NTFSRECOVER(8)              System Manager's Manual             NTFSRECOVER(8)

       ntfsrecover - Recover updates committed by Windows on an NTFS volume

       ntfsrecover [options] device

       ntfsrecover applies to the metadata the updates which were requested on
       Windows but could not be completed because  they  were  interrupted  by
       some  event such as a power failure, a hardware crash, a software crash
       or the device being unplugged.  Doing so, the file system  is  restored
       to a consistent state, however updates to user data may still be lost.

       Updating  the  file  system generally requires updating several records
       which should all be made for the file system to be kept consistent. For
       instance, creating a new file requires reserving an inode number (set a
       bit in a bit map), creating a file record (store the file name and file
       attributes),  and  registering the file in a directory (locate the file
       from some path). When an unfortunate event occurs,  and  one  of  these
       updates  could  be  done  but  not all of them, the file system is left

       A group of updates which have all to be done to preserve consistency is
       called  a  transaction,  and the end of updates within a transaction is
       called the commitment of the transaction.

       To protect from unfortunate events, Windows first  logs  in  a  special
       file  all  the metadata update requests without applying any, until the
       commitment is known. If the event  occurs  before  the  commitment,  no
       update  has  been  made and the file system is consistent. If the event
       occurs after the update, the log file can be  analyzed  later  and  the
       transactions which were committed can be executed again, thus restoring
       the integrity of the file system.

       ntfsrecover similarly examines the log file  and  applies  the  updates
       within committed transactions which could not be done by Windows.

       Currently,  ntfs-3g does not log updates, so ntfsrecover cannot be used
       to restore consistency after an unfortunate event  occurred  while  the
       file system was updated by Linux.

       Below  is  a  summary  of all the options that ntfsrecover accepts. The
       normal usage is to use no option at all, as most of these  options  are
       oriented towards developers needs.

       Nearly  all  options have two equivalent names.  The short name is pre-
       ceded by - and the long name is preceded  by  --.   Any  single  letter
       options,  that  don't  take  an argument, can be combined into a single
       command, e.g.  -bv is equivalent to -b -v.  Long named options  can  be
       abbreviated to any unique prefix of their name.

       -b, --backward
              Examine  the  actions described in the logfile backward from the
              latest one to the earliest one without applying any update. This
              may  encompass  records  generated  during several sessions, and
              when Windows is restarted, it often  does  not  restart  writing
              where it ended the previous session, so this leads to errors and
              bad sequencing when examining the full log file.

       -c, --clusters CLUSTER-RANGE
              Restrict the output generated when using options -b -f -u -p  to
              the  actions  operating  on  a  cluster within the given cluster
              range.  CLUSTER-RANGE is defined by the first and  last  cluster
              numbers   separated   by  a  hyphen,  for  instance  100-109  or
              0x3e8-0x3ff. A single number means restricting to a single clus-
              ter.  The first four log blocks have a special role and they are
              always shown.

       -f, --forward NUM
              Examine the actions described in the logfile  forward  from  the
              first  one  to  the last one without applying any update. As the
              log file is reused circularly, the first one  is  generally  not
              the  earliest. Moreover when Windows is restarted, it often does
              not restart writing where it ended the  previous  sessions,  and
              this  leads to errors when examining a log file generated during
              several sessions.

       -h, --help
              Show some help information.

       -k, --kill-fast-restart
              When Windows has been interrupted with fast restart  mode  acti-
              vated, part of pending changes are kept in the Windows cache and
              only the same Windows version can recover them. This option  can
              be  used  to apply the changes recorded in the log file and drop
              the ones in the Windows cache.  This is dangerous and may  cause
              loss of data.

       -n, --no-action
              Do not apply any modification, useful when using the options -p,
              -s or -u.

       -p, --play COUNT
              Undo COUNT transaction sets and redo a single one, a transaction
              set  being all transactions between two consecutive checkpoints.
              This is useful for replaying some transaction in the past. As  a
              few actions are not undoable, this is not always possible.

       -r, --range BLOCK-RANGE
              Examine  the actions described in the logfile forward restricted
              to the requested log  file  block  range  without  applying  any
              update.  The  first four log blocks have a special role and they
              are always examined.

       -s, --sync
              Sync the file system by applying  the  committed  actions  which
              have  not  been  synced  previously. This is the default option,
              used when none of the options -n, -f, -r, -p and -u are present.

              The option -s can be repeated to request applying the  committed
              actions  mentioned  in the obsolete restart page. This is useful
              for testing the situations where the latest restart page  cannot
              be read though it can actually be read.

       -t, --transactions COUNT
              Display  the  transaction parameters when examining the log file
              with one of the options --forward, --backward or --range.

       -u, --undo COUNT
              Undo COUNT transaction sets, thus resetting the file  system  to
              some  checkpoint in the past, a transaction set being all trans-
              actions between two consecutive checkpoints. As  a  few  actions
              are not undoable, this is not always possible.

       -v, --verbose
              Display  more  debug/warning/error  messages. This option may be
              used twice to display even more information.

       -V, --version
              Show the version number, copyright and license of ntfsrecover.

       Sync an NTFS volume on /dev/sda1.

              ntfsrecover -s /dev/sda1

       Display all actions which updated a cluster in range 100 to 119 :

              ntfsrecover --verbose --backward --clusters=100-119 /dev/sda1

       If you find a bug please send an email describing the  problem  to  the
       development team:

       ntfsrecover was written by Jean-Pierre Andre

       ntfsrecover is part of the ntfs-3g package and is available from:

       ntfs-3g(8), ntfsfix(8), ntfsprogs(8)

ntfs-3g 2017.3.23               September 2015                  NTFSRECOVER(8)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2022 Hurricane Electric. All Rights Reserved.