Corrupt $MFT or $Secure
Posted on 2002-07-02
I recently attempted to resize my master XP/NTFS partition to make room for a second partition. XP seemed to be getting more unstable by the day, and I believed it was caused by file system corruption (I have a 100 GB hard drive by Maxtor which was originally formatted FAT32 and then converted to NTFS after XP installation) because it was converted, not freshly formatted NTFS. I intended to install a new copy of XP on the second partition and then move all my files/settings to second partition, then remove the first and resize the second to full size.
I used Partition magic to do it, but at first it didn't work (it asked me to reboot, but when Windows restarted and Partition magic attempted to perform its tasks in that blue "Windows XP" chkdsk screen during startup, I got "Couldn't get direct access to drive" instead). I then tried the PM boot disk. It started to resize the partition, then failed with the message "At the end of something". It reported my entire hard drive was FULL!!! Not true, I only used 25% or less of it.
I tried booting XP, but got the "STOP 0x00000024: Windows has encountered a serious problem and has been shutdown to prevent damage to your system". I put the drive into my parents' system, also running XP. Upon trying to open the drive in explorer, I get "The file or directory is corrupt and unreadable".
I used the utility R-Studio by R-Tools to verify my files are there (with the exception of some large DivX video files). I have determined that the security descriptors metafile ($secure), which R-Studio allows me to see and modify, has been zeroed out. The volume bitmap ($Bitmap) is also empty.
I have tried CHKDSK /R , but it has reported:
Replacing invalid security id with default security id for file 0.
Unable to write to attribute 16 of file 0.
Readable file record segment 0 is not writeable.
Microsoft is no help; they told me my only option is to format. I cannot copy the data off because I don't have another drive with enough size (no other drive can hold 26 GB). A preferable solution is to rebuild the $MFT or $Secure metafiles.
I have heard that Linux users, in the early NTFS driver days, encountered this problem when running the driver in RW mode and that the solution was to use a special utility (which Microsoft didn't want distributed) to change the $MFT header to pretend to be an earlier NTFS version and delete the other metafiles. XP/2000 would automatically detect the older version and "upgrade" it to the new NTFS version, thus rebuilding the metafiles/filesystem.