Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is my HDD RAW or NTFS file system?


  • Please log in to reply
19 replies to this topic

#1 Marinesct

Marinesct

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 04 January 2016 - 03:54 AM

I'm troubleshooting an internal HDD because of sporadic I/O errors (cables/SATA ports already checked out). Windows 10 recognizes the 3TB drive as being NTFS, so I run chkntfs /C e: to schedule a boot time scan.

Weird thing is, it wont query it. So I run chkdsk /scan e: and it returns that the HDD is RAW. That can't be right.

I run wmic logicaldisk get,caption,filesystem and it returns that e: is NTFS.

What gives? My end goal is to maintain the files in tact and either recover from RAW to NTFS and/or fix any bad sectors that exist.


I initially started this investigation because my wife received an I/O error when trying to copy pictures to the drive. It seems to be running fine (so far) since replacing the SATA cable.

BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,491 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 PM

Posted 04 January 2016 - 09:53 AM

There's a good chance the hard drive is failing. I've rarely seen it be just a bad SATA cable (maybe once or twice in 8 years of IT work).

 

You can first try some data recovery tools from Windows. I recommend Recuva. Past that, we may have to look into some Linux recovery tools like PhotoRec/TestDisk.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,460 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:04 PM

Posted 04 January 2016 - 10:14 AM

It seems to be running fine (so far) since replacing the SATA cable.

Are you still experiencing any of the previous problems after replacing the cable?


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#4 Marinesct

Marinesct
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 04 January 2016 - 09:22 PM

I replaced the cable because it was loose, but it didn't fix the problem.

 

I previously ran TestDisk, but the scan didn't pick up any partitions on the drive. I went ahead and invested in a replacement drive today. Fortunately, the files are still accessible and I keep regular backups to an Ubuntu server.

 

Which again, I'd like to understand why each of my scans (wmic, chkdsk, TestDisk) produced different results.



#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,491 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:04 PM

Posted 04 January 2016 - 09:41 PM

They do each work in different ways with different purposes. I don't know the exact intricacies of each, but I know chkdsk more-so cares about Windows system files (I've had it destroy customer data before), and TestDisk is for rebuilding the partition table or recovering data. I can't comment on the wmic command, haven't used it much, but it possibly uses different low-level commands than chkdsk.

 

If you have all of your data backed up, I would definitely run a hard drive test on it with the HDD manufacturer's test. I otherwise recommend Seagate Seatools for any brand if there isn't already a specific test for it.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#6 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,460 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:04 PM

Posted 05 January 2016 - 10:36 AM

@Demonsly335

 

chkdsk scans the hard drive for bad sectors on the hdd.  If you use the /r switch (chkdsk /r) it will scan for bad sectors and recovers any readable information.  What you are confusing this with is sfc /scannow.  The sfc /scannow command scans all protected system files and replaces corrupted and incorrect versions with correct Microsoft versions.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#7 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,460 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:04 PM

Posted 05 January 2016 - 10:44 AM



Which again, I'd like to understand why each of my scans (wmic, chkdsk, TestDisk) produced different results.

What command/s are you running in WMIC?

 

I addressed chkdsk in my previous post.

 

Please download and install Speccy to provide us with information about your computer.  Clicking on this link will automatically initiate the download. 
 
When Speccy opens you will see a screen similar to the one below.
 
speccy9_zps2d9cdedc.png
 
Click on File which is outlined in red in the screen above, and then click on Publish Snapshot.
 
The following screen will appear, click on Yes.
 
speccy7_zpsfa02105f.png
 
The following screen will appear, click on Copy to Clipboard.
 
speccy3_zps1791b093.png
 
In your next post right click inside the Reply to Topic box, then click on Paste.  This will load a link to the Speccy log.
 
 

Please download and run SeatTools for Windows.
 
Before the installation begins you will be prompted to either Decline or Accept the terms of the installation, click on I Accept.
 
Once the installation begins you will see an image similar to the one below.
 
seagate3_zps1fa1f71c.jpg
 
1.  SeaTools for Windows will search for HDDs and SSDs on your computer.  Please remove any external storage devices connected via USB ports.
 
2.  Detected Drives will list the HDDs and SSDs found.  Place a check mark in the drive box you want to run the scan on.
 
3.  You will see Basic Tests above Detected Drives, move the mouse pointer over this.
 
4.  A menu will open with options for the different scans, please click on Long Generic Test
 
5.  This will start the scan.  When the scan is complete you will see the result under Test Status , please post the results in your topic.
 
 seatools4_zpsd7balf76.png
 
6.  Post the results of the scan in your topic.
 
7.  Click on Help, then click on View Log File.  If the scan failed take a screen shot of the Log File and post it in your topic.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#8 Marinesct

Marinesct
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 05 January 2016 - 01:07 PM

 
I had to reboot to get SeaTools to see the Seagate SATA drive. 
 
From the log file:
Long Generic - Started 1/5/2016 10:11:53 AM
Long Generic - FAIL 1/5/2016 10:12:00 AM
SeaTools Test Code: F09B97DD
 
I've downloaded SeaTools for DOS as the Fail Info recommended. The scan didn't detect the drive from DOS, which prevented me from any further tests.


