# Unrecoverable Error: Convert Folder to File (Y/N)? Yes.



## amanisdude (Oct 5, 2009)

How many times have I heard this story before? You install Windows XP or hook your iPod up to your XP machine. Your computer crashes, and when you reboot, Windows runs autochk and converts all of your precious folders containing your Neil Diamond music and third quarterly earning projections into a small 32 kB file.

No, this is not the work of digital gods/goddesses trying to give you a bad hair day or get you fired (though I sometimes wonder). This is a fault in Windows XP's chkdsk utility that Microsoft techs were too lazy to fix.

"So are my Neil Diamonds gone?" you may ask. The good news is "No, they are not", though it will be one tough puppy to retrieve them.

I am not writing this post to ask a question on recovering my files (though I would expect few people to know how to recover them). Instead, I'm going to write a tutorial on how to get back your precious files, and I hope Tech Support Forums will be kind enough to leave it posted and maybe even pin it up!


So, what do I do? Stupid Windows XP/2000 didn't even give me a choice. It just said 'Yes', and when I went to the path it listed, I found a monkey of a 32 kB file with the same name as the folder that was there, but now the folder's gone!

First thing's first. Don't do anything! I mean don't take any action that would modify the contents of the hard drive that the files were on (such as loading this post if it's your primary drive). Any modification to your drive could overwrite the lost data you wish to recover.

Okay, it may be too late for that (you are reading this thread, aren't you?) But that's okay. Just print out this post (if you can) and keep reading.

The second thing you need to do is find the log where autochk wrote the scan details. You can do this by going to 'Start' > 'Run' and typing in "eventvwr" (without the quotes, my precious sheeps) in the text field and hitting [ENTER]/clicking 'OK'.

A nifty little Event Viewer window should pop up. Select the 'Application' choice in the left pane and you should see a list (as short as it may be) of application logs. The one you want should show 'Winlogon' under the source column at the date and time the autochk scan happened. (Choose the right one. There may be multiple 'Winlogon' entries, but only one should be at the exact time the scan happened.)

Double-click the entry and copy all the text under 'Description:' to Notepad (just type in "notepad" minus quotes in 'Start' > 'Run' like you did for the Event Viewer and hit [Ctrl][V] to paste it in.) From here, either print out the text or save it to a drive THAT DOES NOT CONTAIN THE MISSING DATA (both are recommended). This could be a jumper drive, a floppy disk (if you still use those), or another hard drive.

What?! The entry's not in the event log you say? No worries. You probably cancelled the autochk scan or it ended prematurely. Just find C:\bootex.log and follow the same copy'n'paste steps above. (It may be easier to open it by entering "notepad C:\bootex.log" in the 'Start' > 'Run' text field -- you should be used to no quotes by now.)

Phew! Got that done. It's almost over, right? No way. Now you have to begin the tedious process of data recovery. The text you just saved/printed is a log of all the outputs of autochk, including the paths to the folders that were converted into your happy 32 kB files. The next step is to find a program that can read the hex dump of an entire drive. (Don't worry if you don't know what that means. Just follow along.)

I recommend HxD (http://mh-nexus.de/en/hxd/). It's simple, it's lite, and it has everything we'll need for this little adventure. It's the one I use, so it's the one I'll use for the remainder of this tutorial. Download HxD (again, to a drive that doesn't contain the data you wish to recover) and install it (ditto). If the data you lost was on your primary (C drive, you may consider installing it on a mobile flash drive. The installation only takes up about 2.3 MB, so it'll easily fit on most mobile media. Make sure you don't create Start Program or Desktop icons while installing if this applies to you.

Now you're ready to begin. Start the program HxD and open a hex dump of the drive you wish to recover. (If this is your iPod, make sure it's hooked up.) Go to 'Extras' and 'Open disk...'. Choose the drive that the lost data's on. Now STOP! Before you click 'OK', make sure you uncheck the box next to 'Open as Readonly' and then click 'OK'. If you already went ahead and didn't read that part, no worries. Just close the current hex dump ([CTRL][F4]) and do it again, this time unchecking.

