WINHEX Using Tutorials

Source: Internet
Author: User

Tags: using file data problem log code AD as time

Winhex has perfect partition management function and file management function, can automatically analyze the partition chain and file cluster chain, can be different ways to backup the hard disk, and even clone the entire hard disk; Binary content of any file type (shown in hexadecimal) its disk editor can edit any sector of a physical or logical disk, and is the preferred tool for manually recovering data.

First of all to install the Winhex, the installation is ready to start the Winhex, after the start, the first appears is the Start Center dialog box.
Here we are going to operate on the disk, select "Open Disk", the "Edit Disk" dialog box appears:
In this dialog, we can choose to open to a single partition, or to the entire hard disk open, HD0 is I am now using the Western Data 40G system disk, HD1 is we want to analyze the hard drive, Maxtor 2G. Here we choose to open HD1 the entire hard drive, and then click OK. And then we saw the entire working interface of Winhex.
The top is the menu bar and the toolbar, the largest window below is the workspace, now see the hard disk of the first sector of the content, with 16 binary display, and the right to display the corresponding ASCII code, the right is the detailed resource panel, divided into five parts: state, capacity, current position, window situation and clipboard conditions. These conditions are very helpful in capturing the entire hard drive. In addition, right-click on it to swap the detailed assets panel with the window, or close the resource panel. (If the resource panel is turned off, it can be opened by the View menu-Display command-detailed resource panel).
The bottom column is useful for ancillary information, such as the number of current sectors/Total sectors ... such as
Pull down the scroll bar, you can see a gray bar, each to a bar for a sector, a sector total of 512 bytes, every two digits of a byte, such as 00.
Let's analyze the MBR as we said earlier, the first 446 bytes is the boot code, it doesn't make sense to us, here we only parse 64 bytes in the partition table.
Partition Table 64 bytes, can describe a total of 4 partition table entries, each partition table entry can describe a primary partition or an extended partition (such as the above partition table, the first partition table entry describes the primary partition of the C disk, the second partition table entry describes the extended partition, the third Fourth partition table entry 0 unused)
Each partition table entry is 16 bytes, each byte meaning is as follows: (h = 16 binary)
Byte position content and meaning
The 1th byte boot flag. A value of 80H indicates the active partition, and a value of 00H indicates an inactive partition.
2nd, 3, 4 bytes starting magnetic number, sector area code, cylinder number for this sub-region
5th byte partition type character:
00h--indicates that the partition is not in use
06h--fat16 Basic Partitions
0bh--fat32 Basic Partitions
05h--Extended Partition
07H--NTFS partition
0fh--(LBA mode) extended partition
83h--linux partition
6th, 7, 8 bytes End of this sub-region number one, sector area code, cylinder number
9th, 10, 11, 12 bytes The number of sectors that have been used before this partition
13th, 14, 15, 16 bytes Total sectors in sub-region
The First partition table (or MBR) of this hard disk is analyzed as follows:
First Partition table entry (C-drive)
1th Byte 80: Indicates that this partition is an active partition;
5th byte 0 B: Indicates that the partition type is Fat32;
9th, 10, 11, 12 bytes System implied sector 3F 00 00 00: The so-called system implied sector is the number of sectors that were used before the sub-region (c-Drive), which is a hexadecimal number, but note that the true implied number of sectors should be filled in reverse (for example: the number of implied sectors is 3E 4D 5A 6F, The reverse is 6F 5A 4D 3E, which is the actual number of implied sectors. So, 3F 00 00 00 in turn, it's 003F, or 3F, to turn him into a decimal number before we know what the actual number of implied sectors is. This can be calculated using the calculator, click the Calculator button on the toolbar, such as:
This will start the calculator.
There are two models of the calculator, we want to make the conversion, we must choose "Scientific type"
For example, if we want to convert hex 3F to decimal, we need to check "hex" First, then enter 3F
Check "decimal" again, hexadecimal 3F to decimal equals 63. Think of what we said earlier, MBR occupies 63 sectors, that is, the number of sectors used before the C drive is 63, the 64th sector is the first sector of the C drive, but note that the entire hard disk's LBA address is zero-based, 0~62 sector is MBR.
13th, 14, 15, 16 bytes Total sectors of the subregion (of course, this is the size of the C-drive): C1 E6 15 00, also, the actual hexadecimal number must be reversed, that is, the E6 C1, convert it to hexadecimal number is 1435329. I'll give you a question, do you know which sector the EBR of D-Disk is in? Let's count it together, remember that table in the data structure above? is the D-disk EBR behind the C-drive? The size of the first sector of the D-disk EBR =mbr+c disk, which is 63+1435329=1435392.
