Troubleshooting Disk Problems
There are various causes of disk problems and means of recovering from them. The following are tools that you can use to troubleshoot disk problems:
DiskProbe can be used to examine and change information on individual disk sectors.DiskMap can be used to display the layout of partitions and logical volumes on your disk.
Neither of these tools is designed for use with dynamic disks because they cannot read the dynamic Disk Management database. DiskProbe can change the values of individual bytes in any sector on a dynamic disk, but it cannot navigate the structure of a dynamic disk, so it might be impossible to find the sector that you want to view or edit. Therefore it is generally recommended that these tools only be used on basic disks.DiskProbe is part of the Support Tools collection in the SupportTools folder on the Windows 2000 product CD. For more information about using DiskProbe, see the document Dskprtrb.doc in the C:Program FilesSupport Tools folder.DiskMap is one of the Resource Kit tools on the Windows 2000 Resource Kit companion CD. For more information about using DiskMap, see the document Diskmap.doc, installed with the Resource Kit tools into the C:Program FilesResource Kit folder.
WARNINGWith careful use of such disk tools as DiskProbe, you can solve problems whether they occur through human error, hardware problems, power outages, or other events. It is a good idea to familiarize yourself with these tools in a test situation. Testing is especially important if your configuration has legacy spanned or striped sets.
Be extremely cautious about making any changes to the structures of your hard disk! DiskProbe does not validate the proposed changes to records. Incorrect values in key data structures can render the hard disk inaccessible or prevent the operating system from starting.
You can easily make changes that have serious consequences, resulting in the following error messages:
You cannot start any operating system.A volume is no longer accessible.You have to recreate and reformat all of the partitions and logical
volumes.
DiskProbe displays a messages asking you to verify any change that you want recorded to disk. Please carefully consider any changes before accepting them.
NOTE
Using DiskProbe, you can save, restore, find, examine, and change the bytes of any sector on the disk, including the MBR and the boot sector. The MBR of disk 0 is used to start Windows 2000-based computers, and the system and boot volumes of disk 0 must be defined in the partition table, making the boot sectors easily located, regardless of the disk configuration used. As a result, DiskProbe can be used to back up and restore these disk structures on computers using dynamic disk.
Viruses
It is always important to take precautions to protect your computer and the data on it from viruses. Many computer viruses exploit the disk structures that your computer uses to start up by replacing, redirecting, or corrupting the code and data that start the operating system.
MBR Viruses
MBR viruses exploit the master boot code that runs automatically when the computer starts up. MBR viruses are activated when the BIOS activates the master boot code, before the operating system is loaded. Many viruses replace the MBR sector with their own code and move the original MBR to another location on disk. Once the virus is activated, it stays in memory and passes the execution to the original MBR so that startup appears to function normally. Some viruses do not relocate the original MBR, causing all volumes on the disk to become inaccessible. If the active, primary partition's listing in the partition table is destroyed, the computer cannot start. Other viruses relocate the MBR to the last sector of the disk; if that sector is not protected by the virus, it might be overwritten during normal use of the computer, preventing the system from being restarted.
Boot Sector Viruses
As with the master boot code, the boot sector's executable code also runs automatically at startup, creating another vulnerable spot exploited by viruses. Boot sector viruses are activated before the operating system is loaded and run when the master boot code in the MBR identifies the active, primary partition and activates the executable boot code for that volume. Many viruses update the boot sector with their own code and move the original boot sector to another location on disk. Once the virus is activated, it stays in memory and passes the execution to the original boot sector so that startup appears normal. Some viruses do not relocate the original boot sector, making the volume inaccessible. If the affected volume is the active, primary partition, the system cannot start. Other viruses relocate the boot sector to the last sector of the disk. If that sector is not protected by the virus, it might be overwritten by normal use of the computer, rendering the volume inaccessible or preventing the system from restarting, depending upon which volume was affected.
How MBR and Boot Sector Viruses Affect Windows 2000
A computer can contract an MBR or boot sector virus by one of two common methods: by starting up from an infected floppy disk; or by running an infected program, causing the virus to drop an altered MBR or boot sector onto the hard disk. The function of an MBR or boot sector virus is typically contained once Windows 2000 has started. If a payload is not run during system startup and the virus preserved the original MBR or boot sector, Windows 2000 prevents the virus from self-replicating to other disks.Windows 2000 is immune to viruses infecting these disk structures during normal operation, because it only accesses physical disks through protected mode disk drivers. Viruses typically subvert the BIOS INT 13h disk access routines, which are ignored once Windows 2000 has started. However, Windows 2000 computers that are multiple-booted with MS-DOS, Windows 95, or Windows 98 can become infected when Windows 2000 is not running the computer.If a multiple-boot computer on which Windows 2000 has been installed becomes infected by an MBR or boot sector virus while running another operating system, Windows 2000 is vulnerable to damage. Once the protected mode disk drivers have been activated, the virus cannot copy itself to other hard disks or floppy disks because the BIOS mechanism on which the virus depends is not used for disk access. However, viruses that have a payload trigger that executes during startup are a threat to computers that are running Windows 2000 because the trigger process is initiated before the control during the computer startup process passes to Windows 2000.
Treating an MBR or Boot Sector Virus Infection
To remove a virus from your computer, use a current, well-known, commercial antivirus program designed for Windows 2000, and update it regularly. In addition to scanning the hard disks in your computer, be sure to scan all floppy disks that have been used in the infected computer, in any other computers, or with other operating systems in an infected multiple-boot computer. Scan them even if you believe they are not infected. Many infections recur because one or more copies of the virus were not detected.If the computer is already infected with a boot sector virus when Windows 2000 is installed, standard antivirus programs might not completely eliminate the infection because Windows 2000 copies the original MS-DOS boot sector to a file called Bootsect.dos and replaces it with its own boot sector. The Windows 2000 installation is not infected, but if the user chooses to start MS-DOS, Windows 95, or Windows 98, the infected boot sector is reapplied to the system, reinfecting the computer. Antivirus tools that are not specifically designed for Windows 2000 do not know to check Bootsect.dos for viruses. AVBootMicrosoft provides a customized antivirus tool that can be used for these types of viruses. AVBoot is located in the Valueadd3rdpartyCa_antiv folder of the Windows 2000 Setup CD. Insert an empty, high-density, 3.5-inch floppy disk, and use Windows 2000 Explorer to locate and double-click Makedisk.bat to create a startup floppy disk that automatically runs AVBoot. AVBoot scans the memory as well as the MBR and all boot sectors of every locally installed disk. If a virus is found, it offers to remove the virus.
IMPORTANTFdisk/mbr commandDo not depend on the MS-DOS command Fdisk /mbr, which rewrites the MBR on the hard disk, to resolve MBR infections. Many newer viruses have the properties of both file infector and MBR viruses, and restoring the MBR does not solve the problem if the virus immediately reinfects the system. In addition, running Fdisk /mbr in MS-DOS on a system infected by an MBR virus that does not preserve or encrypt the original MBR partition table permanently prevents access to the lost partitions. If the disk was configured with a third-party disk management program, running this command eliminates the program overlay control and you cannot start up from the disk.
Whether you use a third-party antivirus program or AVBoot, be sure to regularly update the virus signature files. Once you install an antivirus program, immediately update the signature files, usually through an Internet connection. Check with the software manufacturer's documentation for specific instructions. AVBoot includes update instructions in the installation folder and on the AVBoot floppy disk.
It is extremely important that you regularly update your antivirus program. In most cases, antivirus programs are unable to reliably detect and clean viruses of which they are unaware. False negative reports can result when using an out-of-date virus scanner. Most commercial antivirus software manufacturers offer monthly updates. Take advantage of the latest download to ensure that your system is protected with the latest virus defenses.
IMPORTANTFixmbr commandThe Recovery Console, a new troubleshooting tool in Windows 2000, offers a feature called Fixmbr. However, it functions identically to the Fdisk /mbr command, replacing only the master boot code and not affecting the partition table. For this reason, it is also unlikely to help resolve an infected MBR.For more information about the Recovery Console, see "Troubleshooting Tools and Strategies" in this book.
Running Fdisk /mbr in MS-DOS overwrites only the first 446 bytes of the MBR, the portion known as the master boot code, leaving the existing partition table intact. However, if the signature word, the last two bytes of the MBR, has been deleted, the partition table entries are overwritten with zeroes. If an MBR virus overwrites the signature word, access to all partitions and logical volumes is lost.
Damaged MBRs and Boot Sectors
When you start a computer from the hard disk, the system BIOS code identifies the startup disk and reads the MBR. The master boot code in the MBR searches for the active, primary partition on the hard disk. If the first hard disk on the system does not contain an active partition, or if the master boot code cannot locate the system partition's boot sector to start the operating system, the MBR displays one of the following error messages:
Invalid partition table.
Error loading operating system.
Missing operating system.
There might not be an active partition on the hard disk that you want to use to start the computer, or the wrong partition might be identified as the active partition. In this case, use an MS-DOS startup floppy disk to start the computer and use the MS-DOS tool Fdisk to set or change the active partition.
NOTE
Fdisk can only set primary partitions as the active partition. If MBR corruption prevents Fdisk from setting or changing the active partition, you might need to use a third-party, low-level disk editor that can work under MS-DOS to make this change manually. The partition table field that needs to be changed is the System ID field. For more information about the fields in the partition table, see "Master Boot Record" earlier in this chapter.
Restoring the MBR
Occasionally the MBR can becomecorrupted. This can be caused by human error, hardware problems, power fluctuations, viruses, and other factors.Replacing the MBR with a Disk EditorYou need to replace the MBR if it becomes corrupted and you can no longer access any volumes on that disk. If you have backed up the MBR using a tool such as DiskProbe, you can use it to restore the MBR on a non-startable disk. Restoring the backup MBR rewrites the entire sector, including the partition table. However, DiskProbe only runs under Windows 2000 and Windows NT. It does not run under MS-DOS, Windows 95, or Windows 98. If the MBR on the startup disk is corrupted, you will likely not be able to start Windows 2000 or DiskProbe. For more information about restoring backed up MBRs with DiskProbe, see the document Dskprtrb.doc in the folder C:Program FilesSupport Tools. If DiskProbe is not available to you, you can use an MS-DOS-based, third-party, low-level disk editor to restore the backup MBR. Replacing the MBR with the Recovery ConsoleYou can also use the Recovery Console to rewrite the MBR to resolve a corrupted MBR on a startup disk. To start the Recovery Console, start the computer from the Windows 2000 Setup CD or the Windows 2000 Setup floppy disks. If you do not have Windows 2000 Setup floppy disks and your computer cannot start from the CD, use another Windows 2000-based computer to create the setup disks. For information about creating the Windows 2000 Setup floppy disks, see Windows 2000 Professional Help.Start the computer and enter Windows 2000 Setup. Press ENTER at the Setup Notification screen to go to the Welcome to Setup screen. Press R to repair a Windows 2000 installation, and then press C to use the Recovery Console.The Recovery Console displays all valid installations of Windows 2000 on the computer. To access the hard disk, press the number key representing the Windows 2000 installation you that want to repair (typically represented as 1: C:WINNT), and then press ENTER.
NOTEThe Recovery Console then prompts you for the Administrator password.
If you press ENTER without typing a number, the Recovery Console quits and restarts the computer.
The Recovery Console may also show valid installations of Windows NT. However, the results of attempting to access a Windows NT installation can be unpredictable.
NOTETo replace the MBR, at the Recovery Console command prompt, type:fixmbrVerify if you want to proceed. Depending upon the location and the cause of the corruption within the damaged MBR, this operation can cause the data on the hard disk to become inaccessible. Press Y to proceed, or N to cancel.
To access the hard disks with Recovery Console, you must know the password for the local Administrator account. If you do not have the correct password, or if the security database for the installation of Windows 2000 you are attempting to access is corrupted, Recovery Console does not allow access to the local disks.
IMPORTANTLast Resort AlternativesAs a last resort, using a disk editor tool, you can try to copy an MBR from another disk. However, since the partition table is part of the MBR, the new MBR is not likely match the existing partition scheme of the original MBR. If you used DiskMap to save a record of the original partition table, you might be able to manually recreate the partition table in the new MBR. When you have copied an MBR from another computer of the same type (for example, another computer made by the same manufacturer with identical disk controllers), use a disk editor tool, such as DiskProbe, to edit the partition table information. Verify your work carefully.
