Home / System / Windows : Drive healing from scratch

Windows : Drive healing from scratch

May 28, 2020

In this post let’s understand hard drive operation and try to find a methodology (procedure) to troubleshoot it (and heal it if needed).

Lab setup

for the purpose of our test we mount this setup: PC + USB to SATA adapter + Seagate 1T HDD. The most basic setup to play with our hard drive.

Gather some information on the system

On my PC I run this command: run>msinfo32, that shows this information :

  • Microsoft Windows 10 Professionnel, 10.0.18363
  • ASUSTeck, X556UB, x64, Intel i7-6500U CPU @ 2.50GHz, 2 core, 4 logical processors
  • BIOS UEFI

Lets gather also, some information on this drive?

using msinfo32, we get this output:

and it shows nothing!

let’s use disk management (diskmgmt.msc)

it shows nothing too!

What’s wrong

Windows disk management and msinfo show nothing about my already connects hard drive. What is not working? Fault in system (os, driver)? usb port (controller, etc.)? cable? disk itself?

in File Explorer (Win + E, run>explorer.exe), i check that an additional disk is present (F:) (that is not present in disk management or msinfo32)

right click and click on properties shows: no utilization information, tools (chkdsk, defragmenter) do not have access to it.

in Device Manager (devmgmt.msc) I tried to unplug/plug usb cable and the adapter is detected indicating that nothing wrong with this part.

The plug/unplug showed no problem with driver by MS in this version 10.0.18362.1 (21/06/2006) version, USBSTOR.SYS.

I tried next to uninstall/install this device to intialize all the install process.

But the test fails, the disk does not respond in an acceptable time! not able to close it either (usb device unplugged)! hopefully i was able to kill it under (taskmgr)

and it’s still there in Device Manager

let’s uninstall the controller and see but the test fails not able neither to access it!

restart an see… not able to just restart, needed to force shutdown! any results? now the drive has disappeared from File Explorer, from Device Manager and from Disk Management.

replug the adapter: the drive appears now under Disk Mgmt using an MS (21/06/2006) 10.0.18362.1 version driver (disk.sys, EhStorClass.sys, partmgr.sys, EPMVoIFI.sys)

but no information on the vendor is in there?!

a lookup for drivers, tools to diagnose at Seagate website: SeaTools for Windows returns nothing (did not detect the usb drive); Drive Detect? No help…

MiniTool Partition versus Windows Disk management

What can MiniTool Partition Wizard Free offer? something wrong with the partition? lets run partition recovery wizard

While running the tool, the good news is that the adapter led is now blinking: analysis is going on, drive accessible, readable.

The utility discovered an existing NTFS partition (and its file structure, data) but the Disk Management keeps failing!

Deep in to bit level to check : Hex Workshop

At this stage, let’s check how the drive is written at the lowest level? let’s deep into this using Hex Workshop application and check MBR table information (Bootstrap, Partition table, Signature). The image shows the MBR table organization:

.

The first partition hex is (00)(0A0902) (EE)(FEFFFF)(00800000)(00E06F74).

The first field (1 bytes) indicates if the partition is active (is set to 80 hex, Windows labels this partition as SYSTEM (visible in MiniTool Partition Wizard or diskmgmt.msc for example), in our case it is set to 00 hex whick indicates that the partition does not have the boot flag set (no other values are possible), a non-active partition.

The 2nd field (3 bytes) represents the partition starting sector in CHD (Compressed Hunks of Data).

The 3rd field (1 byte) represents the partition file system (07 for NTFS, EE for GPT protective MBR).

The 4th field (3 bytes) represents the ending sector of the partition in CHD.

The 5th field (4 bytes) indicates the starting sector on disk.

The 6th field (4 bytes) indicates the size of the partition (the number of sectors indeed which is multiplied by the sector size).

Analyzing the other partitions information in MBR table indicates only one partition (the 1st) is existing, which contradicts MiniTools Partition Wizard findings (at least one NTFS partition is found) after a deeper analysis of the drive storage area!

As a first conclusion,

First, we’ve checked the physical part of our setup to try to spot what’s wrong with it. No physical issues were found but still the disk is not detected by the OS (Windows) using the utilities offered by it (msinfo32, disk manager, etc.). Using another application the Mini Tools allowed us to have some more information than OS built-in utilities.

Further we analysed the structure of the disk itself at a lower level (byte level, Hex) using the Hex Workshop application. If something is not correct at this level it would explain why Windows not able to play the disk. We’ve found some contradictory information on how the MBR is written and what MiniTools or Windows built-in tool show.

Before the healing : Hex Workshop versus File Explorer

Before the healing the MBR (stands for the master boot record) table showed hex written to the hard drive: the MBR signature, the four partitions and the bootstrap area. In a modern standard MBR, the signature is two byte length and a value of 0x55AA.

a snapshot on file explore does not show the disk 1 partitions.

After the healing : Hex Workshop, Disk Manager and Test Disk.

after the healing the content of zones representing the four partitions has changed the value to the value shown in the next figure.

in the windows disk manager (diskmgmt.msc) the drive is recognized now as shown in the next window and in File Explorer the disk is back and usable again.

We run next TestDisk with success showing that the structure is ok. the primary bootable is marked with an asterisk (2 partitions: EFI System and System) in addition to two primary partitions: Recovery and Data.

diskmgmt.msc show the information in the next figure.

further more, using the hex Workshop utility the four partitions were deleted before creating a new simple one volume in the MBR table as shown in the snapshot next.

in the figure reprensenting the MBR table, only the first partition is written and the three others are deleted.

atlink'admin

One Comment

Leave a Reply

  • Transmit Power Control in IEEE 802.11 Cisco WLAN networks
    TPC stands for Transmit Power Control. It’s a one of Cisco RRM, Radio Resources Management, techniques that are aimed at tackling interference, cross and co-channel, in Wlan networks. RRM: TPC, CHD and DCA It works tightly with CHD, Covergate Hole Detection, to optimize transmit power. TPC tends to minimize the transmit power and CHD to eliminate
  • 10 security measures against 10 attacks in a LAN network – Part I
    An Ethernet switch is the central element of a LAN network and operates at data link OSI layer. Every switch port defines a collision domain and can extend a broadcast or broadcast frame domain that is stopped by a router routed interface that operates at network OSI layer. By default switches support one broadcast domain
  • Understand how Aruba ARMizes your WLAN for sure!
    Presenting ARM In this post, that is a part of a serie of post that discuss how Wlan to radio ressources management, we talk of Aruba way of doing it. The figure shows a simple wlan network of 6 AP or access points. This is heatmap showing that radio signal is very strong (in red)
  • Understand RIP Routing Timers All in One Shot!
    This post is part of a series of posts about dynamic routing protocols and especially RIP. We’ll try to get a deep understanding of its operation and function as an introductory to dynamic routing logic in general. You’ll see that what we think easy may hide an incrementing complexity… a little introduction Berfore we start
  • DUAL route FSM Processing of EIGRP Queries
    This blog is a part of series of posts about EIGRP routing protocol. Let’s recall that EIGRP is one of the so called IGP routing protocols. IGP stands for interior routing protocols as opposed to EGP or exterior routing protocols. In addition EIGRP is a hybrid as it borrows some similiarities to distance-vector and link-state
July 2025
M T W T F S S
 123456
78910111213
14151617181920
21222324252627
28293031  

Table of Contents

Table of Contents