I am a Data Recovery technician and a machine was recently brought to me that I am stuck on. This is a machine that was configured for backups, but the backups were not being performed correctly, and the important data is within a SQL DB, so it is imperative that I get this machine booting again.
The machine is a Dell XP Home machine. When it first came to me, it would not boot, giving a 'HAL.DLL is missing' error. The HDD was failing pretty fantastically but recovery was possible. Standard DR techniques allowed us to get a great amount of the data back, but about 10K LBAs had to be read without error correction, a process that reads about 10 times and then writes the average of these reads to the destination disk. After DR, I ran CHKDSK on the drive, which (as expected) had a lot of errors to fix. This is where things got interesting. The system still would not boot, with a 'HAL.DLL is missing' error. Upon further inspection, the *entirety* of the system32 folder, the main User folder, the entire Registry, along with some miscellaneous other folders, were relocated to the FOUND.000 folder after CHKDSK. It is a reasonable assumption that much of the system32 folder was corrupted, and through trial and error on boot BSODs, and restoring individual system files through Recovery Console/WinPE, I was able to get the splash screen back.
Using REGEDIT PE, I am able to mount every registry hive except for SOFTWARE and DEFAULT, and both the SOFTWARE and DEFAULT hives in the %systemroot%/REPAIR directory can be mounted, leading me to believe these are not corrupted. Ideally, I would be able to run a repair install to get the system files back to a stable state. I am very aware that there is a real possibility that the program has little chance of actually running after this machine boots, but I hope to at least give it everything I've got. The problem is that the XP install CD does not give the option to repair the installation. At first it did not recognize an installation at all, but currently the repair install process hangs at 'Searching for Windows installations...' and will just sit there as long as you do. It's not a very fun staring contest.
Where the system is now: Currently, I have the system in a state where all registry hives are mountable by REGEDIT PE. The system boots past the XP splash screen, flickers between backlit/dark like it is trying to initialize display drivers/GUI, then BSODs with 'the windows logon process terminated unexpectedly with a status of 0x135'. This happens in both regular boot and Safe Mode (last driver displayed is mup.sys). I have replaced the winlogon.exe file from an XP CD, but have the same problem. My hope is that I will be able to at least get this machine to repair install, or to boot on its own so I can do some digging within the OS to the extent of the damage. I have lurked BleepingComputer for quite a while and really enjoyed the CryptoLocker discussions, hoping you guys might be able to help in this situation too.
Edited by Mondrian, 25 September 2014 - 12:06 PM.