NOW, A WARNING TO HEX DUMP BEGINNERS! The following steps will require editing the contents of your hard drive byte-by-byte. ANY ACCIDENTAL OR UNINSTRUCTED CHANGES YOU MAKE TO YOUR HARD DRIVE COULD MESS UP OTHER DATA THAT'S STORED ON IT, NOT TO MENTION POSSIBLY MAKE WINDOWS UNUSABLE. If you are not comfortable doing this, I would recommend that you stop here and ask someone with more experience for help. This is some dangerous work, and if you do it incorrectly, you could damage the directory structure of your hard drive or other data. I urge you to be cautious as we proceed.

What you now see starting at your face (after you carefully read and awknowledge the warning message) is the hex dump of your hard drive. Basically, it's all the data on your hard drive written out byte-by-byte and "line-by-line" in hexadecimal format. But don't fret. You won't have to learn how to analyze complex base-16 algorithms or multiply CAFE by CAFE in order to use this. All you have to pay attention to is the column of hexa-numbers under '0B' indicated in blue in the top row.

Now comes the tedious part. Go to 'Start' > 'Run' again and type in "cmd". (If you entered the quotes, I'll come over and bite your hair off!) MAKE SURE you use CMD. Do not use the COMMAND console, as it will give different outputs for the commands we will be using.

In the command console, type in the letter of the drive containing lovely Neil Diamond (or your lost data, whichever you prefer) followed by a colon. So, if your lost data is on your 'D' drive, for example, type in "D:". (Watch out. The quote gnats are out to get you!) Then, to be on the safe side, type in "cd\" and hit [ENTER]. This should take you to the drive's root directory.

Now open up the autochk log you saved earlier. If you didn't save it in a place where you'd remember or forgot what you called it, boink yourself on the back of the head for me. You should have given it a simple name and put it in a safe place. Once you find it, you should easily be able to open it up in Notepad.

Now you have two options. If you're a computing guru, you can make a batch file to print out the directory output of each of the parent paths of the folders lead by "Unrecoverable error in folder " to another file, or you could follow along in what may be the coffee-sipping up-all-night way if you have a large hard drive. (If enough people request it, I'll show you how to make the batch file.)

Anyway, since I'm assuming most of you aren't computer Jedis (as you probably gathered), let's pour ourselves a fat vat of coffee. First, take a good, hard look at the log entries in the text file. Right next to each line reading "Unrecoverable error in folder " should be the full path of the folder that was converted into a file minus the drive letter. This is all the information you'll be needing. You can delete or ignore everything else.

Now, go to the CMD console and type in "dir /x" (swoop one for the quote gnats!) followed by the path of the missing directory as listed in your log file minus the affected folder ("My Music\" without "My Awesome Neil Diamond Collection", for example). (Note: If your folders were located directly in the root directory--i.e., were directly on the hard drive--just typing in "dir /x" should do the trick.) Despite your mysterious quote inhibitions, you should probably type this path between a set of quotes, BUT ONLY THE PATH. "dir /x" should remain safely unquoted.

(Another way to do this, if you're smart or lazy, is to type in the full path of the directory as printed in the log file followed by a backslash and two dots, no spaces. Ex: dir /x "\My Music\My Awesome Neil Diamond Collection\.." )

This should print out the directory information for the folder containing your 32 kB folder file, including the 8dot3 short name of the 32 kB file if it has one (fifth column, right after the number 32,768), which we'll need in a bit. Copy down this 8dot3 short name, in ink or digital, for all the folders that have been converted to 32 kB files in that directory. Include all the characters that appear before the long filename of the folder. (For example, for a folder file called "My Folder File", the 8dot3 short name should be something like "MYFOLD~1" followed by "My Folder File". Copy down the "MYFOLD~1".*) Then, move on to the next path listed in the log and continue for all paths following "Unrecoverable error... yada yada". Be patient. If this happened on a large drive, chances are there'll be a lot of these recoverable "unrecoverable errors".

(*Note: If the folder long name has a dot in it, such as "Folders.Rock", the short name should show up as "FOLDERS ROC" or so. That's fine. Just copy down each segment as if they were in a different column. If the folder had more than one dot in the name, such as "Folders.Is.Are.The.Rock", the 8dot3 short name would still look something like "FOLDERS ROC." More on this below.)

Huh? Oh. Done already? That wasn't so bad, was it? Now it's time for the actual recovery part of this tutorial. But first, a quick lesson on the FAT32 file system!

