not work with drives formatted with 'Acronis Disk Director'. For some reason the data becomes corrupt after loading a few records.
Apparently one must read blocks in multiples of cluster size, which is what I'm doing, but this still does not work for drives formatted with 'Acronis'.
Does anyone know anything about this?
The original way of loading the whole MFT into ram works even with drives formatted with 'Acronis'.
John
-
I am unfamiliar with Acronis but the following is a solution that 'will' work. Have you tried creating a 'stored' carbon copy of the MFT on the harddrive and loading chunks into memory and manipulating it instead so that you are loading chunks from a static copy? This is not a perfect solution but it is workable.
Paul
-
I am unfamiliar with Acronis but the following is a solution that 'will' work. Have you tried creating a 'stored' carbon copy of the MFT on the harddrive and loading chunks into memory and manipulating it instead so that you are loading chunks from a static copy? This is not a perfect solution but it is workable.
Paul
Thanks for that advice.
John
-
The original way of loading the whole MFT into ram works even with drives formatted with 'Acronis'.
-
The original way of loading the whole MFT into ram works even with drives formatted with 'Acronis'.
ICU!
-
I know it's a very old post, but if that can help someone, hereis a very interesting link :
http://zwclose7.createaforum.com/windows-application/deleting-files-with-ntdeletefile/ (http://zwclose7.createaforum.com/windows-application/deleting-files-with-ntdeletefile/)
https://undocumented.ntinternals.net/ (https://undocumented.ntinternals.net/)
http://www.exploit-monday.com/2013/06/undocumented-ntquerysysteminformation.html (http://www.exploit-monday.com/2013/06/undocumented-ntquerysysteminformation.html)
http://www.mediafire.com/file/gj2inoktf6v9qii/ntdll.zip/file (http://www.mediafire.com/file/gj2inoktf6v9qii/ntdll.zip/file)
Good night
-
DOS used to provide the undelete command, why M$ decided to remove it?
-
Good question. I got curious and made a little test:
include \masm32\MasmBasic\MasmBasic.inc
Init
ShEx "D:\$RECYCLE.BIN\S-1-5-21-2217455635-831285763-2584204927-1003\$R53967L.png"
EndOfCode
ShEx (ShellExecute...) works fine, I see the png.
Path copied by pressing Alt C in FreeCommander XE. Two problems:
- Windows Explorer doesn't show me the recycle bin.
- FreeCommander shows me the recycle bin, but the path I can copy is much different from the original. However, there is a column "original path"...
So I can restore a deleted file, but it's rather manual ;D
-
Find the Recycle Bin
Windows 10 (https://support.microsoft.com/en-us/windows/find-the-recycle-bin-885cf298-0f98-a548-9427-a1248fce4315)