Running Fixmbr overwrites only the master boot code, leaving the existing partition table intact. If the corruption in the MBR affects the partition table, running Fixmbr might not resolve the problem.
CAUTIONAfter you have replaced the MBR and edited the partition table, check that it is now functional. If the MBR is still not functional after you have verified that the edits were correct, the problem might be caused by either a hardware problem, such as incorrect SCSI termination or disk controller error, or by a virus.
Overwriting the existing MBR with one from another system and manually recreating the partition table is only recommended for the most advanced users. The likelihood for permanently losing data is very high.
Replacing the Boot Sector
You need to replace the boot sector if it becomes corrupted. The procedure you follow depends upon whether the corrupted boot sector is from the boot volume. Replacing the Boot Sector with a Disk EditorIf the boot sector is not from the boot volume on the hard disk, there are several methods that can be used to replace it. If you backed up the boot sector with DiskProbe, restoring it with DiskProbe is the fastest method. For NTFS volumes, there is another alternative. When you create or reformat an existing volume as an NTFS volume, NTFS writes a duplicate of the boot sector at the end of the volume (on volumes formatted with Windows 2000 and Windows NT 4.0) or at the logical center of the volume (on disks formatted with Windows NT 3.51 and earlier). You can use DiskProbe to locate and copy this sector to the beginning of the volume. There are also third-party MS-DOS-based disk tools that you can use to locate and copy this backup boot sector to the primary boot sector on the volume. For specifically replacing corrupted boot sectors from boot volumes, DiskProbe is not always an available option. Unless you have created a Windows 2000 startup floppy disk, you cannot start Windows 2000, which is required by DiskProbe. You can use an MS-DOS-based, third-party, low-level disk editor to restore the backup up boot sector. Replacing the Boot Sector with the Emergency Repair ProcessIf the boot sector cannot find Ntldr, Windows 2000 cannot start. This condition can be caused by moving, renaming, or deleting Ntldr, corruption of Ntldr, or corruption of the boot sector. Under these circumstances, the computer might not respond to input or might display one of the following error messages:
A disk read error occurred.
NTLDR is missing.
NTLDR is compressed.
If Ntldr is damaged or missing, or if the boot sector is corrupted, you can resolve either problem by starting the Emergency Repair Process and following the prompts for repairing the installation using the Emergency Repair Disk (ERD). For more information about running the Emergency Repair Process and using the ERD, see "Troubleshooting Tools and Strategies" in this book..Replacing the Boot Sector with the Recovery ConsoleYou can also use the Recovery Console to replace the corrupted boot sector. To replace the boot sector.If you do not specify a particular drive, the Recovery Console replaces the boot sector of the boot partition. If another volume's boot sector is corrupted, enter the Fixboot command, followed by a space, and then specify the drive letter with a colon. For more information about starting the Recovery Console, see "Replacing the MBR with the Recovery Console" earlier in this chapter. For more detailed information about the Recovery Console, see "Troubleshooting Tools and Strategies" in this book.
Checking for Disk Corruption
If key operating system data structures are damaged, they can prevent system startup. These structures include the MBR, the boot sector, and the core operating system files.
CAUTIONTo check for disk corruption with Chkdsk
Back up key data files before performing any disk repair operations. Do not run any disk tools that are not specifically designed for Windows 2000. Earlier versions of disk repair tools may not work properly. To prevent possible data loss, use a disk tool that is specifically designed for Windows 2000, such as Chkdsk.
From the command prompt, type:chkdsk c: /r
You can substitute drive C in the example for any locally installed read/writable drive in the computer.
NOTEIf corruption is detected, you might need to replace system files. For more information about using Chkdsk and replacing system files, see "Troubleshooting Tools and Strategies" in this book.
Chkdsk cannot correct errors if there are open files on the volume because Chkdsk cannot lock the volume for exclusive access. In this case, Chkdsk offers to check the volume automatically the next time the computer restarts. This is typical behavior with the boot volume. When the boot volume is checked, the computer is automatically restarted after the volume check is completed.