I know. I know. Some of you (the lazy ones) are probably wondering why you'll need to know jack about FAT32. Well, you'll need to, buddy! Just trust me.

Unlike what conventional wisdom would tell you, FAT32 is not the size of your last outfit. It is actually the format in which data is stored on your hard drive. If your even reading this post, chances are that the data you lost was on a drive formatted in FAT32. You can check this by going to 'My Computer', right-clicking the drive's icon, selecting 'Properties', and looking next to 'File system:'. Convinced? Good.

FAT32 is actually an older filing system created back in the Windows 98 days. Not surprisingly, Windows XP actually prefers the much newer NTFS filing system and oftentimes messes up bigtime when dealing with FAT32. If you're not dual-booting your PC with an older operating system, you might want to consider converting all of your internal hard drives to NTFS.

That aside, FAT32 basically treats folders as files that point to more folders and files (kind of like the DMV). Each folder entry on the hard drive has a list of the names of all the files and folders, as well as their attributes, their size, and their memory location on the hard drive. In fact, the only thing that differentiates a folder from a file is a little data entry located at memory address 'XXXXXXXXXx0B'. Does this look familiar? It should. Remember the column I told you we'll need to focus on in HxD? Column '0B'? I'll Explain more along the way. For now, I think we're ready.

This is where all the work you've done begins to pay off. Switch back to the HxD application, which should still be open in the background. Go to 'Search' > 'Find' in the program menubar (or simply hit [CTRL][F]). Under 'Search for:', type in the first 8dot3 short filename entry you wrote down in ALL CAPITAL LETTERS. The entry should contain no spaces. (If the folder filename had any dots in it, this may not be true for you--read the note above. If so, skip the next two sentences.) If it has any spaces, you messed up. Go back and read this post again carefully. The 8dot3 filename should have a maximum of eight characters with three optional extension characters (those appearing after a dot). (You won't have to worry about the extension characters unless you had a folder name with a dot in it. If this is the case, the FIRST THREE characters after the LAST DOT should make up the filename extension. Keep this in mind.) All the characters should be either letters, underscores, tildes (~), or numbers. No other characters should be present. If there are, you messed up! Go back and re-read.

Once you type in the 8dot3 filename (without the extension), you should hit the spacebar until there are eight characters total in the box. If extension characters were present, type them in now (only the first three, remember). If there were no extension characters, just hit the spacebar three more times. There should now be eleven characters in the text box (count 'em to make sure!): The 8dot3 characters and, most likely, a bunch of spaces. For the other options in the dialog, check the 'Case sensitive' box and select "All" under 'Search direction'. Finally, in the 'Datatype:' text field, make sure "Text-string" is selected. 

Now we're ready. Click 'OK' to begin the search.

Now the waiting game begins. Go on, take a break. This may take a while.

Eventually, if you've done everything right, you should get a result. There should be two areas in the HxD data pane that are highlighted: A set of byte entries in the central hexadecimal data column and the corresponding ASCII characters in the rightmost text column. However, depending on the uniqueness of the file folder name, this may or may not be the hit you want. Check and make sure that the entire result is all on the same row and starts in the '00' hexadecimal column and ends before the familiar '0B' column. If not, hit [F3] to continue the search.

If your result does adhere to these criteria, then this may well be the entry you're looking for. Look around the area that is highlighted (above and below). You should see some familiar file and folder entries that correspond to those in the same folder that your little 32 kB file folder is located within, including some that you may have deleted. (It may help to keep your 32 kB file's parent folder open during this process.) If you don't see anything familiar, this may not be the right entry, but keep reading. 

This is where your knowledge of FAT32 begins to come in handy. In the same row as highlighted result in the hexadecimal section should be the file attribute entry under '0B' Check and see what the data entry is under that column. If it is "10", "20", or some other value where the first digit is NOT "0", it's not the value you're looking for. Keep searching. HOWEVER, if the value is "00" or some other value beginning with "0", then EUREKA!! You've probably found it! Now here comes the dangerous drive editing part. MAKE SURE YOU DO THIS IN COLUMN '0B' IN THE SAME ROW AS THE RESULT. Click right before the first "0" in "00" and hit [1]. This should change the value from "00" to "10" (or "1"-whatever) written in red. Continue for all folders that were affected that were located in that same parent directory. Their entries should be close above or below your result. (Remember, 8dot3 entries only.) Conducting another search for them will take just as long as this one, so it's best to save time this way. 

