Windows Defender wiped out my OpenSuse partition?

Hi all.

On my machine I’m running (was running!) a dual boot setup with Windows 10 and OpenSuse Leap on the same physical disk. Everything has been working great like this on both of my machines, until yesterday. For some reason I decided to let Windows Defender do a full scan on my laptop.

After the scan, both Windows and an OpenSuse live USB see my previous OpenSuse partition as free space/unallocated.

There is nothing in the Windows Defender history about it detecting any threats.

I have no idea how this partition could just wipe itself clean other than that I just so happened to have run Windows Defender before it happened.

Is it actually possible that Windows Defender nuked my OpenSuse partition? It left the /boot partition alone. Grub works and attempts to boot OpenSuse but it can’t find the disk that it was installed on, and doesn’t go into recovery mode. All other partitions on the disk are fine.

Has anyone had this happen to them before? Is it a known problem I just wasn’t aware of? Is there an easy way to repair the damage other than a full reinstall? I’m not sure how to check if the data is still present on the machine or not.

Thanks!

Never come across it
It sounds unlikely, as Windows can’t access Linux file systems.

Hi
Boot from a rescue system and check the output from;


gdisk -l /dev/sdX

Where X is the device eg sda.

Thanks for the response!

It turns out that it wasn’t Windows Defender. I’ve been experimenting today though. I started by reinstalling OpenSuse with a btrfs file system back to the original partition. Then I rebooted to Windows and back a couple times to make sure everything was good.

Then I set the active partition back to the Windows partition and booted back into windows, skipping GRUB. I ran Windows Update and it seems Windows did a fairly major update. During that process it “Scanned and repaired drive C:” which obviously my OpenSuse partition is not on, however it was on the same disk.

Once again, my OpenSuse partition and the swap partition I created are gone, or converted to free space. The /boot partition which is ext4 is still there.

OpenSuse doesn’t boot.

I’m going to try installing everything OpenSuse related onto a different physical disk and hopefully this prevents it from happening again.

I have one machine that dual-boots Windows 10 Pro and openSUSE 13.1, both 64-bit, and another machine that dual-boots Windows 10 Home 32-bit and openSUSE 13.2 64-bit. Both have legacy BIOS and MBR partition tables. On both machines, / and /home are ext4. GRUB2 boots from the extended partition.

Both systems did the recent major Windows 10 update without any issue like you encountered. Both continue to dual-boot properly.

I expect your machine has a GUID Partition Table (GPT). Maybe Windows just modified the partition table, but did not format the missing partitions. If so, maybe something like gparted could repair the partition table and restore the function. It is odd that btrfs and swap file systems disappeared, but ext4 survived.

Regards,
Howard

Please show output of gdisk before and after Windows update.

Ok, I’ll see if I can figure out what partition table I’m using, and I’ll try using Gparted to fix it. I did click on it before and all I got for an option was “new” but at this point it’s worth a shot to see where that gets me.

I’ll get you an after shot soon.

Here is the output of the gdisk command for sda. This is the current state as I haven’t installed OpenSuse back onto the machine yet.

The 217.2gb of free space is what used to be the linux partition.


linux:/home/linux # gdisk -l /dev/sda
GPT fdisk (gdisk) version 0.8.7

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present


***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory. 
***************************************************************

Disk /dev/sda: 976773168 sectors, 465.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 99AFFC35-94A9-46DF-BB6E-CA0F075D1978
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 976773134
Partitions will be aligned on 2048-sector boundaries
Total free space is 455575533 sectors (217.2 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          718847   350.0 MiB   0700  Microsoft basic data
   2          718848       252377087   120.0 GiB   0700  Microsoft basic data
   3       252377088       253425663   512.0 MiB   8300  Linux filesystem
   5       708997120       976771071   127.7 GiB   0700  Microsoft basic data

Perhaps testdisk can recover your lost partition http://www.cgsecurity.org/wiki/TestDisk

A classic generic MBR system like yours has up to 4 partitions, including primary and extended partitions. Extended partitions act as container for subpartitions within. Your printout shows only 4 primary partitions. So the remainder of the disk is deemed unallocated.

But primary concern is to rescue all your valuable data before tinkering around!!

IIRC, partition numbers 1 through 4 are for primary and primary plus extended partitions. Partition numbers 5 and above are for logical partitions within an extended partition.

Your partition table looks like three primary partitions labelled 1 and 2 (MS) and 3 (Linux), then an extended partition. I take it 3 is your /boot partition. gdisk does not list an entire extended partition. YaST2 partitioner would show it as /dev/sda4 containing all the volume beyond the third primary partition. The reported free space (217.2 GiB) looks like it is physically between primary partition 3 and logical partition 5, and would have been one or more logical partitions. Running

fdisk -l /dev/sda

should show /dev/sda4 as Type W95 Ext’d (LBA).

Somehow the Linux logical partition(s) got taken out of the partition table. Hopefully the data is intact and can be recovered as Akko suggests, or others who respond later.
Regards,
Howard

I would be extremely interested in seeing partition table before Windows changed it (and also raw data). How did you create logical partition on this space - using Windows or Linux?

But yes, I agree - data is most likely still there, you just need to create partition for it. It is a bit tricky, because logical partition entries are written inside extended partition, so one has to be careful to not overwrite data.
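The point above about logical partition entries being stored inside the extended partition, as an added example that is not part of any post in this thread: a read-only Python walk of an MBR and its chain of extended boot records (EBRs). The two disk images, their sector numbers and the "after" relinking are constructed, scaled-down assumptions that reproduce the symptom reported here (only partition 5 left); they are not a record of what Windows wrote.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}   # container types; 0x0F is "W95 Ext'd (LBA)"

def slots(img, lba):
    """Return the four (type, start, count) table slots of the MBR/EBR at lba."""
    sec = img[lba * SECTOR:(lba + 1) * SECTOR]
    if sec[510:512] != b"\x55\xaa":
        raise ValueError(f"no 0x55AA signature at LBA {lba}")
    return [(sec[450 + 16 * i], *struct.unpack_from("<II", sec, 454 + 16 * i))
            for i in range(4)]

def list_partitions(img):
    """Return [(number, type, first_lba, sectors)], following the EBR chain."""
    out = []
    for num, (ptype, start, count) in enumerate(slots(img, 0), 1):
        if ptype:
            out.append((num, ptype, start, count))
        if ptype in EXTENDED:
            ebr, logical, seen = start, 5, set()
            while ebr not in seen:                  # guard against a looping chain
                seen.add(ebr)
                (lt, lrel, lcount), (nt, nrel, _) = slots(img, ebr)[:2]
                if lt:                              # slot 0: offset from this EBR
                    out.append((logical, lt, ebr + lrel, lcount))
                    logical += 1
                if nt not in EXTENDED:
                    break
                ebr = start + nrel                  # slot 1: offset from extended start
    return out

def build_image(tables, total=64):
    """Constructed test disk: {lba: [(type, start, count), ...]} -> raw bytes."""
    img = bytearray(total * SECTOR)
    for lba, entries in tables.items():
        base = lba * SECTOR
        img[base + 510:base + 512] = b"\x55\xaa"
        for i, entry in enumerate(entries):
            struct.pack_into("<4xB3xII", img, base + 446 + 16 * i, *entry)
    return bytes(img)

# Constructed, scaled-down layout: NTFS, NTFS, /boot, extended(swap, root, NTFS).
MBR = [(0x07, 1, 3), (0x07, 4, 8), (0x83, 12, 4), (0x0F, 16, 48)]
EBRS = {24: [(0x83, 1, 15), (0x05, 24, 24)], 40: [(0x07, 1, 23)]}
BEFORE = build_image({0: MBR, 16: [(0x82, 1, 7), (0x05, 8, 16)], **EBRS})
# First EBR relinked past swap and root; the old EBR at LBA 24 stays on disk.
AFTER = build_image({0: MBR, 16: [(0, 0, 0), (0x05, 24, 24)], **EBRS})

print("before:", list_partitions(BEFORE), "\nafter:", list_partitions(AFTER))
```

In the "after" image the root partition's EBR at LBA 24 is no longer reachable from the chain but still parses with `slots(AFTER, 24)`, which is the situation partition-recovery tools look for.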

That would be true for a DOS MBR partition table.

GPT partitioning allows a lot more partitions without the need for secondaries in extendeds.

… and, yes, the OP appears to have MBR partitioning, but I thought I would point out this distinction for anyone going through this thread.

If the drive has ever had GPT partitioning then there can be leftover tables that DOS/MS/legacy partitioning does not use but may cause confusion in programs.

gdisk gives better info for GPT and fdisk is better for legacy.

This is what I get from gpt on a DOS partitioned disk


linux:/home/gogalthorp # gdisk /dev/sda -l
GPT fdisk (gdisk) version 0.8.10

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present


***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory. 
***************************************************************

Disk /dev/sda: 234441648 sectors, 111.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 25EE153F-72CE-412A-819F-2247EB078317
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 234441614
Partitions will be aligned on 2048-sector boundaries
Total free space is 171533165 sectors (81.8 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048        62910463   30.0 GiB    8300  Linux filesystem

Thanks to everyone for the responses!

Yes, this is how I had set it up. 1 and 2 were added by Windows. I created partition 3 as my /boot partition and then created an extended partition with the rest of the disk. Within the extended partition I created a swap and root partition for Linux, and then finished the disk off with ntfs storage within the extended partition.

I’m not concerned about the data at this point since it was a fresh install that got wiped out. I didn’t really lose anything the first time either, as I had recently done a fresh install from 13.2 to Leap.

I’ll reinstall OpenSuse tonight and I can post the output of the gdisk and fdisk commands for you.

The basic steps I took for setting up my system were:

  1. Install Windows, letting it do its thing.
  2. Shrink the Windows partition down to make room for Linux. I believe I did this within Windows.
  3. Install Opensuse. Create the /boot partition within the installer as a logical partition
  4. Create extended partition to install opensuse into. I also put an ntfs partition in the extended partition.
  5. Set Opensuse to boot from /boot partition
  6. Reboot back into Windows. Use Diskpart utility to set partition 3 as active
  7. Reboot again, this time GRUB2 displays and I finish setting up Opensuse.

If there is a better way to set this up, I’m all ears!

Thanks!

On Mon 30 Nov 2015 02:26:01 PM CST, oapeter wrote:

> arvidjaar;2740422 Wrote:
> > I would be extremely interested in seeing partition table before
> > Windows changed it (and also raw data). How did you create logical
> > partition on this space - using Windows or Linux?
> >
> > But yes, I agree - data is most likely still there, you just need to
> > create partition for it. It is a bit tricky, because logical partition
> > entries are written inside extended partition, so one has to be
> > careful to not overwrite data.
>
> I’ll reinstall OpenSuse tonight and I can post the output of the gdisk
> and fdisk commands for you.
>
> The basic steps I took for setting up my system were:
>
>   1. Install Windows, letting it do its thing.
>   2. Shrink the Windows partition down to make room for Linux. I believe I
>     did this within Windows.
>   3. Install Opensuse. Create the /boot partition within the installer as
>     a logical partition
>   4. Create extended partition to install opensuse into. I also put an
>     ntfs partition in the extended partition.
>   5. Set Opensuse to boot from /boot partition
>   6. Reboot back into Windows. Use Diskpart utility to set partition 3 as
>     active
>   7. Reboot again, this time GRUB2 displays and I finish setting up
>     Opensuse.
>
> If there is a better way to set this up, I’m all ears!
>
> Thanks!

Hi
I normally pre configure the disk and set the windows partition etc.
You’re probably going to have fun if it upgrades to windows 10… it
needs/creates an extra partition. One wonders if that’s why you had
issues since it’s mbr. On my uefi systems it creates an extra small
partition but doesn’t interfere with anything…

I always clean out the disk first with wipefs (destructive to disk
partitions, use with caution).

My general setup goes like;


wipefs -a /dev/sdX
gdisk /dev/sdX
w
gdisk /dev/sdX
x
z
Y
Y

So the above cleans out the partition information, I then use gdisk to
zap the gpt and wipe the mbr.

Then for Legacy/MBR use fdisk to create;


sdX1 100MB
sdX2 (extended - space required for linux /boot / and swap eg 150G)
sdX3 space for windows
sdX5 260M /boot
sdX6 40G /
sdX7 8G swap
sdX8 balance for /home (in my case I use /data)

In theory an update to windows X should create a partition as sdX4 (but
never tested).

For UEFI use gdisk to create (say triple boot on a 320GB
drive);


sdX1 260M type ef00
sdX2 128M type 0c01
sdX3 40G type 8300 / - openSUSE Leap
sdX4 40G type 8300 / - openSUSE Tumbleweed
sdX5 100G type 8300 /data - shared data
sdX6 8G type 8200 swap
sdX7 balance type 0700 windows

I also for my UEFI installs format sdX1 via;


mkfs.vfat /dev/sdX1

Then when I install windows (7, 8 or X) I just use the custom option and
select the windows partition to install on.

I always put windows at the end of the disk, since I use it rarely…

This system (two 120GB ssd’s) I updated from windows 7 to windows 10
(it created sda5…) as well as switching from non-secure (win7) to
secure boot (winX).


lsblk

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 119.2G  0 disk
├─sda1   8:1    0   260M  0 part /boot/efi
├─sda2   8:2    0   128M  0 part
├─sda3   8:3    0    40G  0 part /
├─sda4   8:4    0  78.4G  0 part
└─sda5   8:5    0   449M  0 part
sdb      8:16   0 111.8G  0 disk
├─sdb1   8:17   0 103.8G  0 part /data
└─sdb2   8:18   0     8G  0 part [SWAP]


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 | GNOME 3.10.1 | 3.12.48-52.27-default

If Windows is not for gaming, you may consider only running it in a VM.

You probably misuse the “logical” here. I do not think you can set logical partition as bootable in Windows.

> 6. Reboot back into Windows. Use Diskpart utility to set partition 3 as active
> 7. Reboot again, this time GRUB2 displays and I finish setting up Opensuse.

Could you collect fdisk output after steps 1, 2, 5 and 6. And of course after Windows mangled it.

Sorry, yes I meant that it’s a primary partition.

I’ll get you the output tonight. Since I have yet to install OpenSuse I’ll get you the mangled output first.

Thanks!