A few weeks ago my home lost power while my computer was on. Recently I have encountered some problems.
So I did a full system check. I used SeaTools for Windows and all drives passed the S.M.A.R.T check, Short Drive Self check and Short Generic check. CrystalDiskInfo also showed that none of my drives have hardware errors, and I used CrystalDiskMark and found the drives have good performance.
I have even used DiskGenius to perform a bad sector check; it scans the whole drive sector by sector to determine whether there are bad sectors. There weren't any bad sectors.
I am perfectly sure my drives don't have physical problems, but filesystem errors...
I have run chkdsk /f X: on all of the drives, and below is what I have found:
    Checking file system on D:
    The type of the file system is NTFS.
    Chkdsk cannot run because the volume is in use by another
    process. Chkdsk may run if this volume is dismounted first.
    ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
    Would you like to force a dismount on this volume? (Y/N) Volume dismounted. All opened handles to this volume are now invalid.
    Volume label is Tremillia.
    Stage 1: Examining basic file system structure ...
    Attribute record of type 0x80 and instance tag 0x4 is cross linked
    starting at 0x9383fc2 for possibly 0xfe clusters.
    Some clusters occupied by attribute of type 0x80 and instance tag 0x4
    in file 0x46c4 is already in use.
    Deleting corrupt attribute record (0x80, "")
    from file record segment 0x46C4.
    Attribute record of type 0x80 and instance tag 0x4 is cross linked
    starting at 0x93840c0 for possibly 0x95 clusters.
    Some clusters occupied by attribute of type 0x80 and instance tag 0x4
    in file 0x46c5 is already in use.
    Deleting corrupt attribute record (0x80, "")
    from file record segment 0x46C5.
    Attribute record of type 0x80 and instance tag 0x4 is cross linked
    starting at 0x9384489 for possibly 0xc5 clusters.
    Some clusters occupied by attribute of type 0x80 and instance tag 0x4
    in file 0x4706 is already in use.
    Deleting corrupt attribute record (0x80, "")
    from file record segment 0x4706.
    Attribute record of type 0x80 and instance tag 0x4 is cross linked
    starting at 0x938454e for possibly 0x90 clusters.
    Some clusters occupied by attribute of type 0x80 and instance tag 0x4
    in file 0x470b is already in use.
    Deleting corrupt attribute record (0x80, "")...
There were a lot of records like this. I am pretty sure these files got corrupted.
I want to determine which files were affected.
I opened eventvwr.msc, went to Windows Logs > Application, pressed Ctrl+F, searched for "chkdsk" and found the record for it.
That is how I got the file record segments.
You can see it if you want.
I Googled for a way to determine a file from its file record segment using a variety of permutations and found absolutely nothing relevant; all the results are about chkdsk. I then searched for a way to identify a file by its address and found ntfscluster, which is a Linux utility.
I then Googled "ntfscluster Windows" and found NtfsProgs for Windows, which is ancient and hasn't been updated since 2004. I downloaded it, and upon opening it, it was missing libintl3.dll; after downloading said .dll and putting it in its directory, it was missing libiconv2.dll.
After all the trouble I got this:
    PS C:\Users\Xeni> C:\Users\Xeni\Downloads\ntfsprogs-1.9.0-bin\bin\ntfscluster.exe -I 154681282 D:
    Failed to set locale, using default '(null)'.
    win32_io.c(199): ntfs_device_win32_open The handle is invalid. ioctl failed
    Couldn't mount device 'D:': Invalid argument
It won't work.
I then tried many other keywords and finally found what I was looking for: nfi.exe
    PS C:\Users\Xeni> D:\downloads\nfi\nfi.exe D: 154681282
    NTFS File Sector Information Utility.
    Copyright (C) Microsoft Corporation 1999. All rights reserved.
    ***Logical sector 154681282 (0x9383fc2) on drive D is in file number 551312.
    \Games\Saints Row 4\packfiles\pc\cache\dlc3.vpp_pc
        $STANDARD_INFORMATION (resident)
        $FILE_NAME (resident)
        $FILE_NAME (resident)
        $DATA (nonresident)
            logical sectors 154625064-154690687 (0x9376428-0x938647f)
I can write a Python script to iterate through the lines of the record, filter by "from file record segment ", then use index slicing to get the addresses and call nfi.exe asynchronously to get the affected files. It is really easy. I don't even need to use regex for this.
But the problem is that the data is incomplete. When I ran the chkdsk commands there were so many records that the console screen buffer got overwritten many times. I have restarted the computer of course because chkdsk can only be run on C: during wininit.
How can I then get all the addresses affected by chkdsk?
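The filtering step described in the post, as an added example that is not the poster's script: it pulls cross-link records out of chkdsk text saved from the Event Viewer record, tolerating lost line breaks and a cut-off final record, and groups the damaged runs by file record segment. The sample text is constructed from the records quoted above, the function names are hypothetical, and sectors_per_cluster=8 is an assumption (chkdsk counts in clusters, nfi.exe reports logical sectors).

```python
import re
from collections import defaultdict

# Constructed sample: one record from the post with its line breaks intact,
# and one flattened and cut off the way the pasted console output is.
SAMPLE = '''Stage 1: Examining basic file system structure ...
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x9383fc2 for possibly 0xfe clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x46c4 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x46C4.
Attribute record of type 0x80 and instance tag 0x4 is cross linkedstarting at 0x938454e for possibly 0x90 clusters.Some clusters occupied by attribute of type 0x80 and instance tag 0x4in file 0x470b is already in use.Deleting corrupt attribute record (0x80, "")...
'''

# \s* between fields absorbs both real line breaks and breaks that were lost.
# The "in file" line is used for the segment number because it survives even
# when the trailing "from file record segment" line is cut off.
RECORD = re.compile(
    r"type (0x[0-9a-f]+) and instance tag 0x[0-9a-f]+ is cross\s*linked\s*"
    r"starting at (0x[0-9a-f]+) for possibly (0x[0-9a-f]+) clusters\."
    r"[^.]*?in\s+file (0x[0-9a-f]+)",
    re.IGNORECASE,
)

def parse_cross_links(text):
    """Map file record segment -> [(attr_type, start_cluster, cluster_count)]."""
    files = defaultdict(list)
    for attr, start, count, frs in RECORD.findall(text):
        run = (int(attr, 16), int(start, 16), int(count, 16))
        if run not in files[int(frs, 16)]:   # the log can repeat a record
            files[int(frs, 16)].append(run)
    return dict(files)

def sectors_to_query(files, sectors_per_cluster=8):
    """First logical sector of each damaged run, one lookup target per run.

    sectors_per_cluster=8 is an assumption (4096-byte clusters on 512-byte
    sectors); take the real value from `fsutil fsinfo ntfsinfo D:`.
    """
    return sorted(start * sectors_per_cluster
                  for runs in files.values() for _, start, _ in runs)

if __name__ == "__main__":
    found = parse_cross_links(SAMPLE)
    for frs, runs in sorted(found.items()):
        for attr, start, count in runs:
            print(f"FRS {frs:#x}: attr {attr:#x}, cluster {start:#x} x {count:#x}")
    print(sectors_to_query(found))
```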