Tuesday, 9 August 2016

Bypassing NTFS permissions in Windows when recovering data from a faulty drive

There's nothing more frustrating than trying to recover data from a drive that's on its last legs. To add insult to injury, if you put the drive in a different PC and try to access the files in the user folder, you won't be able to see them because of the permissions present on the drive.

Normally, you can just take ownership of the folders to get around this, but when it's a faulty drive that may fail at any time, you really don't want to (and the drive may not be able to) go through each file and folder to change the permissions.

There's a simple way to get around them though, as the "system" permission is present on these folders. So all we have to do is launch our favourite copying app as the "system" user and grab the data we need.

To do this, you will need one of the Sysinternals tools, called PsExec:
https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx

Once downloaded, you can use this tool to run another application (in my case, I've chosen Unstoppable Copier) as a system process.

To get unstoppable copier, download it here:
http://roadkil.net/program.php?ProgramID=29
So, here's how you do it:

1: Download PsExec and put it in a location (c:\temp\ will be used in this example)
2: Download Unstoppable Copier and put it in the same location (c:\temp\)
3: Open a command prompt as an administrator (right click the start menu in Windows 10 and select "Command Prompt (Admin)", or right click on the "command prompt" menu option in Windows 7 and select "Run as administrator")
4: You will start in C:\windows\system32 - type cd\ and then press enter
5: Type cd\temp and press enter
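6: Now type psexec -s -i unstopcpy_5_2_Win2k_up.exe (the -s switch runs the program under the SYSTEM account and -i shows its window on your desktop; you may need to change the file name depending on the app you're launching or the version of Unstoppable Copier you have downloaded)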
7: This should now launch unstoppable copier as a system user and you should be able to browse to any folders to copy your data without having to take ownership!
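
The same steps as a PowerShell script that first confirms the premise of this trick, namely that the folder really carries an allow entry for SYSTEM, by reading only the top-level ACL. This is an added example, not part of the original post; the E:\Users source path is an assumption, and -s and -i are PsExec's switches for the SYSTEM account and an interactive window.

```powershell
# Added example: check for a SYSTEM allow ACE, then start the copier as SYSTEM.
param(
    [string]$Source  = 'E:\Users',                     # assumed: user folders on the faulty drive
    [string]$ToolDir = 'C:\temp',                      # location used in the steps above
    [string]$Copier  = 'unstopcpy_5_2_Win2k_up.exe'    # file name from step 6
)

# PsExec can only start a SYSTEM process from an elevated session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) prompt.'
}

# Both tools must be in place before anything touches the drive.
$psexec = Join-Path $ToolDir 'psexec.exe'
$exe    = Join-Path $ToolDir $Copier
foreach ($file in $psexec, $exe) {
    if (-not (Test-Path $file)) { throw "Missing file: $file" }
}

# Read one ACL only: a single small metadata read, no recursion over the drive.
try {
    $acl = Get-Acl $Source -ErrorAction Stop
} catch {
    throw "Cannot read the ACL on ${Source}: $($_.Exception.Message)"
}

# Ask for SIDs rather than names so the check also works on localized Windows.
# S-1-5-18 is the well-known SID of the LocalSystem account.
$read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$systemAllow = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-18' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}
if (-not $systemAllow) {
    throw "No allow entry for SYSTEM on $Source; running the copier as SYSTEM will not help here."
}

# -s: run under the SYSTEM account, -i: show the window on the interactive desktop.
& $psexec -s -i $exe
```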

I really hope this helps someone - having a drive fail is a total pain.



2 comments:

  1. As far as I understand, this is only required on XP and older. Starting from Vista, an elevated cmd has enough permissions to bypass NTFS permissions. No need to run as LocalSystem.

  2. It depends on the data; on a drive from a Windows 7 machine the user folders are still locked and you would have to force your way in, putting extra pressure on a potentially already damaged drive.
