How to fix RAW filesystem issue in place

As of now, RAW file system issue is the same in all versions of Windows. This can either be due to a corrupted filesystem boot sector or corrupted main filesystem metadata entries such as the MFT (Master File Table) in NTFS.

We did some research to find out which metadata corruption leads to which errors. Before discussing the results, we need to understand what kind of metadata structures are on the disk and what format they have. The main metadata for an NTFS volume are NTFS boot sector and both MFT records: main and mirror.

NTFS boot sector

It should be located at the sector 0 of the NTFS-formatted volume. The Windows driver gets the location of the NTFS volume from the corresponding partition table (GPT or old MBR) and then goes there to check the NTFS boot sector. A healthy NTFS boot sector looks like that (we use free ReclaiMe Disk Editor to view a RAW disk content):

NTFS boot sector on-disk layout

All fields are important but the most important ones are: 55 AA signature at the end of the sector (last two bytes), word NTFS at the beginning (starting with the third byte), the pointers to the MFT starting cluster and MFT mirror starting cluster.

First, in our experiment, we zeroed 55 AA signature (last two bytes) and Windows immediately changed the status of the drive in Disk Management – now it is just a healthy partition and no filesystem. If you try to open the disk, you get the "F:\ is not accessible. Access is denied" message.

RAW disk is not accessible Disk Management for RAW disk shows uninitialized

Edited NTFS boot sector:

Edited boot sector

If we change those bytes back to 55 AA, we get the volume back as well with all the data available for access. However, you need to reconnect the disk to the PC so that the Windows driver scans the disk again rather than uses some kind of cache data.

Undo editing boot sector

Main MFT record

From the NTFS boot, we can get the pointer to the sector where the main NTFS metadata record (MFT) is located. Below is how it typically looks:

MFT on disk layout

If we overwrite, for example, the first 4 bytes (signature FILE) with zeroes like this:

MFT edited

The disk is no longer accessible with the same "Access is denied" error message. However, if we reconnect the disk to the PC we find out that the OS can access the disks and display files and folders. This is because there are two copies of the MFT main metadata and obviously, the Windows driver uses the mirror copy to open the disk when the main copy looks invalid. Let’s zero the FILE signature on the mirror copy as well like this:

MFT mirror edited

The disk immediately become inaccessible. When we reconnect the disk to the PC, we get the message saying that the "Disk structure is corrupted and unreadable".

Disk structure is corrupted and unreadable

Click OK and finally get the RAW filesystem issue:

Disk Management RAW drive

If we revert all the changes we made to the metadata and reconnect the drive, we get access to the files and folders as it was before.

So in case of RAW filesystem issue, you can try to check NTFS boot sector and MFT records with disk editor and probably try to edit them if you see the obvious damage like those we made above. However, it should be noted that the metadata editing approach is not safe, as it can lead to even more data loss. If you want to safely recover data from a RAW disk, then read the instructions on how to extract data from a RAW disk in read-only mode.

Still have questions?