Search and Rescue

Although everyone does it sooner or later, accidentally deleting a file is one of the worst things you can do. Recently, I closed a long Microsoft Word document before I had saved the file, and the work I had performed on the file seemed to disappear. However, the text that I had spent 2 hours typing wasn't lost. I used a few handy tools to search for and retrieve the data.

The process took a long time; I labored for 4 hours to recover 2 hours' worth of work. I spent that much time because I planned to write about the experience for the benefit of other people who also accidentally delete files—and also because I liked the words I had written in the document that I inadvertently deleted. I could have written an acceptable replacement document in 2 hours, but the replacement wouldn't have been the same as the document that I generated the first time.

When Data Disappears
Some administrators have no sympathy for users who accidentally delete important files, and they certainly wouldn't want to spend time trying to recover lost data. However, regardless of your feelings about users who lose data, someday you might need to recover lost information.

For example, several years ago, I worked in an office in which we ran a Novell NetWare server beside a Windows NT Server system. The NetWare server was our inhouse LAN server, and the NT server was an experimental setup. Because the NetWare server was low on disk space, we made the NT server available to users at their own risk.

One user put irreplaceable files on the NT machine, accidentally deleted them, then asked me how to recover them. I couldn't refuse to help the user—he was my boss.

First Steps
When you need to recover a document that someone has accidentally deleted, try a couple of simple solutions before you resort to the complicated procedure that took me 4 hours to complete. Minimize the applications that your machine is running, then double-click the Recycle Bin on the desktop. A list of recently deleted files will appear, as Figure 1, page 162, shows. Click any file to display its Original Location and Date Deleted. If the file you need is in the Recycle Bin, you simply click Restore in the lower-left corner of the Recycle Bin window to recover the file.

Unfortunately, if the user deleted the file from a command prompt or used a delete function from within a program other than Windows Explorer, the file won't be in the Recycle Bin. To recover the file, you can use Executive Software's Undelete 2.0 for Windows NT/2000. (Download a free 30-day trial version of the program from http://www.execsoft .com/downloads/downloads.asp.) This program exploits the mechanism that Windows 2000 (and most other OSs) use to carry out a delete command. The OS doesn't actually erase a deleted file. Instead, the OS renames the file by replacing the first letter of the filename with a tilde (~), then marks the file as hidden. The OS doesn't alter the disk sectors that the file occupies until the OS needs more space to write files. Thus, if you use Undelete immediately after the user accidentally deletes a file, you have a good chance of recovering the lost file before the OS overwrites the disk space that the file occupies. Undelete looks for hidden files that have a tilde as the first letter, then presents you with a list of recently deleted files and asks you whether you think one of them is the file you're looking for. If you think one of them is the file you need, select the file, then Undelete asks for the correct first letter, replaces the tilde with it, removes the hidden file attribute, and recovers your file.

The full version of Undelete patches your OS so that files you delete from the command line automatically copy to a backup directory that works just like the desktop's Recycle Bin. This feature simplifies recovering a deleted file—you simply check the directory to see whether the file is there. This feature is especially valuable on servers, which quickly reuse disk sectors that deleted files occupy.

The 4-Hour Solution
In some cases, such as when I deleted my Word file, neither the Recycle Bin nor Undelete are much help. I hadn't saved the file, so the system never saved a copy of the file that the Recycle Bin or Undelete could help recover. But data from the file still existed on the hard disk.

Many programs (e.g., Word 97) use temporary files to store work in progress. When only those temporary files exist, a search-and-recover procedure might have trouble finding the data. That's when you need DiskProbe, which is part of Windows 2000 Support Tools. To find and recover a file, use the following procedure:

Step 1. To install DiskProbe, run setup.exe. (You can find setup.exe in the \Support\Tools directory of your Win2K Pro CD-ROM and on the Microsoft Windows 2000 Resource Kit CD-ROM.) If possible, run setup.exe before you need to use DiskProbe. If you don't install DiskProbe until you need it, your DiskProbe installation might overwrite the data you're trying to recover.

Step 2. Select Start, Programs, Windows 2000 Support Tools, Tools, DiskProbe. On DiskProbe's Drives menu, select Logical Volume, which displays the Open Logical Volume dialog box.

Step 3. On the list of Logical Volumes at the top of the dialog box, double-click the volume that you want to search, then click Set Active for Handle 0 (below the list of volumes). The Active Handle label below the list of volumes will change to match the volume you double-clicked. Click OK.

Step 4. On DiskProbe's Tools menu, select Search Sectors, which opens the Search Sectors dialog box that Figure 2 shows. Select the Exhaustive search option, which will search the entire volume, and the Ignore case option, which sets DiskProbe to find text regardless of capitalization. Type the text you want to find into the Enter characters to search for field at the bottom of the dialog box. Click Search, then wait while DiskProbe looks for the text.

Step 5. If DiskProbe finds the requested text, a dialog box appears that says Found match in sector \[number\], Press Yes to Continue Search. Click No, and DiskProbe will display the sector in which it found the text. Look at this data to see whether the data is part of the file you're looking for. If the data is what you're looking for, select Volume Information from DiskProbe's Drives menu and note the Sector Size value. Then, select Read from DiskProbe's Sectors menu. In the resulting Read Sectors dialog box, the starting sector is the sector in which DiskProbe found the search text. To calculate the number of sectors you need to read to capture the complete file, estimate the file size in bytes and divide by the sector size (e.g., if the file is 10KB and the sector is 512 bytes, you would need to read 20 sectors). When you've entered the number of sectors in the appropriate field of the dialog box, click Read.

Step 6. To browse the sectors you just read, use the VCR-style icons in DiskProbe's toolbar. Make sure your sector selection includes the complete file you're looking for. (If you find only part of the file, you can read more sectors: Start in the same sector as in Step 5, but type in a larger number of sectors to read.) When you've found as much of the file as you can, go to DiskProbe's File menu and select Save As. Then, type a pathname for the location where you want DiskProbe to save the data. If Win2K hasn't allocated any of the file's disk space for use by other files, you can open the file by using the program that originally created it (in my example, Word). If the file won't open in the program you used to create it, try opening it in Notepad. Delete the junk characters that you might find at the file's end, then try saving the file again.

Step 7. If you don't find the data you're looking for on the first try, don't get discouraged. Continue searching sector by sector. If you find a lot of matches that aren't the files you need (e.g., my first search was for the text Microsoft, which DiskProbe found all over both hard disks), you might try searching for a more unique term.

If you frequently need to search for and recover lost files on your hard disk, consider using's Diskview, which is part of the company's Extreme Power Tools 2001. Diskview has a simpler user interface (UI) and is significantly faster than DiskProbe. Extreme Power Tools 2001 costs $44.95 and includes more than 100 utility applications, but Diskview alone is worth this price if you regularly need to recover accidentally deleted files.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.