Microsoft quietly created a Windows 10 File Recovery tool,
Microsoft has created a Windows 10 File Recovery Tool that recovers deleted files and forgot to tell anyone.
Everyone has deleted a file by accident and then realized that they had no backup. If this file was critical, then you may get lucky using a third-party file recovery, or undelete, program to recover the deleted data.
Windows sleuth WalkingCat recentlydiscovered a program created by Microsoft called the ‘Windows Recovery Tool.’
This tool states it is a file recovery program that allows you to undelete files on a hard drive, USB drive, and even an SD card.
“Accidentally deleted an important file? Wiped clean your hard drive? Unsure of what to do with corrupted data? Windows File Recovery can help recover your personal data.”
Microsoft’s Windows File Recovery Tool supports three modes of operation: ‘Default,’ ‘Segment,’ and ‘Signature.’
Each of these modes attempts to recover deleted files from a storage device in a different way, as described below.
Default mode:This mode uses the Master File Table (MFT) to locate lost files. Default mode works well when the MFT and file segments, also called File Record Segments (FRS), are present.
Segment mode: This mode does not require the MFT but does require segments. Segments are summaries of file information that NTFS stores in the MFT such as name, date, size, type and the cluster/allocation unit index.
Signature mode: This mode only requires that the data is present and searches for specific file types. It doesn’t work for small files. To recover a file on an external storage device, such as a USB drive, you can only use Signature mode.
When installed, the program will be installed as a command-line tool called winfr.exe.
Below we have provided some examples of how to use the winfr tool in Windows 10.
In the command prompt, you can type winfrand press enter to see a list of the available commands.
Windows File RecoveryCopyright (c) Microsoft Corporation. All rights reservedVersion: 0.0.11761.0----------------------------------------------------------USAGE: winfr source-drive: destination-folder [/switches]/r - Segment mode (NTFS only, recovery using file record segments)/n [filter] - Filter search (default or segment mode, wildcards allowed, trailing \ for folder)/x - Signature mode (recovery using file headers)/y:[type(s)] - Recover specific extension groups (signature mode only, comma separated)/# - Displays signature mode extension groups and file types/? - Help text/! - Display advanced featuresExample usage - winfr C: D:\RecoveryDestination /n Users\[username]\Downloads\ winfr C: D:\RecoveryDestination /x /y:PDF,JPEG winfr C: D:\RecoveryDestination /r /n *.pdf /n *.jpgVisit https://aka.ms/winfrhelp for user guideFor support, please email email@example.com
Winfr also includes advanced options, which can be viewed by typingwinfr /!.
These advanced options, shown below, allow you to fine-tune the recovery process by specifying what sectors to scan, how the recovery should perform, and disabling specific file extensions.
Windows File RecoveryCopyright (c) Microsoft Corporation. All rights reservedVersion: 0.0.11761.0----------------------------------------------------------USAGE: winfr source-drive: destination-folder [/switches]/p:[folder] - Specify recovery log destination (default: destination folder)/a - Accepts all user prompts/u - Recover non-deleted files (default/segment mode only)/k - Recover system files (default/segment mode only)/o:[a|n|b] - Overwrite (a)lways, (n)ever or keep (b)oth always (default/segment mode only)/g - Recover files without primary data stream (default: false, default/segment mode only)/e - Disable extension exclusion list (default/segment mode only)/e:[extension] - Disable specific extension(s) (default extension list no longer applies) (default/segment mode only)/s:[sectors] - Number of sectors in volume (segment/signature mode only)/b:[bytes] - Number of bytes in cluster (segment/signature mode only)/f:[sector] - First sector to scan (segment/signature mode only)
When using the Windows 10 File Recovery Tool, you need to specify the source drive, the drive files will be recovered, and any filters that fine-tune what files are recovered and the file recovery mode.
For example, to use the ‘default’ mode to recover all deleted .JPG files on the D: drive and restore them to the E: drive, you would use the following command:
winfr D: F: /n *.JPG
To use the ‘default’ mode to recover all deleted files from the E:\temp folder, you would use the command:
winfr E: F: /n \temp\*.PNG
To use the ‘segment’ mode to search the C: drive for deleted files whose filename contained the string ‘statement’ and recover them to the E: drive, you would use the following command.
winfr C: E: /r /n *statement*
Finally, to use the ‘signature’ mode to recover Word documents (.docx) from the C: drive, you would use the following command:
winfr C: D:\RecoveryDestination /x /y:DOCX
It should be noted that when using filters that match a folder name, you should leave off the drive letter.
For example, if you set your source drive to C: and want to recover files from C:\ test, you would use a filter of/n \test\.
Unfortunately, in our tests, many of the recovered files were not actually usable. When attempting to recover .txt files from our E:, the recovered files were corrupt, as shown below.
We will continue to use the tool in real-life recovery tests to see how well it performs.
For now, though, you may have better success using tools likePhotorec orRecuva to recover any deleted files.
Hello, Myself Bhabesh, living in Bengaluru, Karnataka, India. I’m a Penetration Tester, Cyber Security Analyst, Threats hunter, Vulnerability founder, Bug Bounty hunter, System Hacker, Exploiting expert, Android hacker, Reverse Engineer, Malware Analyst, SIEM or UTM & SOC Analyst, Security Researcher with great innovation and latest technology gadgets.
View all posts by B4cKD00₹