[Novalug] SOT: Fixing NTFS file system with Linux

Ken Kauffman kkauffman at headfog.com
Thu Dec 6 10:55:11 EST 2007


Can I just say -- holy crap --

I am merely sharing an experience here in case you run into the same issue
for those that have to play in the <sarcasm>WWoW[tm]  (Wonderful World of
Windows)</sarcasm>
This is also not intended to trigger the non-constructive contributors that
live in the realm of M$/Vista/Windows flame bashing either. ;)

This is my take away from this scenario --
If your system seems to hang with NT Kernel at 50% (dual core) or 100%
(single core), you might have a corrupt NTFS file system that Vista can not
deal with.
I absolutely had to use XP and Linux to fix it.

1) I must use Windows because of my job - so let's get that out of the way.
2) I do run Linux for non work stuff.

/// Actors
- One AMD dual core X2 4400+ desktop running Vista X64 Home Premium
- One laptop running dual boot Vista X64 Home Premium and Xubuntu
- External 250Gb My Book Basic
- OEM Vista x64 disc
- OEM Windows XP Pro disc

/// Scenario
NTFS on the MyBook has been corrupted and chkdsk utilities will not fix
it.   There is a directory that "exists" but every tool I have tells me it
does not.  Sounds like an entry in NTFS but not on disc.  I want to clean up
the disc.  My entire music library is also on this external disc so I must
tread with caution.

---
/// Attempt #1
Run chkdsk in Vista.  Supposedly fixed the issues.  Did not actually.

/// Attempt #2
Boot off XP OEM disc and try and remove directory.  Fail.

/// Attempt #3
Boot laptop into Xubuntu, ensure that I am running ntfs-3g and ntfsfix.
Also ensure that ntfsprogs is greater than 1.13.1-1 which supports Vista
NTFS.
Mount drive using ntfs-3g.  Remove offending directory.  No problem.
Unmount drive.
Run ntfsfix on said drive.  (This triggers windows to do a chkdsk by marking
it dirty).
Plug the drive back into workstation running Vista.
The disc is recognized as shown by the "eject" icon however VISTA HANGS HARD
with the kernel jumping to 50% saturation on one core.  Full system
instability ensues.
Disk manager hangs and becomes inaccessible, explorer crashes, can't be
relaunched, all utilities are rendered useless while the kernel goes into
overdrive to do nothing but something (evidently).  I could launch task
manager to show that it was the NT Kernel hanging.

/// Attempt #4
Boot laptop into Vista
Plug drive in.
Drive kills Vista on laptop as well.  Same symptoms as in #2.
In case vista was trying to repair and was simply doing it poorly and
hanging, I let the laptop sit with the disc overnight for 8 hours.
When I woke up, it was still uber-borked.

/// Attempt #5
Boot laptop into Vista OEM disc recovery console with drive plugged in (for
detection purposes)
RECOVERY CONSOLE dies hard with same CPU hanging symptoms

/// Attempt #6
Boot laptop into XP Pro (OEM) CD recovery console with drive plugged in (for
detection purposes)
No hanging.
Run chkdsk /p  (chkdsk /f does not exist for CD boot recovery)
XP detects errors and resolves them.  (This takes time because /p also
implies block check)
Reboot back into console and run vanilla chkdsk just to double check.

----
Boot back into vista on desktop and the drive mounts just fine no hangs, no
issues.
Boot into vista on laptop, drive mounts just fine no hangs, no issues.

\\\ Final solution for Vista "unfixable" NTFS file system structure \\\
- use linux/ntfs-3g to remove offending directory(s)
- run ntfsfix
- use XP to run chkdsk
- now drive will re-mount in fixed condition inside Vista

Really an unacceptable solution given I have 3 operating systems involved,
but when you must fix this scenario this is what I found works.
This might be of interest to you forensic-istas as well.

Ken
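
The Linux-side steps from Attempt #3, as an added example script (not part of the original post and not the poster's own commands). The device, mount point and directory name are placeholders supplied by the caller, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env bash
# Added example: ntfs-3g mount, remove directory, unmount, ntfsfix.
# Assumptions: GNU sort (-V); DEV, MNT and BAD_DIR come from the caller.
# The installed version is passed in by the caller, e.g. on a Debian-based
# system: dpkg-query -W -f='${Version}' ntfsprogs

MIN_NTFSPROGS="1.13.1-1"   # version named in the post

# True if $1 is strictly greater than $2 (GNU sort -V ordering).
version_gt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Print the command; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-1}" = "0" ] || return 0
    "$@"
}

# repair_steps DEV MNT BAD_DIR  (BAD_DIR is relative to the mount point)
repair_steps() {
    local dev=$1 mnt=$2 bad=$3
    # Refuse empty, absolute or traversal paths so rm stays inside the mount.
    case "$bad" in
        ""|/*|*..*) echo "refusing path: '$bad'" >&2; return 2 ;;
    esac
    # Do not touch a volume that is already mounted somewhere.
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "$dev is mounted; unmount it first" >&2
        return 3
    fi
    run mkdir -p "$mnt" &&
    run ntfs-3g "$dev" "$mnt" &&
    run rm -rf -- "$mnt/$bad" &&
    run umount "$mnt" &&
    run ntfsfix "$dev"
}

# Example (dry run): repair_steps /dev/sdX1 /mnt/mybook "offending dir"
```

After ntfsfix, the drive still goes to the XP recovery console for chkdsk /p, as in Attempt #6.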