big NTFS data loss using CPM in Win8

I’ve run into a big, desperate problem and I require your help.
The problem (altered MFTs on all my NTFS volumes) appeared while I was trying to make Comodo Program Manager run properly in Win 8.

Because I’ve used it for such a long time in Windows 7 and considered it to be the best software for what it does (the filter drivers don’t use many resources, etc.), I really wanted to see if I could make it work in Windows 8.

I have monitored CPM installation using Mirekusoft Install Monitor v1098 so that I could track the changes it makes in a Windows 7 virtual machine (VMware).
With that software I could see exactly which file produces what changes (file and registry) so that I could replicate that in Windows 8, as well.
Doing this I was able to understand what goes wrong with a Win8 installation (driver files are not copied, registry keys are not created, because CPM executables all check for a supported Windows version).

So what I did in Win8 before the problem happened was:
I had run the ComodoProgramsManager installation in Compatibility Mode, so that it would install. It did without problems.
Then I had run CPM.exe /driver_install, which installs CPMService.exe and the two filter drivers, cumon and evdd, in the registry.
But it does not copy the 3 driver files to \Windows\System32\Drivers, because there are more than a few drivers for different Windows versions, and CPM.exe checks exactly what version it needs and then copies the expected files. So I had to manually copy cumon.sys, evdd.sys and cpnat.exe to the Drivers folder.
I hoped it would work, so I rebooted. I was expecting that fileimage.dat would be created in the root of the system drive, and that cumon.sys would monitor any installations.
I have looked for the file but there was none created. I presumed something was not yet right.

I then checked another important registry key CPM needs HKLM\System\CurrentControlSet\Software\Comodo and compared it with a normal Win7 installation.
And indeed there were differences:
“DevicePath”=“C:\\fileimage.dat” was the same
but “DeviceName”= " " instead of “\\.\CPMEvdd1”
“EncodedStamp”, “InstallDate” were missing (and maybe 1 more, but I don’t remember exactly)
so I also manually copied those missing registry keys from my other Win7 (an older installation, not the Win7 in the VM).
I also saw from Mirekusoft Install Monitor that CPM_FVol.exe was responsible for creating those registry keys, so I thought maybe I had to run it (+ command line arguments).
I ran CPM_FVol.exe and then CPM_FVol.exe /mount (I just figured the /mount parameter, which I had found in the program strings, would do something).

I rebooted a 2nd time and boom … the problem happened.
I first noticed some of the folders from root were missing and that volumes showed a lot of free space. I have two 1TB Sata HDDs, which were almost full. And now they are almost 1/2

I realized that something terrible had happened, and shut down the PC.
Unfortunately I don’t have any backups of my data.
I guess now you understand what a terrible situation I am in, and how desperate I am to resolve it.

Is there anything I can do to reverse what CPM has done to my volumes’ MFT (all volumes are NTFS), other than using standard file recovery software?
Does it have to do with Volume Shadow Snapshots?

So if anybody can tell me what could have happened and what the best action to take from here on is, please do.

Thank You.

Sorry for double posting this in the General Forum,
but I was hoping to get the attention of Comodo’s admins and developers, as this is a desperate situation.

Hope you understand.

Really need your help Andrei, Mihai anybody.
We could talk in private if needed as I am from your country :wink:

Hi clabr,

Apology accepted. :slight_smile:

I am sorry I have no idea and I cannot promise anything but I will have PMed a staff member to see if they can help.
Kind regards.

We’ve investigated the issue and it is caused by a module responsible for keeping the virtual disk clean of junk entries. The virtual disk wasn’t installed properly and the volumes were mixed up.
The steps for installation are merely the same as you described. But you executed them manually, separated from each other. From the setup, when one of the steps failed, the execution stopped. Manually, you continued to the next step until the issue triggered.
The problem isn’t related to the MFT, so the entries should be there, only the delete flag is on.
A good recovery software should bring most of your data back.
Currently, CPM isn’t supported on Windows 8 and this is why the incompatibility popup blocker appears in the setup phase.
I am sorry for the issue caused.

Thank you for your answer Alex.

I was expecting having to use a recovery software so I just bought a new big hard drive, and will be starting the recovery process soon.
All the worse for the better I hope!

It’s good news if only the delete flag is changed, and there is no MFT corruption or such.
The only problem would be: is there a way to tell the older MFT (with delete flag on) from the ones that the CPM module driver changed?
Because if not, I would be recovering older entries, and I had a lot of files.

And about installing CPM in Win8 I’ve read on the Beta corner forum that if you have CPM installed on Win7 and do an upgrade to Win8, by keeping your programs and settings, CPM will still work?

What are my other options of directly installing it in Win8?
Would global hooking GetVersion APIs from kernel32 dll suffice for the setup to execute the installation process as it should?

I don’t think the deletion date is recorded in the MFT, but maybe the last accessed attribute could be used by the recovery software.

Yes, I think it will work, because the application will be already installed.

I can’t really give you an official option because it isn’t officially supported on Windows 8.
Though, I can suggest performing the following steps.
For an unofficial way, a simple option could be the following:
1) Make sure you remove every entry from your previous attempt to install CPM;
2) Run CPM installation in Compatibility Mode for Windows 7. Do not reboot;
3) Add the “/drivers_start” command line parameter to the CPM.exe shortcut’s target;
4) Run the CPM executable from the modified shortcut in Compatibility Mode for Windows 7;
5) Wait for it to finish;
6) Remove the command line;

Note: This method isn’t tested;

You might also need to hook GetVersionEx. But this is an unorthodox method in my opinion.
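The delete flag and the last-accessed timestamp discussed in this thread are fields of each MFT FILE record. The following is an added example, not part of the original posts and not Comodo's code, that reads them from a raw record. The two sample records are constructed for the demo; field offsets follow the commonly documented NTFS 3.x record layout, and update-sequence fixups are skipped on the assumption that the fields read lie within the first sector of the record.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
IN_USE, IS_DIR = 0x0001, 0x0002                     # FILE record header flags

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_record(rec):
    """Delete state, sequence number and $STANDARD_INFORMATION times (no deletion time exists)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"sequence": seq, "deleted": not flags & IN_USE,
            "directory": bool(flags & IS_DIR)}
    off = attr_off
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:         # end marker or corrupt length
            break
        if atype == 0x10 and rec[off + 8] == 0:      # resident $STANDARD_INFORMATION
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            names = ("created", "modified", "mft_changed", "accessed")
            times = struct.unpack_from("<4Q", rec, body)
            info.update(zip(names, map(from_filetime, times)))
        off += alen
    return info

def build_sample(flags, accessed):
    """Constructed 1024-byte record for this demo, not data from the thread."""
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 7, 1, 0x38,
                     flags, 0x88, 1024)               # header, attributes at 0x38
    struct.pack_into("<IIBBHHHIHBB", rec, 0x38, 0x10, 0x48, 0, 0, 0, 0, 0,
                     0x30, 0x18, 0, 0)                # resident attribute header
    created = to_filetime(datetime(2012, 1, 5, tzinfo=timezone.utc))
    struct.pack_into("<4Q", rec, 0x50, created, created, created,
                     to_filetime(accessed))
    struct.pack_into("<I", rec, 0x80, 0xFFFFFFFF)     # end-of-attributes marker
    return bytes(rec)

LIVE = build_sample(IN_USE, datetime(2012, 11, 1, tzinfo=timezone.utc))
GONE = build_sample(0, datetime(2012, 11, 20, tzinfo=timezone.utc))
for _label, _rec in (("live", LIVE), ("deleted", GONE)):
    print(_label, parse_record(_rec))
```

Run against a read-only image of the affected volume rather than the live disk, so that the records being examined are not overwritten.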

Thanks Alexandru for taking a look at this topic. :slight_smile: