Re: Found the chkdsk log [STOP error, data unviewable etc...]



I ended up using DFSee to get the files back...it found nearly everything
except the important stuff...it seemed like this random swath of corruption
ran through Documents and Settings as well as some of my music files. And of
course everything in the Recycle Bin was intact...go figure. So anyway, I
found the log file that had the chkdsk run that originally destroyed my drive.

So I'm guessing what happened is somehow a corrupted entry was made that
reflected an enormously huge USN Journal. The system, naturally, gave the
single entry precedence over everything else and decided to lengthen the Usn
Journal by the equivalent amount, incidentally cutting a huge swath of
corruption through important things such as the MFT and the files mentioned
above. Then it noticed, hey, the MFT is different from the mirror. So what
does it do? It decides the MIRROR is wrong and "updates" it. This explains
why I wasn't able to repair it by restoring from the backup.

I'm just guessing from what the log says, I really have no clue. It's a bit
late now I suppose, but I'd love to know why this happened.

-- Joren

Checking file system on C:
The type of the file system is NTFS.
Volume label is The Bucket.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
The multi-sector header signature in file 0x7e39 is incorrect.
42 41 41 44 ff 07 88 38 69 83 e2 07 f8 f3 10 05 BAAD...8i.......
54 44 74 64 00 de 61 02 00 00 00 00 00 00 00 00 TDtd..a.........
Deleting corrupt file record segment 32313.
The record length 0x90 is too large for attribute of type 0x400
and instance tag 0x72585600 in file 0x1c5. The maximum value is 0x1c1ae90.
Truncating badly linked attribute records
from file record segment 65181.
Index entry kbdhela3.dll of index $I30 in file 0x44fc points to unused file
0x7e39.Deleting index entry kbdhela3.dll in index $I30 of file 17660.
Unable to locate the file name attribute of index entry BE8C76~1.WAV
of index $I30 with parent 0xfe90 in file 0xfe9d.
Deleting index entry BE8C76~1.WAV in index $I30 of file 65168.
Unable to locate the file name attribute of index entry BerserkRunFoot2.wav
of index $I30 with parent 0xfe90 in file 0xfe9d.
Deleting index entry BerserkRunFoot2.wav in index $I30 of file 65168.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
Cleaning up 4 unused index entries from index $SII of file 0x9.
Cleaning up 4 unused index entries from index $SDH of file 0x9.
Cleaning up 4 unused security descriptors.
Inserting data attribute into file 65181.
CHKDSK is verifying Usn Journal...
The USN Journal length 0x2dfa94c28 in file 0x2271 is less the
largest USN encountered, 0x1c1ae9072585600, plus eight in file 0xfe9d.
Repairing Usn Journal $J data stream.
CHKDSK is resetting Usn information...
Usn Journal verification completed.
The MFT mirror is different from the MFT.
Correcting errors in the Master File Table (MFT) mirror.
Correcting errors in the master file table's (MFT) BITMAP attribute.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

33013543 KB total disk space.
26201332 KB in 62066 files.
21176 KB in 4340 indexes.
0 KB in bad sectors.
173447 KB in use by the system.
65536 KB occupied by the log file.
6617588 KB available on disk.

4096 bytes in each allocation unit.
8253385 total allocation units on disk.
1654397 allocation units available on disk.

Windows has finished checking your disk.
Please wait while your computer restarts.

---------

"Joren" wrote:

No, I do not. It's just a vanilla NTFS partition without too much other
stuff on it. Would have been cool, though.

<back from spring break; thinking about giving in and buying something to
fix it>

It just seems sad; all the data's there, it's just some little thing
prevents the computer from believing it is there. I'd love to know what the
USN journal is for, why it was reset, why that killed the access to the
partition, etc. Oh well...

Thanks,

-- Joren

"John John" wrote:

You don't by any chance have drive overlay or GoBack kind of software on
that drive?

John

Joren wrote:

Hey, sorry for the short reply; I was off to midterms :)

Hard drive 1
IDE 1 - Master
Partition 1
(C:)
C:\WINNT - Win2k Prof w/SP4 - This is my main install with all my important
files and a three-month-old backup (uh...oops?)

Hard drive 2
IDE 2 - Master
Partition 1
(D:)
D:\WIN2K - Win2k Prof w/SP4 -- this is my backup install in case stuff goes
wrong. This drive is not normally plugged into the computer; it is plugged
in now or else I would not be able to type this reply :).

So I guess what you're saying is buy some utility that will examine/rewrite
the partition table? Is it possible to do this manually? (I'm stingy! :P)
Also, you mentioned DiskEdit in the past tense...I guess they don't make that
anymore?

Anyhow, thanks for your input. I hope my description is a little clearer now.

-- Joren

"Joren" wrote:


The other installation is Win2k, on a different hard drive that was not in
the original configuration. I plugged it in to check out what was wrong. I
had my bios boot up that disk on it's own, without any sort of multi-boot.
Yes, C is on the first hard drive, first partition, the one that is corrupted
(this other installation is D:, and D:\Win2k is the installation).

-- Joren

"R. C. White" wrote:


Hi, Joren.

Here's where you lost me:


So then I go to my other installation; the drive appears as "Local Disk
(C:)"...that's not good! I try to open it up, and I get this error:

c:\ is not accessible. There is not enough space on the disk.

What "other installation"? All you've mentioned up to this point is a
single HD with a single Active primary partition with a single installation
of Win2K on it. Is the "other installation" on a second HD? Does it have
an Active primary partition on it? Are you dual-booting? Using the MS
dual-boot system or a third party boot manager? Do you switch the CMOS to
have the BIOS boot from that second HD to boot into your "other
installation"? Is that "other installation" also Win2K, or is it WinXP or
some other OS?


I went to Disk Management, and my C: partition is displayed as "(C:)
Healthy (Active)" but with no file system (and 100% free space,
ironically).

WHERE does DM say that C: is? On the first (only?) HD? How are you running
DM: from your original Win2K or from that "other installation"? What other
labels (System, Boot, etc.) does it show, and for which volumes?

My nearest experience to this was a couple of years ago when I went for a
cup of coffee while WinXP was booting and came back to find Chkdsk running -
and "fixing" things on my second HD! It "fixed" them so well on "E:Data"
that I could not read the 10 GB of files on that 25 GB volume. Since it
wasn't my boot volume, I created a substitute volume E: in spare unallocated
space on another HD, and recreated much of my "lost" data there from
backups. I was careful not to write anything to my bad volume, renamed Z:,
(I couldn't, anyhow, because it was not accessible) while I tried various
solutions. It took me about 3 months to find R-Studio from www.r-tt.com. I
downloaded that (US$70) and recovered almost all of my "lost" files with it.
As to what caused my problem in the first place, my guess is that a
momentary glitch during startup caused WinXP to think that the HD had
problems and ran Chkdsk - which misinterpreted what it saw and "fixed"
something that wasn't broken. :>( I haven't needed R-Studio recently so I
don't know about the current version.

FixMBR is a useful utility, but it does not give us the byte-by-byte control
that we had with hex editors such as DiskEdit in the original Norton
Utilities. It's not clear to me whether this does anything to the 64 bytes
of the Partition Table, or just to the 400+ bytes of code in the MBR sector.

RC
--
R. C. White, CPA
San Marcos, TX
rc@xxxxxxxxxxxx
Microsoft Windows MVP

"Joren" <Joren@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:65479921-A4F9-49F5-ABFA-CC3F97517ADD@xxxxxxxxxxxxxxxx

This is easily the weirdest error I've ever seen. I'd really appreciate
any
help with this; I have been searching the 'net and these groups for some
time
looking for anything similar. I'm hoping that if a solution is found
someone
else's search will be made easier. Forgive me if this is too verbose; I
like
to include as much detail as possible to minimize the amount of replying
that
is needed :).

First, let's get the easy stuff out of the way. No, I'm not running any
SCSI setup or unique controllers; this is straight up IDE with a master
disk
on the first chain. There is a NTFS bootable partition taking up most of
the
space on the drive; the rest is unused.

I was booting Windows 2000 Professional SP4 normally; this has been a
relatively long duration install. I noticed that the system had decided
to
run chkdsk, so I let it run. It replaces a couple badly linked temporary
files, then it checks the Usn Journal. It decides it needs to be
repaired,
so first it says "repairing Usn journal" and then "Resetting Usn
Information"
or something to that effect. It definitely used the word resetting, and
at
the end of the message was a percentage, 0%, and it was taking a very,
VERY
long time! I was a little freaked out, wondering whether it was
overwriting
stuff, but decided to trust chkdsk. At the end of this, it rebooted,
Win2k
started up again, but now halfway through the logo'd boot process I get a
INACCESSIBLE_BOOT_DEVICE STOP. I find it intriguing that it had no
trouble
reading boot.ini, displaying my startup menu, yet somehow cannot access
the
partition.

So then I go to my other installation; the drive appears as "Local Disk
(C:)"...that's not good! I try to open it up, and I get this error:

c:\ is not accessible. There is not enough space on the disk.

Opening up a command prompt and switching to C: yields the last sentence
again. I went to Disk Management, and my C: partition is displayed as
"(C:)
Healthy (Active)" but with no file system (and 100% free space,
ironically).
So, I went to the command prompt and did a chkdsk /f on c:. Amazingly,
chkdsk reported my partition information correctly:

The type of the file system is NTFS.
Volume label is The Bucket.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Windows has checked the file system and found no problem.

33013543 KB total disk space.
26201340 KB in 62068 files.
21176 KB in 4340 indexes.
0 KB in bad sectors.
173447 KB in use by the system.
65536 KB occupied by the log file.
6617580 KB available on disk.

4096 bytes in each allocation unit.
8253385 total allocation units on disk.
1654395 allocation units available on disk.

Notice, it gives my volume label, displays the file system as NTFS, and
says
I have plenty of free space. This chkdsk also took a fair amount of time
to
complete, suggesting that the directory structure/etc is still intact. I
used a demo product to view the files in the partition; and all appears to
be
there.

I have tried FIXMBR and FIXBOOT in the Recovery Console to no avail.
FIXMBR
displays a warning saying my partition table is non-standard; I told it to
overwrite anyway and nothing changed. I still get exactly the same errors
and results as above. I'm just about out of ideas; any suggestions?
Thanks
in advance,

-- Joren




.