repair-bde.exe
- File Path:
C:\WINDOWS\system32\repair-bde.exe - Description: BitLocker Drive Encryption: Repair Tool
Hashes
| Type | Hash |
|---|---|
| MD5 | 653C80BB84A48F2D31375DEA3D35B003 |
| SHA1 | 0D3F764E97EC0F4B6D57A462E89FAFE2D4B2EE50 |
| SHA256 | E9F88DCAAD82AFB7DDE4AE1674D7987725ADAB608B392A11F7FF07F49623E1B2 |
| SHA384 | B14CF0CC392572CA82C3DE7793883E9EC8734BB74F69925A563793861083F9E440253B7C9065CB1F0D0315DF80DB1BDC |
| SHA512 | AA711B4C98FA48B83D89FBA2118B5EC1E2E587FEAAA091D7512C6C9E97AD52AF6F74486FFC7E5183D235CB286D75807260FEDC02B8223BD904098C5884ACE368 |
| SSDEEP | 3072:Wswsmu9MQfkXaBmwnVS570M9kdatGCO+xmBc+hMPhPsx:Nwsmu9nkSVs7nyatGt+SYF |
| IMP | C367E5351E6B578F24E96CE56960C8A1 |
| PESHA1 | 618F85306D01A4E48D9F96D26F80C5E36BEF555A |
| PE256 | A4259D388270B1353373DFD8751FFDC651DAA35420FCBD5FFE2607AF7290C92D |
Runtime Data
Usage (stdout):
BitLocker Drive Encryption: Repair Tool version 10.0.22000
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Usage:
repair-bde[.exe] InputVolume
{ OutputVolumeOrImage }
{ {-RecoveryPassword|-rp} NumericalPassword |
{-RecoveryKey|-rk} PathToExternalKeyFile |
{-Password|-pw} }
[{-KeyPackage|-kp} PathToKeyPackage]
[{-LogFile|-lf} PathToLogFile]
[{-?|/?}]
Description:
Attempts to repair or decrypt a damaged BitLocker-encrypted volume using the
supplied recovery information. If BitLocker was in the process of encryption
or decryption or had been suspended prior to volume failure a clear key will
be present on the volume. Repair-bde attempts to use this clear key by
default if another key is not specified.
WARNING! To avoid additional data loss, you should have a spare hard drive
available. Use this spare drive to store decrypted output or to back up the
contents of the damaged volume.
Parameters:
InputVolume
The BitLocker-encrypted volume to repair.
Example: "C:",
"\\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}".
OutputVolumeOrImage
The volume to store decrypted contents, or the file
location to create an image file of the contents.
Examples: "D:", "D:\imagefile.img".
WARNING! All information on this output volume will be
overwritten.
-rk or -RecoveryKey
Provide an external key to unlock the volume.
Example: "F:\RecoveryKey.bek".
-rp or -RecoveryPassword
Provide a numerical password to unlock the volume.
Example: "111111-222222-333333-...".
-pw or -Password
Provide a password to unlock the volume.
-kp or -KeyPackage
Optional. Provide a key package to unlock the volume.
Example: "F:\ExportedKeyPackage"
If this option is blank, the tool will look for the key package
automatically. This option is needed only if required by the tool.
-lf or -LogFile
Optional. Provide a path to a file that will store progress
information. Example: "F:\log.txt".
-f or -Force
Optional. When used, forces a volume to be dismounted even if
it cannot be locked. This option is needed only if required by
the tool.
-? or /?
Shows this screen.
Examples:
repair-bde C: D: -rk F:\RecoveryKey.bek -Force
repair-bde C: D: -rp 111111-222222-[...] -lf F:\log.txt
repair-bde C: D: -kp F:\KeyPackage -rp 111111-222222-[...]
repair-bde C: D:\imagefile.img -kp F:\KeyPackage -rk F:\RecoveryKey.bek
repair-bde C: D: -pw
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\repair-bde.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: repair-bde.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/74
- VirusTotal Link: https://www.virustotal.com/gui/file/e9f88dcaad82afb7dde4ae1674d7987725adab608b392a11f7ff07f49623e1b2/detection
File Similarity (ssdeep match)
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
repair-bde
Attempts to reconstruct critical parts of a severely damaged drive and salvage recoverable data if the drive was encrypted by using BitLocker and if it has a valid recovery password or recovery key for decryption.
[!IMPORTANT] If the BitLocker metadata data on the drive is corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. If you used the default key back up setting for Active Directory Domain Services, your key package is backed up there. You can use the BitLocker: Use BitLocker Recovery Password Viewer to obtain the key package from AD DS.
Using the key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive, even if the disk is corrupted. Each key package works only for a drive with the corresponding drive identifier.
Syntax
repair-bde <inputvolume> <outputvolumeorimage> [-rk] [–rp] [-pw] [–kp] [–lf] [-f] [{-?|/?}]
[!WARNING] The contents of the output volume will be completely deleted and overwritten by the decrypted contents from the damaged BitLocker drive. If you want to save any existing data on the selected target drive, move the existing data to other reliable backup media first, before running the
repair-bdecommand.
Parameters
| Parameter | Description |
|---|---|
<inputvolume> |
Identifies the drive letter of the BitLocker-encrypted drive that you want to repair. The drive letter must include a colon; for example: C:. If the path to a key package isn’t specified, this command searches the drive for a key package. In the event that the hard drive is damaged, this command might not be able to find the package and will prompt you to provide the path. |
<outputvolumeorimage> |
Identifies the drive on which to store the content of the repaired drive. All information on the output drive will be overwritten. |
| -rk | Identifies the location of the recovery key that should be used to unlock the volume. This command can also be specified as -recoverykey. |
| -rp | Identifies the numerical recovery password that should be used to unlock the volume. This command can also be specified as -recoverypassword. |
| -pw | Identifies the password that should be used to unlock the volume. This command can also be specified as -password |
| -kp | Identifies the recovery key package that can be used to unlock the volume. This command can also be specified as -keypackage. |
| -lf | Specifies the path to the file that will store Repair-bde error, warning, and information messages. This command may also be specified as -logfile. |
| -f | Forces a volume to be dismounted even if it cannot be locked. This command can also be specified as -force. |
| -? or /? | Displays Help at the command prompt. |
Limitations
The following limitations exist for the this command:
-
This command can’t repair a drive that failed during the encryption or decryption process.
-
This command assumes that if the drive has any encryption, then the drive has been fully encrypted.
Examples
To attempt to repair drive C:, to write the content from drive C: to drive D: using the recovery key file (RecoveryKey.bek) stored on drive F:, and to write the results of this attempt to the log file (log.txt) on drive Z:, type:
repair-bde C: D: -rk F:\RecoveryKey.bek –lf Z:\log.txt
To attempt to repair drive C: and to write the content from drive C: to drive D: using the 48-digit recovery password specified, type:
repair-bde C: D: -rp 111111-222222-333333-444444-555555-666666-777777-888888
[!NOTE] The recovery password should be typed in eight blocks of six digits with a hyphen separating each block.
To force drive C: to dismount, attempt to repair drive C:, and then to write the content from drive C: to drive D: using the recovery key package and recovery key file (RecoveryKey.bek) stored on drive F:, type:
repair-bde C: D: -kp F:\RecoveryKeyPackage -rk F:\RecoveryKey.bek -f
To attempt to repair drive C: and to write the content from drive C: to drive D:, where you must type a password to unlock drive C: (when prompted), type:
repair-bde C: D: -pw
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.