Now, before you save (no, the changes have not been made to your drive yet), you may wish to write down the Sector number indicated in the text box at the top of the HxD screen (right below the menubar) in case you've made a mistake. That way, you can always come back and change the value back to "00" later on. But chances are you've found the right data entry, especially if you found other entries there. Go to 'File' and hit 'Save' before you continue. 

Okay, now here's where all your hard work should begin to show results. Open the folder that contained your file folder atrocities if it's not already open and see if those howling little 32 kB files have been turned back into folders. (You may have to hit [F5] to refresh the folder data.) If so, then YAAAY!!!! You've done everything right! Go into your now-reclaimed folders to make sure all your files are there. (If the files that should have changed back are still files, the search result you received was probably wrong. Go and change back the data you changed and continue the search.) If no data was written to your hard drive since the files disappeared, all your files and folders in the folder should be there unharmed. However, if for some sad reason data was written, your files and folders may be corrupt. Check them to make sure.

If all is good (or even if it isn't), continue on with the rest of the folders on the list. Just follow the steps above. All your lost files should be back in no time! (If none of this is working for you, feel free to contact me by replying below. I should be checking this thread for several days/weeks after this post.)

Done? See, that wasn't so bad. Now, before you go to sleep, there is one more thing you should do. Because Windows XP converted these folders to files once, chances are it'll do it again. So, BACK UP YOUR FILES!! I can't stress that enough. Watch, one more time. BACK UP YOUR FILES!! It is more than likely that autochk did detect some error in that folder which, due to it's poor diagnostic capabilities, enticed it to turn it into a file. Converting it back into a folder with HxD probably didn't fix the problem. If your computer crashes before you get a chance to backup your files, CANCEL AUTOCHK AT STARTUP!! Then, backup, delete, and copy all your important files back to the drive. And keep your backups. Important files always deserve a backup.

Okay, that's it. I hope this helped you. Please post comments below, and if it didn't help, hate mail is welcome, too. (Just don't expect a response.) Also, if you can think of anything else I should add to this, please let me know.


If you want to learn more about FAT32 and become a computer wiz like my 6-year-old nephew, 
I recommend reading the description at 

ComputerHope (http://www.computerhope.com/fat32.htm) 
and the File Allocation Table Wikipedia entry (http://en.wikipedia.org/wiki/File_Allocation_Table).


----------



## amanisdude (Oct 5, 2009)

Here are some additional links about FAT32 if you're interested:

Microsoft's Knowledge Base (http://support.microsoft.com/kb/154997)
Windows XP issues with FAT32 (http://support.microsoft.com/kb/314463)

Also, it is worth noting that the files that your folders may have been converted into may not be 32 kB in size. They may actually be smaller, depending on how your file system is configured. This is more likely for drives with lower data capacities. The smallest size possible should be 512 bytes. (If this is the case, you probably have one slow hard drive.)

Also worth noting is that these procedures can be used for devices that use the FAT filing system. The file size of the converted folders in these systems will most definitely be 512 bytes.

And on one final note, you may have to log in as the system administrator to be able to access some of your missing files/folders. If this still doesn't work, try unhiding hidden and system files/folders.


----------



## deleted6052011 (Jul 16, 2009)

WOW Amanisdude, you've got some tme on your hands :laugh:


----------



## amanisdude (Oct 5, 2009)

Actually, it was two days of sitting and waiting while HxD scanned my hard drive. So I figured, "Why not post my agony?" and my agony I did post.

Now I just hope someone out there has time enough to read it. :wink:


----------



## MJmoonwalk (Oct 26, 2009)

Thanks...

I have a problem like this (0KB Files) in WinVista

I cannot find the errorlog...


----------



## Chidoze (Dec 1, 2009)

Well, I did like you had described and all the files were changed back to folders, but the folder size is still 32kb and there are no files showing.

Did I do something wrong or miss something, I just changed the "00" to "10" under the OB column and that was it.


----------



## amanisdude (Oct 5, 2009)

I apologize to all. I haven't been on this forum in a while.

MJmoonwalk: I am not sure about Windows Vista, since I've never used it. I suspect, though, that it is a different problem, since the file size should match the size of an FAT32 cluster.

