[clue] NTFS logical structure corruption?

Jim Ockers ockers at ockers.net
Wed Mar 7 06:14:10 MST 2012 

Hi Dave,

Interesting problem. Too bad there's not a NTFS utility like debuge2fs 
that lets you dig into the filesystem internals. I've used debuge2fs to 
figure out and fix filesystem problems that I never would have solved 
without it. As an aside I don't think I would let someone who doesn't 
know what an NTFS filesystem is work on it. :) Trying to use dd is never 
going to work. In your case you have 2 possibilities:

1. The filesystem data structures themselves are corrupt
2. The filesystem data structures are fine and not in need of repair or 
anything, but you lack the tools to make the changes you want to make to 
these particular data structures.

I assume you've done CHKDSK C: /F and rebooted, and you've also tried 
all of the other likely CHKDSK options? I'm guessing that the 2nd 
possibility is likely the case if CHKDSK says the disk is fine. If you 
boot the machine from a Windows XP CD and enter the recovery console, 
can you delete the file? If you fire up Norton Ghost does it complain 
about NTFS filesystem errors on the volume? I remember a long time ago 
seeing some POSIX utilities for Windows NT that would let you create and 
manipulate hard links and the filesystem in a way that you could never 
do using the dos-ey tools. Also there were some command line utilites 
like CACLS.EXE that would let you manipulate the ACLs from the command 
line. Can you find a version of WINFILE.EXE (the old Windows NT file 
manager) from Windows NT 3.51 or whatever the last version that had 
WINFILE.EXE, and see how it works with your filesystem and manipulating 
these files/directories? Sometimes I've managed to get things done using 
WINFILE.EXE where the normal EXPLORER and other tools don't work.

Really the best suggestion I have for you is to ghost the machine, and 
then using Ghost Explorer or some image manipulation utility, remove the 
offending files/folders from the image file, and then ghost the modified 
image back to the machine. This will fix your NTFS filesystem and data 
structures and get rid of the files you don't want, while leaving the 
rest of the system more or less intact. However I expect that if the 
filesystem is corrupt, then Ghost will complain about it and maybe 
refuse to work with your filesystem.

There are some open source alternatives to Ghost, the reason I mention 
Ghost is because it's had really good NTFS support just about from the 
beginning.

Hope this helps,
Jim
-- 
Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/


dshaw at famece.com wrote:
> Hi all-- sorry if this isn't the right forum for this, but there's an
> Ubuntu thread so I thought I'd give it a shot.
>
> A couple months ago my daughter's XP machine got infected with a nasty
> virus. After getting that all cleaned up, I discovered a folder/file on
> the NTFS filesystem that I can't access. Not sure if it was due to the
> virus or not. In any case, I'd like to delete it. XP won't let me enter
> the enclosing directory at all, even as administrator, working with access
> rights, etc.  I tried all the "sfc", "chkdsk", etc. approaches I knew of,
> to no avail. I also tried some surface scanners, but none of them found
> anything either.
>
> So I booted the machine from an Ubuntu live cd, mounted the NTFS
> partition, and found Ubuntu couldn't access the file either. Ubuntu lets
> me enter the enclosing folder, but when I try to rm the file, I get an
> "operation not supported" message.
>
> Looking around the filesystem a bit, I noticed a fair number of normal
> files (but not all) that have 2 hard links showing up on an "ls -l".
> Scanning the disk for the 2nd occurrence of the inode number for several
> files revealed nothing. Not sure if this is related or not.
>
> I'm thinking the file system is logically corrupt somehow, but I tried a
> few of the "ntfs..." tools on Ubuntu, and nothing changed any of this.
> Does anyone know of any tools to repair (I think) the structure of an NTFS
> filesystem. Thanks...
>
> Dave Shaw
>
>
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
>

More information about the clue mailing list