Identify files using specific logical block addresses.

Windows server backup is failing with a warning that "1536 bytes have not been backed up as they could not be read". At the same time there are errors in the even log regarding read errors on 4 logical block addresses in a RAID 5 array. Is there any way to find out which files these blocks are used in?
Alan Mason
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Well, if you got your checkbook out than I could write a program, but it is a difficult task, if not impossible at this point.

Your filesystem hasn't been in read-only mode since this happened, so it is entirely possible that those 4 blocks that were part of file "X" are no longer associated with that file today.  

But if we assume for sake of argument that these blocks were part of a file that hasn't moved, then the code would run a program that traverses the file system and reads every block of every file and it monitors for read errors.  

There is no reverse-lookup (blocks to file) for NTFS, so it will have to be a custom bit of code.  If you booted linux and let it mount the physical drive in read-only mode, then it could be done with:

find / -type f  -exec cp {} /dev/null \;

This copies every file into the bitbucket and when you see a read-error, you have an unreadable file.  It may not be the same block number, but once you know the file name you can then use a utility like sys internals to monitor the block numbers used by a program. So then copy the file from windows and you'll know for sure.
David Johnson, CD, MVPOwnerCommented:
a chkdsk will do the same if you use /r .. You should have many disk events in your system event log.. Actually you should have a failed drive somewhere in your raid-5 array.  Which raid-5 controller are you using? Windows software Raid? the motherboard $2 fake-raid chip? or a real raid controller?  You are using server quality drives and not drives rated for consumer useage i.e. green drives.. you should be using WD RE  / Seagate constellation drives
Chkdsk /r doesn't give you file names.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

solplusAuthor Commented:
I know the logical block numbers of the blocks which give read errors. Does this make it easier to identify the files using them?
Nope.  Somebody would have to write a program to cross reference blocks to files.  There is no native windows utility that does that.
But ... you have a 99.999% chance of getting the right files by using a binary editor on the HDD.   Go to the block numbers immediately before and after the bad blocks and examine the raw contents.

Then you can tell the O/S to search for files that have those strings in them.   It might take a day or so to run (and I hope the blocks before and after have recognizable unique patterns, and not all zeros or ones) ... but this will work.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.