How many times have I heard this story before? You install Windows XP or hook your iPod up to your XP machine. Your computer crashes, and when you reboot, Windows runs autochk and converts all of your precious folders containing your Neil Diamond music and third quarterly earning projections into a small 32 kB file.
No, this is not the work of digital gods/goddesses trying to give you a bad hair day or get you fired (though I sometimes wonder). This is a fault in Windows XP's chkdsk utility that Microsoft techs were too lazy to fix.
"So are my Neil Diamonds gone?" you may ask. The good news is "No, they are not", though it will be one tough puppy to retrieve them.
I am not writing this post to ask a question on recovering my files (though I would expect few people to know how to recover them). Instead, I'm going to write a tutorial on how to get back your precious files, and I hope Tech Support Forums will be kind enough to leave it posted and maybe even pin it up!
So, what do I do? Stupid Windows XP/2000 didn't even give me a choice. It just said 'Yes', and when I went to the path it listed, I found a monkey of a 32 kB file with the same name as the folder that was there, but now the folder's gone!
First things first. Don't do anything! I mean don't take any action that would modify the contents of the hard drive that the files were on (such as loading this post if it's your primary drive). Any modification to your drive could overwrite the lost data you wish to recover.
Okay, it may be too late for that (you are reading this thread, aren't you?) But that's okay. Just print out this post (if you can) and keep reading.
The second thing you need to do is find the log where autochk wrote the scan details. You can do this by going to 'Start' > 'Run' and typing in "eventvwr" (without the quotes, my precious sheeps) in the text field and hitting [ENTER]/clicking 'OK'.
A nifty little Event Viewer window should pop up. Select the 'Application' choice in the left pane and you should see a list (as short as it may be) of application logs. The one you want should show 'Winlogon' under the source column at the date and time the autochk scan happened. (Choose the right one. There may be multiple 'Winlogon' entries, but only one should be at the exact time the scan happened.)
Double-click the entry and copy all the text under 'Description:' to Notepad (just type in "notepad" minus quotes in 'Start' > 'Run' like you did for the Event Viewer and hit [Ctrl][V] to paste it in.) From here, either print out the text or save it to a drive THAT DOES NOT CONTAIN THE MISSING DATA (both are recommended). This could be a jumper drive, a floppy disk (if you still use those), or another hard drive.
What?! The entry's not in the event log you say? No worries. You probably cancelled the autochk scan or it ended prematurely. Just find C:\bootex.log and follow the same copy'n'paste steps above. (It may be easier to open it by entering "notepad C:\bootex.log" in the 'Start' > 'Run' text field -- you should be used to no quotes by now.)
Phew! Got that done. It's almost over, right? No way. Now you have to begin the tedious process of data recovery. The text you just saved/printed is a log of all the outputs of autochk, including the paths to the folders that were converted into your happy 32 kB files. The next step is to find a program that can read the hex dump of an entire drive. (Don't worry if you don't know what that means. Just follow along.)
I recommend HxD (http://mh-nexus.de/en/hxd/). It's simple, it's lite, and it has everything we'll need for this little adventure. It's the one I use, so it's the one I'll use for the remainder of this tutorial. Download HxD (again, to a drive that doesn't contain the data you wish to recover) and install it (ditto). If the data you lost was on your primary (C:) drive, you may consider installing it on a mobile flash drive. The installation only takes up about 2.3 MB, so it'll easily fit on most mobile media. Make sure you don't create Start Program or Desktop icons while installing if this applies to you.
Now you're ready to begin. Start the program HxD and open a hex dump of the drive you wish to recover. (If this is your iPod, make sure it's hooked up.) Go to 'Extras' and 'Open disk...'. Choose the drive that the lost data's on. Now STOP! Before you click 'OK', make sure you uncheck the box next to 'Open as Readonly' and then click 'OK'. If you already went ahead and didn't read that part, no worries. Just close the current hex dump ([CTRL][F4]) and do it again, this time unchecking.
NOW, A WARNING TO HEX DUMP BEGINNERS! The following steps will require editing the contents of your hard drive byte-by-byte. ANY ACCIDENTAL OR UNINSTRUCTED CHANGES YOU MAKE TO YOUR HARD DRIVE COULD MESS UP OTHER DATA THAT'S STORED ON IT, NOT TO MENTION POSSIBLY MAKE WINDOWS UNUSABLE. If you are not comfortable doing this, I would recommend that you stop here and ask someone with more experience for help. This is some dangerous work, and if you do it incorrectly, you could damage the directory structure of your hard drive or other data. I urge you to be cautious as we proceed.
What you now see staring at your face (after you carefully read and acknowledge the warning message) is the hex dump of your hard drive. Basically, it's all the data on your hard drive written out byte-by-byte and "line-by-line" in hexadecimal format. But don't fret. You won't have to learn how to analyze complex base-16 algorithms or multiply CAFE by CAFE in order to use this. All you have to pay attention to is the column of hexa-numbers under '0B' indicated in blue in the top row.
Now comes the tedious part. Go to 'Start' > 'Run' again and type in "cmd". (If you entered the quotes, I'll come over and bite your hair off!) MAKE SURE you use CMD. Do not use the COMMAND console, as it will give different outputs for the commands we will be using.
In the command console, type in the letter of the drive containing lovely Neil Diamond (or your lost data, whichever you prefer) followed by a colon. So, if your lost data is on your 'D' drive, for example, type in "D:". (Watch out. The quote gnats are out to get you!) Then, to be on the safe side, type in "cd\" and hit [ENTER]. This should take you to the drive's root directory.
Now open up the autochk log you saved earlier. If you didn't save it in a place where you'd remember or forgot what you called it, boink yourself on the back of the head for me. You should have given it a simple name and put it in a safe place. Once you find it, you should easily be able to open it up in Notepad.
Now you have two options. If you're a computing guru, you can make a batch file to print out the directory output of each of the parent paths of the folders led by "Unrecoverable error in folder " to another file, or you could follow along in what may be the coffee-sipping up-all-night way if you have a large hard drive. (If enough people request it, I'll show you how to make the batch file.)
Anyway, since I'm assuming most of you aren't computer Jedis (as you probably gathered), let's pour ourselves a fat vat of coffee. First, take a good, hard look at the log entries in the text file. Right next to each line reading "Unrecoverable error in folder " should be the full path of the folder that was converted into a file minus the drive letter. This is all the information you'll be needing. You can delete or ignore everything else.
Now, go to the CMD console and type in "dir /x" (swoop one for the quote gnats!) followed by the path of the missing directory as listed in your log file minus the affected folder ("My Music\" without "My Awesome Neil Diamond Collection", for example). (Note: If your folders were located directly in the root directory--i.e., were directly on the hard drive--just typing in "dir /x" should do the trick.) Despite your mysterious quote inhibitions, you should probably type this path between a set of quotes, BUT ONLY THE PATH. "dir /x" should remain safely unquoted.
(Another way to do this, if you're smart or lazy, is to type in the full path of the directory as printed in the log file followed by a backslash and two dots, no spaces. Ex: dir /x "\My Music\My Awesome Neil Diamond Collection\.." )
This should print out the directory information for the folder containing your 32 kB folder file, including the 8dot3 short name of the 32 kB file if it has one (fifth column, right after the number 32,768), which we'll need in a bit. Copy down this 8dot3 short name, in ink or digital, for all the folders that have been converted to 32 kB files in that directory. Include all the characters that appear before the long filename of the folder. (For example, for a folder file called "My Folder File", the 8dot3 short name should be something like "MYFOLD~1" followed by "My Folder File". Copy down the "MYFOLD~1".*) Then, move on to the next path listed in the log and continue for all paths following "Unrecoverable error... yada yada". Be patient. If this happened on a large drive, chances are there'll be a lot of these recoverable "unrecoverable errors".
(*Note: If the folder long name has a dot in it, such as "Folders.Rock", the short name should show up as "FOLDERS ROC" or so. That's fine. Just copy down each segment as if they were in a different column. If the folder had more than one dot in the name, such as "Folders.Is.Are.The.Rock", the 8dot3 short name would still look something like "FOLDERS ROC." More on this below.)
Huh? Oh. Done already? That wasn't so bad, was it? Now it's time for the actual recovery part of this tutorial. But first, a quick lesson on the FAT32 file system!
I know. I know. Some of you (the lazy ones) are probably wondering why you'll need to know jack about FAT32. Well, you'll need to, buddy! Just trust me.
Unlike what conventional wisdom would tell you, FAT32 is not the size of your last outfit. It is actually the format in which data is stored on your hard drive. If you're even reading this post, chances are that the data you lost was on a drive formatted in FAT32. You can check this by going to 'My Computer', right-clicking the drive's icon, selecting 'Properties', and looking next to 'File system:'. Convinced? Good.
FAT32 is actually an older filing system created back in the Windows 98 days. Not surprisingly, Windows XP actually prefers the much newer NTFS filing system and oftentimes messes up bigtime when dealing with FAT32. If you're not dual-booting your PC with an older operating system, you might want to consider converting all of your internal hard drives to NTFS.
That aside, FAT32 basically treats folders as files that point to more folders and files (kind of like the DMV). Each folder entry on the hard drive has a list of the names of all the files and folders, as well as their attributes, their size, and their memory location on the hard drive. In fact, the only thing that differentiates a folder from a file is a little data entry located at memory address 'XXXXXXXXXx0B'. Does this look familiar? It should. Remember the column I told you we'll need to focus on in HxD? Column '0B'? I'll explain more along the way. For now, I think we're ready.
This is where all the work you've done begins to pay off. Switch back to the HxD application, which should still be open in the background. Go to 'Search' > 'Find' in the program menubar (or simply hit [CTRL][F]). Under 'Search for:', type in the first 8dot3 short filename entry you wrote down in ALL CAPITAL LETTERS. The entry should contain no spaces. (If the folder filename had any dots in it, this may not be true for you--read the note above. If so, skip the next two sentences.) If it has any spaces, you messed up. Go back and read this post again carefully. The 8dot3 filename should have a maximum of eight characters with three optional extension characters (those appearing after a dot). (You won't have to worry about the extension characters unless you had a folder name with a dot in it. If this is the case, the FIRST THREE characters after the LAST DOT should make up the filename extension. Keep this in mind.) All the characters should be either letters, underscores, tildes (~), or numbers. No other characters should be present. If there are, you messed up! Go back and re-read.
Once you type in the 8dot3 filename (without the extension), you should hit the spacebar until there are eight characters total in the box. If extension characters were present, type them in now (only the first three, remember). If there were no extension characters, just hit the spacebar three more times. There should now be eleven characters in the text box (count 'em to make sure!): The 8dot3 characters and, most likely, a bunch of spaces. For the other options in the dialog, check the 'Case sensitive' box and select "All" under 'Search direction'. Finally, in the 'Datatype:' text field, make sure "Text-string" is selected.
Now we're ready. Click 'OK' to begin the search.
Now the waiting game begins. Go on, take a break. This may take a while.
Eventually, if you've done everything right, you should get a result. There should be two areas in the HxD data pane that are highlighted: A set of byte entries in the central hexadecimal data column and the corresponding ASCII characters in the rightmost text column. However, depending on the uniqueness of the file folder name, this may or may not be the hit you want. Check and make sure that the entire result is all on the same row and starts in the '00' hexadecimal column and ends before the familiar '0B' column. If not, hit [F3] to continue the search.
If your result does adhere to these criteria, then this may well be the entry you're looking for. Look around the area that is highlighted (above and below). You should see some familiar file and folder entries that correspond to those in the same folder that your little 32 kB file folder is located within, including some that you may have deleted. (It may help to keep your 32 kB file's parent folder open during this process.) If you don't see anything familiar, this may not be the right entry, but keep reading.
This is where your knowledge of FAT32 begins to come in handy. In the same row as the highlighted result in the hexadecimal section should be the file attribute entry under '0B'. Check and see what the data entry is under that column. If it is "10", "20", or some other value where the first digit is NOT "0", it's not the value you're looking for. Keep searching. HOWEVER, if the value is "00" or some other value beginning with "0", then EUREKA!! You've probably found it! Now here comes the dangerous drive editing part. MAKE SURE YOU DO THIS IN COLUMN '0B' IN THE SAME ROW AS THE RESULT. Click right before the first "0" in "00" and hit . This should change the value from "00" to "10" (or "1"-whatever) written in red. Continue for all folders that were affected that were located in that same parent directory. Their entries should be close above or below your result. (Remember, 8dot3 entries only.) Conducting another search for them will take just as long as this one, so it's best to save time this way.
Now, before you save (no, the changes have not been made to your drive yet), you may wish to write down the Sector number indicated in the text box at the top of the HxD screen (right below the menubar) in case you've made a mistake. That way, you can always come back and change the value back to "00" later on. But chances are you've found the right data entry, especially if you found other entries there. Go to 'File' and hit 'Save' before you continue.
Okay, now here's where all your hard work should begin to show results. Open the folder that contained your file folder atrocities if it's not already open and see if those howling little 32 kB files have been turned back into folders. (You may have to hit [F5] to refresh the folder data.) If so, then YAAAY!!!! You've done everything right! Go into your now-reclaimed folders to make sure all your files are there. (If the files that should have changed back are still files, the search result you received was probably wrong. Go and change back the data you changed and continue the search.) If no data was written to your hard drive since the files disappeared, all your files and folders in the folder should be there unharmed. However, if for some sad reason data was written, your files and folders may be corrupt. Check them to make sure.
If all is good (or even if it isn't), continue on with the rest of the folders on the list. Just follow the steps above. All your lost files should be back in no time! (If none of this is working for you, feel free to contact me by replying below. I should be checking this thread for several days/weeks after this post.)
Done? See, that wasn't so bad. Now, before you go to sleep, there is one more thing you should do. Because Windows XP converted these folders to files once, chances are it'll do it again. So, BACK UP YOUR FILES!! I can't stress that enough. Watch, one more time. BACK UP YOUR FILES!! It is more than likely that autochk did detect some error in that folder which, due to its poor diagnostic capabilities, enticed it to turn it into a file. Converting it back into a folder with HxD probably didn't fix the problem. If your computer crashes before you get a chance to back up your files, CANCEL AUTOCHK AT STARTUP!! Then, back up, delete, and copy all your important files back to the drive. And keep your backups. Important files always deserve a backup.
Okay, that's it. I hope this helped you. Please post comments below, and if it didn't help, hate mail is welcome, too. (Just don't expect a response.) Also, if you can think of anything else I should add to this, please let me know.
If you want to learn more about FAT32 and become a computer wiz like my 6-year-old nephew,
I recommend reading the description at
and the File Allocation Table Wikipedia entry (
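
The search-and-check steps from the tutorial can be rehearsed on a copy of the data before anything is edited. The following is an added example, not part of the original post: a read-only Python sketch that pads an 8dot3 name to its 11-byte on-disk form, keeps only matches that sit on a 32-byte directory-entry boundary, and reports the '0B' attribute byte. The function names, the 512-byte sector size and the sample image are assumptions constructed for illustration.

```python
import struct

ENTRY_SIZE = 32        # a FAT directory entry is 32 bytes long
ATTR_OFFSET = 0x0B     # the '0B' column the tutorial tells you to watch
ATTR_DIRECTORY = 0x10  # attribute bit that marks an entry as a folder
SIZE_OFFSET = 0x1C     # 4-byte little-endian file size
SECTOR_SIZE = 512      # assumption: used only to report a sector number

def pad_short_name(short_name):
    """Turn 'MYFOLD~1' or 'FOLDERS ROC' into the 11-byte on-disk form."""
    parts = short_name.upper().replace(".", " ").split() + ["", ""]
    base, ext = parts[0], parts[1]
    if not base or len(parts) > 4 or len(base) > 8 or len(ext) > 3:
        raise ValueError("not an 8dot3 name: %r" % short_name)
    return (base.ljust(8) + ext.ljust(3)).encode("ascii")

def find_candidates(image, short_name):
    """Yield one report per aligned directory entry carrying this name."""
    needle = pad_short_name(short_name)
    pos = image.find(needle)
    while pos != -1:
        # Hits inside file contents rarely land on an entry boundary.
        if pos % ENTRY_SIZE == 0 and pos + ENTRY_SIZE <= len(image):
            attr = image[pos + ATTR_OFFSET]
            size = struct.unpack_from("<I", image, pos + SIZE_OFFSET)[0]
            yield {
                "offset": pos,
                "sector": pos // SECTOR_SIZE,
                "attr": attr,
                "size": size,
                # the tutorial's test: first hex digit of the byte is 0
                "looks_converted": attr & 0xF0 == 0,
                "attr_if_restored": attr | ATTR_DIRECTORY,
            }
        pos = image.find(needle, pos + 1)

def make_entry(name11, attr, size):
    """Constructed 32-byte entry; timestamps and cluster fields left zero."""
    return name11 + bytes([attr]) + bytes(16) + struct.pack("<I", size)

# Constructed sample: one intact folder, one folder that was turned into a
# 32,768-byte file, and the same name appearing as stray text in file data.
SAMPLE_IMAGE = (
    bytes(1024)
    + make_entry(pad_short_name("MYMUSIC"), 0x10, 0)
    + make_entry(pad_short_name("MYFOLD~1"), 0x00, 32768)
    + bytes(448)
    + b"xxxMYFOLD~1   stray text inside a file"
)

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_IMAGE, "MYFOLD~1"):
        print("offset 0x%(offset)X sector %(sector)d attr %(attr)02X "
              "size %(size)d converted=%(looks_converted)s" % hit)
```

To use it on real data, read an image file of the drive opened in `"rb"` mode and pass the bytes to `find_candidates`; the script never writes anything.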