Hello,
I’ve run into a big, desperate problem and I require your help.
The problem (altered MFTs on all my NTFS volumes) appeared while I was trying to make Comodo Program Manager run properly in Win 8.
Because I’ve used it for such a long time in Window 7 and considered it to be the best software for what it does (the filter drivers don’t use much resources, etc) I really wanted to see if
I could make it work in Windows 8.
I have monitored CPM installation using Mirekusoft Install Monitor v1098 so that I could track the changes it makes in a Windows 7 virtual machine (VMware).
With that software I could see exactly which file produces what changes (file and registry) so that I could replicate that in Windows 8, as well.
Doing this I was able to understand what it goes wrong with a Win8 installation (drivers files are not copied, registry keys not created because CPM executables all check for a supported
Windows version)
So what I made in Win8 before the problem happened was:
I had run ComodoProgramsManager installation in Compatibilty Mode, so that it would install. It did without problems.
Then I had run CPM.exe /driver_install which installs the CPMService.exe and the two filter drivers, cumon and evdd in registry.
But it does not copy the 3 driver files in \Windows\System32\Drivers, because there are more then a few drivers for different windows versions and CPM.exe checks exactly what
version it need and then copies the expected files. So I had to manually copy cumon.sys evdd.sys and cpnat.exe in Drivers folder.
I hopped it would work, so I rebooted. I was expecting that fileimage.dat would be created in the root of the system drive, and that cumon.sys would monitor any installations.
I have looked for the file but there was none created. I presumed something was not yet right.
I then checked another important registry key CPM needs HKLM\System\CurrentControlSet\Software\Comodo and compared it with a normal Win7 installation.
And indeed there were differences:
“DevicePath”=“C:\\fileimage.dat” was the same
but “DeviceName”= " " instead of “\\.\CPMEvdd1”
“EncodedStamp”, “InstallDate” were missing (and maybe 1 more, but I don’t remember exactly)
so I also manually coppied those missing registry keys from my other Win7 (older installation, not the Win7 in VM).
I also saw from Mirekusoft Install Monitor that CPM_FVol.exe was responsible for creating those registry keys, so I thought maybe I had to run it (+ command line arguments).
Ran CPM_FVol.exe and then CPM_FVol.exe /mount (i just figured /mount parameter which I had found in the program strings would do somenthing)
I rebooted a 2nd time and boom … the problem happened.
I first noticed some of the folders from root were missing and that volumes showed a lot of free space. I have two 1TB Sata HDDs, which were almost full. And now they are almost 1/2
free.
I realized that something terrible had happened, and shut down the PC.
Unfortunatelly I don’t have any backups of my data.
I guess now you understand in what terrible sitation I am in, and how desperate I am to resolve it.
Is there anything I can do to reverse what CPM has done to my volumes MFT (all volumes are NTFS)?
other than using standard file recovery software?
Does it have to do with Volume Shadow Snapshots?
So If anybody can tell me what cold have happened and what is the best action to take from here on, please do it.
Thank You.
