I am running Ubuntu on my file server and noticed in dmesg a load of the following errors (there are a lot of other lines per instance but this seems to be the main one)
blk_update_request: I/O error, dev sdb, sector 5621815688 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
The line is always the same so assumed there is one sector which is giving a problem. I run badblocks and it found 4 bad blocks as follows
2810907844
2810907845
2810907846
2810907847
They are contiguous so thought this seemed to align with the previous error found. Looking online people seem to say that the linux tools are poor and to use Windows chkdsk. So...I found an old Win 7 rescue CD so booted it with this and tried running chkdsk. This gave me loads of "attribute list for file x is corrupt" (where x is a different number each time).
Now unsure whether the disk is actually in worse state than I thought or maybe the chkdsk errors are because the ntfs disk is accessed only via Ubuntu and there is some sort of "compatibility" issue between them or something.
I have an external USB HDD that was formatted with NTFS on Windows, which I've used extensively on both Ubuntu and Raspberry PiOS. Both Linuxes have been able to read *and write* perfectly and I've never had any bad blocks in about 3 years of daily usage (the Pi runs TVHeadend video-recorder software which writes all its recordings to the NTFS drive). But even with NTFS, errors can occur. Almost always, when "chkdsk" does report errors, "chkdsk /f" repairs them, no errors are reported on a subsequent chkdsk (without /f), and files all seem to be intact. But I may just have been very lucky...
I'm inclined to trust Windows chkdsk more than a Linux equivalent, because NTFS is native to Windows. If you don't have confidence in the HDD's filesystem, I suggest you bite the bullet and copy everything off it onto another drive on a Windows computer, do a full (not "quick") format of the drive and then copy everything back again. You may manage with just "chkdsk /f" to repair the filesystem, but you may want to play it safe and reformat.
The question is: is it better to copy the contents and *then* do "chkdsk /f" or to do the chkdsk first and then copy the data? Depends whether chkdsk /f will make things any worse. My gut feeling is copy first then try to repair. Then if you are real glutton for punishment, copy again to another folder structure and compare file for file ;-)
This could be one physical 4k block which contains several logical
512byte sectors, particularly as they're all in the same 4k block number, if the disk is formatted like this.
The block will stay bad until it's rewritten which will generate a good checksum, possibly remapping it if the disk media is bad at that point.
If it was a ZFS filesystem, it would tell you which file is corrupt, or it would have corrected it if in the metadata or if RAID level provided redundancy.
Yes. So there may be irrecoverable file corruption at those points. But at least reformatting the drive should map out those sectors (any others that are starting to fail) so they don't get used in future.
The safest option with a drive that is getting bad blocks is to copy all the data off, hoping that the data loss is negligible, and copy it onto a *new* drive - and then destroy (*) and discard the old one. Hopefully the new drive is not a very expensive large-capacity one. The other month I accidentally dropped a 4 TB USB drive that I use as a backup drive. It still spins (surprisingly) but the shock must have damaged the head-tracking mechanism because it shuts down a few seconds later. I didn't lose any data, but I lost £80 to buy a new copy, and many hours (unattended) to create a new full backup from the SATA drives in my "server" PC.
(*) Hammering a 6" nail through the platters, slightly off-centre, is a pretty sure-fire way of making sure that nobody will ever read the data again ;-) And it's *so* satisfying, especially if the patters are ceramic and you can hear the tinkling of broken platters when you shake the drive ;-)
CHKDSK is a repair-in-place utility. This is dangerous to the health of the data.
You definitely do not want to run CHKDSK on any drive which is weak. For example, one person discovered (the hard way), that the ribbon cable on their IDE drive was loose and not all the pins were making proper contact. A run of CHKDSK concluded "everything was damaged" and it then attempts to write the disk to make corrections, and of course every write attempt causes further corruption (because the cable isn't touching). That's an example where "non-functional storage", an inability to do a write properly, leads to destruction.
You need "safety backups" to proceed, and known-good drives that are not themselves a hazard to life and limb.
duff ----- safety ---- candidate drive backup new storage with corrected content
The transfer from the left to the center, captures all the good sectors it can.
Once the data is on the center drive, we expect that media to be "reliable while making copies". We can copy, as many times as we like, from center to right disk. (Center to right, you can use ddrescue if you want, because if you use ntfsclone of partclone fame, it might become wobbly if encountering bad NTFS structures. It should only take one pass, with an empty log for output.)
