Solved

How to examine hiberfil.sys

Posted on 2009-05-12
8
876 Views
Last Modified: 2012-05-06
I have had an issue booting by system vista x64 from hibernation, it appears to go through the process of restoring the hibernation status but does not restore and starts a new session,
I had a not pad file open but not savaed the contents how can examine the hiberfil.sys in order to recover my notes.
0
Comment
Question by:bourneisp_
  • 3
  • 3
  • 2
8 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 24369657
I don't think you're going to do it.  This is not a common practice.  The time and expense to get it done would probably be far more costly then reconstructing notes.

In short, I expect you'd need to use a byte level editor like WinHex and scan through it for text.  Good luck... it will be like finding a needle in a hay stack.
0
 
LVL 11

Expert Comment

by:kyodai
ID: 24369681
Well what leew said is somehow right. If you have the file just open it in some hex editor and enter a word or phrase you remember in the search dialog. However - as the hex editor does this for you you just need to wait for a minute and cross thumbs. I don't see why you shouldn#t give it a try. I use HxD as a hex editor which also works quite well for such large files.
0
 

Author Comment

by:bourneisp_
ID: 24369733
what about forceing windows to load the hiberfil.sys state.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 24369735
"somehow right"?  Strange, considering I don't have much experience...   8-)
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 24369749
If you don't make a backup of it first, you could lose ALL chance of recovery.  Then (after the backup) I would hibernate the system so it knows it should resume again and then boot the system to a boot CD and replace the existing hiberfil.sys file with the one that wouldn't load.  But it's possible it's corrupt too... and simply won't load.

NOte: to make the backup, you may need to shutdown (not hibernate, boot to a boot CD and make the backup, since the file may well be locked while booted into windows).
0
 

Author Comment

by:bourneisp_
ID: 24369970
from what i can see it looks like when it has booted up it has created a new hiberfil.sys file at the created date and time if of my last boot up rather that the last time it was saved :(
0
 
LVL 11

Assisted Solution

by:kyodai
kyodai earned 250 total points
ID: 24370413
Yes if you have not saved that file it is unfortunately lost forever. As windows just overwrites the file you would need extended forensics to even have a remote chance of ever getting that content again. Sorry to say that, wish i could do more!
0
 

Author Closing Comment

by:bourneisp_
ID: 31580738
there was no solution to this as windows re-creates this file at start up
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now