Windows File Recovery to the Rescue
If you can’t locate a lost file from your backup, then you can use Windows File Recovery, which is a command line app available from the Microsoft Store. Use this app to try to recover lost files that have been deleted from your local storage device (including internal drives, external drives, and USB devices) and can’t be restored from the Recycle Bin. Recovery on cloud storage and network file shares is not supported.
Note This app requires Windows 10 build 19041 or later (See which version of Windows 10 you have).
If you want to increase your chances of recovering a file, minimize or avoid using your computer. In the Windows file system, the space used by a deleted file is marked as free space, which means the file data can still exist and be recovered. But any use of your computer can create files, which may over-write this free space at any time.
How to recover and restore lost files on Windows 10
- If necessary, download and launch the app from the Microsoft Store.
- Press the Windows key, enter Windows File Recovery in the search box, and then select Windows File Recovery.
- When you are prompted to allow the app to make changes to your device, select Yes.
- In the Command Prompt window,enter the command in the following format:
winfr source-drive: destination-drive: [/switches]
The source and destination drives must be different. When recovering from the operating system drive (often C: ), use the /n <filter> and /y:<type<(s)> switches to specify the user files or folder.
Microsoft automatically creates a recovery folder for you called, Recovery_<date and time> on the destination drive.
There are three modes you can use to recover files: Default, Segment, and Signature.
Default mode examples
Recover a specific file from your C: drive to the recovery folder on an E: drive.
winfr C: E: /n \Users\<username>\Documents\QuarterlyStatement.docx
Recover jpeg and png photos from your Pictures folder to the recovery folder on an E: drive.
winfr C: E: /n \Users\<username>\Pictures\*.JPEG /n \Users\<username>\Pictures\*.PNG
Recover your Documents folder from your C: drive to the recovery folder on an E: drive.
winfr C: E: /n \Users\<username>\Documents\
Don’t forget the backslash (\) at the end of the folder.
Segment mode examples (/r)
Recover PDF and Word files from your C: drive to the recovery folder on an E: drive.
winfr C: E: /r /n *.pdf /n *.docx
Recover any file with the string “invoice” in the filename by using wildcard characters.
winfr C: E: /r /n *invoice*
Signature mode examples (/x)
When using signature mode, it’s helpful to first see the supported extension groups and corresponding file types.
Recover JPEG (jpg, jpeg, jpe, jif, jfif, jfi) and PNG photos from your C: drive to the recovery folder on an E: drive.
winfr C: E: /x /y:JPEG,PNG
Recover ZIP files (zip, docx, xlsx, ptpx, and so on) from your C: drive to the recovery folder on an E: drive.
winfr C: E:\RecoveryTest /x /y:ZIP
- When you are prompted for confirmation to continue, enter Y to start the recovery operation.
Depending on the size of your source drive, this may take a while.
To stop the recovery process, press Ctrl+C.
About modes and file systems
The following information can help you decide which file system you have and which mode to use.
There are several file systems supported by Windows that vary depending on the storage device or operating system. Recovering files from non-NTFS file systems is only supported in signature mode. To see which file system you have, right click a drive in File Explorer and select Properties.
|FAT and exFAT||SD cards, Flash or USB drives (< 4GB)|
|ReFS||Windows Server and Windows Pro for Workstations|
|NTFS||Computers (HDD, SSD), external hard drives, flash or USB drives (> 4GB)|
Deciding which mode to use
Use the following table to help you decide which mode to use. If you’re not sure, start with the default mode.
|File System||Circumstances||Recommended mode|
|Deleted a while ago||First try Segment, then Signature|
|After formatting a disk|
|A corrupted disk|
|FAT, exFAT, ReFS||Recovery file type is supported (See following table)||Signature|
Signature mode extension groups and file types
The following table summarizes the extension groups and the supported file types for each group when you use the /y:<type(s)> switch:
|Extension group||File type|
|ASF||wma, wmv, asf|
|JPEG||jpg, jpeg, jpe, jif, jfif, jfi|
|MPEG||mpeg, mp4, mpg, m4a, m4v, m4b, m4r, mov, 3gp, qt|
|ZIP||zip, docx, xlsx, pptx, odt, ods, odp, odg, odi, odf, odc, odm, ott, otg, otp, ots, otc, oti, otf, oth|
Command line syntax
The following table summarizes what each basic command line parameter and switch is used for.