Other Disk Problems
Disk problems can occur that do not involve the MBR, partition table, extended partition table, or boot sector. Typically, the Windows 2000 disk tools cannot be used to troubleshoot these disk problems.
Stop 0x0000007B—Inaccessible Boot Device
This Stop message, also known as Stop 0x7B, indicates that Windows 2000 lost access to the system partition during the startup process. This error can be caused by a number of factors, including the failure of the boot device driver to initialize, the installation of an incompatible disk or disk controller, an incompatible device driver, disk cabling problems, disk corruption, viruses, or incompatible logical block addressing (LBA). The system BIOS allows access to fixed disks that use fewer than 1024 cylinders. Many later disks, however, exceed 1024 cylinders. LBA is used to provide support for these disks. Such support is often built into the system BIOS. However, there are potential problems with LBA, such as:
If partitions are created and formatted with LBA disabled, and LBA is subsequently enabled, a STOP 0x7B can result. The partitions must be created and formatted while LBA is enabled. Some LBA schemes are not compatible with Windows 2000. Check with your vendor.
WARNINGFor more information about Stop message 0x7B, see "Windows 2000 Stop Messages" in this book.
Changing LBA modes from one scheme to another can force you to recreate and reformat the partitions.
Volume Displays as Unknown
If you create and format a volume with NTFS, FAT16, or FAT32, but you cannot access files on it, and Disk Management displays the volume as Unknown, the boot sector for the volume might be corrupted. For NTFS volumes, there are two other possible causes for a volume to display as Unknown:
Permissions for the volume have been changed.The master file table (MFT) is corrupted.
The boot sector can be corrupted by viruses. For more information about cleaning an infected computer, see "Viruses" earlier in this chapter. Permission problems can occur when you perform the following tasks:
Create a second volume.Remove the group Everyone from the access control list (ACL). Grant access to a specific user.
The single user has normal access, but if other users log on, or if Windows 2000 is reinstalled, Disk Management shows the drive as Unknown. To correct this problem, log on as an administrator and take ownership of all folders, or return full control to the group Everyone.If the MFT file is corrupted, there is no general solution, and you need to contact Microsoft Product Support Services.
CMOS Problems
The CMOS typically stores configuration information about the basic elements of the computer, including RAM, video, and storage devices. If the CMOS is damaged or incapable of retaining its configuration data, the computer might be unable to start.Each manufacturer and BIOS vendor can decide what a user can configure on the CMOS, and what the standard configuration is. You can access the CMOS by using either a keyboard sequence at startup or a software tool, depending on the manufacturer's specifications. It is recommended that you record or print all CMOS information.The computer uses the CMOS checksum to determine if any CMOS values have been changed other than by using the CMOS Setup program. If the checksum is not correct, the computer cannot start. After the CMOS is correctly configured, any CMOS problem is usually caused by one of the following problems:
A weak battery, which can happen when the computer has been turned off for a long time.A loose or faulty connection between the CMOS and the battery.A damaged CMOS caused by static electric discharge.
Cables and Connectors
Another source of disk problems can be cabling and connectors. Cables can go bad, but if the cable works initially, it is likely to work for a long time. When new disks are added to the computer, check for cabling problems. New problems might stem from a previously unused connector on an existing cable or from a faulty, longer cable used to connect all the disks that might have replaced the working original. Also check the connections to the disk themselves. If the cables are tightly stretched, one or more connectors may work themselves loose over time, resulting in intermittent problems with the disks.If your system has small computer system interface (SCSI) adapters, contact the manufacturer for updated Windows 2000 drivers. Try disabling sync negotiation in the SCSI BIOS, checking the SCSI identifiers of each device, and confirming proper termination. For enhanced integrated drive electronics (EIDE) devices, define the onboard EIDE port as Primary only. Also, check each EIDE device for the proper master, slave, or stand-alone setting. Try removing all EIDE devices except for hard disks.To make sure that any new disks and disk controllers are supported, see the Microsoft Windows 2000 Hardware Compatibility List (HCL) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.