All of the NTFS hard links disappeared; where are hard links stored on disk and how to recover them?

Posted by Osiris on Server Fault
Published on 2014-08-19T21:41:02Z Indexed on 2014/08/19 22:21 UTC

This is Windows 7 x64 SP1 on an NTFS file system.

All hardlinks within the C:\Windows\System32 folder disappeared, and Windows can't boot, because even the OS loader, C:\Windows\System32\boot\Winload.exe, also disappeared. Nevertheless, the original files are still located in the corresponding C:\Windows\winsxs folders. After I booted into the Recovery Environment and copied one Winload.exe (x64) from another folder, Windows gave an error pointing out that "ntoskrnl.exe is corrupted or missing...its file digital signature cannot be verified"

When trying to boot in Safe Mode, the message above was shown after a screen prompting "Loaded \Windows\system32\config\system"

Because smss.exe was still not loaded at this early boot stage, there are no dumps or logs.

Based on my study, ntoskrnl.exe depends on the following files:  
C:\windows\system32\PSHED.DLL  
C:\Windows\System32\hal.dll  
C:\Windows\System32\kdcom.dll  
C:\Windows\System32\clfs.sys  
C:\Windows\System32\ci.dll  

All the files above were copied from their corresponding folders, and their MD5 hashes were verified against a well-operating Windows 7 x64 SP1. But the boot error is still the same: "ntoskrnl.exe is corrupted or missing..."

**Background:**
  1. Before the reboot, there was a Windows update going on. Then something unknown happened, and almost all processes were unable to run, including the Windows Task Manager, taskmgr.exe.

  2. After mounting the hard disk on another computer, it seems that all hardlinks within the C:\Windows\System32 folder were gone.

  3. I tried several data recovery programs, but they were not able to find those disappeared NTFS hard links.

So the question is:
Where is the information about those hard links stored? And how can they be recovered? Do they depend on some Windows service, or are they stored in the registry?
