Microsoft KB Archive/831375

= The CHKDSK utility incorrectly identifies and deletes in-use security descriptors in Windows 2000 =

Article ID: 831375

Article Last Modified on 10/15/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Advanced Server

For a Microsoft Windows Server 2003 or a Microsoft Windows XP version of this article, see 831374.



SYMPTOMS
When you run the chkdsk command in fix mode, and you use the /F or the /R switch with this command, you may experience one of the following symptoms:

 * Access control lists (ACLs) on some files may revert to their default values. This issue may occur if the volume contains more than 4,194,303 files, as in the following sample CHKDSK output:

 Checking file system on J:
 The type of the file system is NTFS.
 Volume label is MYVOLUME.

 Cleaning up minor inconsistencies on the drive.
 Cleaning up 1496 unused index entries from index $SII of file 0x9.
 Cleaning up 1496 unused index entries from index $SDH of file 0x9.
 Cleaning up 1496 unused security descriptors.
 CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.
 Windows has made corrections to the file system.

 1576209407 KB total disk space.
 1514676116 KB in 4232266 files.
 1523236 KB in 302192 indexes.
 0 KB in bad sectors.
 4671195 KB in use by the system.
 65536 KB occupied by the log file.
 55338860 KB available on disk.

 4096 bytes in each allocation unit.
 394052351 total allocation units on disk.
 13834715 allocation units available on disk.

 * Security descriptor information is removed from some files or folders. In the following example, the Chkdsk log file contains an error message that indicates that two security data stream entries cross page boundaries:

 Checking file system on M:
 The type of the file system is NTFS.
 Volume label is MyVolume.
 A disk check has been scheduled.
 Windows will now check the disk.
 Cleaning up minor inconsistencies on the drive.
 The security data stream entry at offset 0x1bfff0 with length 0x80010033 crosses the page boundary.
 The security data stream entry at offset 0x4bfff0 with length 0x80010033 crosses the page boundary.
 Repairing the security file record segment.
 Deleting an index entry with Id 4971 from index $SII of file 9.
 Deleting an index entry with Id 9614 from index $SII of file 9.
 Deleting an index entry with Id 9614 from index $SDH of file 9.
 Deleting an index entry with Id 4971 from index $SDH of file 9.
 Replacing invalid security id with default security id for file 97.
 Replacing invalid security id with default security id for file 1890.
 Replacing invalid security id with default security id for file 1991.



For more information about security descriptors, search for "security descriptors" in the Microsoft Windows 2000 Help and Support Center.



CAUSE
This issue may occur when one of the following conditions is true:
 * The CHKDSK utility may not find references to all security IDs if the master file table is larger than 4 gigabytes (GB) or if there are more than 4,194,303 files on the volume. In this scenario, the undiscovered security descriptors are reset.
 * The volume contains security descriptors that are logically correct but that do not conform exactly to the alignment convention for the NTFS file system security stream.
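The two symptoms above leave distinct traces in CHKDSK output, so saved logs can be triaged to find volumes where descriptors were reset and which file record numbers need their permissions reassigned. The following is an added example, not part of the original article or any Microsoft tooling; the function name, report keys and flag names are assumptions, and the sample logs are abridged from the article's own sample output.

```python
import re

# File count above which the article says CHKDSK may miss security ID references.
FILE_THRESHOLD = 4_194_303

PATTERNS = {
    "unused_sd": re.compile(r"Cleaning up (\d+) unused security descriptors"),
    "file_count": re.compile(r"KB in (\d+) files"),
    "boundary": re.compile(r"security data stream entry at offset (0x[0-9a-fA-F]+) "
                           r"with length (0x[0-9a-fA-F]+) crosses the page boundary"),
    "index_del": re.compile(r"Deleting an index entry with Id (\d+) from index \$(SII|SDH)"),
    "reset_file": re.compile(r"Replacing invalid security id with default "
                             r"security id for file (\d+)"),
}

def triage_chkdsk_log(text):
    """Return indicators of security-descriptor loss found in CHKDSK output."""
    m = PATTERNS["unused_sd"].search(text)
    unused = int(m.group(1)) if m else 0
    m = PATTERNS["file_count"].search(text)
    files = int(m.group(1)) if m else None
    ids = {int(i) for i, _ in PATTERNS["index_del"].findall(text)}
    report = {
        "unused_descriptors_cleaned": unused,
        "file_count": files,
        "boundary_entries": PATTERNS["boundary"].findall(text),
        "deleted_security_ids": sorted(ids),
        "files_reset_to_default": [int(n) for n in PATTERNS["reset_file"].findall(text)],
    }
    # Heuristic for symptom 1: descriptors cleaned up on a volume past the threshold.
    report["large_volume_cleanup"] = bool(unused and files and files > FILE_THRESHOLD)
    # Heuristic for symptom 2: alignment complaints plus files reset to the default.
    report["alignment_reset"] = bool(report["boundary_entries"]
                                     and report["files_reset_to_default"])
    return report

# Sample logs abridged from the article's sample CHKDSK output.
SAMPLE_LARGE = """Cleaning up 1496 unused index entries from index $SII of file 0x9.
Cleaning up 1496 unused security descriptors.
1514676116 KB in 4232266 files. 1523236 KB in 302192 indexes."""
SAMPLE_ALIGN = """The security data stream entry at offset 0x1bfff0 with length 0x80010033 crosses the page boundary.
Deleting an index entry with Id 4971 from index $SII of file 9.
Deleting an index entry with Id 9614 from index $SDH of file 9.
Replacing invalid security id with default security id for file 97.
Replacing invalid security id with default security id for file 1890."""

if __name__ == "__main__":
    for name, log in (("J:", SAMPLE_LARGE), ("M:", SAMPLE_ALIGN)):
        print(name, triage_chkdsk_log(log))
```

The file numbers in `files_reset_to_default` are MFT file record numbers as CHKDSK prints them, not paths; a match on either flag marks the log for review and is not proof that in-use descriptors were lost.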

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

327009 Chkdsk finds incorrect Security IDs after you restore or copy a lot of data



RESOLUTION
We recommend that you immediately install the appropriate service pack or hotfix on any computer that is currently vulnerable to the loss of security descriptors.

We recommend that you inventory servers and workstations in your organization and then install preventive software on any computers that are at risk. We recommend that you apply any preventive fix to new computers before you deploy the new computers for test or production use. We recommend that you inform server administrators, helpdesk administrators, and support professionals that they should install preventive fixes before the following operations are executed:
 * chkdsk /F
 * chkdsk /R
 * autochk

Note: IT operations guides should also direct that preventive fixes be installed before these commands are executed.

Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites
If volume security descriptors were deleted because of this issue, you may have to reassign user permissions to files and to folders.

Restart requirement
You must restart your computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date         Time   Version             Size  File name
 ---------------------------------------------------------
 10-Dec-2003  05:17  5.0.2195.6881    579,856  Autochk.exe
 10-Dec-2003  09:17  5.0.2195.6881     13,584  Chkdsk.exe
 15-Nov-2001  15:27                     5,149  Empty.cat
 11-Mar-2004  17:59  5.0.2195.6824     17,680  Fmifs.dll
 11-Mar-2004  17:59  5.0.2195.6881     67,344  Ifsutil.dll
 05-Feb-2004  08:18  5.0.2195.6896  5,869,056  Sp3res.dll
 08-Oct-2003  18:18  5.4.1.0            6,656  Spmsg.dll
 08-Oct-2003  18:18  5.4.1.0          140,800  Spuninst.exe
 11-Mar-2004  17:59  5.0.2195.6881     83,216  Ufat.dll
 11-Mar-2004  17:59  5.0.2195.6881    261,392  Ulib.dll
 11-Mar-2004  17:59  5.0.2195.6881    322,832  Untfs.dll

Hotfix installation information
After you apply this hotfix, you must also apply hotfix 873437. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

873437 The CHKDSK command incorrectly identifies certain security descriptors as not valid in Windows 2000



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

<div class="moreinformation_section">

MORE INFORMATION
This hotfix is included in the list of recommended hotfixes to be proactively applied to Windows 2000 server clusters. For more information about this list, click the following article number to view the article in the Microsoft Knowledge Base:

895090 Recommended hotfixes for Windows 2000 Service Pack 4-based server clusters

This hotfix should be evaluated and applied proactively to all server clusters that are prone to be negatively affected by the problem that is described in this article. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

816915 New file naming schema for Microsoft Windows software update packages

824684 Description of the standard terminology that is used to describe Microsoft software updates


© Microsoft Corporation. All rights reserved.