CHKDSK and Usn Journal

  • Thread starter Thread starter Patok
  • Start date Start date
P

Patok

Why is CHKDSK verifying the Usn Journal, and why not? My
understanding is, that the journal is only used if one has the
indexing service running (and some others, which I forget). I have
neither of these on any of my XP machines. All disks do not allow the
service to index, and the service itself is disabled. There is no
journal file in sight (by all indications it should be in system32,
right?).

However, on most of the computers, CHKDSK *is* verifying the Usn
Journal, except on one lonely machine, where it is not. What is it
verifying on these machines, where no such file exists? Or, why is it
not doing it on that lone computer?

All of the machines are XP Pro, SP3, NTFS (Duh).
 
Patok said:
Why is CHKDSK verifying the Usn Journal, and why not? My
understanding is, that the journal is only used if one has the
indexing service running (and some others, which I forget). I have
neither of these on any of my XP machines. All disks do not allow the
service to index, and the service itself is disabled. There is no
journal file in sight (by all indications it should be in system32,
right?).

However, on most of the computers, CHKDSK *is* verifying the Usn
Journal, except on one lonely machine, where it is not. What is it
verifying on these machines, where no such file exists? Or, why is it
not doing it on that lone computer?

All of the machines are XP Pro, SP3, NTFS (Duh).
Click to expand...

NTFS journaling has nothing to do with whether or not you have
Microsoft's, Google, Copernic's, or someone else's utility running that
might have something to do with interrogating and cataloging files. You
can even run indexing utilities on operating systems that don't even
have any journaling function.

http://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
Section titled "NTFS Change Journal"

http://en.wikipedia.org/wiki/NTFS#USN_Journal
http://en.wikipedia.org/wiki/Journaling_file_system

Journaling is used to recover changes to files made by you or some
process. If the OS crashes, journaling is used to recover the state of
those files. After all, the buffer in hard disks holding pending
changes is worthless if power is suddenly lost.

You sure CHKDSK isn't verifying the journaling state recorded for your
OS instance? Just because that step goes quickly doesn't mean that
there is no checking. If there is no journaling metadata to check then
the check is going to be pretty quick. Obviously journaling isn't
available unless you are using a file system that supports it. You sure
the oddball host is using NTFS?
 
VanguardLH said:
NTFS journaling has nothing to do with whether or not you have
Microsoft's, Google, Copernic's, or someone else's utility running that
might have something to do with interrogating and cataloging files. You
can even run indexing utilities on operating systems that don't even
have any journaling function.

http://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
Section titled "NTFS Change Journal"

http://en.wikipedia.org/wiki/NTFS#USN_Journal
http://en.wikipedia.org/wiki/Journaling_file_system

Journaling is used to recover changes to files made by you or some
process. If the OS crashes, journaling is used to recover the state of
those files. After all, the buffer in hard disks holding pending
changes is worthless if power is suddenly lost.
Click to expand...

Why are you preaching to the choir? Do you think I did not read
these links? None of it explains why I'm observing what I'm observing.
I know what journaling is supposed to do. What I don't know is who's
using it. I don't have any of the mentioned utilities running.

You sure CHKDSK isn't verifying the journaling state recorded for your
OS instance? Just because that step goes quickly doesn't mean that
there is no checking. If there is no journaling metadata to check then
the check is going to be pretty quick. Obviously journaling isn't
available unless you are using a file system that supports it. You sure
the oddball host is using NTFS?
Click to expand...

Duh. No, on the computer where it is not checking it, it is /not/
checking it. It is apparent from the event viewer. And the system *is*
NTFS. (Do you take me for a clueless luser here? I've posted enough on
this newsgroup to have hopefully eradicated such impressions. Jeez.)

Do you, or do you not, know where the journaling file is supposed
to be, and if CHKDSK says that it is checking journaling, does that
file exist, or not? And what does it mean, on a NTFS volume, if CHKDSK
is *not* checking it? This is the curious information I've been unable
to find.
 
