Windows XP "NTFS.SYS" Error
I recently encountered this problem on my file server and was in trouble. This PC is also used for some personal use, and because it's a file server, has lots of important files residing on it. Luckily for me, I had DVD backups of the data, however, not so luckily for me, the most recent backups were almost 2 months old...(oops!). This means that while most of the data was not at risk, there was definitely some data on the Hard Drives that needed to be saved. Below is a chronicle of what exactly happened to the PC and the behaviors it was exhibiting and how I fixed it. I never wish that this happens to anyone as it was not easy to find a solution at first, however, just in case someone runs into this issue, and frantically scours the 'net to find a solution, I hope that they can learn from my problems how to fix the issue and recover their data.
BACKGROUND: The PC that this occurred on was a fairly new machine that I had just put together about 2 months prior, where all the hardware was purchased new, including MB, Processor, Ram, HardDrive, and Video Card. It is a fairly powerful (at the time of writing at least) AMD64 X2 w/ 2GB ram, and NVidia GeForce7600GS (512mb) video card. In addition the system was over-clocked (to 2.5Ghz X 2) and still running stable temperatures with no ill effects. There were 3 hard drives in the system, the boot HDD being the newest (500GB). The machine was running perfectly fine and normal for the entire 2 months before the problem started.
THE START OF A BIG PROBLEM: System
was multitasking most of day, and running Internet Explorer. Internet email was
read prior to incident. Norton did not pick up anything prior to incident.
RealOne audio player became locked in loop and locked. Program was terminated. TP4
(a graphics program) was
shutdown. Rebooted system to get fresh load, and system started continuously
rebooting, failing each time right after "loading windows" page was shown.
Glimpses of BSOD to fast to read before soft reset occurred.
Each reboot brings up XP boot menu saying that XP was shutdown improperly and
gives the boot options for startup. ALL of these options failed to load windows
or the command prompt. "Last known good settings" didn't start either. During
Safe Mode boot, last module that loads (printed on screen) is MUP.SYS before
rebooting occurs.
THE NORMAL FIXES:
First things first, all the normal troubleshooting things were
performed before panic started setting in.
1) First of all, the MB and processor were all set back to their stock
speeds and the BIOS was cleared out and all the setting were set back to factory
default. Again, all the boot methods were tried again without success.
2) Next thing was to break out the Windows XP install CD and try to get
the recovery console started to see if any problems are reported. The CD
booted into the DOS XP Setup utility and loaded all the drivers necessary to
get to the point that it asks you, "(r) for Repair Console, or (Enter) for
Install Windows". I pressed "R" and the the repair console started loading
files. Looking closely, it would get to the HardDrive detection phase and
Crash and Burn into a Blue-Screen-Of-Death giving the "Stop Error: NTFS.SYS"
and required a reboot. Multiple attempts at starting the Repair Console
failed at this same point every time.
3) With the Windows XP install CD still in, I figured I'd try selecting
"Install" and seeing if I could do a repair install as windows calls it, where
it installed all the windows files, but keeps all your programs and data still
intact. This failed to work, as it would also crash and give a B.S.O.D. for "NTFS.SYS"
during loading. So at this point, I couldn't start windows from the hard
drive or the CD Rom. Hmm?
After searching the internet for info relating to the problem, I came across
MANY such reported problems that all sounded similar. After much reading
however, I found that MOST people who reported a similar problem was able to
recover it by using the Windows "Recovery Console" from the CD. I found
very few people who, like me, were NOT even able to get the recovery console to
work. A small percentage either had hardware problems, or never reported
their fix (assuming they found one of course). So I needed to start
looking harder.
HARDWARE PROBLEMS?:
At this point I started to suspect a possible hardware
failure or serious hardware driver issue as the possible cause, with the worse
case scenario, the HardDrive itself could be totally trashed. Since the
hardware was all brand new, I knew it was a possibility but probably unlikely.
So I tested everything I could...
1) I downloaded "Ultimate Boot CD" (or UBCD) from the Internet (look for
it in the "Internet Software" list located on the main Tip's and Tricks page).
UBCD is Dos based and not Windows, and the PC was able to boot to this CD to a
command prompt. Note that because UBCD is dos based, it cannot directly
access files and data on NTFS HardDrive partitions (which Window's uses).
Which means that all 3 HardDrives in the PC were "invisible" to DOS
because DOS is based on the FAT and FAT32 file systems.
2) I next performed a RAM memory test using utilities found on the UBCD.
These test perform write/read tests on the entire memory area to check the
integrety of the physical Memory chips. The test takes several hours to
perform (for 2GB of Ram), and reported NO errors during the entire test.
3) Next, I ran the CPU Test program found on the UBCD. This test
came back fine as well with no problems.
4) I also
swapped Video Cards to see if the problem was related to the Nvidia graphics
adapter, since the crash occurs near the loading and initializing of the windows
GUI. But the problem persisted.
5) Disabled in BIOS all unnecessary onboard devices including RAID
controller, USB ports, Ethernet, and Audio. Unplugged all remaining connections
on PC except monitor and KB. Thus if a driver was at fault, then if the
hardware is removed or disabled, Windows won't load the driver for that
hardware. But this did not make a difference either.
6) Disabled in BIOS all S.M.A.R.T. monitoring for all harddrives with no
change (some times when HDD go bad, they will show signs by failing a
SMART test which the BIOS runs at every startup by default. By disabling
SMART on the HDD, I was attempting to see if a possible SMART test failure was
the cause for not booting).