Chidoze: It is possible that the files were overwritten. Download PC Inspector File Recovery <http://www.pcinspector.de/Sites/file_recovery/download.htm?language=1> or another file recovery utility and scan the drive for deleted files and see if it finds anything. It may be able to recover some of the data if it is partially overwritten. Remember to install the program and save any recovered files to a different hard drive.

Also, I will try and post screenshots of each step on this thread as soon as I can. I have installed a new operating system since, so it may take a while to re-create the problem. Stay tuned...

Best,

AmanIsDude


----------



## fraktal (Dec 14, 2009)

Thanks A LOT !!!!

I just lost a huge bunch of very important folders, you saved my life !! I'm going to try this this week-end.

Isn't there some kind of HD recovery program that does all this automatically ??

And did it really took 2 days of scanning ? What size is your hard drive ?


----------



## amanisdude (Oct 5, 2009)

Hi Fraktal,

As far as I know, there is no program that automatically does this, though that would be something.

Also, be very careful when performing these operations. It's long and can be complicated if you're new to advanced Windows tasks. (Several people have messaged me with their confusion.) I have yet to reproduce this problem, but I will post screenshots when I do. Until then, if you need any help with this, feel free to PM me or post on this thread.

The size of my affected hard drive was 250 GB with 100+ affected directories, so it took a while to scan and find them all.

Anyway, best of luck! I'm glad this post helped you!

-AmanIsDude


----------



## br686 (May 2, 2010)

I realize this post is old but I'm having the issue described above. I did as the guide says and the files turned back into folders, however every folder says that it is empty. There was no data written to the drive after the folders were changed to files. This is a thumb drive that was affected, and it was formatted as fat16, could that make a difference on how this process should be done? Thanks for the help.


----------



## fraktal (Dec 14, 2009)

Hi br686

Well, I was able to fix the issue on my FAT32 following the process described here, but I had to tweak it a lot because I had a very large drive, lots of lost folders, and didn't have the patience to go throught the search process...

Regarding your issue, yes, the fact that it is FAT 16 can definitely make a difference. I would strongly advise you to spend some time on wikipedia trying to learn the differences between FAT16 and FAT32, and then see if there is something that you should do differently.

I'm sorry, I can't help you any further, becasue I have no knowledge of FAT 16.

Good luck !


----------



## amanisdude (Oct 5, 2009)

Hi br686,

Sorry for the late response. As far as I know, there is no difference between FAT16 and FAT32 in this regard. If the files are not appearing in the recovered directories, you can see if a file recovery utility such as Recuva or Restoration finds the files on the drive. (PC Inspector File Recovery is another good option.)

If not, you can try searching for known missing files using their 8dot3 names in HxD as described in the original post to see if their directory signatures are still in the file system. If they are, a good file recovery utility with a search or scan feature for lost files should be able to find and restore them, though there is no guarantee that they will be complete or functional.

Try one of these and let me know how you fare. I wish you the best!

-AmanIsDude


----------



## br686 (May 2, 2010)

Thanks for replying! This is my dad's flash drive that blew up on him so I am trying to recover the files for him. I used a file recovery tool and it found a ton of stuff (of course) but I don't know what is what, so he's weeding through it right now. Hopefully that will take care of it. I'll have to go back through and see if he can remember file names and see if I can see it in the hex dump. I was also thinking that maybe windows thinks it's fat 16 even though its fat32 and maybe if i used partition magic or another program to convert it from "16" to 32 it might fix it? Oh well, I'll give it a shot anyway, I've already made backups of everything on the affected drive anyway  I'll update everyone once I get this stuff done. Thanks again for your help!


----------



## amanisdude (Oct 5, 2009)

> I was also thinking that maybe windows thinks it's fat 16 even though its fat32 and maybe if i used partition magic or another program to convert it from "16" to 32 it might fix it? Oh well, I'll give it a shot anyway, I've already made backups of everything on the affected drive anyway


It is unlikely that Windows would think it's FAT16 when it's actually FAT32. Using any partition utility to convert the file system would only cause a bunch of data loss, guaranteed.

Although you may have been able to recover the files using a backup utility, I would wait until your dad finds all the files he needs before trying anything else on the drive. Recovering files with a backup utility may not always be complete if the file allocation tables at the head of the partition are damaged or overwritten.

