I have been trying to restore a damaged Server 2008 system and have encountered problems
all along the way. I've reached a point now where I've basically run out of ideas (and
Google research) and I'm hoping someone here can help!
The system is a domain controller, 32-bit, running Server 2008 (no Hyper-V). This system
has been running for a few years and has quite a few disks installed, along with quite a
Windows was installed and running on partition O:. In February, I decided to do a system
backup to an external hard drive (letter W: at the time). I did a "system" backup rather
than all drives.
About a week ago, a virus got onto the system that did what appears to be a great deal of
damage. The system crashed and attempted to reboot. Just after the boot selection screen,
an error screen appeared stating that winload.exe could not be found.
I suspected partition damage so I powered off the machine and booted it from a utilities
disk that includes partition utilities. Every utility informed me that there was no longer
any filesystem on what used to be the O: partition. Other partitions on other drives were
apparently also damaged.
I next tried a partition recovery utility and scanned the old O: partition for files, then
perused the results. The resultant files/folders did look like what used to be the O:
drive, but I immediately noticed many unusual .EXE files with short, strange names all over
the place (root directory, windows directory, system32 directory, etc.) Every one of these
files had a date/time stamp exactly corresponding to the date and time of day the virus
caused the system to crash. Looking at all of these files led me to the conclusion that
the original filesystem was too polluted to try to repair, and I decided to restore the
system from the backup made two months ago.
I rebooted from the 2008 install disk and chose "Repair" then command prompt. Querying the
backup I saw that two partitions were apparently included: O: and C:. Having O: in the
backup made perfect sense since that's where the OS resided. I assumed that C: must also
have contained some relevant files.
I attempted to restore the O: partition from the backup using wbadmin. I repeatedly got
errors from wbadmin having to do with the target partition not being available. After
trying several approaches without success, I decided to start with a freshly-formatted
partition on which to restore the backup. So I reformatted that partition.
After reboot I ran the repair console again. I ran DISKPART to discover that the newly
formatted partition was no longer drive O: (it was F:). Using DISKPART I changed it to O:
and attempted to reboot the restored OS.
Everything looked good, until around the time the desktop background should have first
appeared. Seemingly just before that, the system suddenly did a hard reboot.
I wondered if, since C: was also included in the backup, that had to be restored also, so I
followed the same procedure to reformat then restore it.
Once that was done, I ran DISKPART again only to discover that the OS partition was no
longer O:. Moreover, when I tried to use DISKPART to switch it back to O:, I received the
infamous "Directory not empty" error. I did a lot of research on that error but nothing
seemed to help me. A "list volume" in DISKPART did not show me any other partition using
O:, yet it steadfastly refused to let me assign to that letter.
Out of desperation I tried assigning "P:" to the OS partition, and that worked.
On next reboot, I was back to the "missing winload.exe" error I started with %^(.
I went back to repair console and checked BCDEDIT to find that the "device" and "osdevice"
parameters for 2008 were set to "unknown". I tried setting them to "partition=p:". This
got rid of the missing winload.exe error, but now I am back to the system doing a hard
reboot just before the desktop should appear.
I appreciate any and all suggestions (other than reinstalling from scratch), but
specifically there are a few things I wonder about:
1) Could the OS be crashing because the partition layout isn't exactly the way it was
previously? I can't think of a reason why this would be, unless it expects to find some
paging file(s) on certain partitions and they're not there anymore.
2) Why can't I get the OS partition back to being O:?
3) Is there some type of boot log file I can look at to help me troubleshoot the crash?
Thanks for any and all help!!!
I wonder if EVERY partition has to be exactly as it was before the first crash.