Once the data is on the right-hand disk, we apply
chkdsk /f RightHandDiskLetter
If it goes poorly, if you think you've lost files, you may have to change strategies. But since the center drive still has a copy, you can use as many questionable techniques on the right hand drive, as you could wish. Just keep cloning from center to right, before each attempt.
*******
formatting link
From my notes, with notes.
sudo apt install gddrescue # [ perhaps this installs ddrescue in /sbin or /usr/bin ??? ]
# If the left disk is 500GB, the center disk, whether storing the result as a file # or cloning to the disk and making an exact copy, that's going to need 500GB # The following three commands illustrate various options with ddrescue. # The destination must be intelligently selected -- the suggestion of /root here # is silly, and it might be /mnt/media/somedisk/sdb_rescue.img .
sudo ddrescue -f -n /dev/sdb /root/sdb_rescue.img /root/rescue.log # Disk to file (500GB file) sudo ddrescue -f -n /dev/sdb /dev/sdc /root/rescue.log # Disk to disk (populate 500GB disk) sudo ddrescue -f -n /dev/sdb /dev/null /root/rescue.log # Generate log only
# The -n option means no attempt is made on the fast first pass, to get everything # The first transfer is a quick survey of the disk, getting most of the # easy to get materials.
# Examine the LOG file for details. A large log file means # there are many CRC errors.
gedit /root/rescue.log
# Now, the second pass reads the log, and concentrates only on the # not-yet-captured sectors. The -n option is removed, because now the # utility will be focusing on recovery techniques. Note that even *bad* # blocks can be recovered, with bad data in them, leading to CHKDSK doing # weird things. The error detection polynomial on the disk is only so good. # Because this operation will rely on 10 to 15 second timeouts per sector, # this can take hours and hours, depending on how sick the drive is. The size # of the damage as seen in rescue.log, hints at the potential wait. You use the # same "flavor" of command, as you selected from the above two possibilities. # You could recover to a 500GB file, and you would name the file you used # from the first step, to receive overwrites of recovered material (that did not # receive a write on the first pass.
sudo ddrescue -d -f -r3 /dev/sdb /root/sdb_rescue.img /root/rescue.log # disk to file, etc.
*******
OK, so what other utilities might we need ?
There is a tiny utility in there, nfi.exe . It dumps information about where the clusters are stored. With some arithmetic, it's possible to map the bad addresses in your rescue.log, to file names. On my bad Dell disk, two bad blocks were in "white space" so nothing harmed, two bad blocks were in the middle of files.
formatting link
formatting link
formatting link
The command is then:
nfi.exe W: > nfi_w_out.txt
notepad nfi_w_out.txt
The file will be poorly spaced, with extra lines.
The $MFT has slots, and "filenum" are stuffed in them. After a file is deleted, a filenum may no longer have a valid file, and its filenum no longer appears in nfi_w_out.txt
filenum 100 filenum 101 filenum 102 <=== The next two slots not in use filenum 105
Each filenum can either be a file or a directory. A directory is just a file, with a $I30 entry. It is possible some sort of attribute material is in the $130.
For severely fragmented files, a single file can use multiple filenum as extensions. Don't panic if "windows.edb" had 100 similar filenum entries. This is the usage of multiple slots, to hold pointers to all the fragments in the file. Some defragmenter utilities, only know how to reduce the frag list in a filenum to the one entry. Those defragmenters aren't smart enough to "squash" a hundred filenum down to just one, so the file has no true fragments. I solve this, with careful "copying" of the file :-) Obviously, not in Windows, which may fudge and not solve the problem. Linux can do that (correct the problem), because it doesn't know any better.
*******
With a fresh copy on your right-most disk, you can try this.
The author of that program, had at that point just got the NTFS version running. One person in the WinXP group, claims to have recovered some data with it. I've never used it myself, to see what kind of results it is capable of. You need the right kind of damage, to give such a test.
You would still need storage space somewhere, for the output from that program.
Personally, I'd get a new drive first and back up stuff to that as the working drive. Drives are pretty cheap these days. Then you can play about with the dodgy one in Windoze and see if it destroys the other operating system. I do know that if the errors are hard then tend to spread its a warning sign that all is not well and sooner or later it will very badly. Strangely, SSDs seem to suffer a lot from this, so I can only think its some leakage in the chip itself. Brian
Bollox. Lix is pretty damned good on chkdsk even with NTFS
So...I found an old Win 7
If its only ever accessed via Ubuntu, why is it NTFS?