Why is CHKDSK verifying the Usn Journal, and why not? My understanding
is, that the journal is only used if one has the indexing service
running (and some others, which I forget). I have neither of these on
any of my XP machines. All disks do not allow the service to index, and
the service itself is disabled. There is no journal file in sight (by
all indications it should be in system32, right?).

However, on most of the computers, CHKDSK *is* verifying the Usn
Journal, except on one lonely machine, where it is not. What is it
verifying on these machines, where no such file exists? Or, why is it
not doing it on that lone computer?

All of the machines are XP Pro, SP3, NTFS (Duh).
Click to expand...

The USN journal can also be used by other utilities such as AV and
backup software. If you are certain that the USN journal is not being
used you can delete it with the fsutil command:

fsutil usn deletejournal /D X:

where X is the drive letter of the mounted drive

If utilities are using the USN journal they will just enable it again
after you delete it and it will be rebuilt.

John
 
Patok said:
Why are you preaching to the choir? Do you think I did not read
these links? None of it explains why I'm observing what I'm observing.
I know what journaling is supposed to do. What I don't know is who's
using it. I don't have any of the mentioned utilities running.
Click to expand...

Oh, you know everything ("preaching to the choir") but you're still
asking others for help. Yep, from what you posted, sure, we know that
you know everything we mention or suggest. Okay then, you know it all
so go ahead and resolve the problem on your own. Sorry for intruding on
your oversensitive ego and god-like realm.
Duh. No, on the computer where it is not checking it, it is /not/
checking it. It is apparent from the event viewer. And the system *is*
NTFS. (Do you take me for a clueless luser here? I've posted enough on
this newsgroup to have hopefully eradicated such impressions. Jeez.)
Click to expand...

Yes, apparently you are a loser. You actually think anyone is going to
be so fascinated with you presence that they have a memorized record of
your participation here and elsewhere or even bother to look up your
history. I wasn't here to learn about you. I saw the question, not the
poster. Wow, what an inflated ego or maybe you're on the rag.

You even expect that everyone who voluntarily chooses to respond will
somehow know what you already know so they won't step on your really
touchy toes. Good luck with culling helpful responses with that
attitude of yours.
Do you, or do you not, know where the journaling file is supposed
to be,
Click to expand...

Oh, now the question changes from what is journaling to where are its
files. Well, gee, now how am I supposed to answer that question without
possibly recounting information you might already know? Wouldn't want
to step on those touchy toes of yours again.
and if CHKDSK says that it is checking journaling, does that
file exist, or not? And what does it mean, on a NTFS volume, if CHKDSK
is *not* checking it? This is the curious information I've been unable
to find.
Click to expand...

Journaling files are not presented to the user through Windows Explorer.
They are tiny files spread out all over the hard disk and why sometimes
you still cannot defrag a partition enough to get a large enough
contiguous space to copy/move a file into that partition without it
getting split into fragments which, if that's your goal, you'll have to
wipe the partition and clone it back (using the file system, not by
replacing sectors) to move the journal files up front. Defrag doesn't
move the journal files.

Oops, I've intruded on your don't-ever-state-anything-I-already-know-
but-you-don't-know-what-I-know world. I might recount something you
already know which really seems to irritate you because we aren't mind
readers to know everything you already know. Have fun with your
research.
 
NTFS journaling has nothing to do with whether or not you have
Microsoft's, Google, Copernic's, or someone else's utility running that
might have something to do with interrogating and cataloging files. You
can even run indexing utilities on operating systems that don't even
have any journaling function.

http://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
Section titled "NTFS Change Journal"

http://en.wikipedia.org/wiki/NTFS#USN_Journal
http://en.wikipedia.org/wiki/Journaling_file_system

Journaling is used to recover changes to files made by you or some
process. If the OS crashes, journaling is used to recover the state of
those files. After all, the buffer in hard disks holding pending
changes is worthless if power is suddenly lost.

