Solved

Is there a Tool that Can Erase a File Record from the MFT?

Posted on 2008-10-11
Last Modified: 2012-08-14
There is a file on my computer's second drive that the Win XP system cannot delete.  (Actually, there are several such problematic files on that drive, but suffice it to discuss one of them.)  Let me explain the problem in more detail.  On the second drive (an NTFS partition named volume F) there is a shortcut file named "TD AmeriTrade.URL." This shortcut does not work and cannot be deleted.  The operating system indicates that it is corrupt or unreadable.  

The full path to the subject file is "F:\TD AmeriTrade.url"

If I try to delete it through Explorer, the system returns the following error:
 
"Error Deleting File or Folder - cannot delete TD AmeriTrade:
The file or directory is corrupt and unreadable."
 
If I try to delete it from a command prompt like so:
          F:\>DEL "TD AmeriTrade.url"
I get the following error:
               The file or directory is corrupted and unreadable.
 
I have executed "CHKDSK F: /X" on the subject drive, but that has not fixed the problem (see below).  I have executed CHKDSK with the /F and /R switches, also with no resolution to this problem.
 
On the Microsoft Support website I found a knowledge base article that describes this problem very well (Q246026 - Cannot Delete or Repair Corrupted File on NTFS Volume):
 
            "SYMPTOMS - When you try to delete a file on an NTFS volume, you may receive the following
              error message:
                   'Cannot delete file name: The file or directory is corrupt and
                    unreadable.  The file system structure on disk is corrupt and
                    unreadable. Please run the Chkdsk utility on the device.'
              If you run Chkdsk against the volume, Chkdsk may or may not make repairs,
              but afterwards you still cannot delete the corrupted file."

            "CAUSE - This behavior can occur if the NTFS volumes' Master File Table (MFT)
              is corrupted. The short and long file name pairs that are stored in the directory
              index record and the file names that are stored in the associated File Record
              Segment (FRS) contain case-sensitive characters that do not match. NTFS supports
              case-sensitive (POSIX) file names, but Chkdsk does not check file names in
              case-sensitive mode. For example, assume that the directory index record has
              a BADFILe.TXT entry but the FRS has a BADFILE.TXT entry for the file name.
              NTFS views this as being invalid or corrupted, but Chkdsk compares only the
              names and ignores the case. It does not make repairs."

I think that the cause may be something a little different.  I think that while an entry for it exists in the MFT, the subject file no longer actually physically exists on the drive.  In other words, the MFT has a file pointer for the subject file that points to nothing.  That's my hypothesis.  
 
In any case, it seems to me that if one could remove all reference to the subject (absent or corrupt) file in the MFT then the problem would go away.  
 
However, the solution that Microsoft recommends is somewhat drastic:

           "RESOLUTION - To resolve this issue, back up the volume that contains the
            corrupted file(s) and exclude the corrupted file(s) from the backup job.
            Reformat the volume, and then restore from the backup. "
 
Could you please shed some light on this problem and how to resolve it without having to reformat the drive?
 
CHKDSK Results
=============
 
          C:\>CHKDSK F: /X          
          The type of the file system is NTFS.
          Volume dismounted.  All opened handles to this volume are now invalid.
          Volume label is Data.
         
          CHKDSK is verifying files (stage 1 of 3)...
          File verification completed.
          CHKDSK is verifying indexes (stage 2 of 3)...
          Index verification completed.
          CHKDSK is verifying security descriptors (stage 3 of 3)...
          Security descriptor verification completed.
          CHKDSK is verifying Usn Journal...
          Usn Journal verification completed.
         
           117186110 KB total disk space.
            88352220 KB in 69205 files.
               23212 KB in 5598 indexes.
                   0 KB in bad sectors.
              281398 KB in use by the system.
               65536 KB occupied by the log file.
            28529280 KB available on disk.
         
                4096 bytes in each allocation unit.
            29296527 total allocation units on disk.
             7132320 allocation units available on disk.
Question by:sbracso
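
The mismatch described in the quoted Q246026 text, as an added example that is not part of the original question or of any tool named in this thread: a read-only Python sketch that decodes the $FILE_NAME structure from a File Record Segment and from a directory index entry, then compares the two names exactly and with case ignored. The sample bytes are constructed, all function names are hypothetical, update-sequence fixups are assumed to be already applied, and Python's `str.upper()` stands in for the volume's `$UpCase` table.

```python
import struct

def parse_file_name(body):
    """Decode a $FILE_NAME structure into (parent record number, name)."""
    parent = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF  # low 48 bits
    length = body[0x40]  # name length in UTF-16 characters
    return parent, body[0x42:0x42 + 2 * length].decode("utf-16-le")

def frs_names(record):
    """Resident $FILE_NAME (0x30) attributes of one FILE record, fixups applied."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (bad signature)")
    offset = struct.unpack_from("<H", record, 0x14)[0]  # first attribute
    names = []
    while offset + 0x18 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == 0xFFFFFFFF or attr_len == 0:  # end marker or damage
            break
        if attr_type == 0x30 and record[offset + 8] == 0:  # resident only
            size, start = struct.unpack_from("<IH", record, offset + 0x10)
            names.append(parse_file_name(record[offset + start:offset + start + size]))
        offset += attr_len
    return names

def index_entry_name(entry):
    """A directory index entry carries a copy of $FILE_NAME at offset 0x10."""
    stream_len = struct.unpack_from("<H", entry, 0x0A)[0]
    return parse_file_name(entry[0x10:0x10 + stream_len])

def compare(index_name, frs_name):
    if index_name == frs_name:
        return "match"
    if index_name.upper() == frs_name.upper():
        return "case-mismatch"  # equal only when case is ignored
    return "mismatch"

# Constructed sample structures below (not taken from a real volume).
def _file_name(name, parent=5):
    return struct.pack("<Q56xBB", parent, len(name), 3) + name.encode("utf-16-le")
def build_record(name):
    body = _file_name(name)
    attr_len = (0x18 + len(body) + 7) & ~7  # 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBx", 0x30, attr_len, 0, 0, 0, 0, 0,
                       len(body), 0x18, 1) + body
    header = b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x22)
    record = header + attr.ljust(attr_len, b"\0") + struct.pack("<I", 0xFFFFFFFF)
    return record.ljust(1024, b"\0")
def build_index_entry(name, mft_ref=0x2A):
    body = _file_name(name)
    return struct.pack("<QHHI", mft_ref, 0x10 + len(body), len(body), 0) + body

if __name__ == "__main__":
    idx = index_entry_name(build_index_entry("BADFILe.TXT"))[1]
    print(idx, "->", compare(idx, frs_names(build_record("BADFILE.TXT"))[0][1]))
```

The code only reads bytes it is handed; it does not open or modify a volume.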
24 Comments
 
LVL 10

Expert Comment

by:kgreeneit
ID: 22696686
Hi there, have you tried firstly turning off Windows XP system restore, then rebooting to safe mode with command prompt, and then trying to delete the file?

Also, have a look at some of these tools and see if they can remove it for you:

http://downloads.zdnet.com/search.aspx?q=eraser

http://downloads.zdnet.com/search.aspx?q=shredder
0
 
LVL 91

Expert Comment

by:nobus
ID: 22696891
0
 
LVL 91

Expert Comment

by:nobus
ID: 22696892
i meant BCWIPE from http://www.jetico.com/
0
 

Author Comment

by:sbracso
ID: 22697317
kgreeneit and nobus: thanks for your quick responses!  I will try your tips and get back to you by this afternoon.
0
 

Author Comment

by:sbracso
ID: 22697675
kgreeneit:
I haven't tried your suggestion of "turning off Windows XP system restore, then rebooting to safe mode with command prompt" yet because I have system restore points that I don't want to erase yet.  However, I will try your suggestion last, if necessary.

nobus:
I downloaded and installed Killbox and ran it.  I entered the "Full Path of the File to Delete" and, with the default "Standard File Kill" option selected, I clicked the button with the white "X" inside a red circle.  A "Confirm Delete" popup window appeared and I clicked "Yes."  Then a message window popped up stating "File Error - This file does not seem to exist."

This confirms my hypothesis that the subject file in reality does not exist; only its Master File Table (MFT) pointer remains. So it would seem that to kill this phantom file, one should delete all the information to it in the MFT.  But, how does one do that?

I found one tool (DiskExplorer for NTFS, by Runtime Software) that can display the MFT and write to it, but I do not have enough knowledge to edit the MFT.

Based on this result, I do not think that any of the typical tools that erase or shred files will work in this case.

Could you please comment and suggest other solutions, particularly on how to rid the MFT of its pointer to the subject file, and would doing so work?
0
 
LVL 91

Expert Comment

by:nobus
ID: 22697698
did you try bcwipe yet?
0
 

Author Comment

by:sbracso
ID: 22698201
nobus:
I now have installed BCWIPE, and am reading its instructions.  Are you familiar with its functions?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22698204
Also, Unlocker (http://ccollomb.free.fr/unlocker/), IceSword (http://www.antirootkit.com/software/IceSword.htm), and scan for errors with TuneUp Utilities (http://www.tune-up.com/)
0
 
LVL 1

Expert Comment

by:cristides
ID: 22698273
Hi,
Have you checked if you are the owner of that file? Sometimes different files lose their owner. If not, add it, then run chkdsk with a reboot. This way you can delete the file.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22698280
Also, here are other HD error checkers:
TestDisk (http://www.cgsecurity.org/wiki/TestDisk)
HD Tune (http://www.hdtune.com/)
HDD Regenerator (http://www.dposoft.net/)
Zero Assumption Recovery (http://www.z-a-recovery.com/)
SpinRite (http://www.grc.com/spinrite.htm)
0
 

Author Comment

by:sbracso
ID: 22699162
orangutang and cristides:
Thanks for your ideas.  Before I try them I need to get back to nobus.

nobus
Here are the results of my attempt to use BCWipe, which you suggested, to delete the phantom files:  It didn't work.

Below are my notes that I wrote as I proceeded using BCWipe to attempt to wipe one of the files ('F:\Temp\c\License.xbin') that has resisted erasure.  Here is an excerpt from the BCWipe log file regarding this attempt:

          BCWipe - Error in opening file F:\Temp\c\License.xbin
           The file is damaged or is busied by system!
           Press Yes button to continue wiping,
           Press No button to stop this operation.

BCWipe reported essentially the same issue that Windows did when I attempted to remove this file with the Windows Delete command, namely, "The file or directory is corrupted and unreadable."

BCWipe then presented this follow-up offer:

          BCWipe - One or more items were not wiped because they are
           busied by system.  Do you want to wipe this folder at startup again?
           Folder name: F:\Temp\c\License.xbin 

I pressed Yes to give it a shot.  

Then I restarted the computer, and after I logged back into my Windows account I found that the subject file F:\Temp\c\License.xbin was still there.  No luck.

Lastly, I ran BCWipe against the entire volume F to wipe to release all of its free space.  I hoped that doing so might kill these phantom files (like F:\Temp\c\License.xbin) in the process.  
Well, unfortunately, 30 minutes into the process, an error occurred that stopped BCWipe and the following error message appeared:

          "BCWipe command line utility has encountered a problem and needs to close.
            We are sorry for the inconvenience.  If you were in the middle of something,
            the information you were working on might be lost.  Please tell Microsoft about
            this problem.  We have created an error report that you can send to us.
            We will treat this report as confidential and anonymous."

I chose the Send Error Report option.

This is all I have now.  

This is driving me insane.  

Why hasn't someone written a user-friendly, system-safe application that one can use to search for a particular file in the Master File Table, display and confirm the full path to that file, and then allow the user to delete or void that file's MFT record, and thereby create, in a sense, amnesia in the MFT so that it no longer remembers the subject file?  This seems to me the simplest solution to the problem of "deleting" non-existent files that still have false records in the MFT.
0
 

Author Comment

by:sbracso
ID: 22699901
cristides,
You wrote: "Have you checked if you are the owner of that file? Sometimes different files lose their owner. If not, add it, then run chkdsk with a reboot. This way you can delete the file."

Yes, I tried to do what you suggested.

The bad news, however, is that when I looked in the file properties context menu there was only one tab visible:  the "General" tab.  The "Security" tab was missing.  Therefore, I could not even view the file's ownership or access permissions.  This confirms my guess that these are "Phantom Files."

orangutang:
Being "Phantom Files," the subject files cannot be deleted by any of the usual file manipulation utilities such as those that you and others have mentioned above:
Killbox, Unlocker, IceSword, TuneUp Utilities, TestDisk, HD Tune, HDD Regenerator, Zero Assumption Recovery, SpinRite, and BCWipe

I need a tool that gets into the MFT, finds the record of a given frickin "Phantom File", and zeroes its contents so that all reference to the file is erased from the MFT and the space allocated to the file is released.

That's all I want.  Is that too much to ask?!

I've already tried the utilities BCWipe by Jetico and DiskExplorer by Runtime.  BCWipe could not wipe out the bad files.  DiskExplorer, I'm told by the maker, can let you manually edit file records in the MFT, but you better know what you are doing, or you can really mess it up.
So, at this point, unless someone can guarantee that a particular tool can actually safely erase a given file's MFT record, I do not want to waste my time with it.

What I need is the right MFT editing tool or a tutorial on the MFT structure.

Thanks.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22699920
You tried TestDisk? It's supposed to deal with MFT problems.
0
 

Author Comment

by:sbracso
ID: 22700130
orangutang,

Have you used TestDisk?  If so, how do you use it to edit the MFT?  I don't have time to go on a wild goose chase.  

The website () states the following on what TestDisk can do:

Fix partition table, recover deleted partition
Recover FAT32 boot sector from its backup
Rebuild FAT12/FAT16/FAT32 boot sector
Fix FAT tables
Rebuild NTFS boot sector
Recover NTFS boot sector from its backup
Fix MFT using MFT mirror
Locate ext2/ext3 Backup SuperBlock
Undelete files from FAT filesystem
Copy files from deleted FAT, NTFS and ext2/ext3 partitions.

It's all about file recovery.  I don't want to recover a file.  I want to delete the freakin reference to it in the MFT.  How does TestDisk accomplish that?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22700153
Unfortunately, I don't know much about this stuff. I'm just doing research and looking for anything that might fix the problem. TestDisk says "Fix MFT using MFT mirror" but I don't know what that means.
0
 

Author Comment

by:sbracso
ID: 22700261
orangutang,  I want to thank you and the other contributors for your efforts in trying to help me.  It seems that my idea for resolving the "Phantom File" problem is unique.  I have searched the web but have found no discussion of my idea of editing the NTFS MFT to blank out the Phantom File's record, and thereby make it effectively vanish.  It makes sense to do this because the files are actually non-existent.  Because I have been on this hunt for days with no result, I am frustrated.  Sorry to sound harsh in my remarks.
0
 
LVL 91

Expert Comment

by:nobus
ID: 22700435
is it a recent problem? then try a system restore
0
 

Author Comment

by:sbracso
ID: 22702299
nobus,

The phantom files are on the second hard drive of my workstation and I have no system restore point for the stuff on that drive.  

Late yesterday I sent inquiries to a number of software companies that make disk recovery programs and am awaiting their replies.
0
 
LVL 91

Accepted Solution

by:
nobus earned 500 total points
ID: 22703039
you can copy your data elsewhere, and format the drive, then put the data back
0
 

Author Comment

by:sbracso
ID: 22707181
nobus,  

Thanks for your succinct statement of a solution to this problem.  Perhaps it's the only practical solution.  In any case, I knew of this solution when I submitted this question, as I noted above in my statement of the problem. It's the solution Microsoft recommends.  Here's the link to the Microsoft Support article that I quoted above:

          http://support.microsoft.com/kb/246026

I just believed that there should be a simpler, direct way to edit out these phantom files right from their master file table.

I'll leave this problem open a little longer, though, in case someone might yet tell me of an alternative solution.
0
 
LVL 91

Expert Comment

by:nobus
ID: 22709109
testdisk may do the job, as suggested; here's what they say :   http://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

Repair NTFS MFT
The MFT (Master File Table) is sometimes corrupted. If Microsoft Check Disk (chkdsk) failed to repair the MFT, run TestDisk and in the Advanced menu, select your NTFS partition and choose Repair MFT. TestDisk will try to repair the MFT using MFT mirror, its backup.

If both MFT and MFTMirr are damaged and thus can not be repaired using TestDisk, you might want to try commercial software as Zero Assumption Recovery, GetDataBack for NTFS or Restorer 2000.

anyhow, here a list of tools :  http://www.brothersoft.com/downloads/disk-repair-mft-freeware.html

0
 

Author Comment

by:sbracso
ID: 22722503
nobus,

I researched TestDisk and learned from a professional in the data recovery business (at Runtime Software) that TestDisk is highly problematic, as it destroys files in the process of "fixing" things half the time, I was told.  So I am going to go with the general consensus: back up and reformat.  

I'll give you 250 points for effort.

Thank you very much.
0
 

Author Closing Comment

by:sbracso
ID: 31505396
The answer was one I already knew.  I was looking for a different one.  
0
 
LVL 91

Expert Comment

by:nobus
ID: 22722939
no problem !
0
