[Novalug] SOT: Fixing NTFS file system with Linux

greg pryzby greg@pryzby.org
Thu Dec 6 11:10:18 EST 2007



Thanks for sharing.... I am sure someone else will run into this at some
point.

Ken Kauffman wrote:
> Can I just say -- holy crap --
> 
> I am merely sharing an experience here in case you run into the same
> issue for those that have to play in the <sarcasm>WWoW[tm]  (Wonderful
> World of Windows)</sarcasm>
> This is also not intended to trigger the non-constructive contributors
> that live in the realm of M$/Vista/Windows flame bashing either. ;)
> 
> This is my take away from this scenario --
> If your system seems to hang with NT Kernel at 50% (dual core) or 100%
> (single core), you might have a corrupt NTFS file system that Vista can
> not deal with. 
> I absolutely had to use XP and Linux to fix it.
> 
> 1) I must use Windows because of my job - so let's get that out of the way.
> 2) I do run Linux for non work stuff.
> 
> /// Actors
> - One AMD dual core X2 4400+ desktop running Vista X64 Home Premium
> - One laptop running dual boot Vista X64 Home Premium and Xubuntu
> - External 250Gb My Book Basic
> - OEM Vista x64 disc
> - OEM Windows XP Pro disc
> 
> /// Scenario
> NTFS on the MyBook has been corrupted and chkdsk utilities will not fix
> it.   There is a directory that "exists" but every tool I have tells me
> it does not.  Sounds like an entry in NTFS but not on disc.  I want to
> clean up the disc.  My entire music library is also on this external
> disc so I must tread with caution.
> 
> ---
> /// Attempt #1
> Run chkdsk in Vista.  Supposedly fixed the issues.  Did not actually.
> 
> /// Attempt #2
> Boot off XP OEM disc and try and remove directory.  Fail.
> 
> /// Attempt #3
> Boot laptop into Xubuntu, ensure that I am running ntfs-3g and ntfsfix. 
> Also ensure that ntfsprogs is greater than 1.13.1-1 which supports Vista
> NTFS.
> Mount drive using ntfs-3g.  Remove offending directory.  No problem.
> Unmount drive.
> Run ntfsfix on said drive.  (This triggers windows to do a chkdsk by
> marking it dirty).
> Plug the drive back into workstation running Vista.
> The disc is recognized as shown by the "eject" icon however VISTA HANGS
> HARD with the kernel jumping to 50% saturation on one core.  Full system
> instability ensues.
> Disk manager hangs and becomes inaccessible, explorer crashes, can't be
> relaunched, all utilities are rendered useless while the kernel goes
> into overdrive to do nothing but something (evidently).  I could launch
> task manager to show that it was the NT Kernel hanging.
> 
> /// Attempt #4
> Boot laptop into Vista
> Plug drive in.
> Drive kills Vista on laptop as well.  Same symptoms as in #2.
> In case vista was trying to repair and was simply doing it poorly and
> hanging, I let the laptop sit with the disc overnight for 8 hours.
> When I woke up, it was still uber-borked.
> 
> /// Attempt #5
> Boot laptop into Vista OEM disc recovery console with drive plugged in
> (for detection purposes)
> RECOVERY CONSOLE dies hard with same CPU hanging symptoms
> 
> /// Attempt #6
> Boot laptop into XP Pro (OEM) CD recovery console with drive plugged in
> (for detection purposes)
> No hanging. 
> Run chkdsk /p  (chkdsk /f does not exist for CD boot recovery)
> XP detects errors and resolves them.  (This takes time because /p also
> implies block check)
> Reboot back into console and run vanilla chkdsk just to double check.
> 
> ----
> Boot back into vista on desktop and the drive mounts just fine no hangs,
> no issues.
> Boot into vista on laptop, drive mounts just fine no hangs, no issues.
> 
> \\\ Final solution for Vista "unfixable" NTFS file system structure \\\
> - use linux/ntfs-3g to remove offending directory(s)
> - run ntfs-fix
> - use XP to run chkdsk
> - now drive will re-mount in fixed condition inside Vista
> 
> Really an unacceptable solution given I have 3 operating systems
> involved, but when you must fix this scenario this is what I found works. 
> This might be of interest to you forensic-istas as well.
> 
> Ken
--
greg pryzby                              greg at pryzby dot org
fingerprint: 8A1A DB90 869F 5DD1 D6E9 EEB6 C156 6B04 849F A86F
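
The Linux-side steps from Attempt #3 in the quoted post (version check, mount with ntfs-3g, remove the directory, unmount, ntfsfix), as an added example that is not part of the original thread. The function names, the dry-run switch, the path check and the already-mounted check are assumptions of this sketch; device, mount point, directory and the installed ntfsprogs version are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): Linux-side steps of Attempt #3.
# DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0 to execute as root.
MIN_NTFSPROGS="1.13.1-1"          # threshold quoted in the post
DRY_RUN="${DRY_RUN:-1}"

# version_newer A B: true if A sorts strictly after B (sort -V ordering,
# used here as an approximation of Debian package version comparison).
version_newer() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# safe_relpath P: reject empty, absolute, or ..-containing paths so the
# delete can never leave the mounted volume.
safe_relpath() {
    case "$1" in
        ""|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
}

# is_mounted DEV [MOUNTS]: true if DEV already appears in the mount table.
is_mounted() {
    grep -q "^$1 " "${2:-/proc/mounts}" 2>/dev/null
}

# run CMD...: echo the command, execute it only when DRY_RUN is not 1.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# linux_side_repair DEV MNT RELDIR INSTALLED_VERSION
linux_side_repair() {
    dev=$1; mnt=$2; rel=$3; have=$4
    version_newer "$have" "$MIN_NTFSPROGS" || { echo "ntfsprogs $have too old" >&2; return 1; }
    safe_relpath "$rel" || { echo "refusing path: $rel" >&2; return 1; }
    is_mounted "$dev" && { echo "$dev is already mounted" >&2; return 1; }
    run ntfs-3g "$dev" "$mnt" &&      # mount read-write through ntfs-3g
        run rm -r -- "$mnt/$rel" &&   # remove the offending directory
        run umount "$mnt" &&          # unmount before touching the device
        run ntfsfix "$dev"            # per the post, marks the volume dirty for chkdsk
}

# Run only when called with arguments: DEV MNT RELDIR INSTALLED_VERSION
if [ "$#" -eq 4 ]; then linux_side_repair "$@"; fi
```

The chkdsk pass from the XP recovery console described in Attempt #6 still has to follow on the Windows side.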


