Re: remove zombie MFT entry

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance


"Peter Gründler" <usenetspam@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ofpzxdxutyqa.dlg@xxxxxxxxxxxxxxxx
Am Thu, 16 Jul 2009 15:20:32 +0200 schrieb Pegasus [MVP]:

"Peter Gründler" <usenetspam@xxxxxxxxxxxxxxxxxxx> wrote in message
news:1d1g3171weknn$.dlg@xxxxxxxxxxxxxxxx
Hi everyone!

I found a weird zombie file in a user profile directory (Windows
XPpro/NTFS); it has the following properties:

* zero bytes.
* File properties box under windows has no security and no fileinfo
tabs.
* cannot be deleted, even the recovery console displays it but tells me
the
system cant find it when I try to delete it.
* cacls tells me the file isn't there.
* checkdisk /F doesn't touch it either.

Runtime's NTFS Disk Explorer finds the MFT entry ok, screenshot here:
http://gruendler.org/temp/zombiefile.png

I'd like to know what properties of this MFT entry lead to this
behaviour.
Where (byte offset) is the "deleted" flag in the MFT structure?
Can I get rid of the file by setting the deleted flag and running chkdsk
/F?

regards
Peter

Seeing that this file consumes no disk space and does not cause any
problem,
I would be most reluctant to interfere with the MFT and set/reset certain
flags without fully knowing what their effect might be. There is a
considerable risk of doing some real damage whereas the benefit of fixing
the problem appears to be tiny to non-existent. Who cares about a rogue
file
buried deep inside a temp folder?

Only scientific interest ;-)


Have you tried the much safer method of deleting the whole temp folder,
then
recreating it?

Yes - the delete process stopped like with a file in use when it came to
this rogue entry.

but - most weirdly - meanwhile a simple trick did it:

context menu -> open with... -> Notepad "asks: "File not found, dou you
want to create a new one?" -> yes -> save -> delete -> voilà.

So, although even administrative and recovery tools or linux (which I also
tried) displaed the file but resisted deleting it or changing its rights,
the bad entry could be simply replaced by a valid entry through saving a
file under the same name.

Any idea?

thx, peter

The only suggestion I can make is that the NTFS driver fixed the problem
when faced with two seemingly identical file names.


.

Relevant Pages

  • Re: remove zombie MFT entry
    ... File properties box under windows has no security and no fileinfo tabs. ... I'd like to know what properties of this MFT entry lead to this behaviour. ... Where is the "deleted" flag in the MFT structure? ...
    (microsoft.public.windows.file_system)
  • Re: remove zombie MFT entry
    ... File properties box under windows has no security and no fileinfo tabs. ... I'd like to know what properties of this MFT entry lead to this behaviour. ... Where is the "deleted" flag in the MFT structure? ... Have you tried the much safer method of deleting the whole temp folder, ...
    (microsoft.public.windows.file_system)
  • Re: Executable enty points incorrectly documented
    ... All these things are correct but this is more specific and related to the .NET Framework than to Windows API and the C++ linker and does not mention the actual entry point signatures either. ... The documentation problem to which you allude is that it is the CRT entry point that calls one of the versions of main / WinMain that is defined in your program. ... This is the signature of the managed entry point that has nothing to do with native executables/DLLs. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: Executable enty points incorrectly documented
    ... You wrote that WinMain is not a starting function in CRT, but an user-defined entry point for a Windows application. ... I believe that the fact that this function is called by the C/C++ runtime clearly backs my opinion that WinMain has nothing to do with the operating system. ... Even if WinMain documentation remains in Windows SDK it would be wise to explicitly state that support for this entry point is provided by the C/C++ runtime rather than Windows itself. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: The system file cannot be specified
    ... entry has magically reappeared. ... just an entry in the MFT. ... But when it tried to delete the file, Windows ... from Windows Explorer and dropping it at the command prompt command? ...
    (microsoft.public.windowsxp.help_and_support)