If you or your dad can't find the correct files, and if they are important enough, I would try taking the thumb drive to a data recovery specialist. It could be expensive, but may be well worth it for extremely valuable data (i.e., data which is important enough to get your dad fired).

If you want to make a backup of all the data on the drive and go crazy without really have to worry about overwriting unlinked data, you could try making a low level image copy of the drive. DD for Windows should do the trick. Download the zip archive and extract it to a directory where you'll remember it. Then, open up CMD ('Start' > 'Run' > "cmd") and navigate your way to the correct directory. (Type in the drive letter and a colon (e.g., "D:") and hit [Enter]. Then type in "CD\" followed by the path where the files are extracted. For example, if you extracted DD for Windows to the path "D:\Downloads\dd-0.5", type in "CD\Downloads\dd-0.5" and hit [Enter]. This should take you to dd's directory.)

After that, type in the following command into the command line:


```
dd if=\\.\<your flash drive> of="<where you want to save the image file>\<name of the image file>.img" bs=1M --size --progress
```
where <your flash drive> is the drive letter of your thumb drive, <where you want to save the image file> is the path to which you would like your backup saved, and <name of the image file> is the filename you would like to give your backup.

For example:


```
dd if=\\.\e: of="C:\Documents and Settings\All Users\Backups\backThisBabyUp.img" bs=1M --size --progress
```
*DO NOT* get the 'if=' and 'of=' parameters backwards, since this has been known to cause data loss.

When the drive dump to image finishes, you should be able to do whatever you want to the drive without having to worry about losing your dad's precious files. Good luck!

-AmanIsDude

BTW, I don't mean to patronize with the excessive detail I've included on how to use the CMD command line. I just don't know how much you know about this sort of stuff. ^_^" Forgive me if I was OVERLY inclusive. :laugh:


----------



## oldtiger (Jun 4, 2010)

Thank you, amanisdude!
I followed your great tutorial and it worked!
I had only 1 directory to recover and it was in the root directory on a flash drive, so it went fast. I did a random check of 4 or 5 files and they all opened ok.

1. At the time when CHKDISK changed the directory to a file, it also created a bunch (1,278) of CHK files in a (hidden) directory called FOUND.000. Do I need to keep these files?

2. The original problem that started this mess was the sudden appearance of a bunch of directories with garbage character names on the USB flash drive. When I tried to delete them, Windows said, "Cannot delete file: Cannot read from the source file or disk." I tried doing it in DOS but didn't have a way to copy the garbage characters that made up the folder names. What is the SAFEST way of deleting these garbage directories?

P.S: I also like HxD and just used it last week to hack a saved game in my RPG. I never thought I would be needing it for something like this, but it was good practice.


----------



## amanisdude (Oct 5, 2009)

Hi oldtiger,

I'm glad this thread helped! First thing you should do is back up those files. To answer your questions:

1. The CHK files that chkdsk created are essentially lost data that are no longer assigned to a directory (probably from the files you just recovered). If all the necessary files on your flash drive open correctly, it should be safe to delete these files, although I would still back up the data on your flash drive first just in case. (Windows sometimes messes up when handling cross-linked data.)

2. I've had this problem with corrupt directories before, too. In my experience, it is usually happens when Windows or DOS misreads common file data as part of the directory structure. (This can happen if the File Allocation Tables at the head of the partition are damaged.) To safely get rid of these, I would back up ALL of the data on your drive, format it, and copy all the data back. I know this seems like an obvious fix, but that's the only way I've gotten rid of them from the root directory. If the garbage directories aren't in the root directory, you could try deleting their parent directories with RMDIR in CMD (or DELTREE in DOS/Win9x) and re-creating them, hopefully overwriting that portion of the FAT.

And HxD is a very useful utility. I love it, too. ^_^


----------



## oldtiger (Jun 4, 2010)

Thanks, amanisdude,
I came to the same conclusion some days ago, so when I got your reply, it confirmed that I made the right move.

I backed up everything I wanted to keep from the flash drive, formatted the flash drive to wipe it, and copied everything back. Worked like a charm. And since I now have a backup, and the files on the flash drive are constantly being added to and updated (its a removable drive on a friend's laptop), I will be backing it up regularly. Lesson learned.

