• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1369
  • Last Modified:

Is there a Tool that Can Erase a File Record from the MFT?

There is a file on my computer's second drive that the Win XP system cannot delete.  (Actually, there are several such problematic files on that drive, but suffice it to discuss one of them.)  Let me explain the problem in more detail.  On the second drive (an NTFS partition named volume F) there is a shortcut file named "TD AmeriTrade.URL." This shortcut does not work and cannot be deleted.  The operating system indicates that it is corrupt or unreadable.  

The full path to the subject file is "F:\TD AmeriTrade.url"

If I try to delete it through Explorer, the system returns the following error:
"Error Deleting File or Folder - cannot delete TD AmeriTrade:
The file or directory is corrupt and unreadable."
If I try to delete it from a command prompt like so:
          F:\>DEL "TD AmeriTrade.url"
I get the following error:
               The file or directory is corrupted and unreadable.
I have executed "CHKDSK F: /X" on the subject drive, but that has not fixed the problem (see below) .  I have executed CHKDSK with the /F and /R switches, also with no resolution to this problem.
On the Microsoft Support website I found a knowledge base article that describes this problem very well (Q246026 - Cannot Delete or Repair Corrupted File on NTFS Volume):
            "SYMPTOMS - When you try to delete a file on an NTFS volume, you may receive the following
              error message:
                   'Cannot delete file name: The file or directory is corrupt and
                    unreadable.  The file system structure on disk is corrupt and
                    unreadable. Please run the Chkdsk utility on the device&'
              If you run Chkdsk against the volume, Chkdsk may or may not make repairs,
              but afterwards you still cannot delete the corrupted file."

            "CAUSE - This behavior can occur if the NTFS volumes' Master File Table (MFT)
              is corrupted. The short and long file name pairs that are stored in the directory
              index record and the file names that are stored in the associated File Record
              Segment (FRS) contain case-sensitive characters that do not match. NTFS supports
              case-sensitive (POSIX) file names, but Chkdsk does not check file names in
              case-sensitive mode. For example, assume that the directory index record has
              a BADFILe.TXT entry but the FRS has a BADFILE.TXT entry for the file name.
              NTFS views this as being invalid or corrupted, but Chkdsk compares only the
              names and ignores the case. It does not make repairs."

I think that the cause may be something a little different.  I think that while an entry for it exists in the MFT, the subject file no longer actually physically exists on the drive.  In other words, the MFT has a file pointer for the subject file that points to nothing.  That's my hypothesis.  
In any case, it seems to me that if one could remove all reference to the subject (absent or corrupt) file in the MFT then the problem would go away.  
However, the solution that Microsoft recommends is somewhat drastic:

           "RESOLUTION - To resolve this issue, back up the volume that contains the
            corrupted file(s) and exclude the corrupted file(s) from the backup job.
            Reformat the volume, and then restore from the backup. "
Could you please shed some light on this problem and how to resolve it without having to reformat the drive?
CHKDSK Results
          C:\>CHKDSK F: /X          
          The type of the file system is NTFS.
          Volume dismounted.  All opened handles to this volume are now invalid.
          Volume label is Data.
          CHKDSK is verifying files (stage 1 of 3)...
          File verification completed.
          CHKDSK is verifying indexes (stage 2 of 3)...
          Index verification completed.
          CHKDSK is verifying security descriptors (stage 3 of 3)...
          Security descriptor verification completed.
          CHKDSK is verifying Usn Journal...
          Usn Journal verification completed.
           117186110 KB total disk space.
            88352220 KB in 69205 files.
               23212 KB in 5598 indexes.
                   0 KB in bad sectors.
              281398 KB in use by the system.
               65536 KB occupied by the log file.
            28529280 KB available on disk.
                4096 bytes in each allocation unit.
            29296527 total allocation units on disk.
                       7132320 allocation units available on disk.
  • 11
  • 7
  • 4
  • +2
1 Solution
Hi there, have you tried firstly turning off Windows XP system restore, then rebooting to safe mode with command prompt, and then trying to delete the file?

Also, have a look at some of these tools and see if they can remove it for you:


i meant BCWIPE from http://www.jetico.com/
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

sbracsoAuthor Commented:
kgreeneit: and nobus: thanks for your quick responses!  I will try your tips and get back to you in a by this afternoon.    
sbracsoAuthor Commented:
I haven't tried your suggestion of "turning off Windows XP system restore, then rebooting to safe mode with command prompt" yet because I have system restore points that I don't want to erase yet.  However, I will try your suggestion last, if necessary.

