34
16
I have a hard drive with 3 bad sectors. I know the sector numbers and the computer can still boot into Windows. I want to run sector repair from an HDD diagnostics tool from the manufacturer, but before I do that, I'd like to know what files are affected. Is there a way to figure out what file or files are occupying those sectors?
22
Here's the process using WinHex, a handy hex editor that can examine and edit drives directly. Be very careful; this tool can damage your system if used inappropriately. Open disks read-only whenever possible.
Since you have the bad sector locations already, you can open the drive in WinHex directly ("Open Disk" toolbar button) and then navigate to the sector to view the data ("Go to Sector" toolbar button). Assuming your sector locations are physical sector addresses, you need to open your physical drive in this step.
This won't identify the file directly, but the left-hand pane should identify the partition that contains this sector and its corresponding relative sector address.
If the partition you've identified is an NTFS or FAT partition, we can open the partition directly ("Open Disk" again). This will open the partition in a new tab, so you can switch back and forth as needed. In the partition tab, use the "Go to Sector" function again, but this time input the translated sector (the "relative sector" identified in the drive view).
Now, in the left-hand pane, you should see a section on "Alloc. of visible drive space". Under this is the cluster #, physical sector #, logical (relative) sector #, and the filename if this sector actually belongs to a file.
If these steps don't give you an immediate answer, your bad sectors may not be in use. If the results are unclear, you may have to do some more digging to find your answer.
quack quixote
Posted 2010-01-19T15:04:45.710
Reputation: 37 382
1
the downloadable version claims to be an evaluation version, but seems very capable. i'm not sure what the trial period is. see here for license options: http://www.x-ways.net/winhex/order.html
– quack quixote – 2010-01-21T07:49:24.717Can the user interface be coerced into revealing this information without reading the sector? I am performing recovery on a disk that shuts down (detaches and powers off) when I read particular sectors. – sheldonh – 2014-12-16T19:29:25.627
winhex website appears down/unavailable (http://i.imgur.com/1FAX5cN.png) try the nfi solution below. straight and simple. free. "immediate answer" ;)
– Costin Gușă – 2015-09-25T13:11:02.123WinHex was the bomb....Found what files where affected by the bad sectors (absolute sectors from surface scan) in minutes. Awesome tutorial. Thanks I would vote u up "quack quixote" but I don't have the 15 reputation necessary...... – None – 2011-10-21T06:03:05.193
21
Try nfi.exe - Windows NT File System (NTFS) File Sector Information Utility. Download from Microsoft OEM Support Tools Phase 3 SR2.
> nfi.exe
Dumps information about an NTFS volume, and optionally determines
which volume and file contains a particular sector.
Usage: nfi drive-letter [logical-sector-number]
Drive-letter can be a single character or a character followed
by a colon (i.e., C or C: are acceptable).
Logical-sector-number is a decimal or 0x-prefixed hex
number, specifying a sector number relative to the volume
whose drive letter is given by drive-letter. If not
specified, then information about every file on the volume
is dumped.
nfi NT-device-path physical-sector-number
Determines which volume a given physical sector on a drive is
within, and then which file on the volume it is in.
NT-device-path is the NT-style path to a physical device.
It must not include a partition specification.
Physical-sector-number is a decimal or 0x-prefixed hex
number, specifying a sector number relative to the physical
drive whose device path is given by NT-device-path.
nfi full-win32-path
Dumps information about a particular file. full-win32-path
must start with a drive letter and a colon.
Note you must omit the "\\?" prefix of the block device path. Example:
C:\Users\admin\Downloads>nfi \Device\Harddisk0\DR0 28521816
NTFS File Sector Information Utility.
Copyright (C) Microsoft Corporation 1999. All rights reserved.
***Physical sector 28521816 (0x1b33558) is in file number 5766 on drive C.
\IMAGES\win7HDD.vhd
$DATA (nonresident)
physical sectors 32863720-34098663 (0x1f575e8-0x2084de7)
physical sectors 28519912-32863719 (0x1b32de8-0x1f575e7)
physical sectors 25727944-26291143 (0x18893c8-0x1912bc7)
physical sectors 95163976-115106143 (0x5ac1648-0x6dc615f)
Robert Collier
Posted 2010-01-19T15:04:45.710
Reputation: 679
I logged in just to upvote this. this should be marked as answer! – Costin Gușă – 2015-09-25T12:56:32.860
If you don't know NT-device-path, you can try to find it with dd --list. (Attention to users with Unix tools in PATH: the dd here is C:\WINDOWS\system32\dd.exe, you may need to use the full path) – user – 2016-01-18T09:27:43.763
Windows 10 doesn't have this utility in system32. c:\Windows\System32>dd.exe 'dd.exe' is not recognized as an internal or external command, operable program or batch file. – Aen Sidhe – 2016-07-17T06:51:37.837
Oh, sorry, it isn't a system tool, it's from here: http://www.chrysocome.net/dd (@Aen, thanks for reporting)
– user – 2016-12-25T18:24:10.8571The download link on microsoft site is dead – basin – 2017-06-10T07:00:41.073
Those OEM support tools are not easy to find, but you can still get them here: http://www.jumpjet.info/Application-Software/Windows/win2k.htm nfi.exe seems to still work on Windows 7
– EM0 – 2017-08-12T11:44:22.9371
Can also be found on the wayback machine https://web.archive.org/web/20150329185738/http://download.microsoft.com/download/win2000srv/utility/3.0/nt45/en-us/oem3sr2.zip
– mkey – 2017-12-28T13:37:01.5178
Most defragmenting programs show a disk-map displaying all the clusters on the disk which you can then click (look for the ones marked as bad) to view the file(s) located in that cluster.