Even after 25+ years working with computers, I'm still in awe about what a huge difference changing a few bits of code can make in the outcome (as long as you don't screw it up, which will make a huge difference too!).

Thanks again.ray:


----------



## Adrionis (Jun 10, 2010)

Amanisdude, thanks for your enormous effort; I am sure if somebody can develop an special software to solve this terrific problem will became millonaire. I lost over three thousand pics of my family and projects, most of them changed to 32 and 64 kb; but size is same original one. Again thanks anyway dear AMANISDUDE....money is flying around a lot of money, but so hard to get it


----------



## tereso (Apr 28, 2010)

You are the man!! Great tutorial, now i have a question. CHKDSK coverted my user profile folder in "Documents and settings" to a 5.5MB with the same name as the folder. Weird thing is i am using NTFS. Is there a way to reconvert this file to a folder and pretend nothing happened? I remember doing this with i think was DISKEDIT from Norton Utilities back in the DOS days, but i can't find any utility that does that on NTFS. Thanks


----------



## akdwivedi (Sep 5, 2010)

@amanisdude thanks a lot!!! This was a perfect solution and helped me recover all the folders which were converted to file by Chkdisk. Excellent tutorial!

-Abhi


----------



## lizardkind (Oct 4, 2010)

@ amanisdude- thanks a lot for this helpful tutorial 

The prob with me is, that, i realised that my files have been converted after formatting and reinstalling windows a couple of times, so i have no idea how to get the log of the chkdsk! what do i do for this? please help me out
Thanks in advance


----------



## amanisdude (Oct 5, 2009)

@lizardkind - I assume that Windows was installed on a separate drive/partition from your data. If this is the case, you don't need the chkdsk log (as you probably already know where the files are located). Just skip that step and manually enter the 8dot3 names of the files when using HxD's search function using the filename conversion conventions described in the original post.

If the files were on the same partition, and you just happened to back them up and restore them, I'm afraid there's probably not much you can do, as the data in the folders probably did not get backed up. You can try using one of the aforementioned file recovery utilities to see if they can find any fragments of the file which may still be scattered around the disk if you did a quick format, but the likelihood of this working is slim to none.

Alternatively, if the files in the folder you wish to recover contained some memorable ASCII text, you can try scanning your drive for a specific string which is located in the file. If HxD finds it, you can copy the data from that memory block to a text file and repeat for each part of the missing text and *tediously* try to piece it together. Bear in mind that this could take LONG hours and may not lead to a complete recovery of your documents.

I'm sorry I can't really help more. If the data is UBER important, try consulting a data recovery specialist. Chances are, though, they'll tell you the same thing or just flat out say that your files are not recoverable. It might still be worth a shot, though, if your data is vital enough...


----------



## amanisdude (Oct 5, 2009)

@tereso - Sorry it took me so long to respond to your post.

Unfortunately, FATxx and NTFS are totally different filesystems. You can try reading up on NTFS and seeing if there's some sort of log of filesystem data changes, as I believe NTFS is a journaling filesystem. I've never had any problems with CHKDSK and NTFS, so I'm afraid I can't really help you more.

POSTSCRIPT: According to Wikipedia, NTFS does in fact keep a log of filesystem changes. (http://en.wikipedia.org/wiki/NTFS#NTFS_Log) You can access this log using Microsoft's OEM Support tools found here. If your data hasn't already been overwritten, you may be able to recover some or all of your files using information found using these tools. You'll probably have to do a little more research to find out how, however.

You can also try one of the several file recovery tools I have listed in earlier posts on this thread. You may be able to recover some specific files using this method if it isn't already too late.

Anyway, I apologize again for taking so long to respond. I hope at least some of your files can still be recovered...


----------



## amanisdude (Oct 5, 2009)

Tereso,

This part of the Wikipedia entry may also be of some interest to you. Best of luck!


----------



## redcapaussie (Nov 16, 2010)

Hi,

Firstly, thanks for taking the time to write all that out and provide help to us all!

I just had a similar thing happen. I can't go through your tutorial however, because my event log does not contain everything that happened! I watched with my own eyes a number of folders be converted to folders, it skipped through them quite quickly but I recognised a lot. When I opened up the event viewer, it only had a tiny fraction of them all.