I downloaded and Installed Killbox and ran it.  I entered the "Full Path of the File to Delete" and, with the default "Standard File Kill" option selected, I clicked the button with the white "X" inside a red circle.  A "Confirm Delete" popup window appeared and I clicked "Yes."  Then a message window popped up stating "File Error - This file does not seem to exist."  

This confirms my hypothesis that the subject file in reality does not exist; only its Master File Table (MFT) pointer remains. So it would seem that to kill this phantom file, one should delete all the information to it in the MFT.  But, how does one do that?

I found one tool (DiskExplorer for NTFS, by Runtime Software) that can display the MFT and write to it, but I do not have enough knowledge to edit the MFT.

Based on this result, I do not think that any of the typical tools that eraser or shredder files will work in this case.

Could you please comment and suggest other solutions, particularly on how to rid the MFT of its pointer to the subject file, and would do so work?
did you try bcwipe yet?
sbracsoAuthor Commented:
I now have installed BCWIPE, and am reading its instructions.  Are you familiar with its functions?
Also, Unlocker (http://ccollomb.free.fr/unlocker/), IceSword (http://www.antirootkit.com/software/IceSword.htm), and scan for errors with TuneUp Utilities (http://www.tune-up.com/)
you checked if you are the owner for that file, because some times different files lose the owner. if not add, the  run chkdsk  with reboot. On this way you can delete the file.
Also, here are other HD error checkers:
TestDisk (http://www.cgsecurity.org/wiki/TestDisk)
HD Tune (http://www.hdtune.com/)
HDD Regenerator (http://www.dposoft.net/)
Zero Assumption Recovery (http://www.z-a-recovery.com/)
SpinRite (http://www.grc.com/spinrite.htm)
sbracsoAuthor Commented:
orangutang and cristides:
Thanks for your ideas.  Before I try them I need to get back to nobus.

Here are the results of my attempt to use BCWipe, which you suggested, to delete the phantom files:  It didn't work.

Below are my notes that I wrote as I proceeded using BCWipe to attempt to wipe one of the files ('F:\Temp\c\License.xbin') that has resisted erasure.  Here is an excerpt from the BCWipe log file regarding this attempt:

          BCWipe - Error in opening file F:\Temp\c\License.xbin
           The file is damaged or is busied by system!
           Press Yes button to continue wiping,
           Press No button to stop this operation.

BCWipe reported essentially the same issue that Windows did when I attempted to remove this file with the Windows Delete command, namely, "The file or directory is corrupted and unreadable.."

BCWipe then presented this follow-up offer:

          BCWipe - One or more items were not wiped because they are
           busied by system.  Do you want to wipe this folder at startup again?
           Folder name: F:\Temp\c\License.xbin 

I pressed Yes to give it a shot.  

Then I restarted the computer, and after I logged back into my Windows account I found that the subject file F:\Temp\c\License.xbin was still there.  No luck.

Lastly, I ran BCWipe against the entire volume F to wipe to release all of its free space.  I hoped that doing so might kill these phantom files (like F:\Temp\c\License.xbin) in the process.  
Well, unfortunately, 30 minutes into the process, an error occurred that stopped BCWipe and the following error message appeared"

          "BCWipe command line utility  has encountered a problem and needs to close.  
            We are sorry for   the inconvenience.  If you were in the middle of something,
            the information you were working on might be lost.  Please tell Microsoft about
            this problem.  We have created an error report that you cans send to us.  
            We will treat this report as confidential and anonymous

I chose the Send Error Report option.

This is all I have now.  

This is driving me insane.  

Why hasn't someone written a user-friendly, system-safe application that one can use to search for a particular file in the Master File Table, display and confirm the full path to that file, and then allow the user to delete or void that file's MFT record, and thereby create, in a sense, amnesia in the MFT so that it no longer remembers the subject file?  This seems to me the simplest solution to the problem of "deleting" non-existent files that still have false records in the MFT?
sbracsoAuthor Commented:
You wrote: have "you checked if you are the owner for that file, because some times different files lose the owner. if not add, the  run chkdsk  with reboot. On this way you can delete the file."

Yes, I tried to do what you suggested.

The bad news, however, is that when I looked in the file properties context menu there was only one tab visible:  the "General" tab.  The "Security" tab was missing.    Therefore, I could not even view the files ownership or access permissions.  This confirms my guess that these are "Phantom Files."  

