Taking a look at Executive Software's Undelete 2.0

It's easy to retrieve a deleted file in Windows NT—if you're using Executive Software's Undelete 2.0. Troy Thompson gives you the background on this handy, third-party tool in this Daily Drill Down.

How many times has this happened to you? You’re cleaning up the directories on your hard drive and delete a bunch of useless files. Just as soon as you erase the files, you suddenly remember that they weren’t so useless. Panic ensues.

It used to be that when you deleted a file in Windows NT, you were finished; you couldn’t get the file back. Fortunately, there are third-party tools you can use to fix this problem. In this article, I’ll look at one of them—-Executive Software’s Undelete 2.0.

What does it do?
Undelete 2.0 can recover files that have been deleted from your Windows NT and Windows 2000 computers. It supports NTFS, FAT16, and FAT32 file systems. Undelete also supports a wide range of SCSI and IDE disks, including:
  • Primary partitions
  • Extended partitions
  • Logical drives
  • Volume sets
  • Mirror sets
  • RAID arrays
  • Removable disks

Server vs. workstation versions
There are two different versions of Undelete, one for workstations and one for servers. Both will retrieve deleted files even if they have been deleted from a command prompt or emptied from the Recycle Bin. The server version will also allow you to recover files that have been deleted from other computers on your network as long as they have the Undelete program installed.

How Undelete works
After you install Undelete, it keeps track of the files you delete. It intercepts the request to delete files and places the files in a Recovery Bin. This allows you to easily recover files that have been deleted. To recover compressed files on NTFS permissions, you must have Undelete installed prior to the deletion of those files.

If the files were deleted before Undelete was installed, in many instances, it’s still possible to recover them. This is because Windows NT/2000 doesn’t actually remove files from the disk but marks the space where the file resides as free space. Therefore, Undelete can be successful only if the free space that’s occupied by a deleted file is not overwritten.

When Undelete recovers a file, it actually makes a copy of the deleted file. Thus, it is recommended that files be recovered to a new volume so there’s no chance that the space marked as free will be overwritten during the recovery process. Undelete adheres to the security of the Windows operating system requiring the user who is trying to recover the files to be a member of the Administrators group and have adequate file permissions.

How does the installation affect the workstation?
When installed, Undelete will supersede other data-recovery programs on your computer, including Recycle Bin. The installation process creates a new service that will allow Undelete to run in the background while other applications are running. The service is set to start automatically each time you restart Windows. The installation procedure is straightforward. It confirms that you have administrator rights, determines the Windows version you’re running, checks for necessary disk space, updates the registry, and replaces the Recycle Bin with its Recovery Bin.

Executive Software recommends that you uninstall Undelete before applying any Windows service packs. This will ensure that the service pack does not modify Undelete registry values. To uninstall Undelete, use the Add/Remove Programs icon in Control Panel. You may also need to manually remove the Undelete installation directory.

Distributing Undelete using System Management Server
If you’re running Microsoft’s System Management Server (SMS), you can install Undelete as a distributed installation. By default, SMS will install Undelete in the \ExecSoft\Undelete directory. To change the default installation directory for Windows NT, you can edit the Setup.iss file and change the line

to point to the volume and directory where you want to install Undelete.

For Windows 2000, you can share the directory where the Undelete installable files reside, then log in to the target machine and run DiskeeperServer.msi or DiskeeperWorkstation.msi from the target machine. SMS also allows you to run the Repackage Installation Wizard to create a software package for distribution.

Emergency Undelete
Once a file is deleted, the chance that you can fully recover the file decreases when other activity occurs on the same disk volume. Emergency Undelete is a feature that allows you to recover by running Undelete from a CD. This procedure writes only about 8 KB of data to your drive, decreasing the risk that the Undelete program will overwrite the file to be recovered.

You can uninstall Emergency Undelete by using the Add/Remove Programs icon in Control Panel. Emergency Undelete runs directly off your CD-ROM drive, installing only a new registry key.

When a file has been accidentally deleted, all activity on the disk should be stopped. Do not save any open files because doing so may overwrite part of the deleted file. If the computer is connected to a network, disconnect the network cable to prevent disk activity from a remote user. Deleted files that conform to the DOS 8.3 standard will have the first character in their name replaced with a tilde (~).