Yes. the disk is toast. Don't even think about trying to map out bad blocks. Get another one, format it EXT4 and start pulling the data over with e,g. rsync. At some point that will fail when it hits the bad blocks, but it will tell you what they are part of file wise.
Thanks for all the suggestions. I have run smartctl (output below) but as far as I can see there are no reallocated sectors and SMART is not registering any errors. How would I determine which file has the bad blocks in it to force the reallocation as some have suggested? Only other info I can add is that I have noticed a file I can't seem to delete. If you do a "ls -l" on the directory I get
-????????? ? ? ? ? ? 20160913_110018.jpg.tmp
Wonder if this is the file in question?
This is the output from "smartctl -a"
smartctl 7.1 2019-12-30 r5022 [x86_64-linux-5.4.0-92-generic] (local build) Copyright (C) 2002-19, Bruce Allen, Christian Franke,
formatting link
=== START OF INFORMATION SECTION === Model Family: Western Digital Red Device Model: WDC WD30EFRX-68EUZN0 Serial Number: WD-WCC4N1002037 LU WWN Device Id: 5 0014ee 20a0f3b81 Firmware Version: 80.00A80 User Capacity: 3,000,592,982,016 bytes [3.00 TB] Sector Sizes: 512 bytes logical, 4096 bytes physical Rotation Rate: 5400 rpm Device is: In smartctl database [for details use: -P show] ATA Version is: ACS-2 (minor revision not indicated) SATA Version is: SATA 3.0, 6.0 Gb/s (current: 3.0 Gb/s) Local Time is: Sun Jan 9 17:37:14 2022 GMT SMART support is: Available - device has SMART capability. SMART support is: Enabled
=== START OF READ SMART DATA SECTION === SMART overall-health self-assessment test result: PASSED
General SMART Values: Offline data collection status: (0x00) Offline data collection activity was never started. Auto Offline Data Collection: Disabled. Self-test execution status: ( 0) The previous self-test routine completed without error or no self-test has ever been run. Total time to complete Offline data collection: (39900) seconds. Offline data collection capabilities: (0x7b) SMART execute Offline immediate. Auto Offline data collection on/off support. Suspend Offline collection upon new command. Offline surface scan supported. Self-test supported. Conveyance Self-test supported. Selective Self-test supported. SMART capabilities: (0x0003) Saves SMART data before entering power-saving mode. Supports SMART auto save timer. Error logging capability: (0x01) Error logging supported. General Purpose Logging supported. Short self-test routine recommended polling time: ( 2) minutes. Extended self-test routine recommended polling time: ( 400) minutes. Conveyance self-test routine recommended polling time: ( 5) minutes. SCT capabilities: (0x703d) SCT Status supported. SCT Error Recovery Control supported. SCT Feature Control supported. SCT Data Table supported.
The filename is "20160913_110018.jpg.tmp" the '?'s are where the date and ownership etc should be. When I try to do anything to the file (e.g. stat 20160913_110018.jpg.tmp results in an I/O error) so there is something very dodgy about this file.
<snip>
Any idea how I would do that?
In terms of the utilities Paul mentioned in his post, I cant see one that will enable me to find out which file is allocated to the dodgy blocks in question. Am I being dozy? Is there any way of correlating these blocks with the "Current_Pending_Sector" one to check it is all the same problem? The dodgy file above was created by an old android app I use to auto backup my phone photos to my server so maybe there is a bug in that that caused the problem?
First of all, your SMART Data isn't the end of the world.
I would still make a copy of the data now, using ddrescue, awaiting "resolution" of the drive status. You should copy the data off the drive now, either file-by-file or as an image/clone with ddrescue.
Duff ------- Good # No third drive needed in this picture. Drive DD copy # We will try to fix Duff Drive.
I try to research these hard drive terms as best I can. However, by observing the behavior over a long period of time (twenty years), it would appear Seagate behavior does not match just about all the "information" web pages I can find.
The information online says that first a Current_Pending is logged. It gets resolved, and the Reallocated_Sector_Count gets incremented if the problem was resolved by Reallocation.
The first problem is, the Reallocated_Sector_Count (which is zero on yours at the moment), is a thresholded count. They don't show you the real count, because if the manufacturer did that, you would "cherry-pick" new drives, until you "got one with a low count". You would keep returning brand new hard drives to the store, until the counter was as close to zero as you could make it. Obviously, this is bad for business.
