[Novalug] SOT: Fixing NTFS file system with Linux

Anthony Soucek monkeywrenchit at gmail.com
Fri Dec 7 23:42:07 EST 2007 

A recent study by google showed that drives have an average of 8%
chance of failure per year,  so even if you are clever enough to fix
your corrupted file system (maybe) you still wound up deleting some
offending directory(s) so data was lost.  I'm thinking a backup is a
good thing.  Thanks for sharing your trick.

On Dec 6, 2007 11:53 PM, Ken Kauffman <kkauffman at headfog.com> wrote:
> Ah -- how did I deduce it "existed".   I could see the directory in the
> directory listing, however, when I tried to change to it, remove it or
> change permissions on it, I received errors.  This led me to be believe that
> it was a file system table issue.  The windows utilities could not deal with
> it in this odd state, but the Linux utilities allowed me to remove it.  I'm
> assuming the Linux tools are move capable of dealing with this particular
> invalid state.
>
> There's many valuable people on this list who help when they can. :)  Thanks
> for the kudo shout though.
>
> Ken
>
>
>
> On 12/6/07, Jay Hart < jhart at kevla.org> wrote:
> > Ken,
> >
> > Not busted my chops at all. I commend you for your excellent problem
> solving
> > skills.  You lost me on the "There is a directory that "exists"" which
> since
> > you don't tell us what it is, I was wondering how on earth you knew it was
> > there, how you spotted it, and how you know it was your problem.
> >
> > Ken, once again you you prove your worth to this list.
> >
> > Jay
> >
> > > Smug little tekkies with their "where's your backup?" comments don't
> address
> > > cost effectiveness.  (grin)
> > >
> > > The reality is that I recovered it within one day (total time investment
> of
> > > about 5-6 hours).  I also know that unless it's a physical disk failure
> and
> > > unencrypted, I can recover it.  I may not know how long -- but I know I
> can.
> > >
> > > I have had ZERO hard drive/controller physical failures in over 20 years
> of
> > > dealing with my own computers.  That said, my mother had one drive fail
> > > which I still was able to recover the majority of important data
> (admitadly
> > > that was partially lucky).  So -- my 'hoops vs. risk' ratio has always
> > > worked in my favor.
> > >
> > > I attribute my high success rate with computers to my religious use of
> UPS
> > > units.  Not only do they keep the power supply stable, they also
> condition
> > > it and keep it clean.
> > >
> > > BOOYAH!
> > >
> > > Have a nice day ...
> > >
> > > (You smilin Jay?  You know I'm busting your chops with this right?)
> > >
> > > K
> > >
> > > On 12/6/07, Jay Hart < jhart at kevla.org> wrote:
> > >>
> > >> Ken,
> > >>
> > >> Had you had another backup source of your files, would you still have
> had
> > >> to
> > >> jump through these hoops?
> > >>
> > >> Jay
> > >>
> > >> > Can I just say -- holy crap --
> > >> >
> > >> > I am merely sharing an experience here in case you run into the same
> > >> issue
> > >> > for those that have to play in the <sarcasm>WWoW[tm]  (Wonderful
> World
> > >> of
> > >> > Windows)</sarcasm>
> > >> > This is also not intended to trigger the non-constructive
> contributors
> > >> that
> > >> > live in the realm of M$/Vista/Windows flame bashing either. ;)
> > >> >
> > >> > This is my take away from this scenario --
> > >> > If your system seems to hang with NT Kernel at 50% (dual core) or
> 100%
> > >> > (single core), you might have a corrupt NTFS file system that Vista
> can
> > >> not
> > >> > deal with.
> > >> > I absolutely had to use XP and Linux to fix it.
> > >> >
> > >> > 1) I must use Windows because of my job - so let's get that out of
> the
> > >> way.
> > >> > 2) I do run Linux for non work stuff.
> > >> >
> > >> > /// Actors
> > >> > - One AMD dual core X2 4400+ desktop running Vista X64 Home Premium
> > >> > - One laptop running dual boot Vista X64 Home Premium and Xubuntu