|Parameter or switch||Description||Supported modes|
|Source-drive:||Specifies the storage device where the files were lost. Must be different from the destination-drive.||All|
|Destination-drive:||Specifies the storage device and folder on which to put the recovered files. Must be different from the source-drive.||All|
|/r||Uses segment mode, which examines File Record Segments (FRS).||Segment|
|/n <filter>||Scans for a specific file by using a file name, file path, or wildcards. For example:File name: /n myfile.docxFile path: /n /users/<username>/Documents/Wildcard: /n myfile.*|
|/x||Uses signature mode, which examines file types and works on all file systems.||Signature|
|/y:<type(s)>||Scans for files with specific file types. Separate multiple entries by using commas. For a list of extension groups and corresponding file types, see the table, “Signature mode extension groups and file types” in the section, “About modes and file systems”.||Signature|
|/#||Shows signature mode extension groups and corresponding file types in each group.||All|
|/?||Shows a quick summary of syntax and switches for general users.||All|
|/!||Shows a quick summary of syntax and switches for advanced users.||All|
Frequently asked questions
Can you give some tips to help me use correct syntax?
Here are some suggestions:
- Always use drive letters in the source and destination path, don’t forget the colon (:) after the drive letter, and make sure there is a space between the source and destination.
- If a switch has a colon, such as /y:, don’t add a space between the colon and the rest of the value.
- When you specify just a folder name, such as /n \Myfolder\, add a backslash (\) at the end of it.
- If a file or folder name has spaces, surround it with quotes. For example:
winfr C: E: /n "\Users\<username>\Documents\Quarterly Statement.docx"
- To stop the recovery process, press Ctrl+C.
What does <username> mean in the command examples?
In the File Explorer address bar, enter C:\users to see a list of potential users on your computer. There may be several users on your computer, including you, the administrator, and the default account. When you see <username> in a file path, it is a placeholder for the current username on your computer.
Why am I getting this message: “Source and Destination cannot refer to the same physical partition?”
The source and destination drive or partition path should not be the same. If you only have one drive, use a USB or external hard drive as your destination path. Don’t create a partition after losing data, because this reduces the chance of a successful recovery.
Why does the recovery operation take so long?
Depending on the size of the disk, it may take some time to recover the file, especially if you are using signature mode.
Why are additional files recovered from my operating system drive?
Behind the scenes, Windows is constantly creating and deleting files. By default, Windows File Recovery filters out these files, but some slip through. To prevent this, use the /n <filter> switch in default and segment modes and the /y:<type(s)> switch in signature mode.
What is the $Recycle.Bin folder?
For default and segment modes, you may also see lost files recovered from the Recycle Bin (files either in the recycle bin or that were permanently deleted) with the name $files.xxx and stored in a folder called $RECYCLE.BIN.
What happens if the destination drive is full?
If you see the following message: “Destination disk is full, please free up space before resuming: (R)esume, (S)kip file, or (A)bort”, Free up drive space on the destination drive, and then choose one of the options.
I was not able to recover the file, now what?
If you used default or segment mode, try again in signature mode if the file type is supported. It’s possible that the free space was over-written, especially on a solid state drive (SSD). If you need help, contact your administrator.
