> pagefile.sys everywhere and nowhere, Is there a way to delete a phantom pagefile.sys?
CraigBos
post Jan 1 2009, 04:44 PM
Post #16





I wanted to follow up on some questions and add a few more comments on this.

QUOTE(Galadriel @ Dec 29 2008, 10:05 PM) *
So my question relating to this is the following, have you run checkdisk with the fix option? (start - run chkdsk /f or better yet, chkdsk /r) If not, I suspect this may clear the issue.

I really took this comment to heart and was sure to run chkdsk frequently. In the old days of FAT volume organization/optimization (anyone remember an old IBM PC tool called VOO-DOO?), it was critical to have a clean chkdsk before starting a defrag.

QUOTE(Galadriel @ Dec 29 2008, 10:05 PM) *
Are you sure the D drive is indeed the recovery partition?

Yeah, this is a screwy thing about how Compaq/HP set up my laptop, and it is why I use scare quotes around "recovery partition."

The "recovery partition" on my laptop is mounted as a regular FAT32 D: drive. The only thing that "protects" it is a dorky autorun.inf that pops up a warning window when you double click on D:. As long as that autorun.inf is there, you have to right click and select Explore to look at it. It actually does nothing to prevent the system from writing there. I renamed mine "autorun.inf.stopbotheringme"

Unfortunately, during the course of thrashing around on this problem, I had one case where the laptop shut down due to overheating right in the middle of defragging D:. So the next chkdsk on D: recovered a few files. So I suspect my "recovery partition" is now toast.

No matter. If C: really dies someday, I'll just repartition/reformat/reinstall everything from scratch, and get rid of the useless "recovery partition."

QUOTE(usasma @ Dec 30 2008, 05:23 AM) *
You can access and delete directories from outside of Windows by using a boot disk. This is the most likely way to locate and delete the C:\pagefile.sys that's hiding on your drive.

This was the key suggestion that got the problem solved. Thank you very much!

NTFS4DOS must have a slightly different NTFS implementation from Windows, which was actually able to delete the phantom pagefile.sys.

I also was able to see the phantom pagefile.sys with Active@ NTFS reader. But that tool didn't allow me to actually delete the file.

QUOTE(usasma @ Dec 30 2008, 05:23 AM) *
I would also check in your Event Viewer for errors. To do this, go to Start...Run...and type in "eventvwr.msc" (without the quotes) and press Enter. Click on the System log file item in the left hand pane, then scroll down the right hand pane to look for the errors.

Well, it's always scary to go around turning over rocks, and this is no exception. The event log contains lots of these:

CODE
Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 12/29/2008
Time: 2:10:34 PM
User: N/A
Computer: CRAIG-LAPTOP3
Description:
The device, \Device\Harddisk0\D, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


There were dozens of them from the beginning of the log up to December 27. The event on December 29 pasted above is the last occurrence. I'm in the process of doing chkdsk /x /r on both volumes of the affected drive, and will do another long test using SeaTools.

After that, I'll pay closer attention to the log, and if it keeps throwing these bad block errors, I'll replace the drive.

So thanks a second time for pointing out another thing to look at.

QUOTE(usasma @ Dec 30 2008, 05:23 AM) *
- Have you let Windows manage the pagefile? If so, what results do you get?

Yep. Same result. It filled up the D: drive with a pagefile.sys, even though the configuration had it going to C:.

QUOTE(usasma @ Dec 30 2008, 05:23 AM) *
- I believe it was HP/Compaq systems with AMD processors that had issues with SP3 - due to the loading of an Intel processor driver. Have you checked to see if this is disabled?

I saw this point being made elsewhere also, but it looks like this was corrected before I took the SP3 upgrade. I don't remember the details, but it sounded like the error brought systems to a dead stop, which didn't happen here.

QUOTE(usasma @ Dec 30 2008, 05:23 AM) *
- I would suggest finding the exact model of your video card and visiting the nVidia website to download the latest drivers from there. Once you've downloaded them, uninstall the HP/Windows drivers from the Control Panel...Add/Remove Programs applet. In the past I've had issues with HP drivers from HP and Windows Update - the nVidia drivers work without fail.

I was scared off from doing this by some verbiage on the nVidia web site saying that these were "reference drivers" and that I should get actual drivers from the PC manufacturer directly. Good to know your experience for future reference.

QUOTE(usasma @ Dec 30 2008, 05:23 AM) *
- Your system specs from MSINFO32 reveal the pagefile on D: to be 1.68 gB - is this correct, or is it another quirk?

No, that was a correct indication, and another clue to something being wrong. There really was a pagefile.sys of that size on D:, even though the configuration was pointing to C:.

QUOTE(usasma @ Dec 30 2008, 06:00 PM) *
I'm gonna have to do some reading about the details of the MFT before I can even start to comment on your work - this is way beyond anything that I know!

Yep, it was beyond anything I knew at the time also. The info at http://sourceforge.net/project/showfiles.p...ackage_id=16543 was extremely useful here.

Turns out the MFT starts at cluster 10 on an NTFS drive. I used Disk Investigator to dump the contents of the volume at that location. The file records were pretty easy to spot, since they begin with "FILE" and end with a sequence of four bytes equal to FF.

Using the info from the Sourceforge project docs, it was fairly straightforward to decode the file entry for the phantom pagefile.sys.

Here is a scan of the chicken scratch decode job I did:


This was enough for me to conclude that there really was a pagefile.sys on the C: drive, although I never did figure out what is wrong with its MFT entry.

QUOTE(Galadriel @ Dec 31 2008, 09:37 AM) *
The only thing I would caution users about is the use of CCleaner. If any use it, I strongly recommend against the use of the Issues tab/button. The registry is a very fickle area, and one automated tools really shouldn't attempt to "clean". For more info on the reasoning behind this caution, I strongly recommend this read: XP Myth: Registry Cleaners.

Another good comment, which I incorporated back into the how-to post. Of course, I ran CCleaner before seeing the comment, and did let it "clean" my registry. There have been no ill effects so far, so I'll keep my fingers crossed.

I have belatedly taken dc3's suggestion to back up the registry with Erunt. Better late than never!

QUOTE(Grinler @ Dec 31 2008, 12:53 PM) *
Would you mind if I downloaded the images and hosted them here so they do not eventually disappear?

Absolutely, Grinler. Please do that.

As I was getting all this typed up, I was telling my wife that when I'm stumped by a problem, I am almost always able to find the solution online somewhere. The last major occurrence of this was when the HVAC blower in her car quit working. I found the solution here.

For this problem with the page file, I was truly surprised not to be able to find a solution. So I took the opportunity to write it up for others to use some day.

Anything you can do to make sure it is not lost is welcome and appreciated.

And of course, thanks for the entire BleepingComputer site. I wouldn't have solved my problem without it!
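
The record layout described in post #16 (a "FILE" signature, then a list of attributes closed by four FF bytes), as an added example that is not part of the original posts or of any tool named in the thread. The function names `parse_file_record` and `build_sample` are hypothetical, the sample record is constructed, and the field offsets assume the commonly documented NTFS on-disk layout.

```python
import struct

END_MARKER = 0xFFFFFFFF  # attribute type that closes the attribute list
FILE_NAME = 0x30         # $FILE_NAME attribute type

def parse_file_record(rec: bytes) -> dict:
    """Decode header flags and resident $FILE_NAME attributes of one record.
    Update-sequence fixups are not applied (fine for short records)."""
    if rec[:4] != b"FILE":
        raise ValueError("record does not start with FILE")
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, flags
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "names": [], "terminated": False}
    while off + 8 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, off)
        if a_type == END_MARKER:
            info["terminated"] = True
            break
        if a_len < 0x18 or off + a_len > len(rec):
            break  # implausible length: stop rather than walk off the record
        if a_type == FILE_NAME and rec[off + 8] == 0:  # resident attribute
            c_len, c_off = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + c_off:off + c_off + c_len]
            if len(body) >= 0x42:
                parent = int.from_bytes(body[:6], "little")  # parent record number
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
                info["names"].append((parent, name))
        off += a_len
    return info

def build_sample(name: str, parent: int = 5) -> bytes:
    """Constructed 1024-byte record for the demo; not data from the thread."""
    body = (parent.to_bytes(6, "little") + b"\x05\x00" + bytes(0x38)
            + bytes([len(name), 3]) + name.encode("utf-16-le"))
    a_len = (0x18 + len(body) + 7) & ~7  # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, a_len, 0, 0, 0x18, 0, 0,
                       len(body), 0x18, 1, 0) + body
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, 1,
                                0x38 + a_len + 8, 1024)
    rec = hdr.ljust(0x38, b"\0") + attr.ljust(a_len, b"\0")
    return (rec + struct.pack("<II", END_MARKER, 0)).ljust(1024, b"\0")

if __name__ == "__main__":
    good = build_sample("pagefile.sys")
    print(parse_file_record(good))
    damaged = good[:0x38 + 120] + bytes(1024 - 0x38 - 120)  # end marker wiped
    print(parse_file_record(damaged)["terminated"])
```

A record whose attribute walk stops without reaching the end marker (`terminated` is false) is one worth inspecting by hand in a hex view.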
Galadriel
post Jan 1 2009, 05:23 PM
Post #17





QUOTE(CraigBos @ Jan 1 2009, 03:44 PM) *
I really took this comment to heart and was sure to run chkdsk frequently. In the old days of FAT volume organization/optimization (anyone remember an old IBM PC tool called VOO-DOO?), it was critical to have a clean chkdsk before starting a defrag.


Yup. I remember having to chkdsk before defrag, in fact, it's still a good idea to do it even now, although not as critical. My entry in the PC world was late I have to say, at that time I was mostly using Apples and Amigas. I really wasn't introduced intimately with the PC world before Win98.

QUOTE
Yeah, this is a screwy thing about how Compaq/HP set up my laptop, and it is why I use scare quotes around "recovery partition."

The "recovery partition" on my laptop is mounted as a regular FAT32 D: drive. The only thing that "protects" it is a dorky autorun.inf that pops up a warning window when you double click on D:. As long as that autorun.inf is there, you have to right click and select Explore to look at it. It actually does nothing to prevent the system from writing there. I renamed mine "autorun.inf.stopbotheringme"

Unfortunately, during the course of thrashing around on this problem, I had one case where the laptop shut down due to overheating right in the middle of defragging D:. So the next chkdsk on D: recovered a few files. So I suspect my "recovery partition" is now toast.

No matter. If C: really dies someday, I'll just repartition/reformat/reinstall everything from scratch, and get rid of the useless "recovery partition."


I knew of this possibility, but wasn't absolutely sure this applied. And you are right, chances are, the recovery is most likely toast indeed. Funny how a big manufacturer such as HP would consider an annoying autorun file to "protect" the recovery partition from tinkering. Especially when PCs these days don't even come with restore discs, or an OS disc at all. So much for being able to recover if you're not a geek.

QUOTE
Using the info from the Sourceforge project docs, it was fairly straightforward to decode the file entry for the phantom pagefile.sys.

Here is a scan of the chicken scratch decode job I did:


All I can say is, kudos. I've tried to decode some parts of the MFT before, but I had to stop trying, as my brains were leaking out my ears!

QUOTE
Of course, I ran CCleaner before seeing the comment, and did let it "clean" my registry. There have been no ill effects so far, so I'll keep my fingers crossed.

I have belatedly taken dc3's suggestion to back up the registry with Erunt. Better late than never!


Glad it didn't cause any adverse effects. And as one of our HJT Team Coaches told me just last night: Erunt FTW!!!!

QUOTE
For this problem with the page file, I was truly surprised not to be able to find a solution. So I took the opportunity to write it up for others to use some day.

Anything you can do to make sure it is not lost is welcome and appreciated.

And of course, thanks for the entire BleepingComputer site. I wouldn't have solved my problem without it!


Thank you for taking the time to actually write this and include all the detail you did. There is no doubt that it will help others who may run into similar issues in the future!

Regards,

Gal


--------------------
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

Grinler
post Jan 1 2009, 09:49 PM
Post #18





Images are hosted locally. Thanks!


--------------------
Lawrence
usasma
post Jan 2 2009, 07:42 PM
Post #19





Well, I'm a bit late to this - but this was a fantastic job of troubleshooting and repairing an issue without resorting to brute force tools to do the job (SFC.EXE; Repair Install, Wipe & Reinstall, etc).

Great work! Thanks for teaching us something new!


--------------------
- John
**If you need a more detailed explanation, please ask for it. I have the Knack. **