As Walter said, any disk and OS combo from the past decade or so will make sure to relocate files from bad sectors automatically (drive firmware usually handles this, but disk tools like chkdsk or defragmenters will usually do this as well).
Defraggler:
Defrag-a-File:
Vopt:
Synetech
Posted 2010-01-19T15:04:45.710
Reputation: 63 242
Looks promising, I'll give it a go. – ChrisWue – 2012-01-25T21:13:23.160
6
DiskView from Sysinternals performs exactly this function: to display a diskmap of the drive and let you see what files occupy what clusters.
Unfortunately, there does not seem to be a way of displaying the names of system files.
Synetech
Posted 2010-01-19T15:04:45.710
Reputation: 63 242
It only works with NTFS partitions – eadmaster – 2013-12-05T05:08:06.157
That’s why I posted it as a separate answer, because it is a tool made specifically for this purpose, so it answers the question, but it is limited (I still use FAT32 extensively), so it is not the be-all-end-all solution. (Yet?) – Synetech – 2013-12-05T06:09:04.337
5
You may use fsutil from Administrator command prompt. Subcommand volume has querycluster subsubcommand.
See Windows Command-line Reference Fsutil.
Fsutil takes cluster number in Logical drive as input argument, instead of sector number. But it should be easy to calculate this number:
cluster# = (absolute_sector - start_of_partition_sector) / sectors_per_cluster.
Example output:
c:\tmp> fsutil volume querycluster C: 5235
Cluster 0x0000000000001473, verwendet von
----D \Program Filesx86)\LibreOffice 4\program\fwilo.dll::$DATA
NorbertM
Posted 2010-01-19T15:04:45.710
Reputation: 151
3
as far as i know when a drive hits a certain number of read errors on a sector it gets marked as bad and its contents are copied away to another place on the drive. this usually happens before the data on that sector has become completely unreadable.
I try to dig up a source for that, just read it yesterday but cannot remember where.
from man hdparm (8)
Note also that the --repair-sector flag can be used to restore (any) bad sectors when they are no longer needed, including sectors that were genuinely bad (the drive will likely remap those to a fresh area on the media).
Bottom line: you don't have to care about bad sectors, the harddrives firmware does that for you. only thing you have to do is get a new drive before there are too many of them and your drive dies.
Baarn
Posted 2010-01-19T15:04:45.710
Reputation: 6 096
I'm pretty sure that reallocation happens on write and not on read. The SMART data of the drive seems confirms that. The number of pending sectors is high (larger than 0) while the Sector Reallocation Count is 0. For me that means: There are bad sectors marked for reallocation but they have not yet been reallocated. – ChrisWue – 2012-01-25T20:54:48.417
look at the /r option – Baarn – 2012-01-25T21:02:21.733
getting info out about the files stored in that sector seems to be not possible though. – Baarn – 2012-01-25T21:05:28.523
2
RunTime's DiskExplorer allows you to examine a drive by sector. It's payware ($70 for the NTFS version) but free to try. They have versions for NTFS, FAT and Linux (ext2/3).
quack quixote
Posted 2010-01-19T15:04:45.710
Reputation: 37 382
i expect there's a configuration step you're missing if it shows that for all sectors, but i haven't used this tool in a long time so i can't give you direct instructions with it. i'll add another answer with a separate tool; perhaps someone else will chime in with proper usage of this one. – quack quixote – 2010-01-21T07:41:21.583
It’s not a configuration problem, it’s that Disk Explorer is just very complicated and hard to use. It is not automatic enough. (The old DOS program Norton Disk Doctor was similar, but much easier to use because it automatically read and adjusted to file-system structures. Shame it didn’t support NTFS and was discontinued.) – Synetech – 2013-12-05T06:11:03.390
This looked promising, but sadly it doesn't work. DiskExplorer displays "Invalid MFT entry" for every sector of the drive. – None – 2010-01-20T01:26:47.060
1
I know thread is old but for the record for everyone having such issue there is way to check it from linux. One can always use some live linux on cd/usb stick, like slax which is super easy to run. Anyway, back to business.
I had found today some smartd deamon logs with unreadable sectors warnings and decided to investigate that. After research I eventually run (# is prompt indicating root privileges, sudo can be used instead if one is running as ordinary user):
# smartctl -H /dev/sda2
SMART overall-health self-assessment test result: PASSED
Which indicates that that drive is somewhat healthy, which is good.
But I followed and investigated further and run badblocks.
# badblocks -v /dev/sda2 > ~/log/sda2.badsectors
# cat ~/log/sda2.badsectors
271521948
So there was some badblock which I wanted to know which file it belongs to and found
that it could be done with debugfs, the problem was that my partition was ntfs so I used ntfstools which is the key:
# ntfscluster -s 271521948 /dev/sda2 > 271521948.secinfo 2>&1
# cat 271521948.secinfo | grep -v "extent"
Searching for sector 271521948
Inode 142427 /tmp/dl/setup_torch_2.exe/$DATA
* one inode found
/ grep -v "extent" is to get rid off lot of useless information displayed by ntfscluster /
So in case of ntfs all one needs is ntfscluster -s $SECTOR.
tansy
Posted 2010-01-19T15:04:45.710
Reputation: 11
See also How to find out what file is on a particular sector - the same question, but for an NTFS filesystem accessed from Linux.
– sleske – 2016-02-13T17:54:14.4371roadkil's sector editor might go part of the way, just doesn't list programs. – barlop – 2013-01-08T16:04:29.687