You sure CHKDSK isn't verifying the journaling state recorded for your
OS instance? Just because that step goes quickly doesn't mean that
there is no checking. If there is no journaling metadata to check then
the check is going to be pretty quick. Obviously journaling isn't
available unless you are using a file system that supports it. You sure
the oddball host is using NTFS?
Click to expand...


Patok,

Very precise post, and thanks for the link to "Journaling file
system."

--
=========== Tecknomage ===========
Computer Systems Specialist
ComputerHelpForum.org Staff Member
IT Technician
San Diego, CA
 
VanguardLH said:
Oh, you know everything ("preaching to the choir") but you're still
asking others for help. Yep, from what you posted, sure, we know that
you know everything we mention or suggest. Okay then, you know it all
so go ahead and resolve the problem on your own. Sorry for intruding on
your oversensitive ego and god-like realm.
Click to expand...

I'm not asking for help! Where did I write that I have a problem? I
was baffled by an inexplicable discrepancy I was observing, and posted
here, where experts be, who might know something.

Yes, apparently you are a loser. You actually think anyone is going to
be so fascinated with you presence that they have a memorized record of
your participation here and elsewhere or even bother to look up your
history. I wasn't here to learn about you. I saw the question, not the
poster. Wow, what an inflated ego or maybe you're on the rag.
Click to expand...

Well, that's your problem. When I see a question I think I can
answer, I look to see who's asking. And if it's some name I even
vaguely recognize as not incompetent, I don't post the first search
results from Google, because I expect them to have done at least that.
I'll remember next time when (if) you ask a question here, to answer
you with what the built-in XP Help&Support has to say, to make you see
how it feels.
I don't expect you to have memorized all of my participation, of
course, but didn't you at least notice that on some occasions I have
actually helped people here? And I've never given useless or
misleading advice, unlike e.g. Tester, Peter Foldes, or PA Bear? Is
that too much to ask?

You even expect that everyone who voluntarily chooses to respond will
somehow know what you already know so they won't step on your really
touchy toes. Good luck with culling helpful responses with that
attitude of yours.


Oh, now the question changes from what is journaling to where are its
files. Well, gee, now how am I supposed to answer that question without
possibly recounting information you might already know? Wouldn't want
to step on those touchy toes of yours again.
Click to expand...

Well, if you had read my first post carefully, you'd have seen that
I asked that question - and it is still there, near the top, at the
end of the first quoted paragraph of this here message.


Journaling files are not presented to the user through Windows Explorer.
They are tiny files spread out all over the hard disk and why sometimes
you still cannot defrag a partition enough to get a large enough
contiguous space to copy/move a file into that partition without it
getting split into fragments which, if that's your goal, you'll have to
wipe the partition and clone it back (using the file system, not by
replacing sectors) to move the journal files up front. Defrag doesn't
move the journal files.
Click to expand...

Now finally you say something non-trivial. Thanks. Are you saying
that the journaling system is *not* using NTFS files? That it is
occupying blocks that have no entries in the directory? Or that it is
part of the System Volume Information meta-folder?
 
John said:
The USN journal can also be used by other utilities such as AV and
backup software. If you are certain that the USN journal is not being
used you can delete it with the fsutil command:

fsutil usn deletejournal /D X:

where X is the drive letter of the mounted drive

If utilities are using the USN journal they will just enable it again
after you delete it and it will be rebuilt.
Click to expand...

That's an interesting thing to try, indeed. I don't know how
conclusive the results can be, though.

I did it on one of the partitions on one of the computers that do
check the journal. However, when checking it later with
fsutil usn queryjournal
it is still there. Empty at first, but still active - when I write to
that partition, it starts getting entries. So using deletejournal
doesn't disable it. Hmmm. And on the computer where CHKDSK doesn't
check it, it is disabled - that's what it says:

C:\>fsutil usn queryjournal c:
Error: The volume change journal is not active.

Who disabled it? How do I repeat that at will?
 
Patok said:
That's an interesting thing to try, indeed. I don't know how
conclusive the results can be, though.