Command line syntax
The following table summarizes what each advanced switch is used for.
|/p:<folder>||Saves a log file of the recovery operation in a different location than the default location on the recovery drive (for example, D:\logfile).||All|
|/a||Overrides user prompts, which is useful in a script file.||All|
|/u||Recovers undeleted files, for example, from the Recycle Bin.||Default|
|/k||Recovers system files.||Default|
|/o:<a|n|b>||Specifies whether to always (a), never (n), orkeep both always(b) when choosing whether to overwrite a file. The default action is to prompt to overwrite.||Default|
|/g||Recovers files without primary data streams.||Default|
|/e||To keep your results manageable and focus on user files, some file types are filtered by default, but this switch removes that filter. For a complete list of these file types, see the information after this table.||Default|
|/e:<extension>||Specifies which file types are filtered. For a complete list of these file types, see the information after this table.||Default|
|/s:<sectors>||Specifies the number of sectors on the source device. To find sector information, use fsutil.||Segment|
|/b:<bytes>||Specifies the cluster size (allocation unit) on the source device.||Segment|
|/f:<sector>||Specifies the first sector on the source device to start the scan operation, for example, to bypass unusable sectors. To find sector information, use fsutil.||Segment|
File extension filter list
The following file types are filtered from results by default. Use the /e switch to disable this filter or the /e:<extension> filter to specify file types not to filter.
_, adm, admx, appx, appx, ascx, asm, aspx, aux, ax, bin, browser, c, cab, cat cdf-ms, catalogItem, cdxm, cmake, cmd, coffee, config, cp, cpp, cs, cshtm, css, cur, dat, dll, et, evtx, exe, fon, gpd, h, hbakedcurve, htm, htm, ico, id, ildl, ilpdb, iltoc, iltocpdb, in, inf, inf_loc, ini, js, json, lib, lnk, log, man, manifest, map, metadata, mf, mof, msc, msi, mui, mui, mum, mun, nls, npmignore, nupkg, nuspec, obj, p7s, p7x, pak, pckdep, pdb, pf, pkgdef, plist, pnf, pp, pri, props, ps1, ps1xm, psd1, psm1, py, resjson, resw, resx, rl, rs, sha512, snippet, sq, sys, t4, targets, th, tlb, tmSnippet, toc, ts, tt, ttf, vb, vbhtm, vbs, vsdir, vsix, vsixlangpack, vsixmanifest, vstdir, vstemplate, vstman, winmd, xam, xbf, xm, xrm-ms, xs, xsd, ym
As you use the Windows File Recovery app, it’s often helpful to understand what’s going on “under the hood” of a storage device.
The three modes of operation
The three modes work in the following way:
- Default mode This mode uses the Master File Table (MFT) to locate lost files. Default mode works well when the MFT and file segments, also called File Record Segments (FRS), are present.
- Segment mode This mode does not require the MFT but does require segments. Segments are summaries of file information that NTFS stores in the MFT such as name, date, size, type and the cluster/allocation unit index.
- Signature mode This mode only requires that the data is present and searches for specific file types. It doesn’t work for small files. To recover a file on an external storage device, such as a USB drive, you can only use Signature mode.
How a storage device is organized
The bytes on a storage device are organized into clusters and sectors. A cluster is the smallest amount of disk space that can be allocated for a file. A sector is a unit of storage on a storage device. NTFS organizes disks based on cluster size, which is determined by the number of sectors in a cluster. On NTFS, clusters start at 0 and are numbered sequentially from the beginning of the partition into logical cluster numbers.
The default cluster size varies depending on the capacity of the storage device:
|Device size||Cluster size||Sectors|
|7 to 512 MB||512 bytes||1|
|513 to 1,024 MB||1 KB||2|
|1,025 MB to 2 GB||2KB||4|
|2 GB to 2 TB||4 KB||8|
The NTFS file system
New Technology File System (NTFS) is the default file system in Windows. NTFS organizes files by using a well-defined structure to describe how files are stored, what information to include, and how to locate the files. A critical element is the Master File Table (MFT), which is a table made up of one row for each file and several columns of file attributes. This row is the File Record Segment (FRS). The MFT is like a table of contents for every file on the storage device. NTFS also keeps a backup of the MFT in case the original MFT becomes unusable.
|Standard information||Settings, such as read-only and archive, file creation and modification dates, and so on.|
|File name||The name of the file including the MS-DOS short name.|
|Data||The contents of the file if it’s small.|
|Index||Information about the file allocation.|
Additional attributes include file type, permissions, size, and file path.
Thank you to Microsoft