SystemRescue (formerly named SystemRescueCd) is a bootable Linux rescue toolset for repairing or manipulating your partitions and data on a disk. This post shows how to quickly mount a Windows NTFS file system to recover files.
1) Download the ISO and burn it to CD. Or, if you are rescuing a Windows VM, you will just mount the ISO.
https://www.system-rescue.org/Download/
2) Boot to SystemRescue. If you are working on a physical host, you may need to change you BIOS setting to boot the CD/DVD drive first. If a VM, make sure you attach the ISO and modify your boot order if needed. When presented to you, select “Boot SystemRescue using default options.” The Live CD option will load and when prompted, enter:
[root@sysrescue ~]# startx
3) The desktop will load and provide access to various tools. When the desktop is loaded, you can either enable the network or mount a USB drive to insert a file (drivers, tweaks, etc.) or retrieve files from the file system. Depending on the method you choose, see Network Access or USB Drive Access below for the steps.
a) Network Access. In the lower right corner, right-click the rotating swoosh and green dots icon and select edit connections. Select Wired Connection 1 and click the gear icon at the bottom. On the IPv4 Settings tab, select Method, then Manual, click Add and enter an IP address, Mask, Gateway, DNS (if DNS is needed) and click Save. It can take about 10 seconds for the settings to apply and the network service to restart. Ping to verify that it is up.
b) To quickly enable SSH/SCP/SFTP and securely harvest files over the network:
[root@sysrescue ~]# systemctl enable sshd
[root@sysrescue ~]# systemctl start sshd
[root@sysrescue ~]# systemctl disable iptables
[root@sysrescue ~]# systemctl stop iptables
[root@sysrescue ~]# passwd (to reset the root password)
c) Launch an Xterm, Putty or Powershell on a remote host to verify access. For example in an xterm or Powershell:
> ssh root@ip.you.assigned.above
d) If using Filezilla: to drag and drop/copy files to or from, enter these parameters and click QuickConnect.
Host: sftp://ip.you.assigned.above
Username: root
Password: root’s password
Port: 22
e) USB Drive Access. Insert a USB drive to the physical host or attach a USB device to a VM. In this case, the device ID below a simple 2 GB, vfat formatted PNY USB stick.
[root@sysrescue ~]# blkid (to find your USB device such as the one listed below on /dev/sdb1)
/dev/sdb1: LABEL=”SYSRCD-5″ UUID=”90BB-72F0″ BLOCK_SIZE=”512″ TYPE=”vfat” PARTUUID=”04aa1751-01″
f) Mount the USB device. Once mounted, you can move or copy files to or from the /usbdrive mount point.
[root@sysrescue ~]# mkdir /usbdrive
[root@sysrescue ~]# mount /dev/sdb1 /usbdrive
[root@sysrescue ~]# ls -l /usbdrive
drwxr-xr-x 2 root root 4096 Nov 22 2019 ‘System Volume Information’
4) Check for the Windows partition.
[root@sysrescue ~]# blkid | grep ntfs
/dev/sda2: BLOCK_SIZE=”512″ UUID=”ECF28F77F28F44B4″ TYPE=”ntfs” PARTUUID=”03fdd544-02″
/dev/sda1: LABEL=”System Reserved” BLOCK_SIZE=”512″ UUID=”240E8ECC0E8E9688″ TYPE=”ntfs” PARTUUID=”03fdd544-01″
a) See /dev/sda1 in the list? The partition with LABEL=”System Reserved” is not the one you want to mount. In this case, /dev/sda2 is the Windows OS partition with all of your files, logs, registry, etc.
b) Create a mountpoint and mount the Windows partition.
[root@sysrescue ~]# mkdir -pv /mnt/windows
[root@sysrescue ~]# ntfs-3g /dev/sda2 /mnt/windows
c) Check the new mountpoint.
[root@sysrescue ~]# cd /mnt/windows
[root@sysrescue /mnt/windows]# ls -l
drwxrwxrwx 1 root root 0 Aug 22 2013 ‘$Recycle.Bin’
-rwxrwxrwx 1 root root 427680 Aug 22 2013 bootmgr
-rwxrwxrwx 1 root root 1 Jun 18 2013 BOOTNXT
lrwxrwxrwx 2 root root 23 Aug 22 2013 ‘Documents and Settings’ -> /mnt/windows/Users
-rwxrwxrwx 1 root root 2147483648 Dec 17 20:51 pagefile.sys
drwxrwxrwx 1 root root 0 Aug 22 2013 PerfLogs
drwxrwxrwx 1 root root 4096 Dec 16 19:07 ProgramData
drwxrwxrwx 1 root root 4096 Dec 16 18:37 ‘Program Files’
drwxrwxrwx 1 root root 4096 Apr 16 2021 ‘Program Files (x86)’
drwxrwxrwx 1 root root 0 Nov 27 2020 ‘System Volume Information’
drwxrwxrwx 1 root root 0 May 24 2021 temp_share
drwxrwxrwx 1 root root 4096 Nov 27 2020 Users
drwxrwxrwx 1 root root 0 Nov 27 2020 vboxshare
drwxrwxrwx 1 root root 24576 Dec 17 20:52 Windows
d) You can also launch the GUI File Manager (Thunar) and simply double-click into the /mnt/windows folder. Click the blue X where the Windows Start icon would normally be > select File Manager. Under Devices select File System and then double-click the “mnt” folder and then the “windows” folder. Launch another File Manager window and you can simply drag and drop between the “windows” and “usbdrive” folders.
5) Files of interest. For troubleshooting a broken system, check the following locations.
a) User and log files.
/mnt/windows/Users/<your_username>/Documents
/mnt/windows/Users/<your_username>/Downloads
/mnt/windows/Windows/debug
/mnt/windows/Windows/Logs
/mnt/windows/Windows/Prefetch (useful if it was enabled)
/mnt/windows/Windows/System32/drivers (to remove a buggy driver)
/mnt/windows/Windows/System32/drivers/etc/hosts (to see if IPs were defined)
/mnt/windows/Windows/System32/LogFiles
/mnt/windows/Windows/System32/winevt/Logs (for all of the Windows Event Viewer Logs)
b) Registry files:
/mnt/windows/Windows/System32/config
6) When done, unmount the folders and reboot/shutdown. Change your directory first and umount.
[root@sysrescue /mnt/windows]# cd /
[root@sysrescue ~]# umount /mnt/windows
[root@sysrescue ~]# umount /usbdrive
a) Shutdown the host. Click the blue X in the lower left > Log out > Shutdown.
Excellent post, thanks!
excellent! I used this ISO to restart a windows 11 pc with a damaged boot sector. The ntfs-3g command detected a boot sector malfunction and fixed it automatically.