#9 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,460 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:04 PM

Posted 05 January 2016 - 01:22 PM

Your C: drive is on the Western Digital hdd.  This is the hdd you need to run the test on.

 

The Seagate hdd is what is showing as being in trouble.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#10 Marinesct

Marinesct
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 05 January 2016 - 01:30 PM

If the E: drive (Seagate) is the one in trouble, why would I run the diagnostic on my primary?



#11 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,460 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:04 PM

Posted 05 January 2016 - 01:51 PM

The  drive letter C: is usually assigned to the partition which the operating system is installed on.  This is why you want to run the SeaTools scan on this drive.  

 

Are you aware that you will not see the whole 3TB size of you hdd, without using the UEFI firmware BIOS you will only see 2.2TB of the 3TB.  There is a very good article at PCWorld.

 

http://www.pcworld.com/article/235088/everything-you-need-to-know-about-3tb-hard-drives.html

 

It looks like the E: drive is being used for storage, if the data there isn't backed up you should move the data to removable media, such as an external hdd, Cloud, flash drive/s, DVDs, etc.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#12 Marinesct

Marinesct
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 05 January 2016 - 02:21 PM

i was already familiar with the 2.2/3TB issue. UEFI is in place.

Regular backups are made with a manual full being performed yesterday.

Not sure how the primary would affect my secondary since they are both physically separate drives


Edited by hamluis, 05 January 2016 - 02:43 PM.


#13 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,460 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:05:04 PM

Posted 05 January 2016 - 02:52 PM

The fact that you have a Western Digital and Seagate hdd it's obvious that these are separate drives.

 

In order for a computer to recognize a hdd it must be formatted.  The two types used are NTFS and FAT32.  This is why both drives show that they have NTFS file system.  As I stated previously, the C: letter is drive usually contains the operating system.  

 

Autochk.exe in Windows 2000 distinguishes between a volume check that has been manually scheduled and one that is automatically scheduled because the file system found the volume to be in a "dirty" state, and then write an appropriate message in the application event log.
.

 

Why are you running autochk (chkntfs) rather than chkdsk /f or /r?

 

I suspect that you could benefit by reading this article.https://support.microsoft.com/en-us/kb/218461


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#14 Marinesct

Marinesct
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 05 January 2016 - 03:26 PM

I ran both chkntfs and chkdsk previously, which both failed at the time.

 

I just ran chkdsk (again) on e: and came up with the following results:

C:\Windows\system32>chkdsk e:
The type of the file system is NTFS.

WARNING!  F parameter not specified.
Running CHKDSK in read-only mode.

Stage 1: Examining basic file system structure ...
  231680 file records processed.
File verification completed.
  1 large file records processed.
  0 bad file records processed.

Stage 2: Examining file name linkage ...
  248288 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered to lost and found.

Stage 3: Examining security descriptors ...
Security descriptor verification completed.
  8305 data files processed.
CHKDSK is verifying Usn Journal...
  8392544 USN bytes processed.
Usn Journal verification completed.
Detected bad clusters in logfile.
Found 5 bad clusters.
The master file table's (MFT) BITMAP attribute is incorrect.
The Volume Bitmap is incorrect.
Windows has checked the file system and found problems.
Please run chkdsk /scan to find the problems and queue them for repair.

   2861359 MB total disk space.
 295827152 KB in 98393 files.
     36684 KB in 8306 indexes.
      6856 KB in bad sectors.
    395355 KB in use by the system.
     65536 KB occupied by the log file.
   2572037 MB available on disk.

      4096 bytes in each allocation unit.
 732508017 total allocation units on disk.
 658441506 allocation units available on disk.

Afterwards, I ran chkdsk /scan e: as prompted above.

C:\Windows\system32>chkdsk /scan e:
The type of the file system is NTFS.

Stage 1: Examining basic file system structure ...
  231680 file records processed.
File verification completed.
  1 large file records processed.
  0 bad file records processed.

Stage 2: Examining file name linkage ...
  248288 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered to lost and found.

Stage 3: Examining security descriptors ...
Security descriptor verification completed.
  8305 data files processed.
CHKDSK is verifying Usn Journal...
  8393136 USN bytes processed.
Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

   2861359 MB total disk space.
 295827152 KB in 98393 files.
     36684 KB in 8306 indexes.
      6836 KB in bad sectors.
    395355 KB in use by the system.
     65536 KB occupied by the log file.
   2572037 MB available on disk.

      4096 bytes in each allocation unit.
 732508017 total allocation units on disk.
 658441511 allocation units available on disk.

So nothing is being reported for the MFT or clusters. I'm performing a chkdsk /R on e: now. I'll report back in about 30 mins or so.



#15 Marinesct

Marinesct
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO, USA
  • Local time:05:04 PM

Posted 05 January 2016 - 08:28 PM

Its still running and is only at 44% for the current stage and has stalled on file 102998 (of 231664) for about an hour now. I'm going to say that there are quite a few files that I need to recover, which won't reflect in my backups properly.

 

 



Which again, I'd like to understand why each of my scans (wmic, chkdsk, TestDisk) produced different results.

What command/s are you running in WMIC?

wmic logicaldisk get caption,filesystem

I've also used

wmic /output: wmic.txt diskdrive get /all

Edited by Marinesct, 05 January 2016 - 08:39 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users