It was considered acceptable at one time, to ship drives with 100,000 reallocations on them. The 100,000 number is subtracted from the real count. Only if the result is a positive integer, does a count show for the drive. So when Reallocated shows 1 in the Raw_Data field, it's really 100,001 (or some other large integer representing the acceptance criterion for new drives).
This means when the drive is in the prime of life and full of vigor, that counter stays at zero. It stays at zero, even if sectors are being spared out and reallocated. You cannot watch the drive burn through its "life", as the counter won't let you watch.
Then, one day, out of the blue, the Reallocated starts to increase from zero. Typically, you might see them come in "bunches", depending on the write activity level of the drive.
OK, so while you are watching this going on, you look at Current_Pending. What do you notice ? Well, the damn thing is not coming off the pegs and is staying at zero. Somebody lied to us!
My observation is, Yes, Current_Pending does go non-zero. But it picks a particular time to go non-zero. It's when the drive is headed for trouble, and a section of the disk doesn't have any spares left. SOMETHING, some resource is running low. That is when Current_Pending goes non-zero. The Internet description of the behavior, then works in the expected manner. Items decremented from Current_Pending, show up in Reallocated.
What can we conclude about your drive. The drive is Seagate (so Current_Pending sense is "altered"). You have no Reallocated (raw_data is zero). That is good. But the fact you have a Current_Pending showing, means there is probably more to the problem you are showing us, than meets the eye.
This is NOT the time to have a big grin on your face, delete the file and move on.
The drive needs to be flushed and restored. The flushing allows the "true nature" of the drive to shine through. When to stop using a drive is a judgment call. For example, of the drives that I have purchased and managed here myself, no drive has failed here in more than 20 years. I have three failures total from before that. Two Maxtors (probably motor controller failures), and a Seagate 32550N that died in spectacular fashion (head assembly jammed in head lock solenoid). Even the unhealthy Seagate 500GB drives I have here, some with as few as 8000 hours on them, they show bad counts, but the drives still aren't dead. I use these as scratch drives -- the "only copy" of data never goes on those drives.
*******
So here's the deal.
You can:
1) Copy the files off, in a file-by-file fashion, to a second drive. But now, you don't really know whether the files have good integrity or not. It's a copy, but it might not be the best, sweetest copy.
Zero the drive out with "dd" in Linux. For example, if fdisk or gdisk tells you the drive size rounds to cylinders, perhaps this is enough. What is magic about that number ? 63 divides into it.
Now, scan the clean drive with ddrescue and build a log of unreadable sectors. Since the write operation attempted by the "dd" has given a chance for Pending items to be removed, any new Current_Pending we see now are bad news. The Current_Pending "grow" as this command progresses to completion.
That scans the disk, and gives an idea how many sectors cannot be read. At the same time, it allows the drive to "grow" the Current_Pending. If the drive was perfectly healthy, the Current_Pending after this run would be zero Raw_Data.
mkfs.ntfs and copy the files back, assuming nothing you see during the cleaning in this section, showed worrying signs.
You could also dd_copy the disk back, instead of file by file, if you want. Then CHKDSK etc.
OR
2) Do nothing. Use file system level tools. Make the file go away. Delete the directory. Create the directory. Copy the single directory of files in it back.
But now, you should enhance your backup procedures. The problem is, at least a few utilities, they will "bail" on the backup, if more CHKDSK-style errors show up. Backups are intolerant of health problems. You cannot have "100% adequate" backups, on a drive that is screwing itself into the ground. The backup software won't let you. To make backups of unhealthy drives, that is a HELL of a job, and your time is important to you.
One thing you're going to learn about hard drives is, the bigger the drives are that you buy, the longer and longer these attempted-repair procedures take. Something I was doing with a 6TB the other day (not really a big drive), it took
12 hours. You tend to lose track of what step you're at, when things are that slow. It is not uncommon for people doing RAID recovery, for a single step to take a whole week! This tends to make people avoid maintenance and rely on "Prayer" for their protection.
Yes. Well the answer becomes very simple. Copy every other file off, onto a shiny new drive.
If you want to recover that file you probably need to use something like DD and a third drive to copy the dead one to, but honestly, do you care? If you totted up the time you and others here have already spent on this we could all have donated 50p and you would have the cost of two new drives covered.
Trust the collected experience of IT professionalsand ex professionals - once a modern drive shows any errors at all that chkdsk and friends cannot fix, its time to bin the drive.
I think you have had a head crash - disk powered off while spinning with head over a sector, and its gouged out some material. Where that has ended up is the problem. Once you have trash inside a drive it will get worse
HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.