Being "Phantom Files," the subject files cannot be deleted by any of the usual file manipulation utilities such as those that you and others have mentioned above:
Killbox, Unlocker, IceSword, TuneUp Utilities, TestDisk, HD Tune, HDD Regenerator, Zero Assumption Recovery, SpinRite, and BCWipe

I need a tool that gets into the MFT, finds the record of a given frickin "Phantom File", and zeroes its contents so that all reference to the file is erased from the MFT and the space allocated to the file is released.

Thats all I want.  Is that too much to ask?!
Ive already tried the utilities BCWipe by Jetico and DiskExplorer by Runtime.  BCWipe could not wipe out the bad files.  DiskExplorer, Im told by the maker, can let you manually edit file records in the MFT, but you better know what you are doing, or you can really mess it up.  
So, at this point, unless someone can guarantee that a particular tool can actually safely erase a given files MFT record, I do not want to waste my time with it.

What I need is the right MFT editing tool or a tutorial on the MFT structure.

You tried TestDisk? It's supposed to deal with MFT problem.
sbracsoAuthor Commented:

Have you used TestDisk?  If so, how do you use it to edit the MFT?  I don't have time to go on a wild goose chase.  

The website () states the followiing on what TestDisk can do:

Fix partition table, recover deleted partition
Recover FAT32 boot sector from its backup
Rebuild FAT12/FAT16/FAT32 boot sector
Fix FAT tables
Rebuild NTFS boot sector
Recover NTFS boot sector from its backup
Fix MFT using MFT mirror
Locate ext2/ext3 Backup SuperBlock
Undelete files from FAT filesystem
Copy files from deleted FAT, NTFS and ext2/ext3 partitions.

Its all about file recovery.  I don't want to recover a file.  I want to delete the freakin reference to it in the MFT.  How does TestDisk accomplish that?
Unfortunately, I don't know much about this stuff. I'm just doing research and looking for anything that might fix the problem. TestDisk says "Fix MFT using MFT mirror" but I don't know what that means.
sbracsoAuthor Commented:
orangutang,  I want to thank you and the other contributors for your efforts in trying to help me.  It seems that my idea for resolving the "Phantom File" problem is unique.  I have searched the web but have found no discussion of my idea of editing the NTFS MFT to blank-out the Phantom File's record, and thereby make it effectively vanish.  It makes sense to do this because the file is actually non-existant files.  Becasue I have been on this hunt for days with no result and am frustrated.  Sorry to sound harsh in my remarks.  
is it a recent problem ? then try a system restore
sbracsoAuthor Commented:

The phantom files are on the second hard drive of my workstation and I have no system restore point for the stuff on that drive.  

Late yesterday I sent inquiries to a number of software companies that make disk recovery programs and am awaiting their replies.
you can copy your data elsewhere, and format the drive, then put the data back
sbracsoAuthor Commented:

Thanks for your succinct statement of a solution to this problem.  Perhaps its the only practical solution.  In any case, I knew of this solution when I submitted this question, as I noted above in my statement of the problem. It's the solution Microsoft recommends.  Here's the link to the Microsoft Support article that I quoted above:


I just believed that there should be a simpler, direct way to edit out these phantom files right from their master file table.

I'll leave this problem open a little longer, though, in case someone might yet tell me of an alternative solution.
testdisk may do the job, as suggested; here's what they say :   http://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

The MFT (Master File Table) is sometimes corrupted. If Microsoft Check Disk (chkdsk) failed to repair the MFT, run TestDisk and in the Advanced menu, select your NTFS partition and choose Repair MFT. TestDisk will try to repair the MFT using MFT mirror, its backup.

If both MFT and MFTMirr are damaged and thus can not be repaired using TestDisk, you might want to try commercial software as Zero Assumption Recovery , GetDataBack for NTFS or Restorer 2000.

anyhow, here a list of tools :  http://www.brothersoft.com/downloads/disk-repair-mft-freeware.html

sbracsoAuthor Commented:

I researched TestDisk and learned from a professional in the data recovery business (at Runtime Software) that TestDisk is highly problematic, as it destroys files in the process of "fixing" things half the time, I was told.  So I am going to go with the general consensus: back up and reformat.  

I'll give you 250 points for effort.

Thank you very much.
sbracsoAuthor Commented:
The answer was one I already knew.  I was looking for a different one.  
no problem !
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 11
  • 7
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now