Recently, I encountered an unknown problem causing a particular folder in an NTFS folder to be corrupted on multiple computers. I need to detect if the folder is corrupted and perform actions like relocating the folder or sending notifications. However, I do not know how to do it yet. The normal APIs, like OpenFile/CreateFile, seem to be malfunctioning with the corrupted folder, and I cannot use them to determine if a folder is corrupted. So I plan to parse the MFT structure and check for the problem directly.

Therefore, I began to study the NTFS MFT structure. I found that $Volume has a dirty flag to determine if a drive needs chkdsk. But it is not directly related to file corruption and will be set if Windows is shut down unexpectedly. I failed to find a particular flag or anything to determine if an INDEX or FILE is corrupted in the MFT structure.

Could I know if there is a way to determine a corrupted NTFS Folder?

Any help is appreciated!

ncite
  • Taking a step back: why do you think the folder is corrupted? If it were one time on one computer, it could be blamed on bad hardware. But if the same problem occurs across multiple computers, that'd have to be a bug in the NTFS driver, which seems unlikely. – Wyzard Jun 16 '12 at 01:21
  • I am not so sure of it, but I think the corruption is caused by something physical like unexpected reboot or power surge during Read/Writes. – ncite Jun 16 '12 at 01:31
  • But you haven't provided any information about the symptoms you're seeing, so the best advice anyone can probably give you is to run chkdsk. What you're asking about here is basically going to be writing your own chkdsk. – Wyzard Jun 16 '12 at 01:36
  • Yes, this is very close to what I am looking for. I want to implement something like chkdsk to determine if a file or folder is corrupted. – ncite Jun 16 '12 at 01:42

1 Answer

I found 3 things that are related to NTFS disk corruption issues. It is incomplete; however, without updated NTFS source code, it is very hard to find out what Microsoft was really doing in chkdsk. I will just post what I found in case anyone needs to know it.

1 Dirty Flag in $BadClus of "File Records" section

If the flag in $BadClus is set to ON, then the operating system will perform a disk scan at boot-up. I believe the NTFS module would set the flag to ON if it encounters disk operation.

2 "BAAD" in identification field of a file record

If there is something wrong with a file record, for example USA/USN unmatched, then MFT may replace "FILE" with "BAAD" in the identification field of a file record structure. It can be used to identify a corrupted file/directory quickly.

3 Compare USA/USN in every FILE/INDX record

Both FILE and INDX structures contain USA/USN for corruption checks. Scanning through the system and comparing USA and USN could help you discover corruption issues.

ncite
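The "BAAD" signature check and the USA/USN comparison from points 2 and 3, as an added example that is not part of the original answer. It assumes the publicly documented record header layout (u16 offset of the update sequence array at byte 4, u16 entry count at byte 6) and a 512-byte fixup stride; `check_record` and `make_sample` are hypothetical names, and the sample records are constructed, not real disk data.

```python
import struct

SECTOR = 512  # assumed fixup stride: one USA entry protects each 512-byte block

def check_record(buf):
    """Classify one raw FILE/INDX record: 'ok', 'baad', 'torn' or 'invalid'."""
    if len(buf) < 8:
        return "invalid"
    magic = bytes(buf[:4])
    if magic == b"BAAD":  # record already carries the bad-record signature
        return "baad"
    if magic not in (b"FILE", b"INDX"):
        return "invalid"
    # Assumed header layout: USA offset at byte 4, USA entry count at byte 6.
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    blocks = usa_count - 1  # the first USA entry is the USN itself
    if blocks < 1 or blocks * SECTOR > len(buf) or usa_off + 2 * usa_count > len(buf):
        return "invalid"
    usn = bytes(buf[usa_off:usa_off + 2])
    # As stored on disk, the last two bytes of every block must equal the USN;
    # a mismatch means some blocks of the record come from a different write.
    for end in range(SECTOR, blocks * SECTOR + 1, SECTOR):
        if bytes(buf[end - 2:end]) != usn:
            return "torn"
    return "ok"

def make_sample(magic=b"FILE", size=1024, usn=b"\x05\x00"):
    """Build a constructed record in its on-disk form (fixups applied)."""
    rec = bytearray(size)
    rec[:4] = magic
    struct.pack_into("<HH", rec, 4, 0x30, size // SECTOR + 1)
    rec[0x30:0x32] = usn
    for end in range(SECTOR, size + 1, SECTOR):
        rec[end - 2:end] = usn
    return rec

if __name__ == "__main__":
    torn = make_sample()
    torn[1022:1024] = b"\x04\x00"  # second block left over from an older write
    samples = [("good FILE", make_sample()),
               ("good INDX", make_sample(b"INDX", 4096)),
               ("torn FILE", torn),
               ("BAAD", make_sample(b"BAAD"))]
    for name, rec in samples:
        print(f"{name}: {check_record(rec)}")
```

The check must run on records read raw from the volume, before any fixup has been applied to the buffer.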