Re: Counterfeit disk showing up in Explorer
- From: John Hensley
- Date: Tue, 22 May 2007 20:51:57 -0400
John,
I've attached the files you asked to see. It appears as though Drive
0 and Drive 1 are exactly the same. I selected them separately in
DskProbe/Physical Drive but they seem to output the same data.
Not sure why they did that.
I'm not sure what drive 2 is but it might be my USB external drive.
Thanks for your interest.
Fred
Fred,
It's natural for the master boot record on hard drives to appear
nearly identical. The bytes between offset 0x1b5 and 0x1fe are the
only thing unique because these contain the unique disk signature,
checksum and the partition table entries. The rest of it is boot loader
code. If you look at the bytes between offset 0x1b5 and 0x1fe you
will see they are not actually the same in Disk0.dsk and Disk1.dsk.
The primary partition table in Drive2.dsk contains a tiny hidden
partition. The disk signature and partition offset specified in the
MountedDevices key for drive K: match this hidden partition exactly.
Drive J: in the MountedDevices key matches partition 1 on this drive.
This is what the 2 partition table entries on this drive contain:
Partition 1
238,472 MB
Type 0x7 NTFS
Starting sector 63
Total sectors 488392002
Partition 2
0 MB
Type 0x14 Hidden DOS FAT-16
Starting sector 488392065
Total sectors 0
To get rid of the bogus drive K: you need to use DiskProbe to zero out
the bytes starting at offset 0x1d0 so that the values C1 FF 0E FE FF
FF 81 45 1C 1D are replaced with zeros. You should also delete the
drive K: entry in the MountedDevices key. If you make a mistake you
can always restore this sector from the file Drive2.dsk.
The information in drive0.dsk shows that you partitioned the drive
with a primary NTFS partition which matches drive F: in the
MountedDevices key and a second extended partition which I assume
encapsulates drive G: because the starting offset specified in the
MountedDevices key for drive G: is located near the beginning of the
extended partition. An extended partition is basically a linked list
of partition tables with each partition table containing one entry
specifying the location and size of the current partition and a second
entry that specifies the location of the sector containing the next
partition table.
Partition 1 - 49,994 MB Type 0x07 NTFS
Partition 2
188,473 MB
Type 0x0f Extended LBA
Starting sector 82124280
Total sectors 152312265
This disk signature and starting offset specified in the
MountedDevices key for drive I: show that it must be a hidden
partition located on this drive starting at sector 234436545.
Partition 2 starts at sector 82124280 and contains 152312265 sectors
meaning that partition 2 ends at sector 82124280 + 152312265 =
234436545 so the hidden partition starts immediately after the
extended partition area.
To get rid of drive I: you will need to manually walk the linked list
in the extended partition until you locate the bogus partition entry
and then delete the entry in the previous link that points to it. If
you are up for that I can probably give you instructions on how to do
it.
Now the question is what created these bogus partition entries?
John Hensley
www.resqware.com
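
Added example (not part of the original post): a Python sketch that parses a 512-byte MBR sector dump such as the Drive2.dsk file discussed above, lists the primary partition entries, flags zero-length ones, and computes the 12-byte signature-plus-byte-offset value to compare against a MountedDevices entry. The sample sector is constructed from the partition values quoted in the post; the disk signature, the zeroed CHS bytes, the 512-byte sector size and all function names are assumptions.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def parse_mbr(sector: bytes):
    """Return (disk_signature, entries) from a 512-byte MBR sector dump."""
    if len(sector) != SECTOR or sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR sector ending in 55 AA")
    signature = sector[0x1B8:0x1BC]          # 4-byte NT disk signature
    entries = []
    for i in range(4):                       # four 16-byte slots from 0x1BE
        off = 0x1BE + 16 * i
        raw = sector[off:off + 16]
        if raw == bytes(16):
            continue                         # unused slot
        start, total = struct.unpack_from("<II", raw, 8)
        entries.append({"slot": i + 1, "offset": off, "type": raw[4],
                        "start": start, "total": total})
    return signature, entries

def mounted_devices_value(signature: bytes, start_sector: int) -> bytes:
    """Disk signature followed by the partition's 64-bit byte offset."""
    return signature + struct.pack("<Q", start_sector * SECTOR)

def suspicious(entries):
    """Flag zero-length entries and entries that start inside another one."""
    findings = []
    for e in entries:
        if e["total"] == 0:
            findings.append((e["slot"], "zero-length"))
        for o in entries:
            if o is not e and o["total"] and o["start"] <= e["start"] < o["start"] + o["total"]:
                findings.append((e["slot"], f"starts inside slot {o['slot']}"))
    return findings

def build_sample() -> bytes:
    """Constructed sector using the two Drive2.dsk entries quoted in the post."""
    s = bytearray(SECTOR)
    s[0x1B8:0x1BC] = bytes.fromhex("44332211")  # constructed disk signature
    # Fields: boot flag, CHS start (zeroed), type, CHS end (zeroed), LBA start, sectors
    s[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0, bytes(3), 0x07, bytes(3), 63, 488392002)
    s[0x1CE:0x1DE] = struct.pack("<B3sB3sII", 0, bytes(3), 0x14, bytes(3), 488392065, 0)
    s[0x1FE:0x200] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    sig, parts = parse_mbr(build_sample())
    for p in parts:
        print(p, mounted_devices_value(sig, p["start"]).hex(" "))
    print("findings:", suspicious(parts))
```

To use it on a real dump, read the first 512 bytes of the saved sector file and pass them to `parse_mbr` instead of `build_sample()`.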