THE DATA IS THERE BUT NOT ACCESSABLE!: Now I started really looking through the 'net to find data recovery tools, and test utils. I ended up download a BootCD version of FreeDOS from www.ntfs.com. This version came with a program called NTFSReader to mount the NTFS Hard Drives in the PC. This worked, and I was able to access the boot drive and see the entire directory structure with filenames all still intact perfectly! This was great but there was a catch. The NTFSReader program was just that, a reader for NTFS file system only, it would NOT write to an NTFS file system, only a FAT or FAT32 file format drive (all of my HDD are formatted for NTFS so I was out of luck on this one, otherwise, a FAT32 HDD could have been used to backup the NTFS files). The program also would not let you modify an NTFS filesystem in any way at all, so there was no access to delete, or move any files at all. So this was promising for the data integrity, but a dead end for recovering it.
ENTER, THE SPARE PC SYSTEM:
OK, so at this point, I happen to have another PC tower
readily available and I decided to put it to good use. I removed the main
hard disk from the crashed PC and install it as a slave drive into a completely
different (and newer) PC. I was hopping to boot the new PC using it's
normal HardDrive, and then copy the data off the slave drive from the crashed
PC. Since I would be booting to Windows, I would be able to access NTFS
drives and read and write them with no problems.
When the new PC was turned on, it started booting, and believe it or not, it
would stop and reboot at the exact same point as the original PC did!
Remember, this new PC was booting from it's own HDD which I verified it booted
normally just prior to installing the bad drive as the slave. But alas,
the SAME PROBLEM on this one!? I tried all the boot methods just to be
thorough, and just as expected, they all failed to start up Windows.
I then removed the HDD from the original PC (the slave in the new PC), and tried
booting the new PC again. With the slave drive removed, it booted normal
again!
I then tried taking a really old spare HDD that I had laying around (15 GB), and installed it into the PC that originally showed the reboot problem. I left the original boot drive out of both PC's at this point, as it was obvious that the problem was related to the drive itself. I then installed a new copy of XP Pro onto the spare 15GB drive, and the install ran fine and smooth and I was soon booting to Windows with the PC that originally rebooting itself. This proved to me that all the hardware devices in the PC were working properly except possibly the original Hard Drive that causes the PC's to reboot. I connected the bad drive as the slave drive in the original PC and tried booting to be faced with the reboot curse instanty again.
HARDWARE PROBLEMS?: It was now obvious that the problem came from the hard drive itself, and that no matter what PC it was connected to the PC couldn't start Windows. However, the filesystem was still intact on the drive according to NTFSReader. I then downloaded a Maxtor HDD utility for the model drive in question and booted to CD and ran the Hard Disk Physical Tests. Both the Quick Test, and the Full Test came back as ERROR FREE. The Master Boot Record also reported to be fine. How could a Hard Drive, that not physically damaged cause any PC running windows to lock up and reboot???
HELLO LINUX err-KNOPPIX! TO THE RESCUE: As a last resort, I have heard of Linux being able to read NTFS, and I was pointed to a Linux version called "Knoppix Boot CD" This was a complete boot disc, that starts up a Portable Environment Linux on any PC. Once the Knoppix CD was started up and running, I was able to mount all the HDD in the system (including the faulty one) as NTFS read mode. Because I wasn't limited to DOS, Linux supports USB and Networking and even CD/DVD burning within the boot version, so these are all viable backup methods. I was able to use a 1GB ThumbDrive (which was formated FAT32) to copy the files off the faulty HDD and onto another PC for temporary backup. At last! I was able to get my files off, and while it may not be easy with a ThumbDrive, I could have used something that holds more data if I had needed such as burning a DVD or FTP'ing the files to a server somewhere).
FINALLY WORKING AGAIN: In the end, once the data was saved, I ultimately had to perform a Low Level Format of the Hard Drive using Maxtor's (manufacturer) boot disk. The LLF completed successfully and the drive was once again scanned for errors using the manufacturer's utilities. No errors were reported. The drive was repartitioned, and Windows was able to successfully load and complete a New install on the clean drive. Once again everything worked good between the HDD and the PC and Windows. All the software had to be re-installed from scratch of course and the data restored to the drive again, and soon everything was back in working order, all using the exact same hardware that was installed when it failed. Go figure!
CONCLUSION:
So what was the actual problem? Well, at various points
during the troubleshooting, I saw messages from Linux and FreeDos saying that
the NTFS filesystem was corrupt. This corrupted NTFS filesystem is what
was causing NTFS.SYS to crash during startup. Apparently, while Windows
is starting, it loads NTFS.SYS which handles the NTFS file system operations on
all the disk drives in the PC. When NTFS.SYS starts, it first checks how
many drives are in the PC physically, and then attempts to mount those drives in
Read/Write mode with NTFS support. I'm not for sure on whether Microsoft's
version of NTFS.SYS either only mounts drives in Read/Write mode and not in Read
only mode, or if it just more "picky" about the integrety of the NTFS file
structure, but when ANY form of Microsoft's version of NTFS.SYS tried to mount
the drive, it would crash and cause a Stop Error.
Linux on the other hand, has the ability to mount the NTFS drive in Read Only
mode, which is more stable since no data is manipulated on the drive.
Whatever the differences between the way Linux handles NTFS filesystems and
Windows handles NTFS filesystems was the difference between a successful data
recover and a Stop Error. It was because of this difference that explains
why the HDD caused multiple PC's to exhibit the same behavior regardless of
whether the PC was booting from the drive or not. Once NTFS.SYS loaded for
Window's, it was game over regardless of where the HDD was installed on the PC
or whether the PC booted from the HDD or a CD. It was also why a Low-Level
Format effectively "fixed" the problem (if you can call Low Level Formatting a
Fix for anything).