Emergency Undelete does have some limitations, though. Only small and large file types can be recovered on an NTFS partition. Both of these file types contain all of their information within a single file in the Master File Table (MFT). Emergency Undelete cannot recover compressed, sparse, or encrypted files. FAT32 volumes are supported only in Windows 2000. In addition, you can recover files from only the local disk volumes.

Recovery Bin exclusions
If there are files that you will delete that you know you won’t want to recover, you can exclude them from being sent to the Recovery Bin. An example of this may be a Temp directory or files that end with the .tmp extension. The Recovery Bin Exclusion List supports wildcard file specifications, which makes it easy to specify a particular type of file to exclude. You can access the Exclusion List, shown in Figure A, from the Recovery Bin menu option.

Figure A
You can exclude items from Undelete’s protection.

Using Undelete
Once Undelete is installed on your computer, you can access it by double-clicking the Recovery Bin icon on your desktop. When you do, you’ll see the screen shown in Figure B. As you can see, Undelete’s initial screen is fairly easy to understand.

Figure B
You undelete files from here.

You must navigate through the menu structure or search for the file you wish to recover. Once you’ve located the file to recover, you can right-click the file and choose to Recover, Delete, or Exclude it. If you choose Recover, you’ll be presented with a screen that allows you to recover the file to its original location or to an alternate location, as shown in Figure C.

Figure C
You can restore files to their original or an alternate location.

Once you choose to recover the file, it will no longer be listed in the Recovery Bin. You can choose to recover multiple files by holding down either the [Shift] key or the [Ctrl] key and selecting them with the mouse.

Recovery Bin properties
There are several options you can configure in the Recovery Bin properties. You can configure the size of each Recovery Bin and what should happen when it reaches its maximum size. The default size is 20 percent of the drive.

You can choose to have a separate Recovery Bin for each drive or to have just a single Recovery Bin for all drives. Enabling Recovery Bin on all drives will give each drive its own Recovery Bin. When the Recovery Bin is enabled for all drives, files that are moved to the Recovery Bin will be stored in directory folders named \RecoveryBin\ on each of the drives. From the Properties page, you can also configure other options, such as whether you want to save zero-length files.

Using Undelete from a command prompt
In addition to its Graphical User Interface (GUI), Undelete can also be used from the MS-DOS command prompt. Both the Recovery Bin and the Undelete From Disk features are supported. The two commands that can be used are Reclaim and Undelete.

If you type Reclaim /? from a command prompt, you’ll see the following syntax:
reclaim [Search_Pattern] [/i] [/r] [/d] [/?].

Let’s examine the individual components of this syntax:
  • Search_Pattern specifies the drive letter, path, and filename.
  • [/i] (include) causes the files that match the other specified search pattern criteria in all underlying subdirectories to be listed.
  • [/r] (recover) causes the listed files to be recovered from the Recovery Bin. When using /r, you’ll be prompted to confirm the recovery of the files.
  • [/d] (delete) causes the listed files to be removed from the Recovery Bin. When using /d, you’ll be prompted to confirm the removal of the files.

For example, if you type reclaim \Documents\*.doc /i /r at the DOS prompt and press [Enter], you’ll see all Recovery Bin files with the extension of .doc in the Documents folder and all underlying subfolders as well. Then you’ll have the option to recover the files listed.

The Undelete command lists and recovers deleted files directly from the disk. If you type Undelete /? from a command prompt, you’ll see the following syntax:
undelete Search_Pattern [/d=destination_path] [/i] [/?]
  • Search_Pattern specifies the drive letter, path, and filename to search for deleted files. The wildcard characters ? and * are permitted.
  • [/d] (destination) specifies the destination of the files to be retrieved. If you do not use this parameter, the files that match the search pattern that are candidates to be retrieved will be listed but not recovered. To recover the files, you must specify a valid drive letter and directory folder for the destination.
  • [/i] (include) causes the files that match the other specified search pattern criteria in all underlying subdirectories to be listed.

Undelete is a powerful utility. In this Daily Drill Down, I’ve shown that Undelete is easy to use and that its ability to recover files from a variety of file systems and disk types makes it invaluable. You can find out more about pricing and support for Undelete at Executive Software’s Web site.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.