Additionally, I cannot find any bootex.log file.

I'm wondering perhaps if there is not an easy way via your method, if you could recommend some FAT recovery software?

thanks


----------



## redcapaussie (Nov 16, 2010)

I should have realised, I guess all that is needed for your method is the 8dot3 representation of the folder, right? And it's quite easy to tell what folders were converted since they are 32kb files with no extensions.


----------



## Jlp1928 (Sep 19, 2006)

Hi All,

I didn't have time to read all of this but here is a little info that may help you understand. All Folders (Directories) except the root directory are only files with a special attribute bit. If you convert a folder into a "file" it will onlyl contain the files information that it contains. That is File names, types, locations on the HDrive etc. Not the files that were in the folder but information that can be used to locate them on the drive. A good file recovery program will get around that foolishness. Disk Investigator is a great one. It will show you all files, show which ones have been written over and allow you to recover the good one. Also will let you see whats in the MBR and the 2 Fats. Hope this helps a little.

Good Luck, Jim


----------



## amanisdude (Oct 5, 2009)

@redcapaussie - The method you described in your second post should be pretty effective. I did this my first time recovering files before I knew about the whole Event Log thing. ^_^"

@Jlp1928 - Thanks for posting the recovery software suggestion! Maybe somebody can try Disk Investigator (http://www.theabsolute.net/sware/dskinv.html) and post if it works for this type of recovery (directory structure and all). My hunch is that, although it may be able to recover individual files, it probably won't be able to revive the directory structure, which may or may not be important.

Nevertheless, I have been searching for a program like this for a long while now. Thanks again for posting!


----------



## redcapaussie (Nov 16, 2010)

Wow. It works - GENIUS! THANKYOU!

Although after a while I got a "access denied" message while trying to save in HxD, but the disk was definitely not read-only.


----------



## redcapaussie (Nov 16, 2010)

OK, I have managed to recover all my folders. It all went smoothly.

Interestingly, at the same time that these folders were "converted to files", the scandisk also produced 30 GB worth of CHK files. I haven't done the maths, but I am guessing that is roughly about how much content was in the folders that were "converted".

Does this mean that the data has doubled up? Ie, since I have made the data accessibly again, the stuff is converted to CHK files is now useless?


----------



## amanisdude (Oct 5, 2009)

Hi redcapaussie,

I'm glad to hear it worked! However, this DOES NOT mean that the data has doubled up. It means that the CHK files (which were recovered earlier) are now _cross-linked_ with the files you recovered. (They essentially link to the same data represented by the recovered files.)

First, make sure the data you recovered manually is the same size as the block of CHK files. If the CHK files are larger, you may have missed a directory in your recovery process.

Then, I would BACK UP the 30 GB or so of files you recovered (and the CHKs too if you want to have extra backup ^_^), delete the reclaimed files along with the CHKs, and re-import them to your drive. This could prevent further damage to your directory structure along with additional data loss in a future _chkdsk_, _autochk_, or _scandisk_ scan. 

Remember, as the motto goes, "When confused, BACKUP!" I hope this helps.


----------



## Jlp1928 (Sep 19, 2006)

Hi again Red,

Glad you had some success. Those chk files are the ones that did not get listed in any directory. Could have been because the Directory File got lost or corrupted. Also happens when a device is shut down before the directory info, last thing done, is written etc. If the files were Text you will be able to open them with a text editor and if you want them rename the extension and correct the first letter of the file name if you know it. If they are program data you probably won't be able to use them. 

More luck, Jim


----------



## amanisdude (Oct 5, 2009)

This is true. Not all the files may be cross-linked with the data you recovered. You could try using TrID.NET to see if any of the files' types can be identified. If the files are exactly 32 kB, however, chances are that they do not represent complete data and that they may be cross-linked with the data you recovered. This is especially true if they were created during or after the original data loss. (You can check their filetimes to be sure.) I hope this helps.


----------



## cokkonut (Nov 22, 2010)

Hi amanisdude, found your post through google and can't be more thankful for your detailed, well-written explanation! 

So while HxD takes its time to find the first of my troublesome entries I've registered only to say *thank you so much*! You've made my day by saving a good amount of digital memories. Now as a side effect this situation has convinced my gf to buy a new fileserver with data protection. Yay! 

Cheers mate.


----------