Let's see if it's right. Click the go to Sector button on the toolbar and a go to Sector dialog box appears
Then enter 1435392, then click "OK" and it's 1435392 sectors (you can use it to go back to the 0 sectors)
This is the D-disk EBR, that is, the partition table of the D-disk, how to know it? Because the MBR and EBR structure is exactly the same, all occupy 63 sectors, but only the first sector, the remaining 62 sectors filled 0. The first sector 446 bytes are the boot code, the last 64 bytes are the partitioned table, and the final 2 bytes are the 55AA end flag. Because EBR is not an active partition, the boot code is not required, so the first 446 bytes are zero.
There is another way to directly find the EBR of the D-Drive, click on the "Access" drop-down button-"Partition two"-"Partition Table", directly to 1435392 sectors.
In this way, the first partition table entry in the partition table has a total of 16 bytes, so let's take a look at the second partition table entry (extended partition).
1th byte 00: Represents an inactive partition
5th byte 05: Indicates an extended partition
9th, 10, 11, 12 bytes E7 15 00: The number of sectors before this partition (the extended partition is the MBR and the C drive, as if we had counted this number before?). Again, it turns out that the E7 00, and then the decimal is 1435392, it seems that we actually counted this number before.
13th, 14, 15, 16 bytes 40 09 29 00: The total number of sectors in this partition. That is, the total number of sectors of the extended partition. The transition to decimal should be 2689344. Think, with this number plus the previous 1435392, is not exactly the total number of sectors of the entire hard disk 4124736?
So, if the partition table is destroyed, we just have to calculate these values and fill in, the partition table will not be restored? So, why don't we analyze the 2nd, 3, 4 bytes (the first magnetic number, the sector area code, the cylinder number) and the 6th, 7, 8 bytes (the end of this partition number, sector area code, cylinder number)? This is because the c/h/s (cylinder/head/sector) is the address of the old hard drive, which is inefficient to manage the hard drive, and now almost all of the hard drives support LBA (the full name of Logic block address, which is the logical blocks of the sector) addressing mode, which is simple and efficient management method. In LBA mode, all physical sectors are numbered uniformly, arranged from zero to a maximum value, so that only one ordinal is used to determine a unique physical sector.
Tip: How many LBA (sectors) of a particular hard disk do not need us to remember, because with various tools software (such as MHDD winhex, etc.) can be detected. We just need to know a general: such as 10G hard disk has about 20 million sectors, 20G hard disk has about 40 million sectors, 40G hard disk about 80 million sectors ... Then, the 2G HDD has about 4 million sectors.
Well, you may have to ask: if you want to restore the partition table, this starting magnetic number, the sector area code, the cylinder number and the end of the magnetic number one, the sector area code, cylinder number should be how to fill it? It's very simple, I'll tell you when I restore the partition table back, and I'll just fill it out.
Are you interested in analyzing the EBR of D-disk?
In fact, D-Disk EBR and E-EBR We do not analyze, because nothing but also the partition table, and the structure of the MBR is the same, but it is easy to pass us around Halo, and because EBR is generally not easy to be destroyed, so I do not recommend analysis EBR.
But if you must analyze it, then analyze it.
Click the "Access" drop-down button--"Partition Two"-"Partition Table", directly to 1435392 sectors, that is, the partition table EBR D disk.
First Partition table entry (D-disk):
1th byte 00: Represents an inactive partition
5th Byte 06: Represents a FAT16 partition
9th, 10, 11, 12 bytes 3F 00 00 00: The number of sectors that were used before this partition, that is, the number of EBR, 63.
13th, 14, 15, 16 bytes C1 E6 15 00: The total number of sectors of the partition, that is, the number of Sectors D disk, the first in turn is the E6 C1, to decimal is 1435329.
Second Partition table entry (after the D drive):
1th byte 00: Represents an inactive partition
5th byte 05: Indicates an extended partition
9th, 10, 11, 12 bytes E7 15 00: The number of sectors that have been used before this partition, that is, the EBR of the D drive plus the total size of the D drive, 63+1435329=1435392
13th, 14, 15, 16 bytes 40 22 13 00: The total number of sectors in this partition, 1253952, which is the size of the E-drive plus the number of a EBR.
Click the "Access" drop-down button--"Partition three"--"partition table", directly to 2870784 sectors, E
Partition table EBR of the disk. Because there is no partition behind the E drive, there is no second partition table entry. Here we will no longer study, if you are interested, you can spare a hard disk for the slave disk, and then partition their own research and research.
