Sadly this is a true story but maybe it'll help someone.
Pointers for Recovering a Destroyed Partition Table
Recently I contracted a virus on a Win98 boot block which McAfee
kindly cleaned for me. Unfortunately, without any indication, it
also zapped the Partition table so I appeared to have lost
absolutely everything except the first Windows C: partition. The
original partition table had been like this;
hda1 Windows 98
hda2 Linux /boot
hda3 Linux swap
hda4 <extended partition>
hda5 Linux / [SuSE v6.0]
hda6 vfat data partition
But I had no idea where the block boundaries had been set to when I
originally configured Linux.
I was able to guess where I had started the /boot and swap
partitions and fdisk recovered them fine. I also now had the
beginning of my original Linux root partition but I had absolutely
no idea where the extended partition had been split other than being
roughly a 5Gb + 2Gb split.
Here's how I was able to recover everything; hope this helps someone
who also has to tolerate MS destructive behaviour.
*** WARNING ***
NEVER use DOS FDISK - its a killer!
What you will need;
a rescue disk (such as SuSE v6 CD)
fdisk [linux version]
Most rescue disks will include all these except perhaps cfdisk.
cfdisk may not be essential if your Linux was built with fdisk. Disk
Druid may also be appropriate if you used it.
SuSE v6+ seems to use cfdisk during partitioning and not fdisk as it
Step 1 - the easy bit
Boot using your rescue disk
Use fdisk to set up the partitions you are reasonably sure of
Check them with mount and e2fsck
best to keep them read-only using
e2fsck -n /dev/hda2
mount -r /dev/hda2 /mnt
Step 2 - the hard bit
OK now we need to figure out partition splits
Of course, these steps should work for any partition whose details
have been lost.
If you know where a Linux partition starts, you can define it with
fdisk and set the ending block to anything. To find where it should
end, write the partition table and run
e2fsck -n /dev/hda?
If you have located the start of the partition correctly but its
length is incorrect, e2fsck should complain that the superblock may be
corrupt because the actual length (from your fdisk entry) does not
tally with that specified in the superblock. e2fsck will report a
number of blocks from the superblock; this number should agree with
the maximum number of blocks reported by df.
You should be able to mount the partition even though its end block
is not correct with
mount -r /dev/hda? /mnt
and check the max blocks with
In fact you should be able to navigate through the
directory tree; you may get errors if you try to read beyond the end
of the partition if your experiments have defined the partition as
smaller than it really is. Defining it as larger does not seem to
hurt but make sure the partition is mounted read-only (the -r switch).
Now you know how many blocks should be there and how many have been
defined in the partition table. Use fdisk to alter your ending block
until df -v reports the same number e2fsck reported; when both are
the same, e2fsck will stop reporting an error condition.
This allows you to recover a complete Linux partition provided it
has not been damaged for some other reason. You may be lucky enough
to be able to continue defining subsequent partitions in the same way.
Unfortunately, this procedure may not get you to the start of
subsequent partitions. The reason for this is because of how fdisk
translates the disk geometry into block locations. Most versions of
fdisk have a maximum block of 1024 which falls well short of the
true number of blocks on large disks. Therefore fdisk can leave gaps
between partitions as it rounds up to its nominal blocks (this is
genuine LOST space on your HD). If you have this problem, cfdisk may
Using cfdisk you can recover this lost space and if your original
partitions followed on from one another without you deliberately
leaving space between them, they should come back OK. The problem
with cfdisk is that you cannot specify blocks directly but must specify
a partitions size in Mb. So a combination of fdisk and cfdisk should
allow you to figure things out OK. Note also that cfdisk lets you
specify a partition measured from the tail of the disk; this may be
useful if you are looking for a final partition of which you know the
size but not its starting location.
If you are as lucky as me, you will now have all your partitions
back to normal and all you have to do is boot into your original
Linux partition using your rescue disk and run lilo to restore the
MBR. Of course, if you never used LILO this may not be a good idea.
Step 1.5 - getting a clue to partition boundaries
If you use SuSE, there is a file lurking in
This gives a complete partition list with max. block counts for each
partition. The block counts should tally with those reported by df.
If you have a running system, you can verify this now. df will not
report the length of a swap partition though; just hope you
remembered its configuration size correctly.
Other distributions may have similar files or perhaps report
partition structures in /var/log/messages or other log files.
So if you can find the start of your main Linux partition and mount
it successfully, you should be able to get an idea of what the
complete partition table should look like.
Boot your favourite Linux
Run fdisk and/or cfdisk and/or DiskDruid
Write down your partition table on the back of a handy envelope and
file safely along with the note you wrote your root password on.
Breath a sigh of relief
Also add to your note the following....
*** WARNING ***
NEVER EVER EVER EVER use DOS FDISK to try and recover partition
tables, it will trash Linux partitions whether or not you have a
good or bad partition table.
*** WARNING ***
DOS FDISK is RADIOACTIVE and will cause IMMEDIATE HAIR LOSS
*** WARNING ***
DOS FDISK is an insidious class A VIRUS
There is no known cure for this virus!
*** FINAL WARNING ***
Why don't you believe me? DOS FDISK is EVIL
And yes, it did trash my Linux partition, almost completely! Yes, I
am now bald. Yes, I am wiser than I was before.
Sysop MOIL BBS +44-1247-273357
andy at moil.demon.co.uk
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!