Noca2plus
The problem
-----------
My WinXP computer will not boot from its hard drive. Shortly after POST, it
displays the message "A disk read error occurred. Press Ctrl+Alt+Del to
restart." I cannot get the option of starting in Safe Mode or restoring Last
Known Good Configuration by pressing <f8> at startup. The boot.ini is intact
(see below), but adding the /safeboot:minimal switch (
http://support.microsoft.com/kb/833721/en-us) does not change the error
message (i.e., it doesn't enter safe mode).
The data on the hard drive appears intact. If I boot into Recovery Console
from the WinXP Installation CD, I can see the files on the drive just fine.
I've also installed a fresh copy of XP on a spare drive, making my "broken"
drive the slave, and again, I can access the files just fine (this is how I
edited the boot.ini file of the broken drive).
The hard drive doesn't appear to be failing. I ran chkdsk /r from the spare
drive (targeting the "broken" drive) and while it corrected "errors in the
Volume Bitmap", no bad sectors were found (the drive still has zero bad
sectors). I also ran HDTune ( http://www.hdtune.com/ ), and the drive's
SMART status is all OK. I've run a lot of diagnostics on the drive and the
drive functions consistently. There's no hint (other than the inability to
boot) that the drive is "flaky" or showing inconsistent problems.
No other hardware on this computer appears to be failing. As mentioned
above, I installed XP to a spare drive on this same computer, and it seems to
be working fine. I've run many diagnostics on this spare drive as well. The
consistency of the computer's performance after the crash suggests that this
is not a power- or power supply-related problem. Also, the consistency with
which this problem recurs (see below) suggests it is not caused by random
errors in a failing component.
The drive does not appear to have a known virus. Booting from the spare
drive, I scanned the broken drive with Sophos anti-virus and Sophos
anti-rootkit. It was clean. Just to be sure, I also booted from a BartPE CD
( http://www.nu2.nu/pebuilder/ ) and scanned the drive with the latest
McAfee command line scanner. Again, it was clean. The one caveat here is
that, because I didn't boot from the broken drive, its registry was probably
not scanned.
Booting off a WinXP floppy boot disk (
http://support.microsoft.com/kb/314079/en-us ) does not allow the "broken"
hard drive to boot. I consistently get a different error message at start
up: "<windows root>\system32\hal.dll is missing or corrupt" The floppy boot
disk works fine in other computers and in this same computer when booting off
the "spare" drive. In booting off the "broken" drive (with the floppy), I
can get to the boot options screen by pressing <F8>, but selecting either
Safe mode or Last Known Good results in the same complaint about hal.dll.
I've replaced hal.dll on the "broken" drive with a (good) copy from the
"spare" drive, but that didn't change anything.
On the broken drive, the Master Boot Record and the primary partition's boot
sector appear to be intact (it's a basic disk, no dynamic volume). TestDisk
6.9 ( http://www.cgsecurity.org/wiki/TestDisk ) reported the MBR and Boot
Sector to be OK, and the 2 boot sector copies to be identical. Running
fixmbr and fixboot didn't help.
The problem Recurs
------------------
The most frustrating aspect of this "crash" is that it recurs after
restoring from backup with exactly the same symptoms. The first time it
happened, I spent a few days trying to fix it, including an "in-place" (no
reformat) reinstallation of WinXP, but nothing helped, so I gave up. I
reformatted the drive, reinstalled XP, and did a complete restore (including
system state) from backup (I use Retrospect 6.5). I was loath to perform a
"clean" reinstall of all my applications because I had just performed such a
clean reinstall about 4 months prior to this first "crash". After the
restore, I performed extensive checks with chkdsk, Sophos anti-virus, and
Rootkit Revealer (
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx ). Everything
came up clean. So, I decided to move on.
Then, about 2 weeks later, the drive "crashed" in the same exact way --
Won't boot (same error message), but the drive is accessible and the files
are intact. Again, I performed numerous checks, but eventually gave up
again. Switching my backup schedule from weekly to daily, I reformatted the
drive and restored from backup. Everything seemed fine. I crossed my
fingers.
But sure enough, 9 days later, the drive "crashed" in exactly the same way.
Won't boot (same error message), but files are intact. It is this third
crash state that I'm presently working with.
I don't recall any common activity that triggered the three crashes. In all
cases, the shutdown immediately preceding the crash was unremarkable -- no
new software installed -- no catastrophic error message.
Present situation (not good)
----------------------------
I feel I'm in quite a pickle. The drive's symptoms point to a
software-based problem. This could indicate as-yet-unknown malware. A clean
reinstall (i.e., only restore data files from backup, not applications and
system state) might fix the problem. But then again, the hypothetical
malware could be IN my data files. The only guarantee from a clean
reinstall is that I'll spend another couple days cobbling my computer back
together again.
I've also thought about purchasing another hard drive of similar size to
restore to. This would definitively rule out hardware problems with the drive
itself. However, this plan has similar drawbacks. That is, the only
guarantee is that I'll have spent money on another hard drive. If the
problem is indeed software-based, I imagine I'll have the same trouble within
a fortnight.
The damage to the drive appears minor. It won't boot, but little else
appears wrong. However, try as I might, I can't seem to get the drive to
boot.
Further thoughts
----------------
The "Disk Read Error" on startup appears to come from the boot sector. Disk
probe from the XP support tools (
http://support.microsoft.com/kb/306794/en-us ) shows this error text in the
boot sector (sector 63), and changing the text in the boot sector changes the
error message displayed on startup.
The "Disk Read Error" occurs early in startup -- before the
\windows\ntbtlog.txt is written (appended). I added the /bootlog switch to
the boot.ini, but no text is ever written to ntbtlog.txt. The boot sector
also tests for the presence of ntldr in the root directory, and has separate
error text for complaining when ntldr is absent (I confirmed this with my
spare drive). However, renaming ntldr on my "broken" drive doesn't change
the error message on boot. It seems that the read error occurs even before
the boot sector code attempts to load ntldr, yet isn't a problem with the
boot sector itself. I'm not sure what all happens between the MBR passing
control to the boot sector and the boot sector loading ntldr. Locating the
MFT likely occurs during this time, but the logical cluster number for $MFT
in the boot sector (as reported by SecInspect.exe) appears to be correct (I
checked with dskprobe.exe). Besides, I'm not sure I could access the broken
drive's files from the spare if the boot sector had wrong information about
the MFT location.
It seems that a floppy boot disk should bypass problems with the "broken"
drive's boot sector code. However, because I cannot boot successfully off a
floppy (see above), there may be more than one problem: an early problem
that triggers the "disk read error" when booting strictly from the hard
drive. And a later problem that triggers the "hal.dll missing or corrupt"
when booting from the floppy.
In any case, both problems occur before the windows\ntbtlog.txt file is
written, so I can't confirm any particular file as being properly loaded
(actually, it seems likely that nothing is getting loaded because renaming
ntldr doesn't change the error message). To test the possibility of corrupt
files, I copied several files off the "broken" drive and put them into
service on my spare drive to see if the spare drive would inherit the
problems. These included boot.ini, ntldr, ntdetect.com, ntoskrnl.exe,
hal.dll, kdcom.dll, and bootvid.dll. All worked fine on the spare drive.
Using my spare drive, I've examined the event log for the broken drive. The
last entry (3/6/2008 1:52:39AM) is for the Event log service stopping, which
I think indicates a normal shutdown (not a crash). The \windows\bootstat.dat
file has a modify date of 3/6/2008 1:52:58AM, which suggests the computer
never successfully booted after that time (the last successful boot appears
to have been that morning -- 3/8/2008 8:06AM). Looking back further in the
event log, about 24hrs before this last shutdown, there is a series of about
20 events involving Windows File Protection. The series starts at 3/5/2008
12:42AM with the restoration of c:\windows\fonts\marlett.ttf and ends at
3/5/2008 4:59AM with the restoration of c:\windows\system32\oleaccrc.dll.
It's unlikely I was using the computer during that time. Curious behavior to
be sure. I don't know if similar WFP activity preceded the other two
"crashes". And I don't see any particularly critical files (e.g., ntldr)
being restored by WFP.
I sure would appreciate any help you can give me.
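
The boot-sector fields the post examines by hand (the $MFT logical cluster number, the partition starting at sector 63) can be decoded and cross-checked from a saved copy of the sector. This is an added example, not part of the original post: the function names and the sample sector are constructed for illustration, and the offsets assume the standard NTFS boot sector layout.

```python
import struct

SECTOR = 512

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS parameter block of an NTFS boot sector."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    spt, heads, hidden = struct.unpack_from("<HHI", sector, 0x18)
    total, mft, mirr = struct.unpack_from("<QQQ", sector, 0x28)
    return {"oem_id": sector[3:11], "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "sectors_per_track": spt,
            "heads": heads, "hidden_sectors": hidden,
            "total_sectors": total, "mft_lcn": mft, "mftmirr_lcn": mirr,
            "signature": sector[510:512]}

def check_boot_sector(f: dict, partition_start_lba: int) -> list:
    """Return a list of inconsistencies; an empty list means none found."""
    findings = []
    if f["oem_id"] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    '")
    if f["signature"] != b"\x55\xaa":
        findings.append("missing 0x55AA end-of-sector signature")
    # Hidden sectors = sectors preceding the volume, i.e. the partition's
    # starting LBA in the MBR partition table.
    if f["hidden_sectors"] != partition_start_lba:
        findings.append("hidden sectors %d != partition start %d"
                        % (f["hidden_sectors"], partition_start_lba))
    spc = f["sectors_per_cluster"]
    clusters = f["total_sectors"] // spc if spc else 0
    for name in ("mft_lcn", "mftmirr_lcn"):
        if f[name] >= clusters:
            findings.append("%s %d lies outside the volume" % (name, f[name]))
    return findings

def mft_absolute_lba(f: dict) -> int:
    """Disk LBA of the first $MFT sector (volume offset plus hidden sectors)."""
    return f["hidden_sectors"] + f["mft_lcn"] * f["sectors_per_cluster"]

def build_sample(hidden: int = 63, mft_lcn: int = 786432) -> bytes:
    """Constructed sample sector (not taken from the poster's drive)."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11] = b"\xeb\x52\x90", b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<HHI", s, 0x18, 63, 255, hidden)
    struct.pack_into("<QQQ", s, 0x28, 16_000_000, mft_lcn, 1_000_000)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    fields = parse_ntfs_boot_sector(build_sample())
    print(fields["mft_lcn"], mft_absolute_lba(fields))
    print(check_boot_sector(fields, partition_start_lba=63))
```

Running the same parser over both the primary boot sector and its backup copy, and comparing the returned dictionaries, shows which individual field differs rather than only whether the sectors match.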