Linux crashed causing Windows virtualized (physical) partition registry corruption

2

1

(tl;dr; sorry about the long post, text in bold has main details)

I have a Windows 10 and KDE Neon dual boot laptop. I rarely boot my Windows partition but I do use it regularly through a virtualized configuration with VMware in Neon. This has worked great for the most part...

... until last night ... I've had some issues with Linux/XOrg/KDE5/(...) going all nutty when docking/undocking and I've made it a habit to Suspend my VM just in case (usually), but last night I forgot and sure enough, my computer completely froze and needed to be powered off manually.

I powered it off, then booted back into Linux with no problem, but now Windows won't boot from the VM or from UEFI as a physical dual boot partition. Using the docking station locked up the computer and hosed my Windows partition (since it was booted in the virtual env).

The actual boot sectors and partition seem ok (after chkdsk'ing it and it did some repairs). When it starts up it will get a BSOD saying "CRITICAL_PROCESS_DIED". It reboots in a mini-recovery shell that says: "A required device isn't connected or cant be accessed - error code: 0x0000225" and has 3 options: "press enter to try again, f8 for startup settings, or esc for UEFI firmware setup". F8 presents the old-school safe-mode, boot logging, vga mode, etc options and I've tried all of those with the same results (the original BSOD).

Things I've tried:

  • Created various Win10 installation media to try to repair it: 1 based off latest release of Win 10, one off previous Insider build, and one off current Insider build (which my partition had)
    • The latest release is the first to use Microsoft's new Unified Update Platform (UUP), which means no more ESD files (by default) sent to the client machines and that means it's more difficult to make homebrew ISOs. I downloaded someone else's ISO, it seems legit.
  • On all 3 versions, I booted into recovery mode and ran the following commands (all failed):
    • DISM RESTOREHEALTH: dism /image:c:\ /cleanup-image /restorehealth /limitaccess /source:wim:d:\sources\install.wim:1 (and minor variations of this)
      • At 72.7% results in "Error 0x800f081f - the source files could not be found. Use the 'Source' option to specify the location of the files that are required to restore the feature ... The DISM log file can be found at X:\Windows\Logs\DISM\dism.log"
    • SFC: sfc /scannow /offbootdir=c:\ /offwindir=C:\windows
      • Result: "Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not supported in offline servicing scenarios." - I guess this is considered an offline servicing scenario! :(
    • I've also checked C:\Windows\System32\Config\regback and it's just a bunch of 0-byte files
    • I've tried a restore point, but I don't have any apparently (I believe this needed to be disabled in order to virtualize my physical Windows filesystem in Linux)
    • The Refresh/Restore options in the Windows recovery shell don't exist anywhere
    • The recovery shell installed by the OS isn't anywhere to be found - only the one from the install media
    • The startup repair feature in the Windows Recovery tool - possibly the most useless placebo screen ever.
    • I've tried to go back to previous version of Windows and it fails right away (which really irks me, because I haven't run any cleanup tools or anything, and I just updated 2 days ago - wtf!)
      • The one thing I thought seemed promising, though: there's a C:\WINDOWS.OLD\Windows\System32\Config folder. I tried overwriting all the registry files in C:\Windows\System32\Config with those old registry files (from 2 days ago). Still not booting ugh.

Things that seemed promising:

  • Running chkdsk - it did repair some stuff and seemed to allow me to get slightly further in the boot process, but now it blue screens with the message mentioned above (EDIT, sorry forgot to document original BSOD message)
  • I can still boot to KDE neon, and I CAN mount the ntfs filesystem there and do whatever I need with the files
  • I can also access the filesystem from the installation media recovery command prompt

So with all that, my questions are:

  1. Does anyone know of a tool that can be used to repair the raw registry files (I don't mean simply copying over the auto-"backups" from the regback sub-folder ... like ACTUALLY repair a corrupted registry DB)? Preferably from the recovery console or Linux - but I can also copy the reg files to another Windows box if I need to.
  2. Is there something I'm doing wrong with the dism.exe command? Maybe I've just been staring at this too long and there's something obvious...
  3. What would cause the Refresh/Restore options not to show up on the installation media's recovery console and is there a way to fix it?
  4. Why don't I have a full-blown recovery shell without the installation media? Isn't that normally installed? Did that possibly get corrupt too?
  5. Any other suggestions?

Thank you!

Adam Plocher

Posted 2016-12-13T03:31:37.410

Reputation: 153

Hey try to install gparted and make it check your windows partition for errors. But I don't think linux is the reason for your windows failure. 2 different partitions don't touch each other. – answerSeeker – 2016-12-13T03:38:41.817

Agreed, I should have mentioned that I did try that. I also tried "ntfsfix" from the apt-get repo, no luck. I'm not suggesting Linux caused the partition failure, but Linux was the one that locked up my whole system when I placed the laptop in the docking station and it was running my Windows partition in a VM at the time. So... err... I take that back, I totally am blaming Linux! =D – Adam Plocher – 2016-12-13T03:42:28.440

That's a really great write up, I wish every request for help had that level of detail. One thing: I saw that under "things that seemed promising" you reference BSOD but the message isn't listed. The only suggestion I've got is to pull your files out (if not on dropbox/steam already) and reinstall - seems like you've spent a few evenings trying to fix it, one more reinstalling and downloading all your software and you'll be good to go. Sorry I can't answer questions 1-4. – Sir Adelaide – 2016-12-13T05:20:51.167

Protip: before you run any more tools to recover this, dd your whole physical Windows partition to a different drive. That way if a tool breaks it more you can restore to the closest thing we have to the exact post-crash state. – newcoder – 2016-12-13T05:43:35.123

Answers

0

Ok so I have an answer for #3 and #4 and well... crazy stuff...

After reading Tatakai's comment I decided to go back and re-check gparted. The recovery partition for Windows had a yellow exclamation (well one of them, for some reason I have 3: sda1, sda5, and sda10 - sda5 was errored). After reading and trying various things I eventually just declared f*** it and decided to reformat that partition with NTFS, reapply the 2 flags (hidden and something else, can't remember) and then copy all files from sda10 to the freshly created sda5.

It didn't quite work yet, but it was progress I think. I needed to reinit my computer's booty goodness with this guide (note, started about halfway down the document at "Fix UEFI Boot in Windows 8, 8.1 or 10" - the order seems important - first time I did it kinda haphazardly and it didn't work, second time I followed it to the T and it worked great).

Ok so at this point I now have the locally installed recovery environment back available. Once I boot into that, it's got some subtle differences, such as the tools ask for an admin account's password before accessing them and the Refresh/Restore feature is now there!

Of course that feature followed suit and decided that tonight wasn't going to be my night to get off easily. So it immediately failed every time (as did everything else, still).

I did several additional cleanups and stuff, but never quite got into Windows... I decided for my coup de grace I was going to run rsync -a /mnt/win/WINDOWS.OLD/* /mnt/win/ and just copy all of the old files over on top of the new ones and see if it boots.

Here's where it gets a little crazy ... IT WORKED! (kinda... for a while...). I was shocked, everything booted up and seemed to work quite well. A couple things were having some issues, like changing the Date/Time. I thought it would be good to run sfc /scannow now, so I did. It was actually running instead of failing immediately and about 60% in, it failed. And suddenly every file was disappearing. I mean the C:\WINDOWS folder became a ghost town of old empty folders, but hardly a single file (and yet I was still booted in it, but nothing was working). My Users folder was slowly disappearing. I could see each icon disappear off my desktop, and over the course of about 20 mins just about everything went away. I was still booted into Windows, I had the explorer.exe and cmd.exe processes locked so the executables were still in C:\WINDOWS, but nothing else was.

I believe it all got copied over to C:\WINDOWS.OLD. I don't know if sfc /scannow triggered some scheduled task or job and was confused by the build number so it thought it needed to clean itself up... no clue. I need to go through WINDOWS.OLD a little closer and make sure it has all my stuff in it. I'm kinda wishing I took "newcoder's" protip (his comment above) before going on this crazy mission.

Anyway, at this point the OS is dead for good. I'm just hoping all my files are still alive and well in WINDOWS.OLD. Thanks everyone for the assistance!

Adam Plocher

Posted 2016-12-13T03:31:37.410

Reputation: 153
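
The imaging step from newcoder's comment, which the answer above regrets skipping, as an added example that is not part of the original posts: copy the partition with dd before any repair tool touches it, prove the copy by hash, and restore from it later. The function names and the `/dev/sdXN` and `/mnt/backup` paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: image a partition before repair attempts, verify the copy,
# and restore from it later. /dev/sdXN below is a placeholder device path.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_partition SRC IMG: copy SRC to IMG and record the image's SHA-256.
image_partition() {
    src=$1; img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Never clobber an earlier image: it may be the only clean copy left.
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 1; fi
    # A mounted filesystem can change underneath dd; require it unmounted.
    if awk -v d="$src" '$1 == d { f = 1 } END { exit !f }' /proc/mounts 2>/dev/null
    then echo "$src is mounted, unmount it first" >&2; return 1; fi
    dd if="$src" of="$img" bs=4M conv=fsync status=none || return 1
    # Source and copy must hash identically before the copy is trusted.
    img_hash=$(hash_of "$img")
    if [ "$(hash_of "$src")" != "$img_hash" ]; then
        echo "hash mismatch between $src and $img" >&2; return 1
    fi
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
}

# verify_image IMG: check IMG against the hash recorded at imaging time.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# restore_partition IMG DST: write a verified image back over DST.
restore_partition() {
    verify_image "$1" || { echo "image failed verification" >&2; return 1; }
    dd if="$1" of="$2" bs=4M conv=fsync,notrunc status=none
}

# Usage (as root): sh image.sh /dev/sdXN /mnt/backup/win.img
if [ "$#" -eq 2 ]; then image_partition "$1" "$2"; fi
```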