Wednesday, 02 October 2013

Manually Reset or Clear Dirty Bit in Windows without using CHKDSK

One mystery that has gone unsolved for the longest time now is the dirty bit on hard drive volumes. Basically a dirty bit is just a 1 hex value located somewhere hidden on the hard drive that Microsoft never revealed until recently. Windows checks the dirty bit to determine whether a volume may contain corrupted files, for example after you hard reset your Windows computer while files are still open or unplug a USB flash drive in the midst of copying a file.

When the computer boots up with the dirty bit enabled on a hard drive, you will be asked to check the disk for consistency before Windows is loaded. You can skip the disk checking by pressing any key but it will come back again the next time you start up your computer. This will usually keep happening until you let the drive be scanned or alternatively you can tell Windows to stop checking the specific drive. This method doesn’t clear the dirty bit on the drive though and simply forces Windows not to scan a drive on boot.
Checking file system on C: The type of the file system is NTFS
As for a USB flash drive or portable hard drive with the dirty bit enabled, plugging the drive into a Windows 7 computer will prompt a window that asks:
Do you want to scan and fix Removable Disk (G:)?
There might be a problem with some files on this device or disc. This can happen if you remove the device or disc before all files have been written to it.
If you close the popup or select “Continue without scanning”, then this popup will continue to haunt you until you decide to click the recommended Scan and Fix option. There are guides on how to disable the scan and fix window by disabling the Shell Hardware Detection service, but that really isn’t a viable solution since you’re telling Windows to ignore the problem rather than fixing the problem itself.
There is a tool called fsutil.exe in Windows which can be used to check if a volume is dirty and can even be used to manually set a drive as dirty, which will force the requests to scan it, but weirdly it cannot be used to clear the dirty bit. Someone has already reverse engineered fsutil.exe to confirm it.
So there seem to be 2 solutions to clear the dirty bit: trust the Microsoft disk checking utility by completing a check disk, OR move the data away from the volume, format the drive and then move the data back. Going with the first option would risk losing some of your files when the scan disk decides to turn them into CHK files. The second option is safer but takes a lot of time if you have a lot of files to move.
Here is a third method, and we’ve spent several hours locating the dirty bit on NTFS and FAT16/32 file systems so that we can manually reset or clear the dirty bit with a hex editor that supports disk editing. As we said earlier, the dirty bit is simply 1 hex value on the disc volume that needs to be reset and is easy to change again in future once you know how.
We’ve tried a total of 13 different hex editors, which are wxHexEditor, HxD, 010 Editor, CI Hex Viewer, iBored, HexEdit Pro, Hackman Suite, DMDE, Hexprobe, FlexHEX, ADRC Hard Disk Hex Editor, WinHex and Hex Workshop. Only DMDE, WinHex and Hex Workshop were able to write the data back to the disc, but the last two are shareware tools. HxD is certainly one of the easiest tools to use and can make the needed changes but is a bit slower because it needs to manually search the drive for some values.

Special Note: After testing it seems none of the hex editors will edit the system volume (C: drive) or any volumes currently in use and locked by the system, although some of them claim to be able to do so. There is a solution to this problem which we mention at the bottom of the article.

Clear the Dirty Bit for an NTFS Volume

1. Download the DMDE GUI for Windows tool and extract the zip file; it’s free and portable.
2. On running the DMDE.exe you will be asked to select a drive for editing, clicking on “Logical Disk/Volumes” will give the drive letter to help recognize the correct drive for editing. Partition size and label for the current selection will be underneath.
3. On the Partitions screen click the volume on the logical drive, then Open Volume. Click Open on the next window. In the edit window click the expand icon on the bottom right window to expand the MFT view.
4. Press Alt+C to bring up the volume cluster selection (or Editor -> Volume Cluster), just press OK or enter in the window.
5. Now in the Hex editor press Ctrl+S or go to Tools -> “Search String in Object”. In the Hex box enter the following string and click OK:
03 01 01 00 00 00 00 00 80 00 00 00 18
For some odd reason Windows 8 has slightly changed this value when it sets the dirty bit and the values to look for are different. For a fixed drive look for the following hex string:
03 01 01 01 00 00 00 00 80 00 00 00 18
For a USB flash drive in Windows 8 look for this:
03 01 81 01 00 00 00 00 80 00 00 00 18
Note the values that differ from Windows 7 and below: the fourth value is 01 instead of 00 and, for the USB flash drive, the third value is 81 instead of 01.
6. Instantly the program will find the string as it’s close by. Everyone will have different offset addresses for this string which is to be expected.
7. The dirty bit itself is not the whole string and the second (and third in Windows 8) 01s in the search string are all that needs to be edited, so:
03 01 01 00 00 00 00 00 80 00 00 00 18 (or 03 01 01 01 for Win 8)
will turn into this to clear the dirty bit:
03 01 00 00 00 00 00 00 80 00 00 00 18
Click on the 01 to be edited and press Ctrl+E (or Edit -> Edit Mode) which will make the cursor flash. Change the 01 to 00. If this value is already 00 then the dirty bit is not currently set.
8. When you’re ready, press Ctrl+W or Edit -> Write Changes to commit the change to the disc and close DMDE.
The offset location of the dirty bit is different on every NTFS volume. If you try to locate the dirty bit using a search for 03 01 01 00 00 00 00 00 80 00 00 00 18 from the start of the drive, you will likely find another match within the first 20 or 30 sectors. Changing this value will NOT clear the dirty bit. So far the dirty bit offset hex patterns are the same on Windows XP, Windows Vista and Windows 7 when installed on an NTFS partition; only Windows 8 seems to be different. Manually resetting the dirty bit on NTFS takes effect immediately on Windows 7 and Windows 8, but on XP it requires a restart.

Clear the Dirty Bit for a FAT32 Volume

Finding and clearing the dirty bit for a FAT32 file system is far easier than NTFS because it’s located right at the start of the volume and is always at the same offset location. Here’s how to clear it.
1. Download DMDE GUI for Windows and follow steps 1 and 2 above to load the program and select the drive volume to edit.
2. On the Partitions screen change nothing and select Close.
3. The dirty bit for FAT32 is located at offset 41 (5 down, 2 across) and if set this will be 01. Click on it, press Ctrl+E to edit, change 01 to 00 and then press Ctrl+W to commit the changes.

Clear the Dirty Bit for a FAT(16) Volume

As for a FAT(16) volume, the procedure is exactly the same as for FAT32 except that the offset of the value to change is slightly different. When you’re working in DMDE, look at the offset of 25 and if necessary change the dirty bit value of 01 to 00. Use Ctrl+E, edit the value and then Ctrl+W to commit the changes.
Unfortunately we didn’t manage to locate the dirty bit for the exFAT file system which seems to be harder to trace and edit.
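A read-only check of the values described in the three sections above, as an added example that is not part of the original article: it reports the FAT16/FAT32 flag byte from a boot sector and lists every match of the NTFS search string in a raw buffer, so the state can be confirmed on a disk image before and after an edit. The offsets 25 and 41 are assumed to be hexadecimal (as "5 down, 2 across" in a 16-column hex view implies); the function names, the 512-byte sector size and the sample buffers are constructed for illustration.

```python
import re
import struct

SECTOR = 512  # assumed sector size, used only to report where a match sits
# Page offsets 25 (FAT16) and 41 (FAT32), read as hexadecimal (assumption).
FLAG_OFFSET = {"FAT16": 0x25, "FAT32": 0x41}
# The page's NTFS search string with the two bytes after "03 01" left open, so
# the Windows 7 (01 00), Windows 8 (01 01, 81 01) and cleared (00 00) forms match.
NTFS_PATTERN = re.compile(
    rb"\x03\x01(..)\x00\x00\x00\x00\x80\x00\x00\x00\x18", re.DOTALL)
TAIL = bytes.fromhex("000000008000000018")
# Constructed buffer: Windows 7 dirty, Windows 8 USB dirty, then cleared.
SAMPLE_NTFS = (bytes(100) + bytes.fromhex("03010100") + TAIL + b"\xff" * 20
               + bytes.fromhex("03018101") + TAIL + b"\xaa" * 7
               + bytes.fromhex("03010000") + TAIL)


def fat_dirty_flag(boot_sector: bytes) -> dict:
    """Report the FAT16/FAT32 flag byte from a volume's first sector."""
    if len(boot_sector) < SECTOR or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA boot signature")
    if boot_sector[3:11] in (b"NTFS    ", b"EXFAT   "):
        raise ValueError("NTFS/exFAT boot sector, not FAT16/FAT32")
    # A zero 16-bit FAT size field at 0x16 marks the FAT32 layout; FAT12
    # shares the FAT16 layout and is reported under that name here.
    (fat_size_16,) = struct.unpack_from("<H", boot_sector, 0x16)
    fs = "FAT32" if fat_size_16 == 0 else "FAT16"
    value = boot_sector[FLAG_OFFSET[fs]]
    return {"fs": fs, "value": value, "dirty": bool(value & 0x01)}


def ntfs_flag_candidates(data: bytes, base: int = 0) -> list:
    """List every match of the page's NTFS search string in a raw buffer."""
    # Every match is kept: the page warns that more than one exists per volume.
    hits = []
    for m in NTFS_PATTERN.finditer(data):
        pos = base + m.start(1)  # position of the first of the two flag bytes
        hits.append({"offset": pos, "sector": pos // SECTOR,
                     "bytes": m.group(1).hex(), "dirty": bool(m.group(1)[0] & 1)})
    return hits


def sample_boot_sector(fs: str, flag: int) -> bytes:
    """Constructed 512-byte boot sector holding only the fields read above."""
    sector = bytearray(SECTOR)
    struct.pack_into("<H", sector, 0x16, 0 if fs == "FAT32" else 0xF5)
    sector[FLAG_OFFSET[fs]] = flag
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)
```

To check a real volume, pass the first 512 bytes of a disk image to fat_dirty_flag, or a chunk of the image together with its starting offset to ntfs_flag_candidates; neither function writes anything.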

Changing the Dirty Bit on Locked/System volumes

If you’re trying to clear the dirty bit on your C drive you will probably find using any hex editor will not solve the problem and you will get a locked error in a similar way to when you need to run Chkdsk and it cannot run until you reboot the system.
could not lock. volume may be used or access is denied
However, there is a way around this problem, which is not to boot from the C drive: the volume is then no longer locked and you can edit it with a hex editor. This can be achieved with the help of a bootable live CD, and we would highly recommend Hiren’s Boot CD for the task because HxD is already included in the Mini Windows XP.
1. Download Hiren’s Boot CD and burn it to CD or write it to USB.
2. Boot the system with the CD/USB flash drive and choose Mini Windows XP at the menu.
3. Once Windows has loaded, click on the tool icon in the tray and select “Editors / Viewers” -> HxD. This will load the HxD editor.
4. Go to the Extras menu, select Open disk and choose the drive you can’t edit. Make sure to untick the Read Only box before pressing OK and accepting the warning.
5. Now simply search for the strings depending on the file system you want to edit from above. Ctrl+F will bring up the search window and choose a Datatype of Hex from the drop down, then enter the hex string.
6. Once you’ve finished editing, click the Save icon or press Ctrl+S. You obviously need to be very sure what you’re doing here because changing the wrong values could render the computer unbootable.

source:  http://www.raymond.cc/blog/manually-reset-or-clear-dirty-bit-in-windows-without-chkdsk/2/

3 comments:

  1. The simple solution to the problem is to do a search on your Windows hard drive for AUTOCHK.EXE. Rename each of them to AUTOCHK1.EXE.

    Your computer will boot successfully and you can go find a good hard drive repair utility.

    1. AUTOCHK.EXE looks like CHKDSK.EXE but is the version that Windows runs on boot.