Through the above research, we summarize that the MBR defines the partition when the extra capacity is defined as an extended partition, specifying the start and end position of the extended partition, pointing to a sector of the hard disk according to the starting position, as the next partition table entry, and then in the sector to continue to define the partition, if there is only one partition, define the partition, then end; If more than one partition, define a basic partition and an extended partition, the extended partition then points to the next partition description sector, on that partition continues to define the partition according to the above principle until the partition definition ends. The sectors used to describe the partitions form a "partition chain" that can describe all the partitions through this partition chain. The system finds the partition at startup by the connection order of the partition chain until all partitions are found. This chain is obviously an open chain structure, if a ring is formed, the system itself does not judge it, it just follows the chain faithful lookup partition, without any additional detection and processing. The so-called hard disk logical lock, is to let the partition chain to form a ring, so that the system in the boot on the partition table in the loop, the performance of the system can not boot, is from the floppy disk boot, and can not enter the hard disk. Understand the structure of the principle, to solve the problem is simple, there are many ways to solve the problem, we will talk about later. The system uses this method to make a hard disk partition look like multiple hard disks. The only way the system can find a logical disk other than the C drive is to find the partition along the partition chain described by EBR.
In fact, usually EBR is not destroyed, or the probability of destruction is very low, usually only MBR is destroyed, then in this case, we just have to restore the MBR partition Table 64 bytes, the other partitions along the partition table provided by the chain is naturally out. So, how can you restore a partitioned table? This is achieved by computing a combination of Winhex powerful features.
Below we will imitate the partition table by the virus destruction situation, the MBR all zeros. We will first select the sector where the MBR resides. Point to the first byte, right-click, select "Start with block"
Then point to the last byte of the MBR, right-click, select end of block
Then we right-click inside the selection and choose Edit
So there's a menu.
Then we select "Fill the block" so that it comes out with a Fill selection dialog box
Enter "00" in the "Hex Fill" input box, then click "OK"
So that the MBR sector is all filled with us as "00"
If you want to cancel the selection, then drag the mouse to select an area, then the original selection will be canceled. Note that if the sector data is modified and no disk is saved, it becomes a different color.
Changes the sector, this time has not been saved, if you want to save the disk, choose the "File" menu "Saving Sector" command.
This time there will be a hint, if you do not want to save the point to cancel, if you want to save, click OK, then point is.
OK, this will be saved, and the changed data in the sector becomes black.
So we have to delete the partition table, this time must be restarted to take effect, if you open My computer, you will find three partitions (F, G, H) is still there, and the data inside the normal use.
Now, we turn off all programs to restart the computer ...
After a long wait, the computer started up, we opened my computer to see, found F, G, h three partitions disappeared.
Again open Winhex found MBR all zero, and below we started to manually restore the partition table
First restore the boot code, this is the simplest, as long as the Winhex to another system disk to copy the boot code to the line. I don't have two hard drives hanging on my machine now? A Maxtor 2G, a West number 40G, the West number 40G is my system disk, then copies from this disk on the line.
Click the Disk Editor button
The Edit Disk dialog box appears
Select "HD0 WDC wd400eb-00cpf0", click "OK"
So we have the system disk partition table to open, notice, now we open two windows, the current window is "hard Disk 0", in the title bar is displayed. In addition, open the Window menu can be seen, the current window is ticked, if you want to switch back to the original window, click on "Hard Disk 1."
First select the boot code of the system disk
Then right-click in the selection and select Edit
Another menu, then we choose "Copy Selection"--"normal"
Then we switch back to the hard drive 1 window, right-click on the first byte of the 0 sector and select "Edit"
Then select "Clipboard Data"--"Write ..."
A window prompt appears, point "OK"
In this way, we copy the boot code from a normal system disk.
Below, we start to restore the partition table (a total of 64 bytes, divided into 4 partition table entries, each partition table entry occupies 16 bytes, generally only use the first two partition table entries), we first to restore the first partition label (that is, to describe the C-disk).
First, the partition boot flag is filled in at the 1th byte (the fifth row in the 0 sector, the penultimate byte), because the C drive is the active partition, so fill in 80.