I did it on one of the partitions on one of the computers that do
check the journal. However, when checking it later with
fsutil usn queryjournal
it is still there. Empty at first, but still active - when I write to
that partition, it starts getting entries. So using deletejournal
doesn't disable it. Hmmm. And on the computer where CHKDSK doesn't check
it, it is disabled - that's what it says:

C:\>fsutil usn queryjournal c:
Error: The volume change journal is not active.

Who disabled it? How do I repeat that at will?
Click to expand...

Well I'll be !@#$%^&*! Now suddenly the computer where CHKDSK did
not check the Usn journal, checks it! From the event viewer, I can see
that the first time it happened was after I uninstalled McAffe VirusScan
Enterprise, and installed avast! free on that machine.
Unfortunately I did not think of doing a chkdsk after uninstalling
McAffee and before installing avast!. The checkdisk before uninstall
McAffee does *not* check the Usn journa, and the one after avast
install, *does*! So I'm not sure what exactly enabled it - the McAffee
removal, or the avast installation.
So my guessed conclusion would be that McAffee had suppressed the Usn
journal functionality for some strange reason (or side effect).
 
Well I'll be !@#$%^&*! Now suddenly the computer where CHKDSK did not
check the Usn journal, checks it! From the event viewer, I can see that
the first time it happened was after I uninstalled McAffe VirusScan
Enterprise, and installed avast! free on that machine.
Unfortunately I did not think of doing a chkdsk after uninstalling
McAffee and before installing avast!. The checkdisk before uninstall
McAffee does *not* check the Usn journa, and the one after avast
install, *does*! So I'm not sure what exactly enabled it - the McAffee
removal, or the avast installation.
So my guessed conclusion would be that McAffee had suppressed the Usn
journal functionality for some strange reason (or side effect).
Click to expand...

I've long ago stopped using the big commercial anti-viruses and switched
to the free ones. First AVG, then Avira, and now MSE.

Yousuf Khan
 
VanguardLH said:
Oh, you know everything ("preaching to the choir") but you're still
asking others for help. Yep, from what you posted, sure, we know that
you know everything we mention or suggest. Okay then, you know it all
so go ahead and resolve the problem on your own. Sorry for intruding on
your oversensitive ego and god-like realm.


Yes, apparently you are a loser. You actually think anyone is going to
be so fascinated with you presence that they have a memorized record of
your participation here and elsewhere or even bother to look up your
history. I wasn't here to learn about you. I saw the question, not the
poster. Wow, what an inflated ego or maybe you're on the rag.

You even expect that everyone who voluntarily chooses to respond will
somehow know what you already know so they won't step on your really
touchy toes. Good luck with culling helpful responses with that
attitude of yours.


Oh, now the question changes from what is journaling to where are its
files. Well, gee, now how am I supposed to answer that question without
possibly recounting information you might already know? Wouldn't want
to step on those touchy toes of yours again.


Journaling files are not presented to the user through Windows Explorer.
They are tiny files spread out all over the hard disk and why sometimes
you still cannot defrag a partition enough to get a large enough
contiguous space to copy/move a file into that partition without it
getting split into fragments which, if that's your goal, you'll have to
wipe the partition and clone it back (using the file system, not by
replacing sectors) to move the journal files up front. Defrag doesn't
move the journal files.

Oops, I've intruded on your don't-ever-state-anything-I-already-know-
but-you-don't-know-what-I-know world. I might recount something you
already know which really seems to irritate you because we aren't mind
readers to know everything you already know. Have fun with your
research.
Click to expand...

THIS is the answer I believe is the root cause and solution to an ongoing problem (6 months+ of someone who put a target on my back) that has literally cost me everything. So at this point Im just desperate to protect myself and my children enough to get my kids back, my identity back, and move forward with my life and ensure this doesnt happen again. As someone who has learned more advanced techniques first due to my situation, before having learned the basics 101 ; its beyond challenging to know what Im looking for, let alone where to go and tools to execute.

That being said, the time spent scrolling through allllllll those insult comebacks really did help in the end so thank you!!!!
 
Back
Top