
files now think they're directories



#1 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 04 July 2017 - 01:30 AM

i have a usb hard drive formatted with NTFS that is giving me trouble. I have a media player connected to my tv that, via the network, accesses this drive on my laptop. i believe the player is linux based.

i tried moving some files on the usb drive using the media player and now most of those files are corrupted. for some reason files such as .txt and .avi now are showing as directories. if i try to delete them i get errors like 'cannot delete, invalid directory name'. the files all now have folder icons.

 

anyone know of a way to fix this? i downloaded a MFT editor but i don't know what to edit to let the system know that this IS a file and not a directory (or vice versa).

 

thanks in advance,

andy



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 July 2017 - 07:46 AM

Strange case. :unsure:

 

A $MFT editor (which one BTW?, maybe a hex/disk editor with $MFT templates?) won't likely help you.

 

Which OS does the laptop run?

 

In most cases of (bland) NTFS filesystem corruption all that is needed is to run a CHKDSK on the volume, it should either delete the invalid entries or modify them (either back to file or as valid directories) so that you can later delete them directly.

 

Can you set the OS to show extensions and post a screenshot?

Or even better, can you run a DIR listing those files and run an ATTRIB on a couple of them to see how they show?

 

:duff:

Wonko



#3 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 04 July 2017 - 06:43 PM

Thanks for the response.

the editor i was trying to use was Active@ Disk Editor. i was hoping that i could change some attribute in the MFT to tell the system that it wasn't a directory but a file. I can't figure out where to do that.

 

The OS is winxp and the drive is formatted in NTFS. I'm unable to attach pics to this post. is there a drop box or something somewhere I can put them for you?



#4 Zoso_The_Internet_Tard

Zoso_The_Internet_Tard

    Silver Member

  • Advanced user
  • 545 posts
  • Interests:An investigation is underway to determine whether Trump has any ties to America.

Posted 04 July 2017 - 08:52 PM

Well, technically, all directories are files (at least in Linux), but not the other way around.

#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 July 2017 - 07:23 AM

You can use *any* free data/picture hosting service, upload there the images (or a .zip containing them) and post a link.

One among the many (that needs no registration):
http://www.zippyshare.com/

 

:duff:

Wonko



#6 RoyM

RoyM

    Frequent Member

  • .script developer
  • 415 posts
  • Interests:"Booting and Owning".
  •  
    United States

Posted 06 July 2017 - 01:45 AM

Le'me see if I got this right.
 
usb hard drive formatted with NTFS, connected to laptop, running XP. 
Media device to tv, (connects to laptop) --> wireless --> Samba --> usb/NTFS, samba share,
"I assume".
"Tried moving files with media player", 
(from where, to where, what media player, using media players File Manager or another ???).
What Media Device, What OS, What Player.
More info please.
Regards.
RoyM


#7 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 07 July 2017 - 04:52 PM

here is a link to the screenshots

http://www3.zippysha...Xp4Lh/file.html

and to answer RoyMs questions

-yes, usb drive connected to laptop running xp, drive formatted ntfs

-not sure how the media device connects (software-wise) - it's a WD media player and it logs itself into the network... donno if it's samba or some other protocol but i believe it's using linux underneath so i would guess samba

-the media player has a function that allows me to delete or move files. i tried to move them. that is what screwed up the files on the network drive (usb connected to laptop)

 

in the zip file there are 2 images. one shows the content of a directory that has the offending files. the Readme.txt directory within is the bad one. it used to show as a txt file then suddenly started showing as a dir and i can't do anything with it



#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 07 July 2017 - 05:21 PM

Have you tried running CHKDSK on the volume?

 

At first try run CHKDSK without parameters (apart the drive letter).

 

Then try running it with the /F parameter.

 

:duff:

Wonko



#9 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 07 July 2017 - 06:27 PM

i had run one before and just ran another. still same issue. it did say that it fixed to sparse file errors, but the files are still shown as directories and i cannot delete them



#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 07 July 2017 - 07:17 PM

> i had run one before and just ran another. still same issue. it did say that it fixed to sparse file errors, but the files are still shown as directories and i cannot delete them

Wait a minute.

Are those sparse files?

What is the actual message from CHKDSK?

What do you get running fsutil sparse queryflag <file> and fsutil sparse queryrange <file>?

 

:duff:

Wonko



#11 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 07 July 2017 - 08:39 PM

first command gives me 'this file is set as sparse'

second gives 'sparse range [0] to [258]'



#12 RoyM

RoyM

    Frequent Member

  • .script developer
  • 415 posts
  • Interests:"Booting and Owning".
  •  
    United States

Posted 08 July 2017 - 01:51 AM

Malwarebytes didn't like the link to screenshot.
I must respect Malwarebytes, Sorry for the inconvenience.
 
What Media Device, What OS, What Player. ???
 
Firstly, The media device must connect to laptop/usb 'somehow'.
The top Media devices are likely to be ARMs, running a linux variant/flavor.
With that said, and no other info to go on.
I will assume Media device --> ISP router --> samba share on xp laptop to usb.
* Try formatting laptop/usb as fat32, maybe ext?, or exfat. *
XP will understand fat32, but that's it, without additional software.
 
A more specific answer can be provided with more detailed info.
Regards
RoyM


#13 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 08 July 2017 - 12:14 PM

@RoyM
With all due respect :), the issue at hand is to (hopefully) fix the NTFS filesystem, not anything else (that may be useful once the filesystem has been fixed).

@andyrew
It is not like you are going to consume your keyboard by pressing too many keys.
You posted a screenshot with two files, one which *seems* a directory with "Readme.txt" name and one that *seems* like a normal file with "War.avi" as name.
Which of the two is the "sparse file"?
The Readme.txt?
Or War.avi?
Or both?

To better check use:
fsutil usn readdata <file>

on the line "File Attributes" there will be a number *like* 0xnnnn if the second n is a 2, then the file is sparse, if it is 0 it is not.

Unfortunately there are no (AFAIK) working tools to make a file "non sparse", so you might really need a hex/disk editor (and you will need to access the volume from another booted OS, I don't think it is possible to hexedit directly a $MFT of a booted system volume) :unsure:

Check (right click in explorer->properties) the EXACT (in bytes) size of the file(s) BOTH the file size and the file size on disk.

Before resolving to hex edit the $MFT I would rather try to overwrite/fill the file and/or use sdelete or similar.

:duff:
Wonko

#14 RoyM

RoyM

    Frequent Member

  • .script developer
  • 415 posts
  • Interests:"Booting and Owning".
  •  
    United States

Posted 08 July 2017 - 03:10 PM

No disrespect was assumed.
I see the topic is toward fixing the filesystem.
What I was trying to get at, was that this is a Linux based Media device, 
communicating thru samba,  (Still Mostly assumed)
to an NTFS filesystem.
I have my doubts that the media device understands NTFS.
You may be trying to fix something unfixable.
 
Regards
RoyM


#15 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 09 July 2017 - 12:35 PM

the 'readme.txt' is the offending file that i cannot delete.

if i check the properties on the file, both size and size on disk are 0

running the fsutil command that you posted i get the below response

 

 

Major Version    : 0x2
Minor Version    : 0x0
FileRef#         : 0x09a2000000002b9f
Parent FileRef#  : 0x098e000000002b63
Usn              : 0x0000000007091460
Time Stamp       : 0x0000000000000000 12:00:00 AM 1/1/1601
Reason           : 0x0
Source Info      : 0x0
Security Id      : 0x115
File Attributes  : 0x2210
File Name Length : 0x14
File Name Offset : 0x3c
FileName         : Readme.txt



#16 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 09 July 2017 - 03:31 PM

File attributes show it as sparse (0x200), the (0x2000) should mean "not indexed" and the (0x10) means a directory:
File Attributes : 0x2210
https://msdn.microso...5(v=vs.85).aspx

So it is confirmed, *somehow* you have a sparse directory :w00t: :ph34r:.

The good news :) are that I could replicate it. :smiling9:

Now, the question is, can you - using your hex/disk editor of choice - find the sector that hosts the $MFT record for that file?

If yes, at offset 0x70 you will find:

10 22

you can make it:

00 00

then run a CHKDSK /F on the volume.

At this point you should be able to delete the file alright.

The problem may be if the hex/disk editor will allow you to save the changes while making a direct disk editing (it should). :unsure:

You might also need to detach/reattach disk (and/or reboot).

:duff:
Wonko



#17 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 09 July 2017 - 08:23 PM

i may be looking in the wrong place but i'm unable to find that string to edit. most of the disk/hex editors i download won't let me get anywhere near that file (invalid directory name). the only one that will let me view it is the original @Active hex editor.

I am attaching a link to a screen shot of the editor. I'm going to the NTFS MFT file record. Once I go to offset 70 there is nothing there so i assume im in the wrong spot.

 

link to hex editor screen shot of file

http://www99.zippysh...VnPft/file.html



#18 alacran

alacran

    Frequent Member

  • Advanced user
  • 473 posts
  •  
    Mexico

Posted 09 July 2017 - 08:48 PM

Junction Link Magic automatically lists existing junction points, and it offers an easy interface to add, modify or remove junction points.

Junction Link Magic is freeware: http://www.rekenwond...m/linkmagic.htm

I have used this to create and delete Junction links in XP and it worked like a charm, maybe this can be useful for this case as it works on 7 too.

Another free tool that may be useful is Link Shell Extension: http://schinagl.priv...nkshellext.html

alacran



#19 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 10 July 2017 - 09:29 AM

@alacran

There is NO link, junction or mountpoint seemingly involved in this case.

 

@andyrew

It is well possible - data in a $MFT record are of dynamic size, so - even if I tried to recreate the situation with a Readme.txt - my record has some different length.

 

BTW, your $MFT record begins with FILE* (FILE - asterisk) which is typical of a "previous" version of NTFS (2K used that) while XP uses FILE0 (FILE- zero).

 

Anyway, in Active Disk Editor open "Attribute $10", open "$Standard Information", click on "File permissions" you should have highlighted 10 20 00 00 or 10 22 00 00, in your case it could be 30 22 00 00 on the line 3266965616 + 8.

Change those to 00 00 00 00.

Then, click on "Attribute $30" -> "$FILE_NAME" ->"File Attributes", you should land to another instance of (in your case) 30 22 00 00.

Leave this alone for the moment.

Then commit the changes, and try running:

fsutil usn readdata <file> (take note of the File Attributes value)

chkdsk <volume>

you should have a message that checkdisk could not repair because run in read only mode, then run

chkdsk <volume> /F

fsutil usn readdata <file> (take note of the File Attributes value)

 

if possible dismount the volume and remount it, or reboot, etc., it depends on a number of factors, but sometimes some changes are "cached" and are not refreshed.

 

:duff:

Wonko
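Added example, not part of any post in this thread: a read-only Python sketch that walks the attribute chain of an MFT FILE record to locate the $STANDARD_INFORMATION flags field instead of assuming offset 0x70, then decodes the value and reports the directory-plus-sparse combination discussed in posts #16 and #19. The sample record is constructed for illustration (first attribute at 0x38 is an assumption of the sample), and the function names are hypothetical.

```python
import struct

# Win32 file attribute bits, including the three named in the thread
FLAGS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY",
         0x20: "ARCHIVE", 0x200: "SPARSE_FILE", 0x400: "REPARSE_POINT",
         0x800: "COMPRESSED", 0x2000: "NOT_CONTENT_INDEXED", 0x4000: "ENCRYPTED"}

def decode_attributes(value):
    """Names of the attribute bits set in value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def is_sparse_directory(value):
    """True for the inconsistent state seen in the thread (0x10 and 0x200 both set)."""
    return bool(value & 0x10) and bool(value & 0x200)

def find_si_flags(record):
    """Return (offset, value) of the 4-byte flags field in $STANDARD_INFORMATION."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos = struct.unpack_from("<H", record, 0x14)[0]    # offset of first attribute
    while pos + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF:                        # end-of-attributes marker
            break
        if alen == 0 or pos + alen > len(record):
            raise ValueError("corrupt attribute length")
        if atype == 0x10:                              # $STANDARD_INFORMATION
            if record[pos + 8] != 0:
                raise ValueError("$STANDARD_INFORMATION must be resident")
            content = struct.unpack_from("<H", record, pos + 0x14)[0]
            off = pos + content + 0x20                 # flags follow four 8-byte timestamps
            return off, struct.unpack_from("<I", record, off)[0]
        pos += alen                                    # attributes vary in size
    raise ValueError("no $STANDARD_INFORMATION attribute")

def build_sample_record(flags=0x2210, first_attr=0x38):
    """Constructed 1024-byte record for the demo, not data from the poster's disk."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, first_attr)
    # Resident header: type 0x10, length 0x60, content length 0x48 at offset 0x18
    struct.pack_into("<IIBBHHHIH", rec, first_attr, 0x10, 0x60, 0, 0, 0, 0, 0, 0x48, 0x18)
    struct.pack_into("<I", rec, first_attr + 0x18 + 0x20, flags)
    struct.pack_into("<I", rec, first_attr + 0x60, 0xFFFFFFFF)
    return bytes(rec)

if __name__ == "__main__":
    offset, value = find_si_flags(build_sample_record())
    print(hex(offset), hex(value), decode_attributes(value), is_sparse_directory(value))
```

Run against a 1024-byte record dumped from a disk image, the same functions show where the field actually sits when the record header or earlier attributes have a different length.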



#20 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 10 July 2017 - 04:15 PM

Can you upload the complete MFT record, that is 1024 bytes from decimal offset 3266965504 (according to that image you posted)?



#21 andyrew

andyrew
  • Members
  • 8 posts
  •  
    United States

Posted 10 July 2017 - 07:28 PM

holy cow... that fixed it!!! it took a while... it didn't really WANT to let me change it but eventually i got it fixed and was able to delete the file. I was also able to fix the other files that had the same issue.

 

Thank you all for your help. I was about to go nuclear and just reformat the entire disk :)

Again, a big thanks to everyone.

 

Andy



#22 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13649 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 July 2017 - 06:56 AM

Good. :)

 

It is however "queer", more or less you found a bug in chkdsk. :w00t:

 

Additionally, in the experiments I made, the 22 is changed by a first run of chkdsk into 20, so I couldn't reproduce fully the situation.

 

Finally both Active Disk Editor (the $MFT template) and DMDE (which I used) didn't "fully" or "rightly" parse the flags/attribute field.

 

:duff:

Wonko





