
Hammering Hard Drive

Discussion in 'Legacy Windows' started by chalkie, 2002/10/03.

  1. 2002/10/11
    chalkie

    chalkie Inactive Thread Starter

    Joined:
    2002/10/03
    Messages:
    16
    Likes Received:
    0
    Hi,
    Thanks again for your input. Below are the results of chkdsk.
    D:\>chkdsk /r /v
    The type of the file system is NTFS.
    Cannot lock current drive.

    Chkdsk cannot run because the volume is in use by another
    process. Chkdsk may run if this volume is dismounted first.
    ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
    Would you like to force a dismount on this volume? (Y/N) y
    Volume dismounted. All opened handles to this volume are now invalid.
    Volume label is

    CHKDSK is verifying files (stage 1 of 5)...
    File verification completed.
    CHKDSK is verifying indexes (stage 2 of 5)...
    Index verification completed.
    CHKDSK is verifying security descriptors (stage 3 of 5)...
    Cleaning up 2 unused index entries from index $SII of file 9.
    Cleaning up 2 unused index entries from index $SDH of file 9.
    Cleaning up 2 unused security descriptors.
    Fixing mirror copy of the security descriptors data stream.
    Security descriptor verification completed.
    CHKDSK is verifying Usn Journal...
    Usn Journal verification completed.
    CHKDSK is verifying file data (stage 4 of 5)...
    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    Free space verification is complete.

    58613120 KB total disk space.
    221108 KB in 184 files.
    112 KB in 20 indexes.
    0 KB in bad sectors.
    68488 KB in use by the system.
    65536 KB occupied by the log file.
    58323412 KB available on disk.

    4096 bytes in each allocation unit.
    14653280 total allocation units on disk.
    14580853 allocation units available on disk.

    D:\>
    Still showing 68mb being used but nothing showing on drive. Tried to delete partition through windows management system but it would not let me. Tried to reformat drive through windows but it just raced through format (in 2 seconds) and even though I rebooted it still states that 68mb is being used. Is there any way that I can format this drive outside of windows? You say about a disc wipe utilities. Where could I get hold of that utility?
    I have just noticed that in the results above it states that 68488 kb is in use by the system and 65536kb is occupied by the log file. Any ideas please.
    Hope to hear from you soon,
    Chalkie
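
Added example (not part of the original posts): the chkdsk summary above can be checked arithmetically. This Python sketch parses the posted figures and shows that the categories sum exactly to the total, and that the 65536 KB log file makes up most of the 68488 KB "in use by the system". It assumes the log-file line is a part of the system line, which is the reading under which the totals balance; the function names are illustrative.

```python
import re

# chkdsk summary lines copied from the post above
CHKDSK_SUMMARY = """\
58613120 KB total disk space.
221108 KB in 184 files.
112 KB in 20 indexes.
0 KB in bad sectors.
68488 KB in use by the system.
65536 KB occupied by the log file.
58323412 KB available on disk.

4096 bytes in each allocation unit.
14653280 total allocation units on disk.
14580853 allocation units available on disk.
"""

PATTERNS = {
    "total_kb": r"(\d+) KB total disk space",
    "files_kb": r"(\d+) KB in \d+ files",
    "indexes_kb": r"(\d+) KB in \d+ indexes",
    "bad_kb": r"(\d+) KB in bad sectors",
    "system_kb": r"(\d+) KB in use by the system",
    "log_kb": r"(\d+) KB occupied by the log file",
    "avail_kb": r"(\d+) KB available on disk",
    "unit_bytes": r"(\d+) bytes in each allocation unit",
    "total_units": r"(\d+) total allocation units",
    "avail_units": r"(\d+) allocation units available",
}


def parse_summary(text):
    """Pull every numeric field out of a chkdsk summary block."""
    out = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"missing chkdsk line for {key}")
        out[key] = int(m.group(1))
    return out


def account(s):
    """Cross-check the summary and break down the 'system' figure."""
    used = s["files_kb"] + s["indexes_kb"] + s["bad_kb"] + s["system_kb"]
    return {
        # used + available should equal the reported total
        "balanced": used + s["avail_kb"] == s["total_kb"],
        # allocation units * unit size should give the same total
        "units_match": s["total_units"] * s["unit_bytes"] // 1024 == s["total_kb"],
        "avail_units_match": s["avail_units"] * s["unit_bytes"] // 1024 == s["avail_kb"],
        "used_kb": used,
        # system space left over once the log file is subtracted
        "other_metadata_kb": s["system_kb"] - s["log_kb"],
        "log_pct_of_system": s["log_kb"] * 100 // s["system_kb"],
    }


if __name__ == "__main__":
    for key, value in account(parse_summary(CHKDSK_SUMMARY)).items():
        print(f"{key}: {value}")
```
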
     
  2. 2002/10/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'm still very interested in finding out what exactly all those files are and maybe where they came from. If you are willing to poke around a little more and try a couple things:

    Back to www.sysinternals.com and download 2 programs

    NTFSDOS v3.02 which will allow you to boot to DOS (any bootable floppy and best if DOS7.x so a ME created one or 98 if you can't get to a ME system) and have read-only access to NTFS drives. The files that are hiding so well now may not hide from DOS since it looks at things very differently.

    SDelete v1.1 which is a secure-deletion program. It not only removes the listing from the file tables but also overwrites the space occupied by the file and will make as many passes as you ask. Good to have with any system since it really frees up your "free disk space" and may work to blow away whatever files you have on the drive now.

    And a question I should have asked earlier. Is D: IDE or SCSI? Also, a basic partition or dynamic (basic is the default)? Any sort of fault tolerance set up?
     


  4. 2002/10/12
    chalkie

    Hi Again,
    Have downloaded those two utilities.
    NTFS DOS returned the following:
    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-1999.

    C:\>ntfsdos

    NTFS File System Driver for DOS/Windows V3.02R (read-only)
    Copyright (C) 1996-2001 Bryce Cogswell and Mark Russinovich
    Sysinternals - www.sysinternals.com

    No NTFS drives recognized - exiting

    C:\>
    and on drive D
    Microsoft(R) Windows DOS
    (C)Copyright Microsoft Corp 1990-1999.

    C:\>ntfsdos>d:
    Access is denied.

    C:\>ntfsdos>c:
    Access is denied.

    C:\>

    As for SDELETE I need you to talk me through that one if you could.

    Have looked at disk management and for both drives (C & D) they show as layout = partition, type = basic and file system = ntfs.

    Any ideas please.
    Bye,
    Chalkie
     
    Last edited: 2002/10/12
  5. 2002/10/13
    chalkie

    Hi Again Newt,
    I think that I have found out what the missing 68mb on drive D is. I have another computer that I installed Windows XP on today. I noticed that 68mb had been retained on the drive for the purpose of converting it to NTFS. I did a format on C drive and a clean install of XP. I noticed that when I told it that I wanted NTFS that 68 mb had been reserved for that purpose. Must be the same for my D drive on my main computer, again on the NTFS system. Would you agree?
    Chalkie
     
  6. 2002/10/13
    Newt

    chalkie - reserved space is certainly possible I suppose but seems like a lot of space somehow. But maybe not. Only a small fraction of a large drive. You can look at Q174619 for some details about the MFT (master file tables) that NTFS uses and how to get information on them.

    And if you do and if it does appear this is what you are dealing with, please post back. It will be interesting. I honestly have not dealt much with this before - probably because I don't pay as close attention to drive information as you have.

    sdelete (secure delete) - now that you got it, might as well use it. Simple enough but is a command-line thing which can be confusing if you don't use them often.

    Run it from a cmd window. The idea is that if you really want stuff deleted from your drive, the normal "delete" from the operating system won't do it. All that does is remove a pointer in the MFT so the system knows it can re-use space. But the file information is still there and still in perfect condition until something over-writes all or part.

    With sdelete, that isn't the case. It not only removes the pointer but also writes over the entire physical drive space the file occupied. So with sdelete, gone is gone.

    I like to use it to make sure my free space is really free & empty. To do that -
    sdelete -z which will write over all the space marked as free. Or you can do
    sdelete -p 2 -z which will force 2 passes over the free space (or 3, 4, whatever).

    sdelete c:\somefile.txt will do a secure delete of somefile.txt.

    sdelete -s c:\somefile.txt will do any file by that name in c:\ or any of the existing sub-directories (recursive).

    You can specify -p for the number of passes with any of the parameters. -s for subdirectories with any except the -z for free space where it wouldn't make sense. And -q is simply quiet mode where activity is not reported in detail.
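
Added example (not part of the original post, and not SDelete's own code): a toy Python model of the three behaviours described above, namely an ordinary delete that only drops the pointer, an overwrite-then-delete of one file, and a wipe of all space marked free. `ToyVolume`, its 16-byte clusters and the sample file contents are constructed for illustration; a real NTFS volume adds cases this model ignores.

```python
import os

CLUSTER = 16  # toy cluster size in bytes (the volume in this thread uses 4096)


class ToyVolume:
    """Toy model: a file table (name -> cluster list) over raw clusters."""

    def __init__(self, n_clusters):
        self.raw = bytearray(n_clusters * CLUSTER)
        self.table = {}                      # stands in for the MFT pointers
        self.free = list(range(n_clusters))  # clusters marked as free

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)      # ceiling division
        if need > len(self.free):
            raise OSError("volume full")
        clusters = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = clusters

    def delete(self, name):
        """Ordinary delete: drop the pointer, leave the clusters untouched."""
        self.free.extend(self.table.pop(name))

    def secure_delete(self, name, passes=1):
        """Overwrite every cluster of the file, then drop the pointer."""
        for c in self.table[name]:
            for _ in range(passes):
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)
        self.delete(name)

    def wipe_free_space(self):
        """Zero every cluster marked free (the free-space cleaning idea)."""
        for c in self.free:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def recoverable(self, needle):
        """What a raw scan of the disk sees, ignoring the file table."""
        return needle in bytes(self.raw)


def demo():
    secret = b"payroll-2002-Q3"              # constructed sample content
    vol = ToyVolume(8)

    vol.write("a.txt", secret)
    vol.delete("a.txt")
    after_delete = vol.recoverable(secret)   # data still on the raw volume

    vol.wipe_free_space()
    after_wipe = vol.recoverable(secret)     # freed cluster has been zeroed

    vol.write("b.txt", secret)
    vol.secure_delete("b.txt", passes=2)
    after_secure = vol.recoverable(secret)   # overwritten before unlinking

    return after_delete, after_wipe, after_secure


if __name__ == "__main__":
    print(demo())
```
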
     
  7. 2002/10/16
    chalkie

    HI Again Newt,
    Have run all sorts of tests on drive D. Will just have to put down the missing 68mb as reserved space for NTFS system.
    Thanks for all your help over the past couple of weeks. Your assistance has been invaluable.
    I'm off on Friday for a two week vacation right away from computers. So hope to have your assistance on other matters at a later date.
    Take Care,
    Chalkie
     
  8. 2002/10/16
    Newt

    Cheers chalkie. I agree with your idea.
     
  9. 2002/12/20
    mr.mark

    mr.mark Inactive

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    hi newt

    asking for you to do a bit of a memory rewind here, please....

    in response to chalkie, who had stated that his hard drive was being hammered by his os, you commented,
    i have a somewhat similar problem, and would like to look a little further into your remark, as the hammering, or churning i am getting seems to be happening on start up, right around when win2k says it is checking network connections or settings. so when i saw your question to chalkie, i took notice.

    what networking tab, newt? and what would i be looking for?

    the churning i am getting lasts about 2 minutes beyond the point i just mentioned. indexing service is disabled and i don't have any auto-updating configured for any applications. i don't have any norton scans scheduled for start up, nor any checks for recent virus defs.

    like chalkie, i have compared running processes both during the churning and after it stops. only thing that looks suspicious (as far as using more mem during the churning stage as compared to the after the churning stops) is LSASS.EXE (4332k vs. 932k).

    in addition, i see from a boot log that i have about a dozen drivers that are not loading (very surprised to learn that), and of those, only 4 are missing from my hd.

    i have also grabbed some event viewer logs and three events that seem to repeat a lot are these...

    ***************************
    Event Type: Error
    Event Source: BrSerial
    Event Category: None
    Event ID: 8
    Date: 11/24/2002
    Time: 6:40:58 PM
    User: N/A
    Computer: BLANK
    Description:
    The description for Event ID ( 8 ) in Source ( BrSerial ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: .
    Data:
    0000: 00 00 08 00 01 00 62 00 ......b.
    0008: 00 00 00 00 08 00 06 c0 .......À
    0010: 05 00 00 00 35 00 00 c0 ....5..À
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........
    0028: f8 03 00 00 00 00 00 00 ø.......
    ___________________________________________________

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7000
    Date: 11/24/2002
    Time: 6:40:58 PM
    User: N/A
    Computer: BLANK
    Description:
    The IPSEC driver service failed to start due to the following error:
    Insufficient system resources exist to complete the requested service.
    ____________________________________________________

    Event Type: Error
    Event Source: IPSEC
    Event Category: None
    Event ID: 4281
    Date: 11/24/2002
    Time: 6:40:58 PM
    User: N/A
    Computer: BLANK
    Description:
    Unable to allocate required resources. Initialization failed.
    Data:
    0000: 00 00 00 00 01 00 54 00 ......T.
    0008: 00 00 00 00 b9 10 00 c0 ....¹..À
    0010: 01 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........

    ***************************

    i know i've put a bunch of info out there, but this churning is a real annoyance. it seems connected with networking.

    thanks!

    :)

    mark
     
    Last edited: 2002/12/20
  10. 2002/12/21
    Newt

    It is network related.

    The first error usually happens when you try to run an app from a network share and you don't have the proper files loaded locally.

    The second (7000 & 4281 are the same failure) should be fixed by SP3.

    The churning you are seeing is probably from the system trying hard to make the app run and to properly start the Service Control Manager but only having partial success with the network security piece failing.
     
  11. 2002/12/21
    mr.mark

    thank you for your reply.

    what would you recommend that i do?

    as for SP3 ("The second (7000 & 4281 are the same failure) should be fixed by SP3."), i have it installed. knowing that, would you recommend an uninstall and reinstall of SP3?

    i seem to recall you once saying it took you three shots at SP3 to get it to work right?

    also, still curious to know more about "Have you looked at the networking tab while this is going on?"....

    what networking tab? where? sorry so dense, but i'm here primarily to ask and learn.

    :)

    mark
     
  12. 2002/12/23
    mr.mark

    hi newt

    just some follow up from where you last posted to me. i DO have SP3 installed since august. because you indicated that a couple of the probs in event viewer should be corrected by SP3, i started to uninstall, then reinstall, but early in the uninstall process i got a warning dialog saying quite a few programs might not work if i uninstalled. so i cancelled the uninstall, and instead opted for a reinstall.

    sad to report that the churning on boot up has not changed. it happens right after i get the prompt that says "checking network connections".

    newt, is there a way for me to identify the app that is behind all of this hard drive churning? i don't know what to work on next?

    a couple of things that may pertain...

    1. i dual boot on this machine with win2k (the os where i'm having this prob), and w98se (both on separate partitions, of course). w98se has none of this churning. would converting NTFS to FAT32 do anything to alleviate this churning?

    2. also, i have a ntbtlog file handy, and i see that about a dozen drivers are not loading (very surprised to learn that), and of those, 4 are missing from my hd. can this be contributing to the churning?

    any advice or direction you or anyone can provide is greatly appreciated!

    :)

    mark
     
    Last edited: 2002/12/23
  13. 2002/12/23
    mr.mark

    update II...

    i thought i might have gotten lucky with a fix when i reset the start properties on the IPSEC Policy Agent from manual to automatic. Automatic is default, so i must have changed it to manual, perhaps per BlackViper's page.

    but no joy on restart, the same churning occurs. :(

    since i have tweaked these services here and there, now and then, it's probably a good bet that i stopped a process that should be running, or vice versa.

    does it seem like a plan to put all services back to win2kpro default condition, and see if that helps my hard drive churning problem?

    thanks

    :)

    mark
     
  14. 2002/12/24
    mr.mark

    update III...

    i just finished resetting start up types for about 11 services back to w2kpro default.

    reboot still produced hd churning, but noticeably less... say about 1 minute of churning instead of 2-2 1/2 minutes.

    fwiw

    :)

    mark
     
  15. 2002/12/24
    chalkie

    Hi There,
    I still get problems with Windows 2000 Professional but have learnt to accept it. My hammering hard drive problems have now turned into a complete lock up of the system for about ten to fifteen seconds at a time. During this stage everything stops and the drive light glows constantly. After the system returns to normal and I check in Event Viewer I see that I get a code 9 problem, and it states "The device,\Device\Ide\Ideport0, did not respond within the time out period." I have moved the hard drive onto a different Ide cable and completely changed its configuration but still the problem persists. I have formatted the drive and used Windows 2000 on fat32 file system and then I don't get any problem. It is only after converting to NTFS system that I get any problem. I put up with it because I like the extra security features in NTFS. Hope this has been of some assistance to you.
    Chalkie
     
  16. 2002/12/24
    mr.mark

    hi chalkie

    thanks for posting back with that info.

    i'm sorry that you are still getting the hd prob, and it sounds like it's worse. have you checked out EventID.Net? sometimes their event info helps a lot. other times, (like when one of the contributing experts says that the description is, "Self explanatory"), you just get led in a few more circles. i'm sure that to some folks, these things may be "self explanatory", but to many of us who are looking under every rock for an answer, a response like that doesn't do much to enlighten us. :)

    i noted that you said the hammering stopped when you converted to FAT32... or did i read that wrong? were you using FAT and things were fine, then upon converting to NTFS it seemed to go bad? question is, did you then convert back to FAT32 and the prob was alleviated?

    one process that seems to cause hanging on my system is a refresher web site. i use excite.com for a homepage, and keep it open on my desk top all the time. i have the refresher set to the minimum (i think 5 minutes) in order to receive the most current news headlines. i notice that while the refresher is refilling the page, some tasks (like my email client) really slow down or stop... but it doesn't disturb me too much because i know what's causing it, and the duration is short... about 5-10 seconds. maybe if i was running a more powerful chip (this machine has only a 500mhz cpu, with 384mb ram), this hanging would not occur.

    anyway, hope the site i linked above helps a little.

    good luck, and happy holidays

    :)

    mark
     
  17. 2002/12/24
    Newt

    mr. mark - with the SPs, you reapply them rather than remove and apply. It is possible that some tweak or new piece you added after SP3 replaced a file with an older version.

    I'd suggest a DOS prompt, running sfc /scannow, and after it has finished, applying SP3 again. Can't hurt. May help.

    If that does not fix your problem, you will just have to look for a problem with network connections when you first start up. May be as simple as trying to reconnect to a network share that is slow responding. Or may be something that is looking for either a network share or possibly an internet update when you start. Lots of the internet based apps do try to find updates online at boot up time and if the timing isn't good, they can certainly thrash around a while. I like the option most have to look for an update when the app is started or maybe just when you tell it to check for one.
     
  18. 2002/12/24
    mr.mark

    hi newt
    i followed your sfc advice, then applied SP3 again. no joy.

    i recall now that i ran sfc /scannow two months ago when trying to troubleshoot my missing Confirm File Replace dialog.

    and this time, like last time, when i ran sfc, i didn't note anything being singled out for replacement, and i'm left to wonder if the process replaces corrupt files automatically?

    it ran for perhaps 10+ minutes, asked for my win2000 cd, and stayed very busy until ultimately stopping without showing any file replacement activity log.

    so i'm just assuming that something occurred.

    anyway, now i'll have to begin focusing on looking "for a problem with network connections when you first start up.".

    i'm not sure how/where to begin doing that, but i'll keep plugging away.

    the other day i noted that after changing about 11 of the windows services back to default start up type, the thrashing had been reduced by nearly half..... well, that lasted a grand total of one boot up. now i'm back to about 2 1/2 minutes of thrashing right after the screen prompts that windows is preparing network connections.

    thank you for your thoughtful replies, newt.

    :)

    mark
     