hardlinks errors restoring xp ntfs to vm disk

m.ardito
Posts: 17
Joined: Tue Jul 20, 2010 1:30 pm

Re: hardlinks errors restoring xp ntfs to vm disk

Post by m.ardito » Tue Aug 03, 2010 3:09 pm

Ok, now:
1) booted a livecd and created a small empty partition (gparted)
2) booted in winxp, and formatted the small partition NTFS
3) copied all the ERASER.SYS files in different folders on that partition
4) it just happened that, during boot, symantec virus definitions updated, so the 200909* folder is now gone, and there is another one :-) it seems that the two most recent ones are kept, or so...

unfortunately the (from winxp) copied files behave differently, perhaps:

in sysresccd 1.6.0beta006:

Code: Select all

[email protected] /root % fsarchiver savefs -v /mnt/ts809/xpsmall.fsa /dev/sda2
executing [ntfs-3g -h]...
command [ntfs-3g -h] returned 9
executing [ntfs-3g  -o streams_interface=xattr -o efs_raw  -o ro  /dev/sda2 /tmp/fsa/20100803-164024-00]...
command [ntfs-3g  -o streams_interface=xattr -o efs_raw  -o ro  /dev/sda2 /tmp/fsa/20100803-164024-00] returned 0
Analysing filesystem on /dev/sda2...
============= archiving filesystem /dev/sda2 =============
-[00][  3%][DIR     ] /
-[00][  7%][DIR     ] /20100721.002
-[00][ 36%][REGFILE ] /20100721.002/ERASER.SYS
-[00][ 40%][DIR     ] /20100728.002
-[00][ 68%][REGFILE ] /20100728.002/ERASER.SYS
-[00][ 72%][DIR     ] /BinHub
-[00][ 88%][REGFILEM] /BinHub/ERASER.sys
-[00][ 92%][DIR     ] /System Volume Information
-[00][ 96%][REGFILE ] /System Volume Information/MountPointManagerRemoteDatabase
-[00][100%][DIR     ] /System Volume Information/_restore{2AE42F14-1080-4262-A7D4-7480E8A114E8}
Statistics for filesystem 0
* files successfully processed:....regfiles=4, directories=6, symlinks=0, hardlinks=0, specials=0
* files with errors:...............regfiles=0, directories=0, symlinks=0, hardlinks=0, specials=0
executing [fusermount]...
command [fusermount] returned 1
executing [fusermount -u /tmp/fsa/20100803-164024-00]...
command [fusermount -u /tmp/fsa/20100803-164024-00] returned 0

no hardlinks are detected...

and then ran again fsarchiver savefs on /dev/sda1 just to check if the problem is there or gone...
well...

Code: Select all

Statistics for filesystem 0
* files successfully processed:....regfiles=35456, directories=2547, symlinks=0, hardlinks=0, specials=0
* files with errors:...............regfiles=0, directories=0, symlinks=0, hardlinks=0, specials=0
executing [fusermount]...
command [fusermount] returned 1
executing [fusermount -u /tmp/fsa/20100803-164307-00]...
command [fusermount -u /tmp/fsa/20100803-164307-00] returned 0

it seems that hardlinks are gone... !!! it could have been gparted resizing xp partition, or xp itself doing boot time disk checking-corrections...
don't know how to help you anymore now...:-) don't know if it is good or bad...:-D
anyway, i will continue to use fsarchiver and report you similar problems if they'll happen again

btw, the product is the "client" of the enterprise suite, referred in xppro as "symantec antivirus" version 10.1.0.394

Marco

admin
Site Admin
Posts: 550
Joined: Sat Feb 21, 2004 12:12 pm

Re: hardlinks errors restoring xp ntfs to vm disk

Post by admin » Tue Aug 03, 2010 7:48 pm

So it sounds like the copy did not preserve the problem. I really have to reproduce the problem if we want to find a solution.
I think the best thing to do is to make a low-level copy (using DD) of the entire original partition, and then remove most data from it. But you will need to have some space to make a copy of the partition:

1) create a partition of the same size
2) dd if=/dev/orig of=/dev/copy (replace with original and copy partition devices)
3) ntfs-3g /dev/copy /mnt/temp
4) remove all files from /mnt/temp except the directory that contains "broken" files
5) create a "zero" file to improve compression:

Code: Select all

dd if=/dev/zero of=/mnt/temp/zero.dat bs=1M

6) umount /mnt/temp
7) create a compressed image of the partition with the broken file

Code: Select all

dd if=/dev/copy | bzip2 > /data/image-of-partition.dd.bz2

The file should be really small since the partition should only contain 0 bytes and the symantec directory. Hopefully you can send me that by email, or you can upload it somewhere.

Many thanks

m.ardito
Posts: 17
Joined: Tue Jul 20, 2010 1:30 pm

Re: hardlinks errors restoring xp ntfs to vm disk

Post by m.ardito » Wed Aug 04, 2010 7:34 am

Hi, i'm sorry, but as you read here:
m.ardito wrote: and then ran again fsarchiver savefs on /dev/sda1 just to check if the problem is there or gone...
well...

Code: Select all

Statistics for filesystem 0
* files successfully processed:....regfiles=35456, directories=2547, symlinks=0, hardlinks=0, specials=0
* files with errors:...............regfiles=0, directories=0, symlinks=0, hardlinks=0, specials=0
executing [fusermount]...
command [fusermount] returned 1
executing [fusermount -u /tmp/fsa/20100803-164307-00]...
command [fusermount -u /tmp/fsa/20100803-164307-00] returned 0
it seems that hardlinks are gone... !!!
see
m.ardito wrote: files successfully processed:....regfiles=35456, directories=2547, symlinks=0, hardlinks=0, specials=0
hardlinks are gone... !!! i mean, on the original partition! fsarchiver finds no more hardlinks!

? i don't know why, but suspect that as the automatic virusdefs update of the symantec product removed those files, and created new dirs/files, those fields are gone from the disk, and probably the new ones have no hardlinks, as reported by fsarchiver. I will try to restore the last savefs, anyway, to see if other errors are produced, but i feel that was a problem of those specific files, that are now gone (well i have the .fsa backup, but not the original ones...)

i will try also to check with ntfsinfo -vi the new ERASER.SYS, if any, and check if the "double name" is still on the new files. i feel that the "hardlinks" errors on those files were somehow related to the presence of two different filenames (posix and win/dos namespaces)

I'll let you know, sorry for having been unable to keep those files...

Marco

admin
Site Admin
Posts: 550
Joined: Sat Feb 21, 2004 12:12 pm

Re: hardlinks errors restoring xp ntfs to vm disk

Post by admin » Wed Aug 04, 2010 11:34 am

Ok Thanks. We need to find a way to reproduce the problem.
I have sent you a private message.

m.ardito
Posts: 17
Joined: Tue Jul 20, 2010 1:30 pm

Re: hardlinks errors restoring xp ntfs to vm disk

Post by m.ardito » Thu Aug 05, 2010 8:02 am

Hi, i could send the program to you - it's about 27 meg 7z ultra compressed - BUT i feel it would be of no use to you, and you could easily experience license issues, i think. the program itself had no error, it was just a problem of "virusdefs" files, so virus definition updates (that were quite old, being named 20090115 and 20090927...) that are changed quite frequently on clients, and in our LAN they are updated from a local management server, not from symantec directly...

anyway,
the newly updated ERASER.SYS files behave differently (no more hardlink errors), and i suspect that there was something "wrong" only on the old files.
they do not have the "double name" anymore and both show

Number of Hard Links: 1 (0x1)

while the old files had

Number of Hard Links: 2 (0x2)

i highly suspect there - as you supposed - ntfs-3g failed on the old files either:
1) because those files had a bad ntfs format themselves (but i know nothing about ntfs details....), or other errors
2) because it was unable to handle that situation, and failed about that "short name"

i now repeated the search with ntfsinfo -vi command and here is the output (about the new files), hoping you (or someone of ntfs-3g team, if you are going to report this issue) can understand something more...

Code: Select all

[email protected] / % mount /dev/sda1 /mnt/windows
[email protected] / % cd /mnt/windows/Programmi/File\ comuni/Symantec\ Shared/VirusDefs
[email protected] /mnt/windows/Programmi/File comuni/Symantec Shared/VirusDefs % ls -li */ERASER.SYS
33488 -r-------- 1 root root 102448 2010-05-21 22:41 20100728.002/ERASER.SYS
19659 -r-------- 1 root root 102448 2010-05-21 22:41 20100802.002/ERASER.SYS
28773 -r-------- 1 root root  47760 2006-02-15 00:00 BinHub/ERASER.SYS
[email protected] /mnt/windows/Programmi/File comuni/Symantec Shared/VirusDefs % cd /
[email protected] / % umount /mnt/windows
[email protected] / % ntfsinfo -vi 19659 /dev/sda1 > 19659.txt
[email protected] / % ntfsinfo -vi 33488 /dev/sda1 > 33488.txt
[email protected] / % cat 19659.txt
Dumping Inode 19659 (0x4ccb)
Upd. Seq. Array Off.:    48 (0x30)
Upd. Seq. Array Count:   3 (0x3)
Upd. Seq. Number:        3 (0x3)
LogFile Seq. Number:     0x8c992580
MFT Record Seq. Numb.:   46 (0x2e)
Number of Hard Links:    1 (0x1)
Attribute Offset:        56 (0x38)
MFT Record Flags:        IN_USE
Bytes Used:              344 (0x158) bytes
Bytes Allocated:         1024 (0x400) bytes
Next Attribute Instance: 4 (0x4)
MFT Padding:    00 00
Dumping attribute $STANDARD_INFORMATION (0x10) from mft record 19659 (0x4ccb)
        Attribute length:        96 (0x60)
        Resident:                Yes
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      0 (0x0)
        Data size:               72 (0x48)
        Data offset:             24 (0x18)
        Resident flags:          0x00
        ReservedR:               0 (0x0)
        File Creation Time:      Tue Aug  3 14:25:53 2010
        File Altered Time:       Fri May 21 22:41:04 2010
        MFT Changed Time:        Tue Aug  3 14:25:40 2010
        Last Accessed Time:      Tue Aug  3 14:25:57 2010
        File attributes:         ARCHIVE (0x00000000)
        Maximum versions:        0
        Version number:          0
        Class ID:                0
        User ID:                 0 (0x0)
        Security ID:             307 (0x133)
        Quota charged:           0 (0x0)
        Update Sequence Number:  0 (0x0)
Dumping attribute $FILE_NAME (0x30) from mft record 19659 (0x4ccb)
        Attribute length:        112 (0x70)
        Resident:                Yes
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      2 (0x2)
        Data size:               86 (0x56)
        Data offset:             24 (0x18)
        Resident flags:          0x01
        ReservedR:               0 (0x0)
        Parent directory:        19418 (0x4bda)
        File Creation Time:      Tue Aug  3 14:25:53 2010
        File Altered Time:       Tue Aug  3 14:25:53 2010
        MFT Changed Time:        Tue Aug  3 14:25:53 2010
        Last Accessed Time:      Tue Aug  3 14:25:53 2010
        Allocated Size:          0 (0x0)
        Data Size:               0 (0x0)
        Filename Length:         10 (0xa)
        File attributes:         ARCHIVE (0x00000000)
        Namespace:               Win32 & DOS
        Filename:                'ERASER.SYS'
Dumping attribute $DATA (0x80) from mft record 19659 (0x4ccb)
        Attribute length:        72 (0x48)
        Resident:                No
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      3 (0x3)
        Lowest VCN               0 (0x0)
        Highest VCN:             25 (0x19)
        Mapping pairs offset:    64 (0x40)
        Compression unit:        0 (0x0)
        Data size:               102448 (0x19030)
        Allocated size:          106496 (0x1a000)
        Initialized size:        102448 (0x19030)
        Runlist:        VCN             LCN             Length
                        0x0             0x58b7c         0x1a
End of inode reached
[email protected] / % cat 33488.txt
Dumping Inode 33488 (0x82d0)
Upd. Seq. Array Off.:    48 (0x30)
Upd. Seq. Array Count:   3 (0x3)
Upd. Seq. Number:        4 (0x4)
LogFile Seq. Number:     0x8c8dce17
MFT Record Seq. Numb.:   31 (0x1f)
Number of Hard Links:    1 (0x1)
Attribute Offset:        56 (0x38)
MFT Record Flags:        IN_USE
Bytes Used:              344 (0x158) bytes
Bytes Allocated:         1024 (0x400) bytes
Next Attribute Instance: 4 (0x4)
MFT Padding:    00 00
Dumping attribute $STANDARD_INFORMATION (0x10) from mft record 33488 (0x82d0)
        Attribute length:        96 (0x60)
        Resident:                Yes
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      0 (0x0)
        Data size:               72 (0x48)
        Data offset:             24 (0x18)
        Resident flags:          0x00
        ReservedR:               0 (0x0)
        File Creation Time:      Tue Aug  3 14:24:42 2010
        File Altered Time:       Fri May 21 22:41:04 2010
        MFT Changed Time:        Tue Aug  3 14:24:26 2010
        Last Accessed Time:      Tue Aug  3 14:24:48 2010
        File attributes:         ARCHIVE (0x00000000)
        Maximum versions:        0
        Version number:          0
        Class ID:                0
        User ID:                 0 (0x0)
        Security ID:             307 (0x133)
        Quota charged:           0 (0x0)
        Update Sequence Number:  0 (0x0)
Dumping attribute $FILE_NAME (0x30) from mft record 33488 (0x82d0)
        Attribute length:        112 (0x70)
        Resident:                Yes
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      2 (0x2)
        Data size:               86 (0x56)
        Data offset:             24 (0x18)
        Resident flags:          0x01
        ReservedR:               0 (0x0)
        Parent directory:        33287 (0x8207)
        File Creation Time:      Tue Aug  3 14:24:42 2010
        File Altered Time:       Tue Aug  3 14:24:42 2010
        MFT Changed Time:        Tue Aug  3 14:24:42 2010
        Last Accessed Time:      Tue Aug  3 14:24:42 2010
        Allocated Size:          0 (0x0)
        Data Size:               0 (0x0)
        Filename Length:         10 (0xa)
        File attributes:         ARCHIVE (0x00000000)
        Namespace:               Win32 & DOS
        Filename:                'ERASER.SYS'
Dumping attribute $DATA (0x80) from mft record 33488 (0x82d0)
        Attribute length:        72 (0x48)
        Resident:                No
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      3 (0x3)
        Lowest VCN               0 (0x0)
        Highest VCN:             25 (0x19)
        Mapping pairs offset:    64 (0x40)
        Compression unit:        0 (0x0)
        Data size:               102448 (0x19030)
        Allocated size:          106496 (0x1a000)
        Initialized size:        102448 (0x19030)
        Runlist:        VCN             LCN             Length
                        0x0             0x1bb9e         0x1a
End of inode reached
[email protected] / % ntfsinfo -vi 28773 /dev/sda1
Dumping Inode 28773 (0x7065)
Upd. Seq. Array Off.:    48 (0x30)
Upd. Seq. Array Count:   3 (0x3)
Upd. Seq. Number:        6 (0x6)
LogFile Seq. Number:     0x8c94fc86
MFT Record Seq. Numb.:   1 (0x1)
Number of Hard Links:    1 (0x1)
Attribute Offset:        56 (0x38)
MFT Record Flags:        IN_USE
Bytes Used:              344 (0x158) bytes
Bytes Allocated:         1024 (0x400) bytes
Next Attribute Instance: 4 (0x4)
MFT Padding:    00 00
Dumping attribute $STANDARD_INFORMATION (0x10) from mft record 28773 (0x7065)
        Attribute length:        96 (0x60)
        Resident:                Yes
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      0 (0x0)
        Data size:               72 (0x48)
        Data offset:             24 (0x18)
        Resident flags:          0x00
        ReservedR:               0 (0x0)
        File Creation Time:      Mon Nov  5 16:34:02 2007
        File Altered Time:       Wed Feb 15 00:00:00 2006
        MFT Changed Time:        Mon Nov  5 16:33:59 2007
        Last Accessed Time:      Tue Aug  3 14:25:34 2010
        File attributes:         ARCHIVE (0x00000000)
        Maximum versions:        0
        Version number:          0
        Class ID:                0
        User ID:                 0 (0x0)
        Security ID:             307 (0x133)
        Quota charged:           0 (0x0)
        Update Sequence Number:  0 (0x0)
Dumping attribute $FILE_NAME (0x30) from mft record 28773 (0x7065)
        Attribute length:        112 (0x70)
        Resident:                Yes
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      2 (0x2)
        Data size:               86 (0x56)
        Data offset:             24 (0x18)
        Resident flags:          0x01
        ReservedR:               0 (0x0)
        Parent directory:        28643 (0x6fe3)
        File Creation Time:      Mon Nov  5 16:34:02 2007
        File Altered Time:       Mon Nov  5 16:34:02 2007
        MFT Changed Time:        Mon Nov  5 16:34:02 2007
        Last Accessed Time:      Mon Nov  5 16:34:02 2007
        Allocated Size:          0 (0x0)
        Data Size:               0 (0x0)
        Filename Length:         10 (0xa)
        File attributes:         ARCHIVE (0x00000000)
        Namespace:               Win32 & DOS
        Filename:                'ERASER.sys'
Dumping attribute $DATA (0x80) from mft record 28773 (0x7065)
        Attribute length:        72 (0x48)
        Resident:                No
        Name length:             0 (0x0)
        Name offset:             0 (0x0)
        Attribute flags:         0x0000
        Attribute instance:      3 (0x3)
        Lowest VCN               0 (0x0)
        Highest VCN:             11 (0xb)
        Mapping pairs offset:    64 (0x40)
        Compression unit:        0 (0x0)
        Data size:               47760 (0xba90)
        Allocated size:          49152 (0xc000)
        Initialized size:        47760 (0xba90)
        Runlist:        VCN             LCN             Length
                        0x0             0xa41ff         0xc
End of inode reached

Marco
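
Added example (not part of the thread, and not fsarchiver or ntfs-3g code): a small parser for the `ntfsinfo -vi` layout posted above that relates `Number of Hard Links` to the `$FILE_NAME` entries and their namespaces. The inode 40000 record and its filenames are constructed, and the classification assumes the header count also counts a DOS-only 8.3 alias.

```python
import re

# Constructed input in the layout `ntfsinfo -vi` prints in this thread: inode
# 19659 is abridged from the post, inode 40000 is invented (long name + 8.3 alias).
SAMPLE = """\
Dumping Inode 19659 (0x4ccb)
Number of Hard Links:    1 (0x1)
Dumping attribute $FILE_NAME (0x30) from mft record 19659 (0x4ccb)
        Parent directory:        19418 (0x4bda)
        Namespace:               Win32 & DOS
        Filename:                'ERASER.SYS'
Dumping Inode 40000 (0x9c40)
Number of Hard Links:    2 (0x2)
Dumping attribute $FILE_NAME (0x30) from mft record 40000 (0x9c40)
        Parent directory:        19418 (0x4bda)
        Namespace:               Win32
        Filename:                'VirusDefinitions.dat'
Dumping attribute $FILE_NAME (0x30) from mft record 40000 (0x9c40)
        Parent directory:        19418 (0x4bda)
        Namespace:               DOS
        Filename:                'VIRUSD~1.DAT'
"""

FIELD = re.compile(r"^\s*(Parent directory|Namespace|Filename):\s+(.*?)\s*$")

def parse_ntfsinfo(text):
    """Return {inode: {"links": int, "names": [{parent, namespace, filename}]}}."""
    inodes, cur, name = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Dumping Inode (\d+)", line):
            cur = inodes.setdefault(int(m.group(1)), {"links": None, "names": []})
            name = None
        elif cur is None:
            continue  # shell prompts or noise before the first record
        elif m := re.match(r"Number of Hard Links:\s+(\d+)", line):
            cur["links"] = int(m.group(1))
        elif line.startswith("Dumping attribute"):
            name = {} if "$FILE_NAME" in line else None
            if name is not None:
                cur["names"].append(name)
        elif name is not None and (m := FIELD.match(line)):
            key, val = m.group(1).split()[0].lower(), m.group(2)
            name[key] = int(val.split()[0]) if key == "parent" else val.strip("'")
    return inodes

def classify(rec):
    """Explain a record's link count from its $FILE_NAME namespaces."""
    dos_only = [n for n in rec["names"] if n.get("namespace") == "DOS"]
    visible = len(rec["names"]) - len(dos_only)  # names that are not a pure alias
    if rec["links"] != len(rec["names"]):
        return "inconsistent: header count differs from $FILE_NAME count"
    if visible > 1:
        return "hard links: %d independent names" % visible
    return "short-name alias" if dos_only else "single name"
```

To use it on real output, pass the contents of files such as `19659.txt` to `parse_ntfsinfo` and call `classify` on each record.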
