[Novalug] SOT: Fixing NTFS file system with Linux

Miguel Gonzalez Castaños miguel_3_gonzalez at yahoo.es
Thu Dec 6 11:05:37 EST 2007


Ken Kauffman wrote:
> Can I just say -- holy crap --
>
> I am merely sharing an experience here in case you run into the same 
> issue for those that have to play in the <sarcasm>WWoW[tm]  (Wonderful 
> World of Windows)</sarcasm>
> This is also not intended to trigger the non-constructive contributors 
> that live in the realm of M$/Vista/Windows flame bashing either. ;)
>
> This is my take away from this scenario --
> If your system seems to hang with NT Kernel at 50% (dual core) or 100% 
> (single core), you might have a corrupt NTFS file system that Vista 
> can not deal with. 
> I absolutely had to use XP and Linux to fix it.
>
> 1) I must use Windows because of my job - so let's get that out of the 
> way.
> 2) I do run Linux for non work stuff.
>
> /// Actors
> - One AMD dual core X2 4400+ desktop running Vista X64 Home Premium
> - One laptop running dual boot Vista X64 Home Premium and Xubuntu
> - External 250Gb My Book Basic
> - OEM Vista x64 disc
> - OEM Windows XP Pro disc
>
> /// Scenario
> NTFS on the MyBook has been corrupted and chkdsk utilities will not 
> fix it.   There is a directory that "exists" but every tool I have 
> tells me it does not.  Sounds like an entry in NTFS but not on disc.  I 
> want to clean up the disc.  My entire music library is also on this 
> external disc so I must tread with caution.
>
> ---
> /// Attempt #1
> Run chkdsk in Vista.  Supposedly fixed the issues.  Did not actually.
>
> /// Attempt #2
> Boot off XP OEM disc and try and remove directory.  Fail.
>
> /// Attempt #3
> Boot laptop into Xubuntu, ensure that I am running ntfs-3g and 
> ntfsfix.  Also ensure that ntfsprogs is greater than 1.13.1-1 which 
> supports Vista NTFS.
> Mount drive using ntfs-3g.  Remove offending directory.  No problem.
> Unmount drive.
> Run ntfsfix on said drive.  (This triggers windows to do a chkdsk by 
> marking it dirty).
> Plug the drive back into workstation running Vista.
> The disc is recognized as shown by the "eject" icon however VISTA 
> HANGS HARD with the kernel jumping to 50% saturation on one core.  
> Full system instability ensues.
> Disk manager hangs and becomes inaccessible, explorer crashes, can't 
> be relaunched, all utilities are rendered useless while the kernel 
> goes into overdrive to do nothing but something (evidently).  I could 
> launch task manager to show that it was the NT Kernel hanging.
>
> /// Attempt #4
> Boot laptop into Vista
> Plug drive in.
> Drive kills Vista on laptop as well.  Same symptoms as in #2.
> In case vista was trying to repair and was simply doing it poorly and 
> hanging, I let the laptop sit with the disc overnight for 8 hours.
> When I woke up, it was still uber-borked.
>
> /// Attempt #5
> Boot laptop into Vista OEM disc recovery console with drive plugged in 
> (for detection purposes)
> RECOVERY CONSOLE dies hard with same CPU hanging symptoms
>
> /// Attempt #6
> Boot laptop into XP Pro (OEM) CD recovery console with drive plugged 
> in (for detection purposes)
> No hanging. 
> Run chkdsk /p  (chkdsk /f does not exist for CD boot recovery)
> XP detects errors and resolves them.  (This takes time because /p also 
> implies block check)
> Reboot back into console and run vanilla chkdsk just to double check.
>
> ----
> Boot back into vista on desktop and the drive mounts just fine no 
> hangs, no issues.
> Boot into vista on laptop, drive mounts just fine no hangs, no issues.
>
> \\\ Final solution for Vista "unfixable" NTFS file system structure \\\
> - use linux/ntfs-3g to remove offending directory(s)
> - run ntfsfix
> - use XP to run chkdsk
> - now drive will re-mount in fixed condition inside Vista
>
> Really an unacceptable solution given I have 3 operating systems 
> involved, but when you must fix this scenario this is what I found 
> works. 
> This might be of interest to you forensic-istas as well.
>
> Ken
There is a rescuecd Knoppix live CD with tools for recovering Windows 
partitions.

Miguel
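
The Linux steps from Attempt #3 in the quoted message, as an added example that is not part of the original thread: a dry-run wrapper around the ntfs-3g / rm / umount / ntfsfix sequence with the ntfsprogs version gate. The device, mountpoint and directory arguments are hypothetical placeholders, and the `dpkg-query` lookup assumes Debian/Ubuntu packaging with the package named as in the thread.

```shell
#!/bin/sh
# Added example: Linux half of the repair (ntfs-3g + ntfsfix), dry-run by default.
# Device, mountpoint and directory arguments are hypothetical placeholders.

MIN_NTFSPROGS="1.13.1-1"   # the thread requires a version newer than this

# version_gt A B: true when version A sorts strictly after version B.
version_gt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# run CMD...: always print the command; execute it only when APPLY=1.
run() {
    echo "+ $*"
    [ "${APPLY:-0}" = 1 ] || return 0
    "$@"
}

# linux_side_repair DEVICE MOUNTPOINT BAD_DIR (BAD_DIR relative to the volume root)
linux_side_repair() {
    dev=$1 mnt=$2 bad=$3
    case "$bad" in
        ''|/*|*..*) echo "refusing unsafe directory: '$bad'" >&2; return 1 ;;
    esac
    run ntfs-3g "$dev" "$mnt" &&       # mount read-write through ntfs-3g
        run rm -r -- "$mnt/$bad" &&    # remove the offending directory
        run umount "$mnt" &&           # unmount before ntfsfix, as in the thread
        run ntfsfix "$dev"             # per the thread: marks dirty so Windows runs chkdsk
}

if [ "$#" -eq 3 ]; then
    # Assumption: Debian/Ubuntu packaging, package named ntfsprogs as in the thread.
    have=$(dpkg-query -W -f='${Version}' ntfsprogs 2>/dev/null) || have=""
    have=${have#*:}                    # drop a Debian epoch prefix if present
    if ! version_gt "${have:-0}" "$MIN_NTFSPROGS"; then
        echo "ntfsprogs '${have}' is not newer than $MIN_NTFSPROGS" >&2
        exit 1
    fi
    linux_side_repair "$@"
fi
```

Without `APPLY=1` the script only prints the four commands; the chkdsk pass from XP described in Attempt #6 still has to follow on the Windows side.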


