Question
Friday, January 24, 2020 3:14 PM
Hi,
I have a machine with damaged Windows 10 partition. At startup it reports:
Your PC/Device needs to be repaired
The boot configuration data file doesn't contain valid information for an operating system
File: \BCD
Error code: 0xc0000098
Unfortunately, it is also encrypted with Bitlocker. I have the recovery key, but it says "Failed to unlock with this recovery key", most likely because the Windows partition is wrecked. The only possible choice is "Skip this drive".
I know little of Bitlocker inner workings.
I suppose that I cannot repair the volume, if I cannot unlock it.
But it seems I cannot unlock it, if I don't repair it first.
Can I try anything else, in addition to what is listed below?
Or is it better to resort to a specialized data recovery company?
===================================
From the recovery console command line, I tried manage-bde -unlock C: -rk [RECOVERY-KEY], but it reports:
ERROR: An error occurred (code 0x80070057):
The parameter is incorrect.
===================================
manage-bde -status can see only the Windows recovery pen drive:
X:\windows\system32>manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume D: [RECOVERY]
[Data Volume]
Size: 28.88 GB
BitLocker Version: None
Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: None
Automatic Unlock: Disabled
Key Protectors: None Found
===================================
DISKPART can select Disk 0 (though it does not list it) and sees it as RAW filesystem:
DISKPART> select disk 0
Disk 0 is now the selected disk.
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
Disk 1 Online 28 GB 0 B
DISKPART> detail disk
SK hynix PC300 HFS512GD9MND-5510A
Disk ID: {A31DA725-0F45-422C-A655-4CF5DCA66A81}
Type : NVMe
Status : Online
Path : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1D00)#PCI(0000)#NVME(P00T00L00)
Current Read-only State : No
Read-only : No
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No
Volume ### Ltr Label Fs Type Size Status Info
Volume 0 C RAW Partition 475 GB Healthy
Volume 1 RAW Partition 1024 MB Healthy Hidden
DISKPART> list volume
Volume ### Ltr Label Fs Type Size Status Info
Volume 0 C RAW Partition 475 GB Healthy
Volume 1 RAW Partition 1024 MB Healthy Hidden
Volume 2 D RECOVERY FAT32 Removable 28 GB Healthy
=================================
BOOTREC commands /Scanos, /Fixmbr and /Rebuildbcd have no effect:
X:\windows\system32>bootrec /scanos
Scanning all disks for Windows installations.
Please wait, since this may take a while...
Successfully scanned Windows installations.
Total identified Windows installations: 0
The operation completed successfully.
X:\windows\system32>bootrec /fixmbr
Incorrect function.
X:\windows\system32>bootrec /rebuildbcd
Scanning all disks for Windows installations.
Please wait, since this may take a while...
Successfully scanned Windows installations.
Total identified Windows installations: 0
The operation completed successfully.
===============================
Thank you and best regards,
/_uke
All replies (4)
Friday, January 24, 2020 7:03 PM | 1 vote
Bitlocker is working on NTFS partitions,
so when the volume is detected as RAW, the problem is not with Bitlocker: there is simply nothing to decrypt.
And of course you can not repair a boot record when there is nothing to boot from.
The file system is either corrupt, or the volume was deleted, a partition created but not formatted with a file system.
I recommend restoring from a backup
Saturday, January 25, 2020 5:56 PM
The expected output of diskpart when it comes to file systems of a locked bitlocker volume is not "RAW", but "unknown". So it could be a damaged disk, yes.
Nevertheless, I would boot from a current win10 setup stick (1909) and try the same on the command line.
Monday, January 27, 2020 11:06 AM
I tried with a recovery stick created from build 1803, which is the same as the damaged system. Does the latest 1909 offer more chances of success?
Is it possible to use partition repair/recovery tools to try and restore the lost partition without unlocking it, or could that compound the problem?
Since it is a user's PC with personal data, can a professional data recovery company retrieve the data from the damaged partition, provided they have the correct Bitlocker recovery key?
Thank you and best regards,
/_uke
Sunday, February 16, 2020 4:09 PM
Just to update you on the outcome of this, our internal forensic team managed to recover the data.
They used Falcon imaging tool from Logicube to make a physical copy of the disk, then EnCase software to decrypt the partition with its Bitlocker key and repair the file system.
Those are definitely not freeware utilities. I'm wondering if the same result could have been achieved through other tools more easily available to the large public (given that Windows repair tools were completely useless).
Best regards,
/_uke
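An added example, not part of the thread and not any poster's code: diskpart reported the volume as RAW, and on a physical copy of the disk one can check directly whether the first sector of each partition still carries the BitLocker volume signature `-FVE-FS-` before handing the image to a decryption tool. The sketch assumes a GPT-partitioned image with 512-byte sectors; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors in the image

def classify_boot_sector(sec: bytes) -> str:
    """Name what the first sector of a volume looks like."""
    if sec[3:11] == b"-FVE-FS-":
        return "bitlocker"      # BitLocker replaces the NTFS OEM ID with this
    if sec[3:11] == b"NTFS    ":
        return "ntfs"
    if sec[82:90] == b"FAT32   ":
        return "fat32"
    return "zeroed" if not any(sec) else "unrecognized"

def gpt_partitions(img):
    """Yield (name, first_lba, last_lba) for each used GPT entry."""
    img.seek(SECTOR)            # the primary GPT header lives at LBA 1
    hdr = img.read(SECTOR)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        img.seek(entries_lba * SECTOR + i * size)
        ent = img.read(size)
        if any(ent[:16]):       # an all-zero type GUID marks an unused slot
            first, last = struct.unpack_from("<QQ", ent, 32)
            yield ent[56:128].decode("utf-16-le").rstrip("\x00"), first, last

def survey(img):
    # Read-only pass: classify the first sector of every partition.
    out = []
    for name, first, _last in gpt_partitions(img):
        img.seek(first * SECTOR)
        out.append((name, first, classify_boot_sector(img.read(SECTOR))))
    return out

def build_sample_image() -> io.BytesIO:
    """Constructed 64-sector image: one BitLocker-signed partition, one wiped."""
    disk = bytearray(64 * SECTOR)
    disk[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", disk, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    parts = [("Basic data partition", 34, 40), ("Recovery", 41, 50)]
    for slot, (name, first, last) in enumerate(parts):
        off = 2 * SECTOR + slot * 128
        disk[off:off + 16] = b"\x01" * 16                   # placeholder type GUID
        struct.pack_into("<QQ", disk, off + 32, first, last)
        disk[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    disk[34 * SECTOR + 3:34 * SECTOR + 11] = b"-FVE-FS-"
    return io.BytesIO(disk)
```

Run `survey()` on a file object opened read-only over the image copy, never against the original disk.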