mirror of
https://git.code.sf.net/p/ntfs-3g/ntfs-3g.git
synced 2024-11-23 18:14:24 +08:00
4278fbb7f6
The new ntfsrecover option --kill-fast-restart can be used to delete the Windows fast-restart indication before playing the log. This can lead to data loss, but is needed before mounting a partition improperly unmounted from Windows when remounting on Windows is inconvenient.
173 lines
6.6 KiB
Groff
173 lines
6.6 KiB
Groff
.\" Copyright (c) 2015 Jean-Pierre Andre
|
|
.\" This file may be copied under the terms of the GNU Public License.
|
|
.\"
|
|
.TH NTFSRECOVER 8 "September 2015" "ntfs-3g @VERSION@"
|
|
.SH NAME
|
|
ntfsrecover \- Recover updates committed by Windows on an NTFS volume
|
|
.SH SYNOPSIS
|
|
\fBntfsrecover\fR [\fIoptions\fR] \fIdevice\fR
|
|
.SH DESCRIPTION
|
|
.B ntfsrecover
|
|
applies to the metadata the updates which were requested on Windows but could
|
|
not be completed because they were interrupted by some event such as a power
|
|
failure, a hardware crash, a software crash or the device being unplugged.
|
|
Doing so, the file system is restored to a consistent state, however updates
|
|
to user data may still be lost.
|
|
|
|
Updating the file system generally requires updating several records which
|
|
should all be made for the file system to be kept consistent. For instance,
|
|
creating a new file requires reserving an inode number (set a bit in a bit
|
|
map), creating a file record (store the file name and file attributes), and
|
|
registering the file in a directory (locate the file from some path). When an
|
|
unfortunate event occurs, and one of these updates could be done but not all
|
|
of them, the file system is left inconsistent.
|
|
|
|
A group of updates which have all to be done to preserve consistency is
|
|
called a transaction, and the end of updates within a transaction is called
|
|
the commitment of the transaction.
|
|
|
|
To protect from unfortunate events, Windows first logs in a special file all
|
|
the metadata update requests without applying any, until the commitment is
|
|
known. If the event occurs before the commitment, no update has been made and
|
|
the file system is consistent. If the event occurs after the update, the log
|
|
file can be analyzed later and the transactions which were committed can be
|
|
executed again, thus restoring the integrity of the file system.
|
|
|
|
.B ntfsrecover
|
|
similarly examines the log file and applies the updates within committed
|
|
transactions which could not be done by Windows.
|
|
|
|
Currently, ntfs-3g does not log updates, so
|
|
.B ntfsrecover
|
|
cannot be used to restore consistency after an unfortunate event occurred
|
|
while the file system was updated by Linux.
|
|
|
|
.SH OPTIONS
|
|
Below is a summary of all the options that
|
|
.B ntfsrecover
|
|
accepts. The normal usage is to use no option at all, as most of these
|
|
options are oriented towards developers needs.
|
|
|
|
Nearly all options have two equivalent names. The short name is
|
|
preceded by
|
|
.B \-
|
|
and the long name is preceded by
|
|
.BR \-\- .
|
|
Any single letter options, that don't take an argument, can be combined into a
|
|
single command, e.g.
|
|
.B \-bv
|
|
is equivalent to
|
|
.BR "\-b \-v" .
|
|
Long named options can be abbreviated to any unique prefix of their name.
|
|
.TP
|
|
\fB\-b\fR, \fB\-\-backward\fR
|
|
Examine the actions described in the logfile backward from the latest one to
|
|
the earliest one without applying any update. This may encompass records
|
|
generated during several sessions, and when Windows is restarted, it often
|
|
does not restart writing where it ended the previous session, so this leads
|
|
to errors and bad sequencing when examining the full log file.
|
|
.TP
|
|
\fB\-c\fR, \fB\-\-clusters\fR \fBCLUSTER-RANGE\fR
|
|
Restrict the output generated when using options -b -f -u -p
|
|
to the actions operating on a cluster within the given cluster range.
|
|
CLUSTER-RANGE is defined by the first and last cluster numbers separated
|
|
by a hyphen, for instance 100-109 or 0x3e8-0x3ff. A single number means
|
|
restricting to a single cluster. The first four log blocks have a special
|
|
role and they are always shown.
|
|
.TP
|
|
\fB\-f\fR, \fB\-\-forward\fR \fBNUM\fR
|
|
Examine the actions described in the logfile forward from the first one to
|
|
the last one without applying any update. As the log file is reused
|
|
circularly, the first one is generally not the earliest. Moreover when
|
|
Windows is restarted, it often does not restart writing where it ended the
|
|
previous sessions, and this leads to errors when examining a log file
|
|
generated during several sessions.
|
|
.TP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
Show some help information.
|
|
.TP
|
|
\fB\-k\fR, \fB\-\-kill\-fast\-restart\fR
|
|
When Windows has been interrupted with fast restart mode activated,
|
|
part of pending changes are kept in the Windows cache and only the same
|
|
Windows version can recover them. This option can be used to apply the
|
|
changes recorded in the log file and drop the ones in the Windows cache.
|
|
This is dangerous and may cause loss of data.
|
|
.TP
|
|
\fB\-n\fR, \fB\-\-no-action\fR
|
|
Do not apply any modification, useful when using the options -p, -s or -u.
|
|
.TP
|
|
\fB\-p\fR, \fB\-\-play\fR \fBCOUNT\fR
|
|
Undo COUNT transaction sets and redo a single one, a transaction set being
|
|
all transactions between two consecutive checkpoints. This is useful for
|
|
replaying some transaction in the past. As a few actions are not undoable,
|
|
this is not always possible.
|
|
.TP
|
|
\fB\-r\fR, \fB\-\-range\fR \fBBLOCK-RANGE\fR
|
|
Examine the actions described in the logfile forward restricted to the
|
|
requested log file block range without applying any update. The first four
|
|
log blocks have a special role and they are always examined.
|
|
.TP
|
|
\fB\-s\fR, \fB\-\-sync\fR
|
|
Sync the file system by applying the committed actions which have not
|
|
been synced previously. This is the default option, used when none of
|
|
the options -n, -f, -r, -p and -u are present.
|
|
|
|
The option -s can be repeated to request applying the committed actions
|
|
mentioned in the obsolete restart page. This is useful for testing the
|
|
situations where the latest restart page cannot be read though it can
|
|
actually be read.
|
|
.TP
|
|
\fB\-t\fR, \fB\-\-transactions\fR \fBCOUNT\fR
|
|
Display the transaction parameters when examining the log file with one
|
|
of the options --forward, --backward or --range.
|
|
.TP
|
|
\fB\-u\fR, \fB\-\-undo\fR \fBCOUNT\fR
|
|
Undo COUNT transaction sets, thus resetting the file system to some
|
|
checkpoint in the past, a transaction set being all transactions between
|
|
two consecutive checkpoints. As a few actions are not undoable, this is
|
|
not always possible.
|
|
.TP
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
Display more debug/warning/error messages. This option may be used twice
|
|
to display even more information.
|
|
.TP
|
|
\fB\-V\fR, \fB\-\-version\fR
|
|
Show the version number, copyright and license of
|
|
.BR ntfsrecover .
|
|
.SH EXAMPLES
|
|
Sync an NTFS volume on /dev/sda1.
|
|
.RS
|
|
.sp
|
|
.B ntfsrecover -s /dev/sda1
|
|
.sp
|
|
.RE
|
|
Display all actions which updated a cluster in range 100 to 119 :
|
|
.RS
|
|
.sp
|
|
.B ntfsrecover --verbose --backward --clusters=100-119 /dev/sda1
|
|
.sp
|
|
.RE
|
|
.SH BUGS
|
|
If you find a bug please send an email describing the problem to the
|
|
development team:
|
|
.br
|
|
.nh
|
|
ntfs\-3g\-devel@lists.sf.net
|
|
.hy
|
|
.SH AUTHORS
|
|
.B ntfsrecover
|
|
was written by Jean-Pierre Andre
|
|
.SH AVAILABILITY
|
|
.B ntfsrecover
|
|
is part of the
|
|
.B ntfs-3g
|
|
package and is available from:
|
|
.br
|
|
.nh
|
|
http://www.tuxera.com/community/
|
|
.hy
|
|
.SH SEE ALSO
|
|
.BR ntfs-3g (8),
|
|
.BR ntfsfix (8),
|
|
.BR ntfsprogs (8)
|