Aug 22, 2016 Here comes a free “Software Repair Tool” by Microsoft to fix Windows 10 problems. This tool can fix many system problems and other issues. Everything is done automatically. However, for some issues, it asks your permission before repairing or enabling them.
The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
- Read the official guide to the Sysinternals tools, Troubleshooting with the Windows Sysinternals Tools
- Read the Sysinternals Blog for a detailed change feed of tool updates
- Watch Mark’s top-rated Case-of-the-Unexplained troubleshooting presentations and other webcasts
- Read Mark’s Blog, which highlights use of the tools to solve real problems
- Check out the Sysinternals Learning Resources page
- Post your questions in the Sysinternals Forum
Sysinternals Live
Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
You can view the entire Sysinternals Live tools directory in a browser at https://live.sysinternals.com/.
What's New
What's New (June 11, 2019)
- Sysmon v10.0
This release of Sysmon adds DNS query logging, reports OriginalFileName in process create and load image events, adds ImageName to named pipe events, logs pico process creates and terminates, and fixes several bugs.
- Autoruns v13.95
This Autoruns update adds support for redirected user Shell folders.
What's New (February 18, 2019)
- Sysmon v9.0
Sysmon v9.0 introduces rule groups that enable the specification of AND or OR matching logic across a set of rules. It also fixes a memory leak in signature verification.
What's New (December 18, 2018)
- Sysmon v8.04
This release reverted the filtering change made in 8.02 as this broke a number of configuration files. We are planning to revisit and enhance the filtering in the new year. It also fixed a BSOD in legacy named pipe filter used on Windows 7 and earlier, and a kernel memory leak that occurred when the configuration is reloaded.
What's New (October 17, 2018)
- Sigcheck v2.7
The Windows WinVerifyTrust function reports signed MSI files that have malware appended to them as signed, so Sigcheck now indicates when appended content is present.
What's New (September 17, 2018)
What's New (July 5, 2018)
- Sysmon v8.0
Sysmon now includes the ability to tag rules so that event log entries include the rule tag that generated them, as well as several bug fixes.
- Autoruns v13.90
Autoruns now includes Runonce*Depend entries, adds GPO logon and logoff locations, and fixes a bug in WMI path parsing.
What's New (February 13, 2018)
- Autoruns v13.82
This Autoruns release shows Onenote addins and fixes several bugs.
- Process Monitor v3.50
Process Monitor now includes a /runtime switch to control headless capture duration, correctly shows picoprocesses, displays details for file system APIs introduced in Windows 10, and includes numerous minor improvements and bug fixes.
What's New (January 2, 2018)
- Sysmon v7.0
Sysmon now logs file version information, and the option to dump the configuration schema adds the ability to dump an older schema or dump all historical schemas.
What's New (November 19, 2017)
- Sysmon v6.20
This Sysmon release adds the ability to change the Sysmon service and driver names to foil malware that use them to detect its presence.
- Whois v1.20
Whois, a command-line utility that reports domain registration information for the specified domain, works with new whois registry server redirects.
What's New (September 11, 2017)
- Sysmon v6.10
This update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, adds monitoring of WMI filters and consumers, an autostart mechanism commonly used by malware, and fixes a bug in image load filtering.
- Process Monitor v3.40
Process Monitor, a file system, registry, process and network real-time monitor, now includes a /runtime switch for terminating monitoring after a specified amount of time, when in hexadecimal mode shows process tree process IDs in hexadecimal, and fixes a bug in automated boot log conversion.
- Autoruns v13.80
This release of Autoruns, a utility for viewing and managing autostart execution points (ASEPs), adds additional autostart entry points, has asynchronous file saving, fixes a bug parsing 32-bit paths on 64-bit Windows, shows the display name for drivers and services, and fixes a bug in offline Virus Total scanning.
What's New (May 16, 2017)
- ProcDump v9.0
This major update to ProcDump, a utility that enables process dump capture based on a variety of triggers, introduces the ability to capture multiple dump sizes. This is particularly useful when capturing crash dumps of applications susceptible to termination due to unresponsiveness (e.g. IIS Ping killing w3wp.exe). This release also adds support for an associated Kernel Dump of the process that includes the kernel stacks of the process.
What's New (February 17, 2017)
- Sysmon v6
This release of Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, introduces an option that displays event schema, adds an event for Sysmon configuration changes, interprets and displays registry paths in their common format, and adds named pipe create and connection events (thanks to Giulia Biagini for the contribution). Check out the related presentation from Mark’s RSA Conference, “How to Go From Responding to Hunting with Sysinternals Sysmon.”
- Autoruns v13.7
Autoruns, an autostart entry point management utility, now reports print providers, registrations in the WMI\Default namespace, fixes a KnownDLLs enumeration bug, and has improved toolbar usability on high-DPI displays.
- AccessChk v6.1
This update to AccessChk, a command-line utility that shows effective and actual permissions for file, registry, service, process object manager, and event logs, now reports Windows 10 process trust access control entries and token security attributes.
How to Use BitLocker Repair Tool to Recover Encrypted Drive in Windows
When you turn on BitLocker for a fixed data drive, you can choose to unlock the drive using a password or smart card. If you turned on BitLocker for the OS drive, then you could also choose to automatically unlock a fixed data drive when you sign in to Windows.
When you turn on BitLocker for a removable data drive, you can choose to unlock the drive using a password, smart card, or automatically unlock when connected.
When you turn on BitLocker for an OS drive, you can choose to unlock the drive at startup with a password, USB flash drive, PIN (with TPM), or automatically unlock.
You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information, leaving you unable to unlock the OS drive, fixed drive, or removable drive normally. This kind of problem may be caused by a hard disk failure or by Windows exiting unexpectedly.
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid BitLocker password, recovery key, or startup key (.BEK file) is used to decrypt the data.
To recover a damaged OS drive, you must run the BitLocker Repair Tool from a different Windows installation: either connect the OS drive to another PC, or, if the PC is multi-boot, start another Windows installation on the same PC and run the tool from there.
You will need to have an empty output volume (drive) of equal or larger size than the damaged BitLocker encrypted drive. The contents of the output volume will be completely deleted and overwritten by the decrypted contents of the damaged BitLocker drive.
The following limitations exist for Repair-bde:
- The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
This tutorial will show you how to use the BitLocker Repair Tool (repair-bde) to recover the contents of a damaged drive encrypted by BitLocker in Windows 7, Windows 8, and Windows 10.
You must be signed in as an administrator to use the BitLocker Repair Tool.
For Windows 7, BitLocker Drive Encryption is only available in the Windows 7 Professional and Windows 7 Enterprise editions.
For Windows 8/8.1, BitLocker Drive Encryption is only available in the Windows 8 Pro and Windows 8 Enterprise editions.
For Windows 10, BitLocker Drive Encryption is only available in the Windows 10 Pro, Enterprise, and Education editions.
CONTENTS:
- Option One: Recover Damaged BitLocker Drive with BitLocker Repair Tool using Password
- Option Two: Recover Damaged BitLocker Drive with BitLocker Repair Tool using Recovery Key
- Option Three: Recover Damaged BitLocker OS Drive with BitLocker Repair Tool using Startup Key
EXAMPLE: Before and after using BitLocker Repair Tool
Option One: Recover Damaged BitLocker Drive with BitLocker Repair Tool using Password
1. Open an elevated command prompt.
2. Type the command below into the elevated command prompt, and press Enter. (see screenshot below)
repair-bde <source drive letter>: <output drive letter>: -pw -f
Substitute <source drive letter> in the command above with the actual drive letter (ex: 'H') of the damaged BitLocker drive you want to recover.
Substitute <output drive letter> in the command above with the actual drive letter (ex: 'E') of the empty drive you want to copy the contents of the BitLocker drive to. The output drive needs to be of equal or larger size than the damaged BitLocker encrypted drive. The contents of the output drive will be completely deleted and overwritten by the decrypted contents of the damaged BitLocker drive.
For example:
repair-bde H: E: -pw -f
3. When prompted, enter the BitLocker password used to unlock this drive, and press Enter. (see screenshot below)
4. Run chkdsk on the output drive (ex: 'E') if ACTION REQUIRED. (see screenshot above and below)
5. You can now close the elevated command prompt.
Option Two: Recover Damaged BitLocker Drive with BitLocker Repair Tool using Recovery Key
1. Open an elevated command prompt.
2. Type the command below into the elevated command prompt, and press Enter. Make note of the first section of numbers (ex: '1C689B42') for the Numerical Password ID. This is the key ID to help ID the recovery key for this drive. (see screenshot below)
manage-bde -protectors -get <drive letter>:
Substitute <drive letter> in the command above with the actual drive letter (ex: 'H') of the BitLocker drive you want to recover.
For example:
manage-bde -protectors -get H:
3. Go to where you backed up the BitLocker recovery key for this drive. Look for the 48-digit recovery key for this drive that matches its key ID (ex: '1C689B42') from step 2 above. (see screenshot below)
4. Type the command below into the elevated command prompt, press Enter. (see screenshot below)
repair-bde <source drive letter>: <output drive letter>: -rp <recovery key> -f
Substitute <source drive letter> in the command above with the actual drive letter (ex: 'H') of the damaged BitLocker drive you want to recover.
Substitute <output drive letter> in the command above with the actual drive letter (ex: 'E') of the empty drive you want to copy the contents of the BitLocker drive to. The output drive needs to be of equal or larger size than the damaged BitLocker encrypted drive. The contents of the output drive will be completely deleted and overwritten by the decrypted contents of the damaged BitLocker drive.
Substitute <recovery key> in the command above with the 48-digit recovery key from step 3 above for the BitLocker drive (ex: 'H').
For example:
repair-bde H: E: -rp 659395-153670-001177-404635-666061-005951-081125-304997 -f
5. Run chkdsk on the output drive (ex: 'E') if ACTION REQUIRED. (see screenshot above and below)
6. You can now close the elevated command prompt.
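Added example (not part of the original tutorial): a PowerShell pre-flight wrapper for the recovery-key command above. It rejects a mistyped recovery key and an output drive that is too small or still holds files before repair-bde overwrites it. The function names are hypothetical, the drive letters H and E follow the tutorial's examples, and Get-Partition assumes Windows 8 or later.

```powershell
# Added example, not the tutorial author's code. Run from an elevated PowerShell prompt.

function Test-RecoveryPassword {
    param([Parameter(Mandatory)][string]$Key)
    # A recovery key is 8 hyphen-separated groups of 6 digits (48 digits in total).
    if ($Key -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in $Key -split '-') {
        $n = [int]$group
        # Each group encodes a 16-bit value multiplied by 11, which catches most typos.
        if ($n % 11 -ne 0 -or ($n / 11) -ge 65536) { return $false }
    }
    return $true
}

function Test-OutputVolume {
    param([Parameter(Mandatory)][char]$Source, [Parameter(Mandatory)][char]$Output)
    $src = Get-Partition -DriveLetter $Source -ErrorAction Stop
    $out = Get-Partition -DriveLetter $Output -ErrorAction Stop
    # The output volume must be of equal or larger size than the damaged drive.
    if ($out.Size -lt $src.Size) {
        throw "Output ${Output}: ($($out.Size) bytes) is smaller than source ${Source}: ($($src.Size) bytes)."
    }
    # repair-bde deletes and overwrites the output volume, so refuse one that holds files.
    $items = Get-ChildItem -LiteralPath "${Output}:\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin 'System Volume Information', '$RECYCLE.BIN' }
    if ($items) {
        throw "Output ${Output}: is not empty ($(@($items).Count) item(s)); refusing to overwrite it."
    }
}

$source = 'H'   # damaged BitLocker drive (tutorial example letter)
$output = 'E'   # empty output drive (tutorial example letter)

# Read the key interactively so it does not end up in a script file or console history.
$key = Read-Host "Recovery key for ${source}: (8 groups of 6 digits)"
if (-not (Test-RecoveryPassword $key)) {
    throw 'Recovery key is malformed: expected 8 groups of 6 digits, each divisible by 11.'
}
Test-OutputVolume -Source $source -Output $output

# Same command as step 4 of the tutorial.
& repair-bde.exe "${source}:" "${output}:" -rp $key -f
if ($LASTEXITCODE -ne 0) { throw "repair-bde exited with code $LASTEXITCODE." }

# Read-only chkdsk pass on the output drive; rerun with /f if it reports problems.
& chkdsk.exe "${output}:"
```

The size and emptiness checks apply equally to the password (-pw) and startup key (-rk) options; only the repair-bde line changes.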
Option Three: Recover Damaged BitLocker OS Drive with BitLocker Repair Tool using Startup Key
1. Open an elevated command prompt.
2. Type the command below into the elevated command prompt, and press Enter. Make note of the External Key File Name. This is the name of the BitLocker startup key file for this OS drive. (see screenshot below)
manage-bde -protectors -get <drive letter>:
Substitute <drive letter> in the command above with the actual drive letter (ex: 'C') of the BitLocker OS drive you want to recover.
For example:
manage-bde -protectors -get C:
3. Type the command below into the elevated command prompt, press Enter. (see screenshot below)
repair-bde <source OS drive letter>: <output drive letter>: -rk "<Full path of startup key .BEK file>" -f
Substitute <source OS drive letter> in the command above with the actual drive letter (ex: 'C') of the damaged BitLocker OS drive you want to recover.
Substitute <output drive letter> in the command above with the actual drive letter (ex: 'E') of the empty drive you want to copy the contents of the BitLocker drive to. The output drive needs to be of equal or larger size than the damaged BitLocker encrypted drive. The contents of the output drive will be completely deleted and overwritten by the decrypted contents of the damaged BitLocker drive.
Substitute <Full path of startup key .BEK file> in the command above with the actual full path of where the startup key .BEK file from step 2 above is saved at for the BitLocker OS drive (ex: 'C').
For example:
repair-bde C: E: -rk "G:\CFB586D0-6A39-422E-B232-1BE2EDDFA0D6.BEK" -f
4. Run chkdsk on the output drive (ex: 'E') if ACTION REQUIRED. (see screenshot above and below)
5. You can now close the elevated command prompt.
That's it,
Shawn