Linux seeing vista files

Snapafun

Member
I've installed PCLinuxOS onto this system (and it IS my mate's, not mine...) in an attempt to find out why his Vista will not boot. There were no safe boot options, nothing. At first it appeared to be a corrupted MBR, but doing all the rebuilds didn't get me there, so Linux to the rescue.

Well maybe.

When I mount the Vista partition (partitions already made before this, so no changes done to install Linux) I get to see the folder structure complete, but I cannot see any files at all. No system files, no files in My Documents - nothing.

For now I'm assuming that someone has triggered some form of malware that has added the '+H' attribute to all the files and that is maybe why I cannot see them.

Then again, it may well be that all the files have somehow been destroyed???

Some folders I've noticed missing are specific user folders, whereas the default folders are there.

So, where to from here?

I don't mind having to go down the track of a full re-install AND they get to play with Linux as well, BUT it would be good to recover their personal files before I start.

Some work done to date includes a complete rebuild of the MBR, but upon reboot I only get the error POST page about faulty hardware or software connection and cannot proceed past that. Except that once, after rebuilding the MBR using a system repair command prompt, I could move one more screen, where it lists one OS with the name I gave it with " bootrec.exe /create /d "Microsoft Windows" /application osloader ", then it reverts back to the error POST page - a continual loop.

So first, are the files still there? How do I find out?

Needless to say, I do have full admin rights, a recovery disk (which reports it has done things successfully re 'startup repair', though nothing has changed) and I think I have enough of a Vista system install made from a previous Vista machine to allow a full re-install.

So all I need to get is the files from that partition.

Note: All other partitions, I can get to see and use the files.

This is a HP Laptop, about two years old and in the hands of a 'blondie'. So lord only knows how it got to this state.

Will watch out for anyone with the time to assist.

A small update. I just tried the GUI version of the rescue disc for Automatic Startup Repair and got the message that it was unable to repair the boot. Tried it four times to be sure, as I'm aware that it fixes only one file at a time - no change.
 

Um, Yarddog.... He's way past that part.

Have you done a search for them? The files might not be where he thinks...

You could try copying to a usb drive... You'd then have ownership of them... But it seems they have been moved or modified...

Have you tried a boot disk drive utility? Maybe a bulloxed up drive.

G/L and welcome
 

Thanks for the replies folks. Greatly appreciated.

I've tried a full rebuild of the boot for Vista using the command prompt within the recovery disc, and though those files have got onto the HDD, things did not progress.

Looking at the partition when mounted all I see is a folder structure without any files visible.

Doing an ls -al from Konsole doesn't show anything either. (As root, from within this PCLinuxOS install which is on the same laptop.)

I'm hoping that some malware simply changed the file attributes and am seeking a way to be sure whether this is so or not, as basic commands do not appear to be able to see anything.

In case it helps - the file structure I see appears basic, i.e. when I go to the user folder I get to see an Administrator folder, a Default folder and one other - I do not see the actual user-named folder that I know existed.

Regardless, opening any folder results in there being no files whatsoever being seen.

And again, another 2 partitions and the logical partitions for this Linux installation are all sound and without problems.

It's just that I cannot believe that every file has been removed, I mean EVERY file.

I'll try using testdisk later and do a file recovery to see what happens there.

Just would be nice to know if there is a way to force a file attribute change across a whole partition, just in case they have been +H'ed.
 

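An added example, not commands from the thread, for the question of whether the entries are merely +H'ed: a POSIX shell script that decodes the NTFS attribute word ntfs-3g exposes as the system.ntfs_attrib extended attribute and lists every entry under a mount point whose Windows HIDDEN or SYSTEM bit is set. It assumes the Vista partition is mounted read-only through ntfs-3g (the mount point /mnt/vista is a placeholder), that getfattr from the attr package is installed, and that getfattr -e hex prints the four attribute bytes little-endian; the attribute values at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example. Decodes the NTFS attribute word ntfs-3g exposes as the
# "system.ntfs_attrib" xattr and reports entries with HIDDEN/SYSTEM set.
# Assumes: read-only ntfs-3g mount, getfattr installed, and getfattr -e hex
# printing the 4 bytes little-endian (e.g. 0x22000000 = ARCHIVE|HIDDEN).

# Turn getfattr's little-endian hex string into a plain integer.
le_hex_to_int() {
    hex=${1#0x}
    be=""
    while [ ${#hex} -ge 2 ]; do
        be="${hex%"${hex#??}"}$be"   # prepend next byte, reversing order
        hex=${hex#??}
    done
    echo $((0x$be))
}

# Map the attribute bits to the names Windows' attrib command uses.
decode_ntfs_attrib() {
    v=$(le_hex_to_int "$1")
    out=""
    [ $((v & 0x01)) -ne 0 ] && out="$out READONLY"
    [ $((v & 0x02)) -ne 0 ] && out="$out HIDDEN"
    [ $((v & 0x04)) -ne 0 ] && out="$out SYSTEM"
    [ $((v & 0x10)) -ne 0 ] && out="$out DIRECTORY"
    [ $((v & 0x20)) -ne 0 ] && out="$out ARCHIVE"
    [ $((v & 0x800)) -ne 0 ] && out="$out COMPRESSED"
    [ $((v & 0x4000)) -ne 0 ] && out="$out ENCRYPTED"
    echo "${out# }"
}

# Walk a mounted NTFS tree without modifying it and print every entry with
# HIDDEN or SYSTEM set; paths lacking the xattr (non-NTFS) are skipped.
report_hidden() {
    find "$1" -mindepth 1 -print | while IFS= read -r p; do
        raw=$(getfattr --only-values -e hex -n system.ntfs_attrib "$p" 2>/dev/null) || continue
        flags=$(decode_ntfs_attrib "$raw")
        case " $flags " in
            *" HIDDEN "*|*" SYSTEM "*) printf '%s\t%s\n' "$flags" "$p" ;;
        esac
    done
}

# Constructed sample values standing in for getfattr output.
for sample in 0x22000000 0x06000000 0x10000000; do
    printf '%s -> %s\n' "$sample" "$(decode_ntfs_attrib "$sample")"
done
# Real run against the placeholder mount point: report_hidden /mnt/vista
```

ntfs-3g lists Windows-hidden entries unless it is mounted with its hide_hid_files option, so an empty ls -al already argues against a plain +H; the script makes that check explicit per entry.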

Another quick update. Used testdisk in an attempt to recover deleted files and got:

TestDisk 6.13-WIP, Data Recovery Utility, November 2011
Christophe GRENIER <[email protected]>
Main Page - CGSecurity
1 * HPFS - NTFS 0 32 33 19507 144 21 313387000 [Harwood]
Deleted files

No deleted file found.


Seeing as this partition hasn't been mounted since the problem started, I would have assumed that the missing files would be available to testdisk.
 


I've been looking around and needed to update another thread, so thought I'd put here where I was up to. Hope it helps get me there soon.

<quote>
Thx gregrocker for your reply.

For now, I've installed PCLinuxOS on a partition I made some time ago believing the owner was wanting to update to Win7. So I've yet to actually touch the Vista partition hoping I'm not corrupting it further.

Though I've mentioned that I can see the folder structure and that the folders are empty, I've since discovered that the folder structure appears to be related to an original install, as program folders I know I installed are missing and, what's worse, user folders I know as the users' are also MIA.

So right now I'm not sure what's happened, and the 11 year old using this system is not forthcoming. Needless to say, his folks are distraught about possibly losing all their personal records, including some once-only family photos.

I ran testdisk on the partition and it reported that there are no deleted files. That can not be good.

I've put an entry in GRUB for the RECOVERY partition on this HP Pavilion system and am able to access all the recovery tools from that now. (Changing the partition table some time ago, I forgot to update the system environment variables to tell F11 where it was.)

Another unhealthy sign is that when I copied the whole partition onto an external HDD, I only got 1.14GiB of data.

I can only assume that the kid attempted to hide something (we've since learned that he took mum's EFT-POS card and bought some game online - he's just staying quiet about it) and in doing so caused something to load into RAM which was then able to delete everything. If this is not possible, then maybe not understanding how to read the HPFS - NTFS file structure is my problem - hence I'm holding off the 'Back to factory settings' full re-install.

In the meanwhile I'm coaching them in Linux (KDE) so that they can at least access their email. (Thank the powers that be that I insisted they remain with IMAP and not POP.)

For now, I'll review your suggestions and otherwise continue to become conversant with the Vista File Structure to be sure I've left no stone unturned.

Any more words of wisdom? Anyone?
</quote>
 


I honestly have no idea how to help you. It is extremely odd how the files are missing.

I am not sure how PCLinuxOS is set up, but maybe try Ubuntu... It's built with everything ready.

I wonder if the kid did something like a disk erase to 1/0 the empty space. Ugh, yeah, I think your friend's up the S creek and that kid broke the paddle.

I'm unsure how to help you, unless you can figure out what happened.
 

Thanks Patonb

In my youth a visit to the woodshed would have got the answers, but in this day and age you can only go the tough love way, and that requires effort on behalf of all involved and still no answers. I would love to know what he actually did so I could post a better understanding. Still, I'm the one with the fishing boat these holidays, so maybe a little blackmail may get us there yet.

For now, the nearest I can get is that he bought some game using his mum's card and along the way connected a camera to the system to get the photos over.

I still do not understand how anything can remove all the files - remember, there was only the one OS (Vista) at the time, so unless the game came as a LiveCD I have no idea how he could have pulled this one off.

And for there to be no deleted files for testdisk to find is a real mystery.

Will keep this thread up to date with the hope that someone "has been there before" and might well have some idea. For now, they will need to get familiar with Linux, and PCLinuxOS (KDE) runs very much in favour of casual users ex-Windows, so hopefully not a biggy.

One last thought - is there a difference between NTFS and HPFS-NTFS? My Linux OS sees the structure as NTFS-3G, if that makes a difference.
 


Update and BUMP!

Even a fishing trip being missed on my boat could not get this youth to open up - he acts like he is 'bullet proof' and it will be some years before we get to hear the whole story, methinks.

So I'm back to trying to see whether or not the files are there and understand how Vista might secret such files.

I've tried to trick the partition into Share Mode, as I have the admin user name and password, but that did not work because, I believe, Vista is not recognized at present.

Vista's own disk management GUI allows one to activate a partition; is there a way I can turn this switch on? With PCLOS installed and faithful Puppy Linux and UBCD4WINDOWS on standby, I'm open to any further suggestions, and especially a 'howto', in an attempt to try to see if any files still exist.

Is NTFS-3G the right tool to use in viewing a Vista file structure?

Is there any actual app that is Windows specific that I ought to be using at this point? NB. I am able to use the recovery option on the laptop but have no desire to change anything on the Vista partition until I've exhausted all possible ways of getting their personal files and photos saved.

Not looking good at present, just hoping for some new ideas now we are all back from our holidays.
 