Next is the 2nd, 3, 4 bytes (first magnetic number, sector area code, cylinder number), fill in: 01 01 00.
The 5th byte is the partition type character, because the original C drive is Fat32 format, so fill in: 0B. So, what if you don't know what the C-disk format is? You can say to ask the customer, then if he does not know? Don't worry, I'll teach you how to tell the format of a partition when you're back to the DBR.
6th, 7, 8 bytes is the end of this section of the magnetic number, sector area code, cylinder number, how do you know? Don't worry, the disks are now addressed in LBA mode, not in accordance with c/h/s (and cylinder, head, sector), so this place you fill in the general relationship is not very big, but I would like to tell you there is a general method of filling, that is: FE FF ff.
9th, 10, 11, 12 bytes, the number of sectors used before this partition, that is, the number of sectors that the MBR occupies, that is not 63? Yes, but to convert 63 to hexadecimal, and then backwards to fill in. Do you remember how to use a calculator? The 63 to hexadecimal number is 3F, not enough four bytes in front plus 0, that is, the xx xx 3F, and then the number from right to left in order in turn is 3F 00 00 00.
13th, 14, 15, 16 bytes is the total number of sectors of this partition, that is, the size of the C disk, which will be a little bit of calculation to get. Because the C drive is starting from the 63rd sector, and the EBR is followed by the C-drive, the size of the C-drive is reduced by the number of the first sector of the EBR, minus 63. So how do you find the first sector where EBR is located? As we said earlier, the structure of the EBR and MBR is the same, so, the EBR end of the logo must be 55AA, then, as long as we find the end of the flag, and then look at this sector is not EBR it?
Click Search--"find hexadecimal values ..." and then come out with a dialog box
Enter "55AA" in the text box, select "All" in the search box, and then check "condition" to set the offset to "512=510".
then click OK. The screen is as follows:
First find the first "55AA", we see, a sector in the 63rd sector, not the EBR we are looking for, and then press F3 continue to find
We've found several sectors, none of them, so what's the next sector?
As we said earlier, the structure of the EBR is the same as the MBR structure, so the second-to-last byte in the penultimate fifth line should be 00 01, and the first 446 bytes should be 0, obviously this is not EBR, continue to press F3 to find ... Finally found the real EBR, in 1435392 sectors.
Tip: Now the hard disk is relatively large, to sector-wide lookup 55AA is really too slow, then there is no way to hurry it? Yes, that is the first to ask the customer C disk about how big, most customers still know, for example, he said C disk about 10 g, then you do not start from scratch, because it is too slow. 10 g is probably 20 million sectors, then you can use the go to Sector command directly to the 19 million sectors, from that place to start looking no more convenient.
With 1435392 minus 63, get 1435329, and then 16 into the system, is 15E6C1, will he inverted is c1e61500, this is the size of the C disk. In this way, the first partition table entry is completed, we save it, and then fill in the Second Partition table entry.
Second partition table 1th byte: Because the inactive partition, so write 00
2nd, 3, 4 bytes, fill in 01 01 00 (General)
5th byte: Because it is an extended partition, fill in 0F
6th, 7, 8 bytes: Filling FE FF FF (Universal)
9th, 10, 11, 12 bytes is the number of sectors that have been used before the partition, should be the C disk size plus 63, that is, 1435392, the front just calculated, to hexadecimal number and then in turn is the E7 15 00
13th, 14, 15, 16 bytes is the total number of sectors of this partition, that is, the total number of sectors of the extended partition, that is, the size of the entire hard disk minus the size of the C-drive minus 63, that is, 4124736-1435329-63=2689344, to Hex is 290940, The reverse is 40092900.
In this way, the second partition table entry is completed.
Do not forget to put the final end sign 55AA, so that the MBR is all finished, and finally, save, and then restart ...
Start up, can't wait to open My computer, found three partitions all back, and the data inside is intact.
Then right click on "My Computer" and select "Manage"
A dialog box appears, select "Disk Management", on the right you can see the disk one of the three partitions (Fat32, Fat16, Ntfs) all returned, to this point, the manual Recovery partition table completed successfully.
Manual recovery of data recovery success rate is relatively high, but also more interesting and challenging, can find a lot of fool-like software to find the file, but the requirements of engineers must have patience, and must keep awake, clear what they are operating, what the consequences will be able to return to the previous state. Especially for some destructive operation, we must consider thoughtful, as long as the conditions allow, it must be in operation before the backup, otherwise it will cause "blood" lesson, remember!

WINHEX Using Tutorials

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

Tags Index: