Hello, recently my PC crashed, thus I lost a few files I was storing on a non-persistent drive. I was wondering if it's possible to extract files from the .REDO_ file?
I'm using VMware 15.5.1 build 15018445.
It depends on what portion of the files has been stored in the redo logs. Redo logs (snapshots) consist of 64k data blocks which have been modified.
To get an idea of what may be possible, please provide a list of files that you have, i.e. paste the text output of either dir*.* (for Windows), or ls -lisa (for Linux) into your next reply.
André
Directory of w:\work_dir
03/05/2021 05:08 PM <DIR> .
03/05/2021 05:08 PM <DIR> ..
02/17/2021 05:55 PM 8,589,934,592 -ccb7b397.vmem
03/05/2021 05:08 PM 2,431,389 -ccb7b397.vmss
03/05/2021 05:08 PM 10,831,003,648 hdd0.vmdk.REDO_a01528
03/05/2021 05:08 PM 3,280,601,088 hdd1.vmdk.REDO_a08620
02/19/2021 08:36 PM 1,572,864 hdd2.vmdk.REDO_a08608
02/19/2021 04:44 PM 786,432 steam.vmdk.REDO_a07036
6 File(s) 22,706,330,013 bytes
2 Dir(s) 71,383,695,360 bytes free
w:\work_dir
Please extract the attached .zip archive, then drag&drop each of the REDO files onto the batch (.cmd) file. Once done, compress/zip the new "Metedata" files, and attach the .zip archive to your next reply.
What the scripts do is check if the files have an expected .vmdk header, and - if so - extract the metadata (header, grain directories, grain tables) from the files.
André
At E:\vmw\Get-VmdkHeader.ps1:5 char:1
+ [CmdletBinding()]
+ ~~~~~~~~~~~~~~~~~
Unexpected attribute 'CmdletBinding'.
At E:\vmw\Get-VmdkHeader.ps1:6 char:1
+ Param(
+ ~~~~~
Unexpected token 'Param' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedAttribute
Which PowerShell version do you run?
André
PSVersion 5.1.17763.1490
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1490
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Windows Server 2019 1809 17763.1637
Not sure what's causing this at the moment. Do you have a Win10 PC on which you can extract the metadata?
André
I just noticed that PowerShell complains about line 5 "At E:\vmw\Get-VmdkHeader.ps1:5 char:1" which is strange.
Do you by chance have some A/V, or endpoint security application, which injects code into scripts?
The first 6 lines should read:
# Extract Metadata from a single VMDK-File, or all VMDK-Files in a Directory
[CmdletBinding()]
Param(
[Parameter(Position=0)]
[String] $FilePath
)
André
I'm a bit confused.
In your previous reply, you listed 4 REDO files on the W: drive, and the attached metadata files are from 2 REDO files on the E: drive, where only one of them matches (at least its size) the previously listed files?
Anyway, I checked the files, and they both point to parent .vmdk files in "E:\my_documents\vmware\machines\actual_desktop", which I assume is what you lost? Correct?
One of the redo files for which you've provided the metadata contains 896 kB worth of changed data, and the other one only 576 kB. Is this what you expect, i.e. what you want/need to restore?
The larger files (hdd0, and hdd1) for which you did not provide the metadata do contain much more changed data, from which it may be possible to successfully recover data.
André
Sorry for the mix-up. I may have accidentally listed the current new folder I use for the VM. Anyway, I'm not entirely comfortable providing hdd1 or 2 metadata because I don't know what exactly that is, since those contain a lot of private/sensitive information.
Yes actual_desktop is the one.
There's a lot of junk on hdd1 and 2 since they are simple empty non-persistent drives where I dump random stuff like downloads, cache, etc. alongside a few files I'd like to keep. Is there any way I could recover the data myself?
Unless the .vmdk files are corrupted, my script will only extract metadata, i.e. the descriptor, and pointer data, but no user data. That's why I provided a source code script.
Anyway, you can certainly try to recover data by yourself. What basically needs to be done, is to create dummy base virtual disks in the original/expected location (you can find the parent path, and file name within the first 1,536 Bytes in the REDO files), format these new virtual disks in the same way as they were originally formatted, then fix the snapshot chain (i.e. set the parentCID in the REDO files to the CID found in the newly created parent virtual disks - using a Hex-Editor). If everything has been done correctly you should be able to mount the snapshots to either your host (VMware Mount Utility - included in VMware Workstation Pro), or to a helper VM, and use a recovery utility to scan the virtual disk for files.
In any case you should - unless already done - keep backups of the files, so that you can revert to them in case it's needed.
André
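As an added example (not part of the thread and not André's script), the read-only Python sketch below pulls the parent path, CID and parentCID out of the first 1,536 bytes of a REDO file and reports the byte offset of the parentCID digits, which is the value the hex-editor step above changes. It assumes the REDO files use VMware's hosted sparse extent layout (KDMV magic, text descriptor at the sector given in the header); the function names and the sample bytes are constructed for illustration.

```python
import re
import struct

SECTOR = 512
# Sparse-extent header fields up to uncleanShutdown (little-endian, packed).
HEADER = struct.Struct("<4sIIQQQQIQQQB")

def read_redo_metadata(data: bytes) -> dict:
    """Parse header + embedded descriptor from the start of a REDO file (read-only)."""
    if len(data) < SECTOR or data[:4] != b"KDMV":
        raise ValueError("no sparse-extent (KDMV) header found")
    (_, version, _flags, capacity, grain, desc_off, desc_size,
     _gtes, _rgd, gd_off, _overhead, unclean) = HEADER.unpack_from(data)
    start = desc_off * SECTOR
    raw = data[start:start + desc_size * SECTOR].split(b"\x00", 1)[0]
    desc = raw.decode("latin-1")  # 1 byte == 1 char, so regex offsets are byte offsets
    meta = {"version": version, "capacity_bytes": capacity * SECTOR,
            "grain_bytes": grain * SECTOR, "gd_offset": gd_off * SECTOR,
            "unclean_shutdown": bool(unclean)}
    for key in ("CID", "parentCID"):
        m = re.search(rf"^{key}=([0-9a-fA-F]{{8}})\s*$", desc, re.M)
        meta[key] = m.group(1).lower() if m else None
        # Absolute file offset of the 8 hex digits (where a hex editor would land).
        meta[key + "_offset"] = start + m.start(1) if m else None
    m = re.search(r'^parentFileNameHint="(.*)"\s*$', desc, re.M)
    meta["parent_hint"] = m.group(1) if m else None
    return meta

def chain_ok(child: dict, parent_cid: str) -> bool:
    """True when the child's parentCID equals the CID of the intended parent disk."""
    return child["parentCID"] is not None and child["parentCID"] == parent_cid.lower()

def make_sample(parent_cid: str = "1a2b3c4d") -> bytes:
    """Constructed 1,536-byte sample (not taken from any real disk)."""
    hdr = HEADER.pack(b"KDMV", 1, 3, 2048, 128, 1, 2, 512, 0, 21, 128, 0)
    desc = ("# Disk DescriptorFile\nversion=1\nCID=fffffffe\n"
            f"parentCID={parent_cid}\n"
            'createType="monolithicSparse"\n'
            'parentFileNameHint="X:\\example\\base.vmdk"\n').encode("ascii")
    return hdr.ljust(SECTOR, b"\x00") + desc.ljust(2 * SECTOR, b"\x00")

if __name__ == "__main__":
    # To inspect a real file: data = open(path, "rb").read(3 * SECTOR)
    info = read_redo_metadata(make_sample())
    for name, value in info.items():
        print(f"{name:18} {value}")
    print("chain matches parent CID 1a2b3c4d:", chain_ok(info, "1a2b3c4d"))
```

Run it against copies of the REDO files only; it opens nothing for writing, so any edit to parentCID still happens separately on a backed-up copy.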