> > >> > - External 250Gb My Book Basic
> > >> > - OEM Vista x64 disc
> > >> > - OEM Windows XP Pro disc
> > >> >
> > >> > /// Scenario
> > >> > NTFS on the MyBook has been corrupted and chkdsk utilities will not
> fix
> > >> > it.   There is a directory that "exists" but every took I have tells
> me
> > >> it
> > >> > does not.  Sounds like an entry in NTFS but no on disc.  I want to
> clean
> > >> up
> > >> > the disc.  My entire music library is also on this external disc so I
> > >> must
> > >> > tread with caution.
> > >> >
> > >> > ---
> > >> > /// Attempt #1
> > >> > Run chkdsk in Vista.  Supposedly fixed the issues.  Did not actually.
> > >> >
> > >> > /// Attempt #2
> > >> > Boot of XP OEM disc and try and remove directory.  Fail.
> > >> >
> > >> > /// Attempt #3
> > >> > Boot laptop into Xubuntu, ensure that I am running ntfs-3g and
> ntfsfix.
> > >> > Also ensure that ntfsprogs is greater than 1.13.1-1 which supports
> Vista
> > >> > NTFS.
> > >> > Mount drive using ntfs-3g.  Remove offending directory.  No problem.
> > >> > Unmount drive.
> > >> > Run ntfsfix on said drive.  (This triggers windows to do a chkdsk by
> > >> marking
> > >> > it dirty).
> > >> > Plug the drive back into workstation running Vista.
> > >> > The disc is recognized as shown by the "eject" icon however VISTA
> HANGS
> > >> HARD
> > >> > with the kernel jumping to 50% saturation on one core.  Full system
> > >> > instability ensues.
> > >> > Disk manager hangs and becomes inaccessible, explorer crashes, can't
> be
> > >> > relaunches, all utilities are rendered useless while the kernel goes
> > >> into
> > >> > overdrive to do nothing but something (evidently).  I could launch
> task
> > >> > manager to show that it was the NT Kernel hanging.
> > >> >
> > >> > /// Attempt #4
> > >> > Boot laptop into Vista
> > >> > Plug drive in.
> > >> > Drive kills Vista on laptop as well.  Same symptoms as in #2.
> > >> > In case vista was trying to repair and was simply doing it poorly and
> > >> > hanging, I let the laptop sit with the disc overnight for 8 hours.
> > >> > When I woke up, it will still uber-borked.
> > >> >
> > >> > /// Attempt #5
> > >> > Boot laptop into Vista OEM disc recovery console with drive plugged
> in
> > >> (for
> > >> > detection purposes)
> > >> > RECOVERY CONSOLE dies hard with same CPU hanging symptoms
> > >> >
> > >> > /// Attempt #6
> > >> > Boot laptop into XP Pro (OEM) CD recovery console with drive plugged
> in
> > >> (for
> > >> > detection purposes)
> > >> > No hanging.
> > >> > Run chkdsk /p  (chkdsk /f does not exist for CD boot recovery)
> > >> > XP detects errors and resolves them.  (This takes time because /p
> also
> > >> > implies block check)
> > >> > Reboot back into console and run vanilla chkdsk just to double check.
> > >> >
> > >> > ----
> > >> > Boot back into vista on desktop and the drive mounts just fine no
> hangs,
> > >> no
> > >> > issues.
> > >> > Boot into vista on laptop, drive mounts just fine no hangs, no
> issues.
> > >> >
> > >> > \\\ Final solution for Vista "unfixable" NTFS file system structure
> \\\
> > >> > - use linux/ntfs-3g to remove offending directory(s)
> > >> > - run ntfs-fix
> > >> > - use XP to run chkdsk
> > >> > - now drive will re-mount in fixed condition inside Vista
> > >> >
> > >> > Really an unacceptable solution given I have 3 operating systems
> > >> involved,
> > >> > but when you must fix this scenario this is what I found works.
> > >> > This might be of interest to you forensic-istas as well.
> > >> >
> > >> > Ken
> > >> > _______________________________________________
> > >> > Novalug mailing list
> > >> > Novalug at calypso.tux.org
> > >> > http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
> > >> >
> > >>
> > >>
> > >>
> > >
> >
> >
> >
>
>
> _______________________________________________
> Novalug mailing list
> Novalug at calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
>



-- 
Anthony Soucek

More information about the Novalug mailing list