0

This one really drives me around since a year or so:

Having a public Windows 2008 Web Server (behind a firewall) that runs perfectly smooth, I have lots of troubles when rebooting this server (e.g. after a Windows Update).

Nearly every time when I shut it down, it boots again and then it has a corrupted NTFS file system on the C: drive.

The event log says:

Event Type: Error
Event Source: NTFS
Event ID: 55
Description: The file system structure on disk is corrupt and unusable. Please run the chkdsk utility on the volume "System"

Until now I was always able to do a chkdsk with the repair option to fix these issues. I'm praying that the day will never come where this fails.

We already did a check of the hardware RAID, a deep memory test, both with no error.

So my question is:

Are you aware of any circumstances that could cause the above error?

Additional information: the latest results from chkdsk today (after a reboot that causes the error 55 again) were:

Checking file system on C:
The type of the file system is NTFS.
Volume label is System.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
281152 file records processed.
File verification completed.
835 large file records processed.
0 bad file records processed.
0 EA records processed.
188 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
Deleting index entry ntdll.dll in index $I30 of file 3467.ssed)
Deleting index entry schannel.dll in index $I30 of file 3467.
Deleting index entry mciseq.dll in index $I30 of file 4364.sed)
Deleting index entry ntdll.dll in index $I30 of file 4364.
Deleting index entry schannel.dll in index $I30 of file 4364.
Deleting index entry mcicda.dll in index $I30 of file 140572.d)
Deleting index entry mciseq.dll in index $I30 of file 140572.
Deleting index entry mciwave.dll in index $I30 of file 140572.
350052 index entries processed.
Index verification completed.
CHKDSK is recovering lost files.
Recovering orphaned file mciseq.dll (137912) into directory file 4364.
Recovering orphaned file ntdll.dll (138001) into directory file 4364.
Recovering orphaned file mcicda.dll (138006) into directory file 140572.
Recovering orphaned file ntdll.dll (138009) into directory file 3467.
Recovering orphaned file mciseq.dll (138017) into directory file 140572.
Recovering orphaned file mciwave.dll (138024) into directory file 140572.
Recovering orphaned file schannel.dll (140765) into directory file 4364.
8 unindexed files processed.
Recovering orphaned file schannel.dll (140771) into directory file 3467.
CHKDSK is verifying security descriptors (stage 3 of 5)...

Addition 1: The comments on EventID.net for this error didn't seem to help me further.

Uwe Keim
  • 2,370
  • 4
  • 29
  • 46

1 Answers1

1

I have only seen things like this when there were multiple NTFS filter drivers installed (EG SEP + NetIQ change guardian + something else I can't remember caused this). We removed one of them and everything was fine.

Jim B
  • 23,938
  • 4
  • 35
  • 58
  • Thanks, Jim. Is there any way to find out the applications that installed those filter drivers? Looking at Autoruns.exe doesn't seem to tell me (or I cannot identify). – Uwe Keim Jan 13 '12 at 21:06
  • 1
    You might try a memory dump. I got "lucky" and my machines would bluescreen after a certain application ran (disk intensive), and then be fine. this didn;t happen in test adn teh only differences were the drivers. A memory dump confirmed they were what caused the bluescreen (and the corrupted FS). Filter drivers are things like antivirus and change monitoring software so if you have those on there try removing them and see. – Jim B Jan 13 '12 at 21:24